Applies to Sophos Home running on Windows 10 computers.
This article describes the Sophos AMSI Protection feature, which is included for Sophos Home Windows 10 users.
- What is Sophos AMSI Protection?
- Does it protect against packed/encoded/encrypted scripts built in just-in-time memory?
- What data is collected by the Sophos Antimalware Scan Interface (AMSI) Protection?
- How can I test Sophos AMSI Protection?
- How can I add Sophos AMSI Protection exclusions or disable AMSI?
What is Sophos AMSI Protection?
Sophos AMSI Protection allows Sophos Home to protect against scripting attacks that hide themselves through obfuscation, encryption, or by running directly in memory. It achieves this by integrating with the Windows 10 Antimalware Scan Interface (AMSI).
Sophos AMSI Protection registers with Windows as an AMSI provider, so every application that integrates with the Windows 10 AMSI interface (PowerShell is the one exercised by the test below) submits content to Sophos for scanning just before it runs, whatever type of data that application provides.
Does Sophos AMSI Protection detect packed/encoded/encrypted scripts that will be built just-in-time in memory?
AMSI Protection checks whether scripts are safe to run, even if they are obfuscated or only generated at runtime, because the application hands AMSI the final, de-obfuscated content at the point of execution rather than the file as stored on disk. The same check applies to code loaded from sources other than the local disk (for example, downloaded over the network) before it is executed from memory.
What data is collected by the Sophos Antimalware Scan Interface (AMSI) Protection?
Please refer to KB134333 What data is collected by the Sophos Antimalware Scan Interface (AMSI) Protection?
Test AMSI Protection functionality
Sophos AMSI Protection functionality can be tested using the EICAR test string, executed through PowerShell. The EICAR test string is not a virus; it is an industry-standard detection test. Sophos AMSI Protection will report its presence as AMSI/Eicar-A2. Here are the steps to test it:
- Open Notepad and copy the following Base64-encoded test script into a new document (note that the blob is not the EICAR string itself; it decodes to a short PowerShell script that fetches the EICAR test page from http://sophostest.com/eicar/index.html, so the test needs Internet access and nothing matching the EICAR string is ever written to disk):
iex([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHJlc3AgPSBJbnZva2UtV2ViUmVxdWVzdCAtVXJpICdodHRwOi8vc29waG9zdGVzdC5jb20vZWljYXIvaW5kZXguaHRtbCcKJGVpY2FyID0gW0NvbnZlcnRdOjpUb0Jhc2U2NFN0cmluZyhbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldEJ5dGVzKCRyZXNwKSkKSUVYICdXcml0ZS1Ib3N0KFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkZWljYXIpKSkn')))
- Save the document as Eicar.ps1.
- Launch a PowerShell prompt (Start > Run > powershell), change to the folder containing the file, and run it, bypassing the execution policy for this invocation only: powershell -ExecutionPolicy Bypass -File .\Eicar.ps1
- The script calls Invoke-Expression, which accepts a string and runs it as code. This decodes the Base64 blob, downloads the EICAR content from sophostest.com, and passes the downloaded content through Invoke-Expression again, so the detection comes from the AMSI scan of the script text at run time, not from the on-access file scanner.
- Sophos AMSI Protection will block the execution and display a Toast notification to the user.
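The Sophos test above depends on Internet access. As an added example that is not part of the Sophos article, the script below exercises the same point made in the section on runtime-generated scripts: the EICAR string is assembled only in memory and then wrapped in Base64 before Invoke-Expression sees it, so the .ps1 on disk never contains the full string and any detection has to come from AMSI scanning the assembled text. It assumes PowerShell 5.1 or later with an AMSI provider registered, and that a block surfaces as a ParseException whose FullyQualifiedErrorId begins with ScriptContainedMaliciousContent; the function name Test-AmsiWithEicar is my own.

```powershell
# Added example, not Sophos' own test script: an offline AMSI check that
# builds the EICAR test string only at run time, so the file on disk never
# holds the full string and the detection, if any, must come from the AMSI
# scan of the assembled script text rather than from the on-access scanner.
#
# Assumptions (not stated on the page): PowerShell 5.1 or later with an AMSI
# provider registered; a block is raised as a ParseException whose
# FullyQualifiedErrorId starts with 'ScriptContainedMaliciousContent'.

function Test-AmsiWithEicar {
    # The 68-byte EICAR string split in two; neither half is the signature.
    # (Constructed input; the full string is deliberately not written here.)
    $head = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EI'
    $tail = 'CAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

    # Assemble the script text in memory, then obfuscate it with Base64 so
    # the shape mirrors the Sophos test: what AMSI must catch is the decoded
    # text that Invoke-Expression is about to run.
    $payload = "Write-Host '" + $head + $tail + "'"
    $encoded = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($payload))

    try {
        # AMSI is handed the decoded, de-obfuscated text at this point.
        Invoke-Expression ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($encoded)))
        Write-Warning 'Not blocked: the EICAR string was echoed. Check that AMSI Protection is enabled.'
        return $false
    }
    catch [System.Management.Automation.ParseException] {
        # PowerShell reports AMSI blocks as a parse error on the script text.
        if ($_.FullyQualifiedErrorId -like 'ScriptContainedMaliciousContent*') {
            Write-Host "Blocked by AMSI: $($_.Exception.Message)"
            return $true
        }
        throw
    }
}

# Usage: powershell -ExecutionPolicy Bypass -File .\Test-Amsi.ps1
$blocked = Test-AmsiWithEicar
```

On a machine with Sophos AMSI Protection enabled the function returns $true and the same AMSI/Eicar-A2 detection described above appears in the Sophos Home Dashboard; with AMSI Protection disabled (see the next section) the string is simply echoed and the function returns $false, which is a quick way to confirm that a given machine's protection state is what the Dashboard says it is.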
Enable or Disable AMSI Protection
Sophos AMSI Protection can be disabled via the Sophos Home Dashboard > Desired computer > PROTECTION > General.
Click on the blue slider to turn it off (it switches to gray). Note that while it is off, scripts are no longer submitted to Sophos for scanning before they run, so the EICAR test above will not be blocked.
To action detections and allow them to run (at your own discretion):
1) Access your Sophos Home Dashboard
2) Locate the AMSI detection under your computer's activity and click Show Advanced Options
3) Click Did we get this wrong --> Allow
4) A popup will appear, asking for confirmation
5) Click Allow and re-try running your script/application.
If you believe a file was incorrectly detected, you may submit a sample to Sophos for review