
Why does SYMAMSI.DLL inject into many Windows processes?


Article ID: 239903


Products

Endpoint Protection, Endpoint Protection Cloud, Endpoint Protection for VDI

Issue/Introduction

You notice that the SYMAMSI.DLL file appears to attach to or inject into many processes, such as SCCM, CCMEXEC, PowerShell, Regedit and others, on Windows 10 and Windows Server operating systems, or a peer asks you why this process injection occurs.

Cause

This is one of several hooks used to monitor OS-level operations for behavior monitoring. It assists with protection from ransomware, zero-days and slow infectors, and feeds machine learning detections and tuning.

The DLL monitors various calls, which helps stop droppers, living-off-the-land attempts, memory hollowing, process jumping, etc., so that normal Windows operations are not hijacked or used to output malware code.

Environment

All versions of Windows 10
All versions of Windows Server 2008 up to and including 2022

Resolution

None. This is normal injection by SESC, SEP Cloud or SEP Legacy, which inspect Windows processes for living-off-the-land activity and other forms of system-level exploitation.
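To confirm that the injected copy is the product's own signed file rather than something else using the same name, the following PowerShell, added here as an example and not part of the article, lists every process with SYMAMSI.DLL loaded and reports each module's path and Authenticode signature (it assumes an elevated session, since non-elevated sessions cannot read other users' processes):

```powershell
# Added example (not from the original article): enumerate processes that have
# SYMAMSI.DLL loaded and report module path and Authenticode signer, so an
# administrator can verify the injected copy is the expected, signed product file.
# Assumes the DLL name from the article; run from an elevated PowerShell session.

$dllName = 'SYMAMSI.DLL'

$results = foreach ($proc in Get-Process) {
    try {
        $modules = $proc.Modules
    } catch {
        # Access denied (protected process) or 32/64-bit mismatch; skip it.
        continue
    }
    foreach ($m in $modules) {
        if ($m.ModuleName -ieq $dllName) {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                PID         = $proc.Id
                ModulePath  = $m.FileName
                SigStatus   = $sig.Status
                Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
    }
}

if (-not $results) {
    Write-Host "No running process currently has $dllName loaded."
    return
}

$results | Sort-Object ProcessName | Format-Table -AutoSize

# Two conditions merit a closer look rather than assuming product behaviour:
# a copy whose signature is not Valid, or copies loaded from more than one path.
$suspect = $results | Where-Object { $_.SigStatus -ne 'Valid' }
$paths   = $results | Select-Object -ExpandProperty ModulePath -Unique
if ($suspect -or $paths.Count -gt 1) {
    Write-Warning "$dllName copies with unexpected signature status or multiple load paths found; review ModulePath and Signer above."
} else {
    Write-Host "All loaded $dllName copies are validly signed and loaded from a single path: $paths"
}
```

The expected outcome on a healthy endpoint is a single path under the product's installation directory with a Valid signature status for every process listed.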