URL: https://support.home.sophos.com/hc/en-us/articles/360049430472-Sophos-Home-Sophos-Antimalware-Scan-Interface-AMSI-FAQ

SOPHOS HOME - SOPHOS ANTIMALWARE SCAN INTERFACE (AMSI) - FAQ

Sophos Home Support (updated 23 days ago)

Applies to Sophos Home running on Windows 10 computers.

This article describes the Sophos AMSI Protection feature, which is included for
Sophos Home users on Windows 10.

 * What is Sophos AMSI Protection?
 * Does it protect against packed/encoded/encrypted scripts built in
   just-in-time memory?
 * What data is collected by the Sophos Antimalware Scan Interface (AMSI)
   Protection?
 * How can I test Sophos AMSI Protection?
 * How can I add Sophos AMSI Protection exclusions or disable AMSI?


WHAT IS SOPHOS AMSI PROTECTION?

Sophos AMSI Protection allows Sophos Home to protect against scripting attacks
that hide themselves through obfuscation, encryption, or by running directly in
memory. It achieves this by integrating with the Windows 10 Antimalware Scan
Interface (AMSI).

Sophos AMSI Protection provides malware scanning and protection to every
application that integrates with the Windows 10 AMSI interface, scanning
whatever data those applications submit for inspection (script text, decoded
buffers and similar content) before it runs.


DOES SOPHOS AMSI PROTECTION DETECT PACKED/ENCODED/ENCRYPTED SCRIPTS THAT WILL BE
BUILT JUST-IN-TIME IN MEMORY?

AMSI Protection checks whether scripts are safe to run, even if they are
obfuscated or only generated at runtime, because the content is inspected at the
point where the script engine is about to execute it. The same checks apply to
code that is loaded from sources other than the local disk before it is executed
from memory.


WHAT DATA IS COLLECTED BY THE SOPHOS ANTIMALWARE SCAN INTERFACE (AMSI)
PROTECTION?

Please refer to KB134333 What data is collected by the Sophos Antimalware Scan
Interface (AMSI) Protection?


TEST AMSI PROTECTION FUNCTIONALITY

Sophos AMSI Protection functionality can be tested using the EICAR test string,
executed through PowerShell. The EICAR test string is not a virus; it is an
industry-standard detection test. Sophos AMSI Protection will report its
presence as AMSI/Eicar-A2. Here are the steps to test it:

 1. Open Notepad and copy the following Base64-encoded EICAR test script into a
    new document:

    iex([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHJlc3AgPSBJbnZva2UtV2ViUmVxdWVzdCAtVXJpICdodHRwOi8vc29waG9zdGVzdC5jb20vZWljYXIvaW5kZXguaHRtbCcKJGVpY2FyID0gW0NvbnZlcnRdOjpUb0Jhc2U2NFN0cmluZyhbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldEJ5dGVzKCRyZXNwKSkKSUVYICdXcml0ZS1Ib3N0KFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkZWljYXIpKSkn')))

 2. Save the document as Eicar.ps1
 3. Launch a PowerShell command prompt (Start > Run > Powershell) and execute
    Eicar.ps1:

    powershell -ExecutionPolicy ByPass .\eicar.ps1

 4. The script calls the Invoke-Expression (iex) cmdlet, which accepts a string
    and executes it as code. This decodes the Base64-encoded version of the
    EICAR test string at runtime and executes it, so nothing recognisable as
    EICAR is ever written to disk; the detection has to happen in memory, via
    AMSI.
 5. Sophos AMSI Protection will block the execution and display a Toast message
    to the user.
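Two defender-side checks that go with the test above, written here as an added example (it is not part of the Sophos article and not Sophos code): it lists the AMSI providers registered on the machine, then runs a script and reports whether the run ended in an AMSI block. The provider registry location and the ScriptContainedMaliciousContent error id are standard Windows/PowerShell behaviour; $scriptPath is assumed to point at the Eicar.ps1 created in step 2, and the session is assumed to have the same ExecutionPolicy bypass as step 3.

```powershell
# Added example, not from the Sophos article. Defender-side checks around the EICAR
# AMSI test: enumerate registered AMSI providers, then run the test script and
# classify the outcome. Assumes Windows 10 and a PowerShell session allowed to run
# local scripts (see step 3 above).

function Get-AmsiProvider {
    # Each subkey under Providers is the CLSID of a registered AMSI provider DLL;
    # the provider's friendly name is the CLSID key's default value under Classes.
    $providersKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path $providersKey)) { return @() }
    Get-ChildItem -Path $providersKey | ForEach-Object {
        $clsid    = $_.PSChildName
        $clsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        $name     = $null
        if (Test-Path $clsidKey) {
            $name = (Get-ItemProperty -Path $clsidKey).'(default)'
        }
        [PSCustomObject]@{ CLSID = $clsid; Provider = $name }
    }
}

function Test-AmsiBlock {
    param([Parameter(Mandatory)][string]$ScriptPath)
    # When a provider flags the content, PowerShell throws a ParseException with the
    # error id ScriptContainedMaliciousContent ("...blocked by your antivirus software").
    # Any other error (for example an ExecutionPolicy refusal) is reported as not blocked.
    try {
        & $ScriptPath | Out-Null
        return [PSCustomObject]@{ Blocked = $false; Message = 'Script ran without an AMSI block' }
    } catch {
        $blocked = ($_.FullyQualifiedErrorId -like '*ScriptContainedMaliciousContent*') -or
                   ($_.Exception.Message -match 'malicious content')
        return [PSCustomObject]@{ Blocked = $blocked; Message = $_.Exception.Message }
    }
}

Write-Host 'Registered AMSI providers:'
Get-AmsiProvider | Format-Table -AutoSize

$scriptPath = '.\Eicar.ps1'   # assumed: the file saved in step 2 above
Test-AmsiBlock -ScriptPath $scriptPath | Format-List
```

If no provider is listed, or the test reports Blocked = False with an ExecutionPolicy error, fix that before concluding anything about AMSI protection.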


ENABLE OR DISABLE AMSI PROTECTION

Sophos AMSI Protection can be disabled via the Sophos Home Dashboard > desired
computer > PROTECTION > General.

Click on the blue slider to turn it off (it switches to gray).

To action detections and allow them to run (at the customer's own discretion):

1) Access your Sophos Home Dashboard
2) Locate the AMSI detection under your computer's activity and click Show
   Advanced Options
3) Click Did we get this wrong --> Allow
4) A popup will appear, asking for confirmation
5) Click Allow and re-try running your script/application.

If you believe a file was incorrectly detected, you may submit a sample to
Sophos for review.


©1997-2022 Sophos Ltd. All rights reserved.