Following on from the McAfee Protects against suspicious email attachments blog, this blog describes how the AMSI (Antimalware Scan Interface) is used within the various McAfee Endpoint products. The AMSI scanner within McAfee ENS 10.6 has already detected over 650,000 pieces of Malware since the start of 2019. This blog will help show you how to enable it, and explain why it should be enabled, by highlighting some of the malware we are able to detect with it.
ENS 10.6 and Above
The AMSI scanner will scan scripts once they have been executed. This enables the scanner to de-obfuscate the script and scan it using DAT content. This is useful as the original scripts can be heavily obfuscated and are difficult to generically detect, as shown in the image below:
Figure 1 – Obfuscated VBS script being de-obfuscated with AMSI
Enable the Scanner
By default, the AMSI scanner is set to observe mode. This means that the scanner is running but it will not block any detected scripts; instead it will appear in the ENS log and event viewer as show below:
Figure 2 – Would Block in the Event log
To actively block the detected threats, you need to de-select the following option in the ENS settings:
Figure 3 – How to enable Blocking
Once this has been done, the event log will show that the malicious script has now been blocked:
Figure 4 – Action Blocked in Event Log
In the Wild
Since January 2019, we have observed over 650,000 detections and this is shown in the IP Geo Map below:
Figure 5 – Geo Map of all AMSI detection since January 2019
We are now able to block some of the most prevalent threats with AMSI. These include PowerMiner, Fileless MimiKatz and JS downloader families such as JS/Nemucod.
The section below describes how these families operate, and their infection spread across the globe.
The PowerMiner malware is a cryptocurrency malware whose purpose is to infect as many machines as possible to mine Monero currency. The initial infection vector is via phishing emails which contain a batch file. Once executed, this batch file will download a malicious PowerShell script which will then begin the infection process.
The infection flow is shown in the graph below:
Figure 6 – Infection flow of PowerMiner
With the AMSI scanner, we can detect the malicious PowerShell script and stop the infection from occurring. The Geo IP Map below shows how this malware has spread across the globe:
Figure 7 – Geo Map of PS/PowerMiner!ams detection since January 2019
McAfee Detects PowerMiner as PS/PowerMiner!ams.a.
Mimikatz is a tool which enables the extraction of passwords from the Windows LSASS. Mimikatz was previously used as a standalone tool, however malicious scripts have been created which download Mimikatz into memory and then execute it without it ever being downloaded to the local disk. An example of a fileless Mimikatz script is shown below (note: this can be heavily obfuscated):
Figure 8 – Fileless Mimikatz PowerShell script
The Geo IP Map below shows how fileless Mimikatz has spread across the globe:
Figure 9 – Geo IP Map of PS/Mimikatz detection since January 2019
McAfee can detect this malicious script as PS/Mimikatz.a, PS/Mimikatz.b, PS/Mimikatz.c.
Figure 10 – Infection flow of Js/Downloader
Figure 11 – Example phishing email distributing JS/Downloader
Below is the IP Geo Map of AMSI JS/Downloader detections since January 2019:
Figure 12 – Geo Map of AMSI-FAJ detection since January 2019
The AMSI scanner detects this threat as AMSI-FAJ.
MVISION Endpoint and ENS 10.7
MVISION Endpoint and ENS 10.7 (Not currently released) will use Real Protect Machine Learning to detect PowerShell AMSI generated content.
This is done by extracting features from the AMSI buffers and running these against the ML classifier to decide if the script is malicious or not. An example of this is shown below:
Thanks to this detection technique, MVISION EndPoint can detect Zero-Day PowerShell threats.
We hope that this blog has helped highlight why enabling AMSI is important and how it will help keep your environments safe.
We recommend our customers who are using ENS 10.6 on a Windows 10 environment enable AMSI in ‘Block’ mode so that when a malicious script is detected it will be terminated. This will protect Endpoints from the threats mentioned in this blog, as well as countless others.
Customers using MVISION EndPoint are protected by default and do not need to enable ‘Block’ mode.
We also recommend reading McAfee Protects against suspicious email attachments which will help protect you against malware being spread via email, such as the JS/Downloaders described in this blog.
All testing was performed with the V3 DAT package 3637.0 which contains the latest AMSI Signatures. Signatures are being added to the V3 DAT package daily, so we recommend our customers always use the latest ones.