ebenroux
Guest
We are attempting to determine whether an uploaded file (Excel in this case, but could be anything) contains malware. The solution is developed in C#.
To determine whether AMSI is available I am calling the following (only pertinent bits shown):
const string EicarTestString = @"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";
AmsiNativeMethods.AmsiScanString(_context, EicarTestString, "EICAR", session, out scanResult);
When using Windows Defender the scanResult value correctly identifies the EICAR test string as malware.
However, when using McAfee the original issue was that the malware was detected and the test application was simply blocked and the process killed. After contacting McAfee, our security department made some changes and then the test application could run without being killed, but the scanResult is returned as 0. This would indicate that there is no malware, which is incorrect.
We have been engaging with McAfee and sent all manner of logs. They have now suggested we engage with Microsoft, which is why I am asking about this here for now.
Any ideas?
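For anyone reproducing this, here is a complete AMSI client in C# as an added example; it is not the poster's code and not part of any Microsoft or McAfee sample. The P/Invoke declarations map to the documented amsi.dll exports (AmsiInitialize, AmsiOpenSession, AmsiScanBuffer, AmsiCloseSession, AmsiUninitialize); AmsiScanBuffer is used instead of AmsiScanString because an uploaded Excel file is binary. The class names AmsiNative, AmsiScanner and ScanOutcome are my own, and the example assumes .NET Framework or a Windows-targeted .NET build so that Microsoft.Win32.Registry is available. The interesting part for the question is Classify: a raw result of 0 is AMSI_RESULT_CLEAN, which is exactly what AMSI returns when no registered provider flags the content, so the example also lists the provider CLSIDs registered under HKLM\SOFTWARE\Microsoft\AMSI\Providers to show whether the product in question is actually hooked into AMSI on that host.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Text;
using Microsoft.Win32;

// Added example: minimal AMSI client. Wrapper names are my own; the extern
// signatures follow the amsi.h prototypes.
public static class AmsiNative
{
    [DllImport("amsi.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
    public static extern int AmsiInitialize(string appName, out IntPtr amsiContext);

    [DllImport("amsi.dll", ExactSpelling = true)]
    public static extern void AmsiUninitialize(IntPtr amsiContext);

    [DllImport("amsi.dll", ExactSpelling = true)]
    public static extern int AmsiOpenSession(IntPtr amsiContext, out IntPtr session);

    [DllImport("amsi.dll", ExactSpelling = true)]
    public static extern void AmsiCloseSession(IntPtr amsiContext, IntPtr session);

    [DllImport("amsi.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
    public static extern int AmsiScanBuffer(IntPtr amsiContext, byte[] buffer, uint length,
                                            string contentName, IntPtr session, out uint result);
}

public enum ScanOutcome { Clean, NotDetected, BlockedByAdmin, Detected, Unknown }

public static class AmsiScanner
{
    // Values of the AMSI_RESULT enumeration from amsi.h.
    const uint AMSI_RESULT_CLEAN = 0;
    const uint AMSI_RESULT_NOT_DETECTED = 1;
    const uint AMSI_RESULT_BLOCKED_BY_ADMIN_START = 0x4000;
    const uint AMSI_RESULT_BLOCKED_BY_ADMIN_END = 0x4FFF;
    const uint AMSI_RESULT_DETECTED = 32768;

    // Maps the raw AMSI_RESULT to a coarse outcome. The "Detected" rule is the
    // same test the AmsiResultIsMalware helper in amsi.h applies (>= 32768).
    public static ScanOutcome Classify(uint result)
    {
        if (result == AMSI_RESULT_CLEAN) return ScanOutcome.Clean;
        if (result == AMSI_RESULT_NOT_DETECTED) return ScanOutcome.NotDetected;
        if (result >= AMSI_RESULT_BLOCKED_BY_ADMIN_START && result <= AMSI_RESULT_BLOCKED_BY_ADMIN_END)
            return ScanOutcome.BlockedByAdmin;
        if (result >= AMSI_RESULT_DETECTED) return ScanOutcome.Detected;
        return ScanOutcome.Unknown;
    }

    // Scans one in-memory file; every HRESULT is checked so a missing amsi.dll
    // or a failed session shows up as an exception rather than a silent 0.
    public static ScanOutcome ScanBytes(byte[] content, string contentName)
    {
        Marshal.ThrowExceptionForHR(AmsiNative.AmsiInitialize("UploadScanner", out IntPtr ctx));
        try
        {
            Marshal.ThrowExceptionForHR(AmsiNative.AmsiOpenSession(ctx, out IntPtr session));
            try
            {
                int hr = AmsiNative.AmsiScanBuffer(ctx, content, (uint)content.Length,
                                                   contentName, session, out uint result);
                Marshal.ThrowExceptionForHR(hr);
                return Classify(result);
            }
            finally { AmsiNative.AmsiCloseSession(ctx, session); }
        }
        finally { AmsiNative.AmsiUninitialize(ctx); }
    }

    // Provider CLSIDs registered with AMSI on this machine. An empty list means
    // no antimalware product is hooked into AMSI, and every scan will return 0.
    public static string[] RegisteredProviders()
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\AMSI\Providers"))
        {
            return key == null ? new string[0] : key.GetSubKeyNames();
        }
    }

    public static void Main()
    {
        // Constructed input: the standard EICAR test string, as used in the question.
        const string eicar = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";
        Console.WriteLine("AMSI providers: " + string.Join(", ", RegisteredProviders()));
        ScanOutcome outcome = ScanBytes(Encoding.ASCII.GetBytes(eicar), "EICAR");
        Console.WriteLine("EICAR scan outcome: " + outcome);
    }
}
```

Run it on the machine where the result comes back as 0: if the provider list is empty, or contains only the Defender CLSID while Defender is disabled in favour of the other product, then AMSI has no engine to consult and 0 is the expected answer, which narrows the problem to provider registration on that host rather than to the scanning code.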