AMSI Protection Provider

AMSI Protection Provider is intended to support Antimalware Scan Interface from Microsoft. The Antimalware Scan Interface (AMSI) allows third-party applications with AMSI support to send objects (for example, PowerShell scripts) to Kaspersky Endpoint Security for an additional scan and then receive the results from scanning these objects. Third-party applications may include, for example, Microsoft Office applications (see the figure below). For details on AMSI refer to Microsoft documentation.

The AMSI Protection Provider can only detect a threat and notify a third-party application about the detected threat. Third-party application after receiving a notification of a threat does not allow to perform malicious actions (for example, terminates).

KES11_AMSI_Algorithm

AMSI operation example

AMSI Protection Provider may decline a request from a third-party application, for example, if this application exceeds maximum number of requests within a specified interval. Kaspersky Endpoint Security sends information about a rejected request from a third-party application to the Administration Server. The AMSI Protection Provider component does not reject requests from those third-party applications for which the Do not block interaction with AMSI Protection Provider check box is selected

The AMSI Protection Provider is available for the following operating systems for workstations and file servers:

See also: Managing the application via the local interface

Enabling and disabling the AMSI Protection Provider

Scanning compound files with the AMSI Protection Provider

Page top