When you want to check if a file is malicious, you usually right-click it and choose Scan with Microsoft Defender. That’s fine for everyday use, but what if you need to integrate malware scanning directly into your own application or analysis tools? In this post, I’ll show how to do that using AMSI – the Anti-Malware Scan Interface – and how this topic fits into your TrainSec learning journey.
AMSI (Anti-Malware Scan Interface) is a COM-based Windows interface that allows software to interact with the system’s installed security provider – such as Microsoft Defender, CrowdStrike, or SentinelOne. Developers and security researchers can send data or files to AMSI and receive a verdict indicating whether the content is safe, suspicious, or malicious.
In the demo I present here, I used C++ and the amsi.h API. The steps are straightforward:
- Initialize AMSI with AmsiInitialize.
- Open a scanning session with AmsiOpenSession.
- Read the target file into memory, commonly through file mapping for efficiency.
- Call AmsiScanBuffer to perform the scan.
- Evaluate the AMSI_RESULT to determine whether malware was detected.
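The five steps put together as an added example (my code, not the post's own demo): the verdict mapping builds anywhere, the file-mapping scan only builds on Windows with amsi.h, and the application name "TrainSecScanner" is an assumed placeholder.

```cpp
#include <cstdint>
#include <string>
#ifdef _WIN32
#include <windows.h>
#include <amsi.h>
#pragma comment(lib, "amsi.lib")
#else
// Values copied from amsi.h so the verdict mapping also builds off-Windows.
enum { AMSI_RESULT_CLEAN = 0, AMSI_RESULT_NOT_DETECTED = 1,
       AMSI_RESULT_BLOCKED_BY_ADMIN_START = 16384,
       AMSI_RESULT_BLOCKED_BY_ADMIN_END = 20479, AMSI_RESULT_DETECTED = 32768 };
#endif

// Map a raw AMSI_RESULT to a verdict. Values strictly between NOT_DETECTED and
// the admin-block range are a provider-specific risk estimate, not "clean".
std::string amsiVerdict(uint32_t r) {
    if (r == AMSI_RESULT_CLEAN) return "clean";
    if (r == AMSI_RESULT_NOT_DETECTED) return "not detected";
    if (r >= AMSI_RESULT_BLOCKED_BY_ADMIN_START && r <= AMSI_RESULT_BLOCKED_BY_ADMIN_END)
        return "blocked by admin policy";
    if (r >= AMSI_RESULT_DETECTED) return "malware";   // same test as AmsiResultIsMalware
    return "suspicious (risk level " + std::to_string(r) + ")";
}

#ifdef _WIN32
// Map the file read-only, hand the view to the installed provider, return the verdict.
std::string amsiScanFile(const wchar_t* path) {
    HANDLE hFile = CreateFileW(path, GENERIC_READ, FILE_SHARE_READ, nullptr,
                               OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, nullptr);
    if (hFile == INVALID_HANDLE_VALUE) return "error: open";
    DWORD size = GetFileSize(hFile, nullptr);          // AmsiScanBuffer takes a ULONG
    HANDLE hMap = CreateFileMappingW(hFile, nullptr, PAGE_READONLY, 0, 0, nullptr);
    void* view = hMap ? MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0) : nullptr;
    std::string verdict = view ? "error: amsi" : "error: map";
    if (view) {
        HAMSICONTEXT ctx = nullptr; HAMSISESSION session = nullptr; AMSI_RESULT res = AMSI_RESULT_CLEAN;
        if (SUCCEEDED(AmsiInitialize(L"TrainSecScanner", &ctx))) {   // assumed app name
            if (SUCCEEDED(AmsiOpenSession(ctx, &session))) {
                if (SUCCEEDED(AmsiScanBuffer(ctx, view, size, path, session, &res)))
                    verdict = amsiVerdict(res);
                AmsiCloseSession(ctx, session);
            }
            AmsiUninitialize(ctx);
        }
        UnmapViewOfFile(view);
    }
    if (hMap) CloseHandle(hMap);
    CloseHandle(hFile);
    return verdict;
}
#endif
```

Note that a result of 1 means only "nothing found today"; a later definition update can change it, which is why it is kept distinct from 0.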
You can also scan text or scripts (like PowerShell) using AmsiScanString, which is especially relevant in script-based threat detection exercises in TrainSec’s Malware Analysis and Development courses.
While debugging, you can observe which provider DLL AMSI loads. On my system, AMSI loaded Microsoft Defender’s core module. On other systems, it might load a third-party EDR provider. This behavior illustrates how AMSI acts as a universal security gateway in Windows – an important takeaway for students building custom security tools or researching detection evasion.
For testing, I scanned two examples:
- regedit.exe, which correctly returned “not malware.”
- MiniDrv.sys, a Mimikatz driver, which was detected as malicious by Defender.
This shows AMSI’s strength: it leverages the local security provider’s detection engine, letting you integrate professional-grade scanning capabilities into your own software or analysis workflows.
In the next lecture, we’ll move beyond the C API and explore the COM interface, which allows developers to enumerate registered providers and interact more flexibly with the AMSI infrastructure.
Keep Learning with TrainSec
This content is part of the free TrainSec Knowledge Library, where students can deepen their understanding of Windows internals, malware analysis, and reverse engineering. Subscribe for free and continue learning with us: https://trainsec.net/library