Microsoft head software engineer Lee Holmes says Windows 10 applications will now be able to plug into installed anti-virus platforms to better combat malicious scripts.
Holmes says the Windows 10 Antimalware Scan Interface (AMSI) will allow apps and services to use anti-virus to find badness operating in memory.
More ReadingNOD32 AV remote root wormable hack turns corporate fleets to meatFeature-rich work in progress: Windows Mobile 10 build 10136What's broken in this week's build of Windows 10? Installing it, for oneFanbois designing Windows 10 – where's it going to end?Microsoft: Here's what you'll cough up for Windows 10 next year
He says most anti-malware platforms will write signatures against suspicious obfuscation and encoding tricks such as XOR, but this tends to fail when those tricks are so basic as to appear benign.
Efforts so far, at best, miss attacks that live in the memory and, at worse, generate mass false positives by killing legitimate processes.
Holmes says "... the antivirus engine inspects files being opened by the user. If the malicious content lives only in memory, the attack can potentially go undetected."
"While the malicious script might go through several passes of de-obfuscation, it ultimately needs to supply the scripting engine with plain, un-obfuscated code. When it gets to this point, the application can now call the new Windows AMSI APIs to request a scan of this unprotected content.
"Any application can call it (AMSI) and any registered anti-malware engine can process the content submitted to it."
Holmes urges application developers to have their apps call AMSI and anti-virus vendors to build support for the feature.
He says the feature may be extended to kill malware through instant messaging platforms or video game plug-ins for example, and is focusing on scripts in its initial launch phase.
"There are plenty of more opportunities - this is just a start," he says.
Windows Defender, Microsoft's own anti-virus platform, is thanks to AMSI able to detect a XOR encoded malicious script dropped in command line using only "bog standard" signature. ®