I want to scan for malware content directly in memory files and I want to know which is the best way to do it.
I’m in charge with the improvement of the website security policy for our web applications that were developed in .net core and Angular
I read the OWASP recommendations and one of them was to scan the files for malware I’ve identified two ways of scanning the files: calling a third party API from cloud or calling AMSI interface. Calling a third party over the internet is not an option for me because the client wants the verification to be done on-premise.
What is AMSI:
The Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product that's present on a machine. AMSI provides enhanced malware protection for your end-users and their data, applications, and workloads. The Windows AMSI interface is open. Which means that any application can call it; and any registered Antimalware engine can process the content submitted to it.
I opted for calling AMSI interface from .net core to analyze the http requests for malware content but my tests are not working on some servers where Symantec endpoint protection is installed as an Antivirus provider and subscriber to AMSI. AMSI seems to be bypassed.
When I test a call to AMSI with an eicar standard content, AMSI returns the result as if there is no detected malware even if I had a post with malware content. That is why it seems that AMSI is being bypassed.
Do you know what I could do to fix it? Why is it that the AMSI is being bypassed? What should I check or take into consideration?
Would it be better to develop a windows service that scans the files from a queue and runs a .bat in order to give commands to the antivirus programs to scan the files? Is there any third party web api that can be installed on premise?
