你的AMSI可能是废的（）

神代すみれ

前情提要：我在调试自己的游戏机时，意外发现事件管理器有这么几段。

1. Code Integrity determined that a process (\Device\HarddiskVolume3\ProgramData\Microsoft\Windows Defender\Platform\4.18.24090.11-0\MpCmdRun.exe) attempted to load \Device\HarddiskVolume3\Program Files\Malwarebytes\Anti-Malware\mbamsi64.dll that did not meet the Microsoft signing level requirements.

复制代码

1. Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Malwarebytes\Anti-Malware\mbamsi64.dll that did not meet the Microsoft signing level requirements.

复制代码

我本以为只是Malwarebytes一家的问题，但是问了一下别人，似乎这不是一家两家的问题。

因此请去事件管理器里找找你的安全软件的AMSI组件是不是也因为不符合代码完整性策略要求被毙了。

ELOHIM

1. 映像名称                       PID 模块
   
2. ========================= ======== ============================================
   
3. NVDisplay.Container.exe       2368 amsi.dll
   
4. AppHelperCap.exe              2932 amsi.dll
   
5. DiagsCap.exe                  2948 amsi.dll
   
6. SysInfoCap.exe                3040 amsi.dll
   
7. svchost.exe                   3440 amsi.dll
   
8. XtuService.exe                4876 amsi.dll
   
9. NVDisplay.Container.exe       7000 amsi.dll
   
10. WeChat.exe                   12320 amsi.dll
    
11. VirtualBox.exe               14768 amsi.dll
    
12. VBoxSVC.exe                  14236 amsi.dll
    
13. VBoxSDS.exe                   8452 amsi.dll
    
14. VirtualBoxVM.exe              3768 amsi.dll
    
15. powershell.exe               15492 amsi.dll
    
16. tasklist.exe                  5892 amsi.dll

复制代码

If you have a non-Microsoft antimalware service that's Windows Protected Process Light (PPL) or Antimalware Protected Process Light (Anti-malware PPL) that tries to load in an AMSI provider, you might see the following information in the Code Integrity event log:

1. Log Name: Microsoft-Windows-CodeIntegrity/Operational
   
2. 
   
3. Source: Microsoft-Windows-CodeIntegrity
   
4. 
   
5. Event ID: 3033
   
6. 
   
7. Description:
   
8. 
   
9. Code Integrity determined that a process (\Device\HarddiskVolume3\<Folder>\<Folder w/ the ISV name>\<Folder w/ the product name>\<ProcessName>.exe) attempted to load \Device\HarddiskVolume3\<Folder>\<Folder w/ the ISV name>\<Folder w/ the product name>\<Your Amsi Provider>.dll that did not meet the Custom 3 / Antimalware signing level requirements.

复制代码

To view the Code Integrity event log, follow these steps:

Open Event Viewer.

In the navigation pane, expand Applications and Services Logs > Microsoft > Windows > Code Integrity, and then select Operational.

Or if you have System Audit Integrity auditing enabled, look for this:

Log Name: Security
Source: Microsoft Windows Security
Event ID: 5038

ANY.LNK

MDAV，本机器，自此机器购买以来，暂未记录此种情况






或许是不能注入特定进程……？

Eunismal

这下尴尬了

zfc234

Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\fs protection\TOTAL\epp\Endpoint Protection SDK\amsi\x64\avamsi.dll because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

驭龙

卡巴没问题，AMSI组件正常运行在24H2系统上

King、暮光

Eunismal 发表于 2024-11-15 11:08
这下尴尬了

楼主写的事件ID不是3004吗？您这为什么搜的是3033

Eunismal

King、暮光 发表于 2024-11-15 16:45
楼主写的事件ID不是3004吗？您这为什么搜的是3033

我没搜，打开看到报错的就全是3033的，我也没注意看楼主的ID

blackmonster233

卡巴21.19  win11 23H2 22635.4445

awsl10000次

额，所以可不可以理解为，这些杀软在自己的amsi组件失效的情况下并没有提醒用户