https://bugs.winehq.org/show_bug.cgi?id=46798
Bug ID: 46798
Summary: Multiple Microsoft applications need support for Antimalware Scan Interface (AMSI) 'AMSI.dll'
Product: Wine
Version: 4.3
Hardware: x86-64
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: -unknown
Assignee: wine-bugs@winehq.org
Reporter: focht@gmx.net
Distribution: ---
Hello folks,
to track the introduction of the Antimalware Scan Interface component with recent commits. Search didn't return any Wine-related bug reports, hence I assume it's some sekrit stuff CodeWeavers works on. My guess would be it's Microsoft Office 2016/Office 365 that has AMSI integration for VBA macros (VBE7.dll).
Microsoft docs:
https://docs.microsoft.com/en-us/windows/desktop/amsi/antimalware-scan-inter...
https://www.microsoft.com/security/blog/2015/06/09/windows-10-to-offer-appli...
--- quote ---
Antimalware Scan Interface (AMSI)
Purpose
The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product that's present on a machine. AMSI provides enhanced malware protection for your end-users and their data, applications, and workloads.
AMSI is agnostic of antimalware vendor; it's designed to allow for the most common malware scanning and protection techniques provided by today's antimalware products that can be integrated into applications. It supports a calling structure allowing for file and memory or stream scanning, content source URL/IP reputation checks, and other techniques.
AMSI also supports the notion of a session so that antimalware vendors can correlate different scan requests. For instance, the different fragments of a malicious payload can be associated to reach a more informed decision, which would be much harder to reach just by looking at those fragments in isolation.
Windows components that integrate with AMSI
The AMSI feature is integrated into these components of Windows 10.
- User Account Control, or UAC (elevation of EXE, COM, MSI, or ActiveX installation)
- PowerShell (scripts, interactive use, and dynamic code evaluation)
- Windows Script Host (wscript.exe and cscript.exe)
- JavaScript and VBScript
- Office VBA macros
--- quote ---
Found an app that makes use of AMSI here:
https://github.com/wchen-r7/amsiscanner
--- quote ---
AMSI Scanner
A C/C++ implementation of Microsoft's Antimalware Scan Interface.
--- quote ---
--- snip ---
$ wine ./amsiscanner.exe amsiscanner.exe
0009:fixme:amsi:AmsiInitialize L"\794d\6d41\6973\6353\6e61\656er", 0x33fdd4
0009:fixme:amsi:AmsiOpenSession 0xdeadbeef, 0x33fdd0
0009:fixme:amsi:AmsiScanBuffer 0xdeadbeef, 0x340000, 178688, L"\6d61\6973\6373\6e61\656e\2e72\7865er.\0188", 0xdeadbeef, 0x33fdcc
0009:fixme:amsi:AmsiUninitialize 0xdeadbeef
Sample size: 178688 bytes
Risk level = 1 (No threat detected)
--- snip ---
$ sha1sum amsiscanner.exe
257626250fd91de2f853758c3cccc8e5f5830113  amsiscanner.exe

$ du -sh amsiscanner.exe
176K    amsiscanner.exe

$ wine --version
wine-4.3-188-gab7756619c
Regards