Disable AMSI (Antimalware Scan Interface) and/or command-line scanning due to false positive detections
Article ID: 188735

Products

Endpoint Protection

Issue/Introduction

In an emergency where false positive mitigation is required for the AMSI (Antimalware Scan Interface) and/or command-line scanning features, use the following steps to disable those features.

Environment

SEP 14.3

Resolution

Caution: Before you begin, you should make a backup of the Windows Registry. See the Microsoft article Back up the registry.

Note: You must disable the Tamper Protection feature before you follow this process. If you do not disable Tamper Protection, it will block the required registry key modifications. To disable Tamper Protection, see the following article: Disable Tamper Protection.

To disable AMSI and/or command-line scanning via the Windows Registry

  1. Open Regedit and navigate to the following Windows registry key:

     - On 32-bit computers:
       HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan

     - On 64-bit computers (14.3 RU4 or earlier clients):
       HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan

     - On 64-bit computers (14.3 RU5 or later clients):
       HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan

  2. Create a new DWORD value, as shown, for each feature you wish to disable:

     - AMSIEnabled = 0x00000000
     - CommandLineScanEnabled = 0x00000000

  The settings take effect immediately after the values are added. Neither the computer nor SEP needs to be restarted.


To re-enable AMSI and/or command-line scanning via the Windows Registry

  1. Open Regedit and navigate to the following Windows registry key:

     - On 32-bit computers:
       HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan

     - On 64-bit computers (14.3 RU4 or earlier clients):
       HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan

     - On 64-bit computers (14.3 RU5 or later clients):
       HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan

  2. Delete the DWORD value associated with each feature you wish to re-enable:

     - AMSIEnabled
     - CommandLineScanEnabled

  The settings take effect immediately after the values are removed. Neither the computer nor SEP needs to be restarted.
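Because a leftover AMSIEnabled or CommandLineScanEnabled value silently leaves an endpoint without AMSI or command-line scanning, it is worth being able to audit for these overrides and to remove them once the false positive has been resolved. The following PowerShell script is an added example, not Broadcom/Symantec code: it checks both key locations listed above, reports whether each override value is present and what it is set to, and with -Restore performs the re-enable procedure by deleting the values it finds. The key paths and value names are taken from this article; the function names (Get-SepScanOverrideState, Remove-SepScanOverride) and the -Restore parameter are this example's own. It must run from an elevated PowerShell session, and the removal step only succeeds after Tamper Protection has been disabled as described in the note above.

```powershell
<#
  Added example (not Broadcom/Symantec code). Audits the SEP RealTimeScan override
  values described in the article and, with -Restore, deletes them to re-enable
  AMSI and command-line scanning. Key paths and value names come from the article;
  function and parameter names are this example's own assumptions.
#>
[CmdletBinding()]
param(
    [switch]$Restore   # delete any override values found instead of only reporting them
)

# Both key locations the article lists. 64-bit hosts on 14.3 RU4 or earlier use the
# WOW6432Node path; 32-bit hosts and 64-bit hosts on 14.3 RU5 or later use the native path.
$script:CandidateKeys = @(
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan',
    'HKLM:\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan'
)
$script:OverrideValues = @('AMSIEnabled', 'CommandLineScanEnabled')

function Get-SepScanOverrideState {
    # Emits one record per (key, value) pair for every candidate key present on this host.
    foreach ($key in $script:CandidateKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($name in $script:OverrideValues) {
            $present = $props.PSObject.Properties.Name -contains $name
            $data = if ($present) { [int]$props.$name } else { $null }
            [pscustomobject]@{
                Key     = $key
                Value   = $name
                Present = $present
                Data    = $data
                # Per the article, the feature is active when the value is absent or set to 1.
                Enabled = (-not $present) -or ($data -ne 0)
            }
        }
    }
}

function Remove-SepScanOverride {
    # The article's re-enable step 2: delete the override value so the feature comes back.
    param([Parameter(Mandatory)][object[]]$State)
    foreach ($entry in ($State | Where-Object { $_.Present })) {
        try {
            Remove-ItemProperty -LiteralPath $entry.Key -Name $entry.Value -ErrorAction Stop
            Write-Output "Removed $($entry.Value) from $($entry.Key)"
        } catch {
            # Typical causes: Tamper Protection still enabled, or the session is not elevated.
            Write-Warning "Could not remove $($entry.Value) from $($entry.Key): $($_.Exception.Message)"
        }
    }
}

$state = @(Get-SepScanOverrideState)
if ($state.Count -eq 0) {
    Write-Warning 'No SEP RealTimeScan key found under either path; is SEP 14.3 installed on this host?'
    return
}

$state | Format-Table Key, Value, Present, Data, Enabled -AutoSize

$disabled = @($state | Where-Object { -not $_.Enabled })
if ($disabled.Count -gt 0) {
    Write-Warning ('Scanning overrides present: ' + (($disabled | ForEach-Object { $_.Value }) -join ', '))
    if ($Restore) { Remove-SepScanOverride -State $disabled }
} else {
    Write-Output 'AMSI and command-line scanning are not overridden in the registry.'
}
```

Run it without parameters to get a table of the override state on the endpoint, and rerun with -Restore after Tamper Protection has been disabled to delete any values found. The audit half can also be pushed out through your normal management tooling to confirm that an emergency override was not left behind on hosts after the false positive was fixed.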


Do we have a supported way to test AMSI is enabled and working?

You may use the following commands to test the SEP AMSI and command-line scan components:

    • powershell -command "& {write-output 'Am I evil? Yes I am!!'}"

      Will be detected only if the registry value AMSIEnabled = 1 or is absent.

    • cmd /C ECHO Am I evil? Yes I am!!

      Will be detected only if the registry value CommandLineScanEnabled = 1 or is absent.

AMSI tests are vendor-specific; for example, the PowerShell test above will trigger SEP AMSI but will not trigger Windows Defender, and the Microsoft test from https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps will trigger Windows Defender but not SEP:

    • powershell "Invoke-Expression (Invoke-WebRequest http://pastebin.com/raw.php?i=JHhnFV8m)"