Circumventing the Antimalware Scan Interface (AMSI)
The Antimalware Scan Interface (AMSI) is a set of Windows APIs that lets any application integrate with an antivirus product, provided that the product registers itself as an AMSI provider. Windows Defender naturally functions as an AMSI provider, as do numerous third-party antivirus solutions.
AMSI functions as an intermediary between an application and an antivirus engine. Consider PowerShell as an example: before execution, PowerShell submits any code that a user attempts to run to AMSI. AMSI returns the engine's verdict, and if the antivirus engine identifies the content as malicious, PowerShell refuses to execute it. This addresses script-based malware that operates exclusively in memory and never touches the disk.
To obtain an AMSI instance, an application must load amsi.dll into its address space and invoke a sequence of AMSI APIs that are exported from that DLL. By tying PowerShell to a tool such...
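The integration sequence described above, as an added example that is not part of the original article: a PowerShell script that loads amsi.dll through P/Invoke and walks the same call chain an AMSI-aware application uses (AmsiInitialize, AmsiOpenSession, AmsiScanBuffer, AmsiCloseSession, AmsiUninitialize) to obtain a verdict on a buffer. The `AmsiNative` class, `Invoke-AmsiScan` and `ConvertTo-AmsiResultName` names are this example's own; the exported function signatures and the AMSI_RESULT values come from the public amsi.h header. It assumes a Windows host with a registered AMSI provider such as Microsoft Defender.

```powershell
# Added example, not the article's own code: call AMSI the way an integrating
# application does. Assumes Windows with an AMSI provider (e.g. Defender) registered.

$amsiSource = @"
using System;
using System.Runtime.InteropServices;

public static class AmsiNative
{
    // HRESULT AmsiInitialize(LPCWSTR appName, HAMSICONTEXT *amsiContext)
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiInitialize(string appName, out IntPtr amsiContext);

    // HRESULT AmsiOpenSession(HAMSICONTEXT amsiContext, HAMSISESSION *amsiSession)
    [DllImport("amsi.dll")]
    public static extern int AmsiOpenSession(IntPtr amsiContext, out IntPtr amsiSession);

    // HRESULT AmsiScanBuffer(HAMSICONTEXT, PVOID buffer, ULONG length,
    //                        LPCWSTR contentName, HAMSISESSION, AMSI_RESULT *result)
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiScanBuffer(IntPtr amsiContext, byte[] buffer, uint length,
        string contentName, IntPtr amsiSession, out int result);

    [DllImport("amsi.dll")]
    public static extern void AmsiCloseSession(IntPtr amsiContext, IntPtr amsiSession);

    [DllImport("amsi.dll")]
    public static extern void AmsiUninitialize(IntPtr amsiContext);
}
"@
Add-Type -TypeDefinition $amsiSource

# Map the AMSI_RESULT enumeration (values from amsi.h) to readable names.
function ConvertTo-AmsiResultName {
    param([int] $Result)
    if ($Result -eq 0)      { return 'AMSI_RESULT_CLEAN' }
    if ($Result -eq 1)      { return 'AMSI_RESULT_NOT_DETECTED' }
    if ($Result -ge 16384 -and $Result -le 20479) { return 'AMSI_RESULT_BLOCKED_BY_ADMIN' }
    if ($Result -ge 32768)  { return 'AMSI_RESULT_DETECTED' }   # 32768 and above are detections
    return "UNKNOWN_AMSI_RESULT($Result)"
}

# Scan a string exactly as a script host would hand it to AMSI and return the verdict.
function Invoke-AmsiScan {
    param(
        [Parameter(Mandatory)] [string] $Content,
        [string] $ContentName = 'AmsiDemoContent',   # label shown to the provider
        [string] $AppName     = 'AmsiDemoApp'        # name the provider sees as the caller
    )
    $ctx = [IntPtr]::Zero
    $hr = [AmsiNative]::AmsiInitialize($AppName, [ref] $ctx)
    if ($hr -ne 0) { throw ('AmsiInitialize failed: 0x{0:X8}' -f $hr) }
    try {
        $session = [IntPtr]::Zero
        $hr = [AmsiNative]::AmsiOpenSession($ctx, [ref] $session)
        if ($hr -ne 0) { throw ('AmsiOpenSession failed: 0x{0:X8}' -f $hr) }
        try {
            # Script hosts submit UTF-16 text, so encode the same way.
            $bytes  = [System.Text.Encoding]::Unicode.GetBytes($Content)
            $result = 0
            $hr = [AmsiNative]::AmsiScanBuffer($ctx, $bytes, [uint32] $bytes.Length,
                                               $ContentName, $session, [ref] $result)
            if ($hr -ne 0) { throw ('AmsiScanBuffer failed: 0x{0:X8}' -f $hr) }
            [pscustomobject] @{
                ContentName = $ContentName
                ResultCode  = $result
                ResultName  = ConvertTo-AmsiResultName $result
                IsMalware   = ($result -ge 32768)
            }
        }
        finally { [AmsiNative]::AmsiCloseSession($ctx, $session) }
    }
    finally { [AmsiNative]::AmsiUninitialize($ctx) }
}

# Constructed sample: a benign one-liner is expected to come back CLEAN or NOT_DETECTED.
Invoke-AmsiScan -Content 'Write-Output "hello from a harmless script"' -ContentName 'benign.ps1'
```

To see a detection, scan Microsoft's documented AMSI test sample string (`AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386`) by reading it from a text file, for example `Invoke-AmsiScan -Content (Get-Content .\sample.txt -Raw)`; pasting that string directly into the script or the command line would be submitted to AMSI by PowerShell itself and blocked before `Invoke-AmsiScan` ever runs, which is a useful demonstration of the behaviour the article describes. Note that the provider only scans what the host chooses to submit: anything an application fails to pass through this sequence is never seen by the engine.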