{
	"id": "bf7e7f27-6082-490a-9dfb-9fbad21dc2da",
	"created_at": "2026-04-06T00:06:51.578287Z",
	"updated_at": "2026-04-10T03:20:48.747643Z",
	"deleted_at": null,
	"sha1_hash": "09c31dc5eec6b1c93ef912227d25f326212e8705",
	"title": "Antimalware Scan Interface (AMSI) - Win32 apps",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 36674,
	"plain_text": "Antimalware Scan Interface (AMSI) - Win32 apps\r\nBy GrantMeStrength\r\nArchived: 2026-04-05 13:26:53 UTC\r\nPurpose\r\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications\r\nand services to integrate with any antimalware product that's present on a machine. AMSI provides enhanced\r\nmalware protection for your end-users and their data, applications, and workloads.\r\nAMSI is agnostic of antimalware vendor; it's designed to allow for the most common malware scanning and\r\nprotection techniques provided by today's antimalware products that can be integrated into applications. It\r\nsupports a calling structure allowing for file and memory or stream scanning, content source URL/IP reputation\r\nchecks, and other techniques.\r\nAMSI also supports the notion of a session so that antimalware vendors can correlate different scan requests. For\r\ninstance, the different fragments of a malicious payload can be associated to reach a more informed decision,\r\nwhich would be much harder to reach just by looking at those fragments in isolation.\r\nWindows components that integrate with AMSI\r\nThe AMSI feature is integrated into these components of Windows 10.\r\nUser Account Control, or UAC (elevation of EXE, COM, MSI, or ActiveX installation)\r\nPowerShell (scripts, interactive use, and dynamic code evaluation)\r\nWindows Script Host (wscript.exe and cscript.exe)\r\nJavaScript and VBScript\r\nOffice VBA macros\r\nDeveloper audience, and sample code\r\nThe Antimalware Scan Interface is designed for use by two groups of developers.\r\nApplication developers who want to make requests to antimalware products from within their apps.\r\nThird-party creators of antimalware products who want their products to offer the best features to\r\napplications.\r\nFor more information, see Developer audience, and sample code.\r\nNote\r\nIn Windows 10, version 1903 and later, if your AMSI provider DLL is not Authenticode-signed, then it may not be\r\nloaded (depending on how the host machine is configured). For full details, see IAntimalwareProvider interface.\r\nhttps://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal\r\nPage 1 of 2\n\nIn this section\r\nThe following topics provide information about AMSI and how to use it in your applications:\r\nRelated content\r\nIAntimalwareProvider interface\r\nSource: https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal\r\nhttps://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal"
	],
	"report_names": [
		"antimalware-scan-interface-portal"
	],
	"threat_actors": [],
	"ts_created_at": 1775434011,
	"ts_updated_at": 1775791248,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/09c31dc5eec6b1c93ef912227d25f326212e8705.pdf",
		"text": "https://archive.orkl.eu/09c31dc5eec6b1c93ef912227d25f326212e8705.txt",
		"img": "https://archive.orkl.eu/09c31dc5eec6b1c93ef912227d25f326212e8705.jpg"
	}
}