Kaspersky Endpoint Security 12 for Windows

AMSI Protection

25 April 2024

ID 176740

AMSI Protection component is intended to support Antimalware Scan Interface from Microsoft. The Antimalware Scan Interface (AMSI) allows third-party applications with AMSI support to send objects (for example, PowerShell scripts) to Kaspersky Endpoint Security for an additional scan and then receive the results from scanning these objects. Third-party applications may include, for example, Microsoft Office applications (see the figure below). For details on AMSI, please refer to the Microsoft documentation.

The AMSI Protection can only detect a threat and notify a third-party application about the detected threat. Third-party application after receiving a notification of a threat does not allow to perform malicious actions (for example, terminates).

AMSI operation example

AMSI Protection component may decline a request from a third-party application, for example, if this application exceeds maximum number of requests within a specified interval. Kaspersky Endpoint Security sends information about a rejected request from a third-party application to the Administration Server. The AMSI Protection component does not deny requests from those third-party applications for which continuous integration with the AMSI Protection component is enabled.

AMSI Protection is available for the following operating systems for workstations and servers:

  • Windows 10 Home / Pro / Pro for Workstations / Education / Enterprise / Enterprise multi-session;
  • Windows 11 Home / Pro / Pro for Workstations / Education / Enterprise;
  • Windows Server 2016 Essentials / Standard / Datacenter (including Core Mode);
  • Windows Server 2019 Essentials / Standard / Datacenter (including Core Mode);
  • Windows Server 2022 Standard / Datacenter / Datacenter: Azure Edition (including Core Mode).

    AMSI Protection settings



    Scan archives

    Scanning ZIP, GZIP, BZIP, RAR, TAR, ARJ, CAB, LHA, JAR, ICE, and other archives. The application scans archives not only by extension, but also by format. When checking archives, the application performs a recursive unpacking. This allows to detect threats inside multi-level archives (archive within an archive).

    Scan distribution packages

    This check box enables/disables scanning of third-party distribution packages.

    Scan files in Microsoft Office formats

    Scans Microsoft Office files (DOC, DOCX, XLS, PPT and other Microsoft extensions). Office format files include OLE objects as well. Kaspersky Endpoint Security scans office format files that are smaller than 1 MB, regardless of whether the check box is selected or not.

    Do not unpack large compound files

    If this check box is selected, the application does not scan compound files if their size exceeds the specified value.

    If this check box is cleared, the application scans compound files of all sizes.

    The application scans large files that are extracted from archives regardless of whether the check box is selected or not.

See also: Managing the application via the local interface

Enabling and disabling the AMSI Protection

Using AMSI Protection to scan compound files

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.