“With Windows 10, Microsoft will be adding a new layer of protection against dynamic script-based malware and non-traditional avenues of cyberattack: the Antimalware Scan Interface (AMSI).
AMSI is a “generic interface standard that allows applications and services to integrate with any antimalware product present on a machine.”
The interface is there for application developers and antivirus vendors to use.
The former can have their app call it if they want some extra scanning and analysis of potentially malicious content.
“While the malicious script might go through several passes of deobfuscation, it ultimately needs to supply the scripting engine with plain, unobfuscated code. When it gets to this point, the application can now call the new Windows AMSI APIs to request a scan of this unprotected content,” Lee Holmes, MMPC Principal Software Engineer, explained.
“While we’ve been talking about this in the context of scripting engines, it doesn’t need to stop there. Imagine communication apps that scan instant messages for viruses before ever showing them to you or games that validate plugins before installing them.”
Third-party developers of antimalware products should seriously consider implementing support for AMSI, as their engine can gain insight into the data that applications (including Windows built-in scripting hosts) consider potentially malicious.
Users do nothing, except from benefiting directly from the developers’ decision to used AMSI.”