Why does SYMAMSI.DLL inject into many Windows processes?


Article ID: 239903


Updated On:


Endpoint Protection, Endpoint Protection Cloud, Endpoint Protection for VDI


You notice that the SYMAMSI.DLL file seems to attach to or inject into many processes, such as SCCM, CCMEXEC, PowerShell, Regedit and others, on Windows 10 and Windows Server operating systems, or a peer asks you why this process injection occurs.


All versions of Windows 10
All versions of Windows Server from 2008 up to and including 2022


This is one of several hooks used to monitor OS-level operations for behavior monitoring. It helps protect against ransomware, zero-days and slow infectors, and assists with machine learning detections and tuning.

The DLL monitors various calls, which can help stop droppers from living-off-the-land attempts, memory hollowing, process jumping, etc., and keeps normal Windows operations from being hijacked or used to output malware code.


None. This is normal injection by SESC, SEP-cloud or SEP-Legacy, which inspect Windows processes for living off the land and other forms of system-level exploitation.
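
To see which processes currently have the DLL loaded and to confirm that the copy on disk carries a valid Authenticode signature, a check along these lines can be run. It is an added example, not part of the original article or of the product's own tooling, and it assumes an elevated PowerShell session on the endpoint.

```powershell
# Added example: list processes that have SYMAMSI.DLL loaded and check the
# signature of each distinct copy found on disk.
# Assumption: run elevated. Processes that cannot be opened are skipped, and a
# 64-bit session may not see modules loaded inside 32-bit processes.
$moduleName = 'symamsi.dll'

$hits = foreach ($proc in Get-Process) {
    try {
        $mods = $proc.Modules          # can throw for protected processes
    } catch {
        continue
    }
    foreach ($m in $mods) {
        if ($m.ModuleName -ieq $moduleName) {
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                Id          = $proc.Id
                Path        = $m.FileName
            }
        }
    }
}

if (-not $hits) {
    "No accessible process has $moduleName loaded."
} else {
    # One signature check per distinct file path, with the processes using it.
    $hits | Group-Object Path | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Name
        [pscustomobject]@{
            Path      = $_.Name
            Status    = $sig.Status                      # 'Valid' = signature verified
            Signer    = $sig.SignerCertificate.Subject   # empty if the file is unsigned
            Processes = ($_.Group.ProcessName | Sort-Object -Unique) -join ', '
        }
    } | Format-List
}
```

A single path with a `Valid` status and the vendor's signer is consistent with the normal behavior described above. More than one path, or a status other than `Valid`, is worth a closer look.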