Anti-malware interface
Anti-Malware Scan Interface (AMSI) was introduced in Windows 10 as a security layer that sits between applications on your PC and your antivirus software. AMSI gives apps a way to conduct antivirus checks on files. They can pass information to AMSI to have it processed by the running antivirus engine. This might be Windows Defender or software supplied by a third-party vendor.
AMSI is invoked for several events that occur during normal use of a Windows system. These include the execution of scripts in PowerShell, Windows Script Host and other runtime layers. A compromised script could give attackers an entry point to the device. For this reason, the contents of scripts are verified by AMSI before they're allowed to run.
Security researcher Satoshi Tanda discovered this protection can be bypassed using a trivial technique. AMSI seemingly stops execution after encountering a null character in the file it’s processing. Attackers could create a compromised PowerShell script which starts with a null character. AMSI would immediately truncate the file’s contents, stopping execution after processing the character. It would report successful verification of the shortened file.
Script attack
With AMSI expressing approval of the script's contents, PowerShell would go on to run it in full. Attackers could use specially crafted scripts to take control of the operating system and the apps running on it. Adoption of script-based malware which exploits the capabilities of apps like PowerShell is on the rise, so this attack is more severe than it might seem.
Tanda reported the discovery of the flaw to Microsoft “a few months ago.” The company shipped a patch for the issue in last week’s monthly Patch Tuesday updates for Windows 10 systems. Users shouldn’t need to take any further action to secure their devices after installing the patch.
There is still a risk that other antivirus software engines may be vulnerable to similar attacks. While AMSI is now protected, it’s possible that additional Windows antimalware components could be bypassed in a similar way. Third-party vendors may also be impacted by the simple technique. Tanda said providers should test their software to make sure it’s not vulnerable.
“Software vendors using AMSI to scan PowerShell contents should review whether it can handle null characters properly should they appear,” said Tanda. “Additionally, security researchers and users of security software can test if their AMSI providers are vulnerable to the bypass technique and ask vendors to address issues if needed. Also, it might be worth monitoring any appearance of a null character in PowerShell contents to detect attempts to exploit this issue.”
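The monitoring Tanda suggests can be done with a small check like the one below, an added example that is not Tanda's test code and not Microsoft's AMSI implementation. It decodes the script the way the interpreter would (honouring a UTF-8 or UTF-16 byte-order mark, otherwise assuming UTF-8) before looking for U+0000, because a legitimate UTF-16 script contains a null byte in every other position on disk; it then reports how much of the decoded text a scanner that stops at the first null character would never inspect. The sample scripts are constructed for the example.

```python
import codecs

# Constructed sample scripts (not from the article): raw bytes as they would
# sit on disk, in the encodings PowerShell commonly reads.
CLEAN_UTF8 = b"Write-Host 'hello'\n"
CLEAN_UTF16 = codecs.BOM_UTF16_LE + "Write-Host 'hello'\n".encode("utf-16-le")
LEADING_NULL = b"\x00Write-Host 'hidden'\n"
MID_NULL = b"Write-Host 'ok'\n\x00Write-Host 'hidden'\n"


def decode_script(raw: bytes) -> str:
    """Decode the bytes the way the interpreter would: honour a UTF-8 or
    UTF-16 byte-order mark, otherwise assume UTF-8 (an assumption here)."""
    if raw.startswith(codecs.BOM_UTF8):
        return raw[len(codecs.BOM_UTF8):].decode("utf-8")
    if raw.startswith(codecs.BOM_UTF16_LE):
        return raw[len(codecs.BOM_UTF16_LE):].decode("utf-16-le")
    if raw.startswith(codecs.BOM_UTF16_BE):
        return raw[len(codecs.BOM_UTF16_BE):].decode("utf-16-be")
    return raw.decode("utf-8", errors="replace")


def find_null_chars(text: str) -> list:
    """Return (line, column) of every U+0000 in the decoded script text."""
    hits, line, col = [], 1, 1
    for ch in text:
        if ch == "\x00":
            hits.append((line, col))
        if ch == "\n":
            line, col = line + 1, 1
        else:
            col += 1
    return hits


def check_script(raw: bytes) -> dict:
    """Flag a script that carries a null character and report how much of it
    a scanner that stops at the first null would never inspect."""
    text = decode_script(raw)
    hits = find_null_chars(text)
    visible = text.split("\x00", 1)[0]  # what a null-terminating scanner sees
    hidden = len(text) - len(visible) - 1 if hits else 0
    return {"suspicious": bool(hits), "null_positions": hits,
            "chars_hidden_from_truncating_scanner": hidden}


if __name__ == "__main__":
    for name, raw in [("CLEAN_UTF8", CLEAN_UTF8), ("CLEAN_UTF16", CLEAN_UTF16),
                      ("LEADING_NULL", LEADING_NULL), ("MID_NULL", MID_NULL)]:
        print(name, check_script(raw))
```

Running the check over a directory of .ps1 files, or over script-block content captured by PowerShell logging, turns any hit into an alert worth investigating.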