McAfee AMSI Integration Protects Against Malicious Scripts

Following on from the McAfee Protects against suspicious email attachments blog, this blog describes how the AMSI (Antimalware Scan Interface) is used within the various McAfee Endpoint products. The AMSI scanner within McAfee ENS 10.6 has already detected over 650,000 pieces of malware since the start of 2019. This blog shows you how to enable it, and explains why it should be enabled, by highlighting some of the malware we are able to detect with it.


ENS 10.6 and Above


The AMSI scanner scans scripts at the point where they are executed. By then the script engine has done the de-obfuscation, so the scanner sees the real content and can scan it using DAT content. This is useful because the original scripts on disk can be heavily obfuscated and are difficult to detect generically, as shown in the image below:



Figure 1 – Obfuscated VBS script being de-obfuscated with AMSI
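To make the point behind Figure 1 concrete, here is an added illustration that is not McAfee code and does not reflect how ENS or the DAT engine work internally: a toy emulation of what a script engine has already done by the time AMSI hands the content to a scanner. The VBS fragment, the Chr()/& unfolding and the single signature are all constructed for this example.

```python
import re

# Constructed sample (not from the blog): a VBS fragment that builds the string
# "WScript.Shell" from Chr() calls joined with "&", so the literal never appears
# in the file on disk and a signature on the raw text cannot match it.
OBFUSCATED_VBS = (
    "Set o = CreateObject("
    "Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & "
    "Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108))"
)

# One constructed content signature standing in for DAT content.
SIGNATURES = [re.compile(r"WScript\.Shell", re.IGNORECASE)]

CHR_CALL = re.compile(r"Chr\((\d+)\)", re.IGNORECASE)
LITERAL_JOIN = re.compile(r'"\s*&\s*"')

def deobfuscate(script: str) -> str:
    """Minimal emulation of the script engine's work before AMSI sees the content:
    evaluate Chr(n) to a quoted literal, then fold "a" & "b" into "ab".
    (A real engine does far more; Chr(34), variables and functions are not handled.)"""
    with_literals = CHR_CALL.sub(lambda m: '"' + chr(int(m.group(1))) + '"', script)
    return LITERAL_JOIN.sub("", with_literals)

def scan(content: str) -> list:
    """Return the signature patterns that match the given content."""
    return [sig.pattern for sig in SIGNATURES if sig.search(content)]

def static_scan(script: str) -> list:
    """File-on-disk style scan: only the obfuscated text is visible."""
    return scan(script)

def amsi_style_scan(script: str) -> list:
    """AMSI style scan: the de-obfuscated content is what gets scanned."""
    return scan(deobfuscate(script))

def verdict(script: str, block_mode: bool) -> str:
    """Mirror the two ENS states from the blog: observe mode only logs 'Would Block',
    while blocking mode logs 'Blocked'."""
    if not amsi_style_scan(script):
        return "Clean"
    return "Blocked" if block_mode else "Would Block"

if __name__ == "__main__":
    print("raw file scan :", static_scan(OBFUSCATED_VBS))      # []
    print("de-obfuscated :", deobfuscate(OBFUSCATED_VBS))
    print("AMSI scan     :", amsi_style_scan(OBFUSCATED_VBS))  # ['WScript\\.Shell']
    print("observe mode  :", verdict(OBFUSCATED_VBS, block_mode=False))
```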


Enable the Scanner


By default, the AMSI scanner is set to observe mode. This means that the scanner is running but will not block any detected scripts; instead the detection appears in the ENS log and the event viewer as shown below:



Figure 2 – Would Block in the Event log


To actively block the detected threats, you need to de-select the following option in the ENS settings:



Figure 3 – How to enable Blocking


Once this has been done, the event log will show that the malicious script has now been blocked:



Figure 4 – Action Blocked in Event Log


In the Wild


Since January 2019, we have observed over 650,000 detections, as shown in the IP Geo Map below:



Figure 5 – Geo Map of all AMSI de ..
