Antimalware Scan Interface Security Provider

What does this feature do? What impact does it have on performance and usability?

Best Answer

  • Alex_Dr (BD Staff)

    Hello @JEHC ,

    The new integration with Windows Antimalware Scan Interface (AMSI) technology provides an additional level of protection against dynamic malware such as script-based attacks.

    • The Command Line Scanner option allows you to detect fileless attacks at pre-execution stage.
    • The Antimalware Scan Interface (AMSI) option allows you to scan content (scripts, files, URLs etc.) sent by other services that require a security vendor to analyze it before accessing, running, or writing it to the disk.

    AMSI scanning is available with the Fileless Attack Protection feature for GravityZone Elite and Ultra products.

    If it affects Bitdefender or endpoint usability or performance, I strongly suggest you reach out to the Technical Support Team, as some troubleshooting steps need to be performed in order to pinpoint the culprit.


    Thank you and do let me know how the above works out.

Answers

  • This is in regards to GravityZone Ultra.

  • The Antimalware Scan Interface (AMSI) option allows you to scan content (scripts, files, URLs etc.) sent by other services that require a security vendor to analyze it before accessing, running, or writing it to the disk.

    This really does not explain what happens. What other services? What security vendors?

  • Andrei_S Enterprise
    edited August 2

    Hello @WaltrDE

    The Antimalware Scan Interface Security Provider is one of the features that are used to protect you against fileless attacks. As per our documentation https://www.bitdefender.com/business/support/en/77209-78199-gravityzone-control-center.html#UUID-782ef446-e7a8-2c58-e6a9-f1973851d835_UUID-2c6c5e2f-4c72-50a5-efd0-9376d15e5c7c:

    • Antimalware Scan Interface Security Provider scans content at a deeper level using Windows Antimalware Scan Interface (AMSI) integration. Scripts, files, URLs, and others are sent by different services that require a security analysis before accessing, running, or writing them to the disk. Additionally, you can control whether to report the outcome of the Antimalware module analysis further to the AMSI services or not.

    Windows Antimalware Scan Interface (AMSI) is a security feature in Windows with the role to help detect and prevent malicious software by allowing various security products (GravityZone in this case) to scan and analyze content in real time. When a script or file is executed, AMSI can scan the content before it's run. This helps in detecting threats that might be hidden or obfuscated. For example, AMSI can work with PowerShell and other scripting languages to ensure that scripts are not executing malicious commands.

    https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal

    In the article that I have shared, this feature (AMSI) is used by the GravityZone Antimalware module On-Execute, which protects you against malware code being executed.

    I hope that I was able to clarify this topic, if not please let me know.

    Kind Regards,

    Andrei
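A way to check the AMSI path described above end to end on a Windows endpoint, added here as an example and not code from this thread or from Bitdefender: it lists the AMSI providers registered on the machine (they register their COM CLSID under HKLM\SOFTWARE\Microsoft\AMSI\Providers) and then hands Microsoft's documented AMSI test string to PowerShell, which refuses to run it when a working provider flags the script block. The function names and the printed messages are my own.

```powershell
# Added example, not Bitdefender code. Function names are assumptions of this
# example. Run in a PowerShell 5.1 or 7 session on the endpoint under test.

function Get-AmsiProvider {
    # Each AMSI provider registers its COM CLSID as a subkey here; the friendly
    # name and the provider DLL live under the matching HKLM\SOFTWARE\Classes\CLSID key.
    $providersKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path -Path $providersKey)) {
        Write-Warning 'No AMSI Providers key found; AMSI is not available on this OS build.'
        return @()
    }
    Get-ChildItem -Path $providersKey | ForEach-Object {
        $clsid    = $_.PSChildName
        $classKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        [pscustomobject]@{
            CLSID = $clsid
            Name  = (Get-ItemProperty -Path $classKey -ErrorAction SilentlyContinue).'(default)'
            Dll   = (Get-ItemProperty -Path "$classKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        }
    }
}

function Test-AmsiBlocksScript {
    # Microsoft's documented AMSI test string. It is assembled from two pieces so
    # that this file does not itself contain the full signature; the complete
    # string only exists inside the script block given to Invoke-Expression,
    # which is what PowerShell submits to AMSI at run time.
    $sample = 'AMSI Test Sample: ' + '7e72c3ce-861b-4339-8740-0ac1484c1386'
    try {
        Invoke-Expression -Command "Write-Output '$sample'" | Out-Null
        # Reaching this line means no provider flagged the script block.
        return $false
    }
    catch {
        # When a provider returns a detection, PowerShell raises a ParseException
        # ("This script contains malicious content and has been blocked by your
        # antivirus software") instead of running the script block.
        if ($_.Exception -is [System.Management.Automation.ParseException] -or
            $_.Exception.Message -match 'malicious content') {
            return $true
        }
        throw
    }
}

'Registered AMSI providers:'
Get-AmsiProvider | Format-Table -AutoSize

if (Test-AmsiBlocksScript) {
    'AMSI test string was blocked: a registered provider is scanning PowerShell script blocks.'
}
else {
    'AMSI test string ran unblocked: no provider returned a detection (check the AMSI option in the applied policy).'
}
```

Expect a detection event for the test string in the endpoint's log as well; a positive here shows that the provider is registered and answering AMSI scan requests, while a run that is not blocked means either no provider is registered or the one that is registered is not returning detections for script content.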

  • Are we able to get AMSI/BitDefender to notify via email when it detects and cleans a virus similar to when BitDefender without AMSI does?

  • Hello @KKG-Tech ,

    Yes, you can set up an email notification for this by enabling the ATC/IDS event from the Configure Notifications section.
    More details about this can be found here:

    https://www.bitdefender.com/business/support/en/77209-94322-notification-types.html#UUID-e739330c-2f12-f77b-0b36-df0ae19a5429

    Kind Regards,

    Andrei

  • Ok thanks. That isn't working either. Below is the log from BitDefender's endpoint. All things point to this should work. Again, my notifications work on everything else when triggered.

    On-Access scanning has detected malicious behavior on C:\Users\username\Downloads\eicar.com.txt and identified it as EICAR-Test-File (not a virus). No action taken. The item will be handled further on by brave.exe (C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe). This is an Antimalware Scan Interface (AMSI) detection.

    What am I missing?

  • @KKG-Tech we would need to do an impersonation and check your configurations, because it should work if you have configured the notification and the policy applied to the endpoint has ATC enabled:

    https://www.bitdefender.com/business/support/en/77209-342932-on-execute.html#UUID-86a918b2-9e8c-aee7-ec6e-dd4a5e937f34

    If you meet these conditions and the issue is still occurring, we need to involve support to investigate, so please open a support ticket on this.

    Kind Regards,

    Andrei