This FAQ article provides information on Sophos Antimalware Scan Interface (AMSI) Protection.
The following sections are covered:
Applies to the following Sophos products and versions: Central Windows Endpoint 10.8.3, Sophos Endpoint IPS
Some of the more advanced malware leverages scripts that are obfuscated or encrypted to prevent scanning by traditional means and are often loaded directly into memory without utilizing a file on the device. The Sophos Antimalware Scan Interface (AMSI) Protection integrates into applications for Windows 10 and Windows Server 2016 and allows for the most common malware scanning and protection techniques.
Sophos AMSI Protection is not limited to file, memory or stream scanning of its supported components (see 'Which components does Windows AMSI integrate into'). Its design makes it agnostic of the calling process: it provides its malware scanning and protection techniques to every application that integrates support for the AMSI interface, and therefore scans whatever type of data those applications submit.
AMSI Protection checks include whether scripts are safe to run, even if they’re obfuscated or only generated at runtime. Similar checks can be applied for code that is loaded from sources other than the local disk before it is executed from memory.
Microsoft has introduced the Windows Antimalware Scanning Interface in Windows 10 and Windows Server 2016. Sophos AMSI Protection supports Windows AMSI on Windows 10 as well as Windows Server 2016.
Windows AMSI is integrated into the following components:
Windows AMSI is a generic interface that allows any application to integrate malware detection. Microsoft has integrated support for AMSI into their own scripting interpreters that are shipped with Windows, hence Sophos AMSI Protection is supported for the following scripting languages:
Windows AMSI is not supported out-of-the-box for other popular script languages like Perl or Python. However, if the interpreters for those languages are extended with support for AMSI, the AMSI provider will get called for those languages, too.
Please refer to KB134333 What data is collected by the Sophos Antimalware Scan Interface (AMSI) Protection?
No, AMSI will be installed as an active component on valid endpoints automatically.
On Sophos Central:
On the Endpoint:
In Sophos Central:
Sophos AMSI Protection can either be enabled or disabled through a Threat Protection Policy:
Sophos AMSI Protection functionality can be tested using the EICAR test string, executed through PowerShell. The EICAR test string is not a virus; it is an industry standard detection test. Sophos AMSI Protection will report its presence as AMSI/Eicar-A2. Here are the steps to test it:
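As an added example (not the article's own steps), the PowerShell function below assembles the EICAR test string at runtime, hands it to the engine with Invoke-Expression so the AMSI provider scans it before execution, and then looks in the Windows Application log for a recent Warning entry naming the AMSI/Eicar-A2 detection. The function name, the LookbackMinutes parameter and the assumption that the event is findable by its message text are mine, not Sophos's.

```powershell
# Added example: exercise Sophos AMSI Protection with the EICAR test string
# and confirm the expected block and event. Function/parameter names are assumptions.
function Test-SophosAmsiProtection {
    [CmdletBinding()]
    param(
        # Minutes of Application log history to search for the detection event
        # (assumption: the Warning event lands there within this window).
        [int]$LookbackMinutes = 5
    )

    # Build the industry-standard EICAR string at runtime so the script file itself
    # does not match on disk; AMSI sees the fully assembled content when it runs.
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

    $start  = Get-Date
    $result = [ordered]@{ Blocked = $false; Message = ''; EventFound = $false }

    try {
        # Invoke-Expression submits the string to AMSI before execution. With Sophos
        # AMSI Protection active, PowerShell throws instead of running the content.
        Invoke-Expression "Write-Output '$eicar'" | Out-Null
        $result.Message = 'EICAR content executed without an AMSI block'
    }
    catch {
        $result.Blocked = $true
        $result.Message = $_.Exception.Message
    }

    # The article states a 'Warning' event (Level 3) is written to the Application log;
    # match on the detection name rather than assuming a provider name.
    $events = Get-WinEvent -FilterHashtable @{
                  LogName   = 'Application'
                  Level     = 3
                  StartTime = $start.AddMinutes(-$LookbackMinutes)
              } -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -like '*AMSI/Eicar-A2*' }
    $result.EventFound = [bool]$events

    [pscustomobject]$result
}

Test-SophosAmsiProtection | Format-List
```

Blocked = True together with EventFound = True is the healthy outcome; Blocked = False means the script ran unscanned and the policy or exclusions (see below) should be checked.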
You can exclude a drive, folder or file by full path. Code in this location is not scanned. You can use the wildcard * for file name or extension.
To set exclusions:
To edit an exclusion later, click its name in the exclusions list, enter new settings and click Update.
CAUTION - Think carefully before you add global exclusions because doing so may reduce your protection.
If Sophos AMSI Protection blocks the execution of a specific script, the user will receive a toast notification in the tray area:
An event will be added to the Sophos Endpoint:
In addition, a 'Warning' event will be added to the Windows Application Event log:
The Events tab in a computer's details page displays events detected on the computer.
For more information, refer to Sophos Central Help: Home > Overview > Devices > Computers > Computer Events