Win 10 anti-malware analyser will peer into memory to kill IM-and-game-borne viruses
Microsoft head software engineer Lee Holmes says Windows 10 applications will now be able to plug into installed anti-virus platforms to better malicious scripts.
Holmes says the Windows 10 Antimalware Scan Interface (AMSI) will allow apps and services to use anti-virus to find badness operating in memory.
He says most anti-malware platforms will write signatures against suspicious obfuscation and encoding tricks such as XOR, but this tends to fail when those tricks are so basic as to appear benign.
Efforts so far at best miss attacks that live in memory and at worse generate mass false positives by killing legitimate processes.
Holmes says “… the antivirus engine inspects files being opened by the user. If the malicious content lives only in memory, the attack can potentially go undetected.”
“While the malicious script might go through several passes of de-obfuscation, it ultimately needs to supply the scripting engine with plain, un-obfuscated code. When it gets to this point, the application can now call the new Windows AMSI APIs to request a scan of this unprotected content.
“Any application can call it (AMSI) and any registered anti-malware engine can process the content submitted to it.”
Holmes urges application developers to have their apps call AMSI and anti-virus vendors to build support for the feature.
He says the feature may be extended to kill malware through instant messaging platforms or video game plug-ins for example, and is focusing on scripts in its initial launch phase.
“There are plenty of more opportunities – this is just a start,” he says.
Windows Defender, Microsoft’s own anti-virus platform, is thanks to AMSI able to detect a XOR encoded malicious script dropped in command line using only “bog standard” signature. ®