Attackers are using these tricks to bypass Microsoft anti-malware protections

Kingston
(Image credit: Kingston)

Cybercriminals and security researchers looking to bypass Microsoft’s Antimalware Scan Interface (AMSI) usually go for one of four commonly-used methods, analysis from cybersecurity analysts at Sophos has shown. 

AMSI is Microsoft’s “anti-malware traffic cop”, as Sophos describes it, enabling software to scan files, memory or streams for malicious code, regardless of the software vendor.

With AMSI, antivirus programs get to analyze Microsoft components and applications such as PowerShell engine and script hosts, Office document macros (one of the most popular methods of spreading malicious code among workers), .NET Framework components, or Windows Management Instrumentation (WMI) components.

Sophos says there are four key ways hackers (both malign and benign) usually bypass AMSI: either with PowerShell code (an old, but incredibly prevalent method), by messing with the code of the AMSI library that’s already loaded into memory (more than 98% of the bypass attempts focus on this method), by loading a counterfeit version of amsi.dll, or by downgrading scripting engines to versions older than AMSI. 

AMSI hacks

While these are the four most prevalent methods, Sophos says there are others that also revolve around “staying away from processes that interact with AMSI”. In some extreme cases, such as the Ragnar Locker one, attackers brought entire virtual machines to hide their scripts from being detected.

One of AMSI’s main goals is to defend its premises from living-off-the-land (LOL) tactics that use Microsoft’s own components, as well as to help developers strengthen the cybersecurity posture of their own tools, the researchers are saying. 

Ransomware’s increasing popularity has made AMSI super important in keeping Windows 10 and Windows Server systems secure.

“But AMSI is not a panacea,” Sophos concludes. It’s a great addition to anyone’s cybersecurity arsenal, but “a defense in depth”, that leverages a blend of detections at the endpoint and on the network, is crucial in safeguarding one’s premises.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Mustang Panda
Chinese hackers abuse Microsoft tool to get past antivirus and cause havoc
A person in a wheelchair working at a computer.
Why betting on Mac security could put your organization at risk
email
A Windows filetype update may have complicated cyber threat detection efforts
Fraud
Hackers are tricking victims into scam-yourself attacks with fake tutorials, CAPTCHAs, and updates
A digital representation of a lock
Exploits on the rise: How defenders can combat sophisticated threat actors
An image of network security icons for a network encircling a digital blue earth.
Why effective cybersecurity is a team effort
Latest in Security
Hacker silhouette working on a laptop with North Korean flag on the background
North Korea unveils new military unit targeting AI attacks
An image of network security icons for a network encircling a digital blue earth.
US government warns agencies to make sure their backups are safe from NAKIVO security issue
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Veeam urges users to patch security issues which could allow backup hacks
UK Prime Minister Sir Kier Starmer
The UK releases timeline for migration to post-quantum cryptography
Representational image depecting cybersecurity protection
Cisco smart licensing system sees critical security flaws exploited
Latest in News
Ray-Ban Meta Smart Glasses
Samsung's rumored smart specs may be launching before the end of 2025
Apple iPhone 16 Review
The latest iPhone 18 leak hints at a major chipset upgrade for all four models
Quordle on a smartphone held in a hand
Quordle hints and answers for Monday, March 24 (game #1155)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Monday, March 24 (game #386)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Monday, March 24 (game #652)
Quordle on a smartphone held in a hand
Quordle hints and answers for Sunday, March 23 (game #1154)