
Update Test-ExchAVExclusions.ps1 - Add AMSI detection #2280

Open · wants to merge 1 commit into base: main

Conversation

Ardasar
Contributor

@Ardasar Ardasar commented Feb 10, 2025

Issue:
As you know, AMSI DLL injection can occur in several ways in different antiviruses. By default, we believe that AMSI libraries should be injected using a supported approach (like AMSI providers, etc.).

However, many antiviruses make injections bypassing the standard approach.

The current version of the script does not allow engineers to determine whether the AMSI library was added as a legitimate provider or whether the antivirus simply scans the process (makes an injection) using the same library (very common).

Reason:
When analyzing connectivity/performance issues, it is important to understand how exactly the antivirus is integrated into the w3wp processes (supported/unsupported way).

Fix:
The script will show the currently injected AMSI DLLs and the provider settings on the server.
At the moment, the script only outputs the data to a file, but at the end of the script several commented lines have been added that will allow the information to be output to the screen as well.
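The check the PR describes, as an added example that is not code from the PR or from the CSS-Exchange project: it reads the AMSI provider registrations from the registry, resolves each CLSID to its DLL, then walks the modules loaded into every w3wp.exe and marks which AMSI-related DLLs correspond to a registered provider and which are present without one. It assumes it runs elevated on the Exchange server and that w3wp.exe processes are running; the `*amsi*` name match is a heuristic of this example.

```powershell
# Added example, not part of the PR. Assumes an elevated session on the Exchange server.

function Get-RegisteredAmsiProvider {
    # AMSI providers are registered as CLSID subkeys; InprocServer32 names the DLL.
    $providerRoot = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path $providerRoot)) { return @() }
    Get-ChildItem -Path $providerRoot | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $server) { (Get-ItemProperty -Path $server).'(default)' } else { $null }
        [pscustomobject]@{ CLSID = $clsid; Dll = $dll }
    }
}

function Get-W3wpAmsiModule {
    param([string[]]$ProviderDll)
    # Expand environment variables and lower-case so the comparison is purely path based.
    $known = @($ProviderDll | Where-Object { $_ } | ForEach-Object {
        [Environment]::ExpandEnvironmentVariables($_).ToLowerInvariant() })
    foreach ($proc in Get-Process -Name w3wp -ErrorAction SilentlyContinue) {
        foreach ($mod in $proc.Modules) {
            if (-not $mod.FileName) { continue }
            $path       = $mod.FileName.ToLowerInvariant()
            $isRuntime  = $mod.ModuleName -ieq 'amsi.dll'
            $isProvider = $known -contains $path
            # Report the AMSI runtime, every registered provider DLL that is loaded, and
            # (heuristic) any other module whose path mentions AMSI; the last group with
            # RegisteredProvider = $false is what the PR wants engineers to be able to see.
            if ($isRuntime -or $isProvider -or $path -like '*amsi*') {
                [pscustomobject]@{
                    PID                = $proc.Id
                    Module             = $mod.ModuleName
                    Path               = $mod.FileName
                    RegisteredProvider = $isProvider
                }
            }
        }
    }
}

$providers = Get-RegisteredAmsiProvider
"Registered AMSI providers:"; $providers | Format-Table -AutoSize
"AMSI-related modules loaded in w3wp.exe:"
Get-W3wpAmsiModule -ProviderDll $providers.Dll | Sort-Object PID, Module | Format-Table -AutoSize
```

A module listed with `RegisteredProvider` equal to `$false` is loaded into the worker process without a provider registration, which is the unsupported integration the PR description distinguishes from a proper AMSI provider.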

@Ardasar Ardasar requested a review from a team as a code owner February 10, 2025 12:33
@Ardasar
Contributor Author

Ardasar commented Feb 10, 2025

@microsoft-github-policy-service agree company="Microsoft"

@dpaulson45
Member

@iserrano76 please review and let's determine if we should be displaying the information or not.

@dpaulson45
Member

/azp run


Azure Pipelines successfully started running 1 pipeline(s).

@dpaulson45
Member

[image attachment]

@iserrano76
Contributor

It is an interesting solution, but I want to clarify a few things about this:

First one, we have another script that verifies AMSI, Test-AMSI
https://microsoft.github.io/CSS-Exchange/Admin/Test-AMSI/
It includes verifications for AMSI registry keys and many more things. I don't know if maybe we are mixing things or if it is better in this tool.

Second one, I think the main purpose of this script is to highlight any 3rd party product; that will help support to point out that something outside of Microsoft is there, including if it is an AMSI module correctly configured.

Lastly, with this method we are going to need a list of 3rd party products that have AMSI integration:

[image attachment]

How are we going to maintain a list of products that we do not know and that could change constantly? If a 3rd party product is not in the list, it is not going to appear.
We have the risk of transforming this script into a management nightmare.

What do you think?

@dpaulson45
Member

Yeah, I think this script should just call out anything that isn't an out-of-the-box default that is loaded into our process.

We should include information about the AMSI stuff from the registry to know if this is related to that, but I think that is all that we should be doing.
