[Bug 46798] New: Multiple Microsoft applications need support for Antimalware Scan Interface (AMSI) 'AMSI.dll'

wine-bugs at winehq.org wine-bugs at winehq.org
Fri Mar 8 06:43:00 CST 2019


https://bugs.winehq.org/show_bug.cgi?id=46798

            Bug ID: 46798
           Summary: Multiple Microsoft applications need support for
                    Antimalware Scan Interface (AMSI) 'AMSI.dll'
           Product: Wine
           Version: 4.3
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: -unknown
          Assignee: wine-bugs at winehq.org
          Reporter: focht at gmx.net
      Distribution: ---

Hello folks,

to track the introduction of the Antimalware Scan Interface component with recent
commits. Search didn't return any Wine-related bug reports, hence I assume it's
some sekrit stuff CodeWeavers works on. My guess would be it's Microsoft Office
2016/Office 365 that has AMSI integration for VBA macros (VBE7.dll).

Microsoft docs:

https://docs.microsoft.com/en-us/windows/desktop/amsi/antimalware-scan-interface-portal

https://www.microsoft.com/security/blog/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/

--- quote ---
Antimalware Scan Interface (AMSI)

Purpose

The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard
that allows your applications and services to integrate with any antimalware
product that's present on a machine. AMSI provides enhanced malware protection
for your end-users and their data, applications, and workloads.

AMSI is agnostic of antimalware vendor; it's designed to allow for the most
common malware scanning and protection techniques provided by today's
antimalware products that can be integrated into applications. It supports a
calling structure allowing for file and memory or stream scanning, content
source URL/IP reputation checks, and other techniques.

AMSI also supports the notion of a session so that antimalware vendors can
correlate different scan requests. For instance, the different fragments of a
malicious payload can be associated to reach a more informed decision, which
would be much harder to reach just by looking at those fragments in isolation.

Windows components that integrate with AMSI

The AMSI feature is integrated into these components of Windows 10.

    User Account Control, or UAC (elevation of EXE, COM, MSI, or ActiveX installation)
    PowerShell (scripts, interactive use, and dynamic code evaluation)
    Windows Script Host (wscript.exe and cscript.exe)
    JavaScript and VBScript
    Office VBA macros
--- quote ---

Found an app that makes use of AMSI here:

https://github.com/wchen-r7/amsiscanner

--- quote ---
AMSI Scanner

A C/C++ implementation of Microsoft's Antimalware Scan Interface.
--- quote ---

--- snip ---
$ wine ./amsiscanner.exe amsiscanner.exe 
0009:fixme:amsi:AmsiInitialize L"\794d\6d41\6973\6353\6e61\656er", 0x33fdd4
0009:fixme:amsi:AmsiOpenSession 0xdeadbeef, 0x33fdd0
0009:fixme:amsi:AmsiScanBuffer 0xdeadbeef, 0x340000, 178688, L"\6d61\6973\6373\6e61\656e\2e72\7865er.\0188", 0xdeadbeef, 0x33fdcc
0009:fixme:amsi:AmsiUninitialize 0xdeadbeef
Sample size: 178688 bytes
Risk level = 1 (No threat detected)
--- snip ---

$ sha1sum amsiscanner.exe 
257626250fd91de2f853758c3cccc8e5f5830113  amsiscanner.exe

$ du -sh amsiscanner.exe 
176K    amsiscanner.exe

$ wine --version
wine-4.3-188-gab7756619c

Regards
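As an added illustration (this is not code from the bug report, from Wine, or from the amsiscanner project), the following C model reproduces the calling structure visible in the trace above, AmsiInitialize -> AmsiOpenSession -> AmsiScanBuffer -> AmsiUninitialize, together with the session correlation the quoted Microsoft text describes: two fragments that are individually clean are flagged once the session has seen both. The provider side is a constructed stand-in (a fixed marker string) rather than a real antimalware engine, every function and type name prefixed `model_` is hypothetical, and the result values mirror the documented AMSI_RESULT codes (1 = no threat detected, matching the "Risk level = 1" in the trace; 32768 and above = detected). The real exports take HAMSICONTEXT/HAMSISESSION handles and return HRESULTs; the model uses plain pointers and 0/-1.

```c
/* Added example: an in-process model of the AMSI calling structure.
 * Not the real amsi.dll; the provider logic is a constructed stand-in. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes, mirroring the documented AMSI_RESULT values. */
enum model_result {
    MODEL_RESULT_CLEAN        = 0,
    MODEL_RESULT_NOT_DETECTED = 1,     /* the "Risk level = 1" seen in the trace */
    MODEL_RESULT_DETECTED     = 32768  /* anything >= this counts as malware */
};

#define MODEL_SESSION_MAX 4096

/* Constructed marker for this model; a real provider runs its own engine here.
 * No single fragment in the demo below contains the whole marker. */
static const char MODEL_MARKER[] = "CONSTRUCTED-TEST-MARKER";

struct model_context { char app_name[64]; };

/* A session accumulates the fragments scanned through it; that is what lets
 * the provider correlate pieces that look harmless on their own. */
struct model_session {
    struct model_context *ctx;
    char joined[MODEL_SESSION_MAX];
    size_t joined_len;
};

/* Byte-safe substring search (memmem is not portable C). */
static int model_contains(const char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || hay_len < n) return 0;
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Counterpart of AmsiInitialize: the application identifies itself once. */
int model_initialize(const char *app_name, struct model_context **out)
{
    if (!app_name || !out) return -1;
    struct model_context *ctx = calloc(1, sizeof *ctx);
    if (!ctx) return -1;
    snprintf(ctx->app_name, sizeof ctx->app_name, "%s", app_name);
    *out = ctx;
    return 0;
}

/* Counterpart of AmsiOpenSession. */
int model_open_session(struct model_context *ctx, struct model_session **out)
{
    if (!ctx || !out) return -1;
    struct model_session *s = calloc(1, sizeof *s);
    if (!s) return -1;
    s->ctx = ctx;
    *out = s;
    return 0;
}

/* Counterpart of AmsiScanBuffer. session may be NULL, in which case the
 * buffer is judged in isolation, exactly like a one-off scan. */
int model_scan_buffer(struct model_context *ctx, const void *buf, size_t len,
                      const char *content_name, struct model_session *session,
                      enum model_result *result)
{
    if (!ctx || !buf || !result) return -1;
    if (session && session->ctx != ctx) return -1;
    const char *bytes = buf;
    (void)content_name;  /* a real provider would log or key on the content name */

    if (model_contains(bytes, len, MODEL_MARKER)) {
        *result = MODEL_RESULT_DETECTED;
        return 0;
    }
    if (session) {
        size_t room = MODEL_SESSION_MAX - session->joined_len;
        size_t take = len < room ? len : room;
        memcpy(session->joined + session->joined_len, bytes, take);
        session->joined_len += take;
        if (model_contains(session->joined, session->joined_len, MODEL_MARKER)) {
            *result = MODEL_RESULT_DETECTED;
            return 0;
        }
    }
    *result = MODEL_RESULT_NOT_DETECTED;
    return 0;
}

void model_close_session(struct model_session *s) { free(s); }
void model_uninitialize(struct model_context *ctx) { free(ctx); }

/* Same rule as the documented AmsiResultIsMalware macro. */
int model_result_is_malware(enum model_result r) { return r >= MODEL_RESULT_DETECTED; }

int main(void)
{
    struct model_context *ctx = NULL;
    struct model_session *session = NULL;
    enum model_result r;
    /* Constructed fragments: neither contains the marker on its own. */
    const char *frags[] = { "CONSTRUCTED-TEST-", "MARKER" };

    if (model_initialize("amsi-model-demo", &ctx) != 0) return 1;
    if (model_open_session(ctx, &session) != 0) return 1;
    for (int i = 0; i < 2; i++) {
        model_scan_buffer(ctx, frags[i], strlen(frags[i]), "fragment", session, &r);
        printf("fragment %d: result %d (%s)\n", i, (int)r,
               model_result_is_malware(r) ? "detected" : "no threat detected");
    }
    model_close_session(session);
    model_uninitialize(ctx);
    return 0;
}
```

The second fragment is only flagged because it was scanned through the same session as the first; scanning "MARKER" alone with a NULL session yields 1 (no threat detected). That is the property the Wine stubs currently cannot provide, since they accept every call and return without consulting a provider.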
