Thread Info
  • State Not Answered
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 6 replies
  • Subscribers 4 subscribers
  • Views 9456 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Windows 10 support for AMSI?

Andrew Johnson

Does Sophos Anti-Virus (Endpoint Security and Control) make use of the Anti-Malware Scan Interface (AMSI) in Windows 10 so that it can intercept obfuscated malicious PowerShell before it can be executed?

Thanks.



This thread was automatically locked due to age.
  • 0

    I was eventually told through other channels that it does not.

    Will this support be added?  Microsoft don't mince their words when referring to antivirus that does not support it.

  • 0 in reply to Andrew Johnson

    Does anyone know if there has been any movement on this since 2017?  Performing some tests on machines with Sophos installed is throwing errors.  I suspect that Sophos still is barring access to AMSI.  Other posts mention Sophos do provide their own API to perform binary scans but documentation is scarce.  I suspect Sophos aren't keen for people to use AMSI as it can be easily bypassed and give false assurances.   If we could get an up-to-date response from Sophos themselves that would be great! :)

  • 0 in reply to Ian Hardman

    Response from Sophos 

    From: Sophos Support <support@sophos.com>
    Sent: 20 February 2019 13:35 To: Ian Hardman <Ian.Hardman@blackthorn.com>
    Subject: [#8641973] Sophos Central Admin Support Request - does sophos end point protection work with amsi? is there a way to scan a binary file in memory (byte array / stream).

    Hello Ian, Am afraid we don't use Microsoft's Antimalware Scan Interface (AMSI), we use our own code to detect threats.

    Sophos Endpoint Security employs multiple layers of protection against multiple files, each targeting a different aspect of the threat cycle. Modern threats are developed and tested against traditional pre-execution scanning then delivered via the Internet, requiring additional layers that catch these zero-day threats until pre-execution detection can be updated. Further information can be found within the document 113342  Comparison of Sophos's malicious file detection technologies https://community.sophos.com/kb/en-us/113342

    Regards,
    Senthil Kumar Sophos
    Technical Support
    https://www.sophos.com/en-us/support/contact-support.aspx

  • 0

    AMSI support is planned by the end of this year. There will be an early access program in Sophos Central to try it out in the next couple of months.

  • 0 in reply to JS

    Thanks for the good news and not forgetting this old thread.  This feature has been a very long time coming!

  • 0

    Hi Andrew,

    We will be releasing AMSI support in about two months. Meanwhile the Early Access Program is still running, so you can join that if you haven't already.

    Best regards,

    Vince

Unfiltered HTML