Friday, December 9, 2016

Consume Antimalware Scan Interface (AMSI) from C#

Windows 10 have a new mechanism that will allow software developers to integrate their applications with whatever antimalware programs exist on users’ computers.

The goal of the new Antimalware Scan Interface (AMSI) is to let applications send content to the locally installed antivirus product to be checked for malware.

No C# sample code is available in msdn. Here is the sample C# code to communicate with antimalware product installed in your machine. I used Windows Defender here.

  public enum AMSI_RESULT   
 3:   {   
 4:    AMSI_RESULT_CLEAN = 0,   
 6:    AMSI_RESULT_DETECTED = 32768   
 7:   }   
 9:   [DllImport("Amsi.dll", EntryPoint = "AmsiInitialize", CallingConvention = CallingConvention.StdCall)]   
 10:   public static extern int AmsiInitialize([MarshalAs(UnmanagedType.LPWStr)]string appName, out IntPtr amsiContext);   
 12:   [DllImport("Amsi.dll", EntryPoint = "AmsiUninitialize", CallingConvention = CallingConvention.StdCall)]   
 13:   public static extern void AmsiUninitialize(IntPtr amsiContext);   
 15:   [DllImport("Amsi.dll", EntryPoint = "AmsiOpenSession", CallingConvention = CallingConvention.StdCall)]   
 16:   public static extern int AmsiOpenSession(IntPtr amsiContext, out IntPtr session);   
 18:   [DllImport("Amsi.dll", EntryPoint = "AmsiCloseSession", CallingConvention = CallingConvention.StdCall)]   
 19:   public static extern void AmsiCloseSession(IntPtr amsiContext, IntPtr session);   
 21:   [DllImport("Amsi.dll", EntryPoint = "AmsiScanString", CallingConvention = CallingConvention.StdCall)]   
 22:   public static extern int AmsiScanString(IntPtr amsiContext, [InAttribute()] [MarshalAsAttribute(UnmanagedType.LPWStr)]string @string, [InAttribute()] [MarshalAsAttribute(UnmanagedType.LPWStr)]string contentName, IntPtr session, out AMSI_RESULT result);   
 23:   [DllImport("Amsi.dll", EntryPoint = "AmsiScanBuffer", CallingConvention = CallingConvention.StdCall)]   
 24:   public static extern int AmsiScanBuffer(IntPtr amsiContext, byte[] buffer, ulong length, string contentName, IntPtr session, out AMSI_RESULT result);   
 26:   //This method apparently exists on MSDN but not in AMSI.dll (version 4.9.10586.0)   
 27:   [DllImport("Amsi.dll", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall)]   
 28:   public static extern bool AmsiResultIsMalware(AMSI_RESULT result);   
 30:   private void CallAntimalwareScanInterface()   
 31:   {   
 32:    IntPtr amsiContext;   
 33:    IntPtr session;   
 34:    AMSI_RESULT result = 0;   
 35:    int returnValue;   
 37:    returnValue = AmsiInitialize("VirusScanAPI", out amsiContext); //appName is the name of the application consuming the Amsi.dll. Here my project name is VirusScanAPI.   
 38:    returnValue = AmsiOpenSession(amsiContext, out session);   
 39:    returnValue = AmsiScanString(amsiContext, @"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*", "EICAR", session, out result); //I've used EICAR test string.   
 40:    AmsiCloseSession(amsiContext, session);   
 41:    AmsiUninitialize(amsiContext);   
 42:   }   

DLLImport entry for Amsi.dll win32 APIs can be found here.

Happy coding!



  1. I am using "AmsiScanBuffer" method. This is working file for unzipped files. But not working if i am scanning a stream of a zip file which contains EICAR sample virus file. Please suggest if need to handle zip files differently.

  2. The postings on your site are always excellent. Thanks for the great share and keep up this great work!
    Get Free anti malware tool.