/amsi

A library to integrate the Microsoft Windows Anti-Malware Scan Interface (AMSI) into any .NET application.

Primary language: C#. License: MIT.

Antimalware Scan Interface for .NET

This is a .NET Standard library project providing functionality to integrate the Microsoft Windows Antimalware Scan Interface (AMSI) into any .NET application. Please find the AMSI documentation at: https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx

Usage

Scan a string for malware in C#.

const string appName = "myapp";
using (AmsiContext context = AmsiContext.Create(appName))
{
    const string input = "Pure air";
    AmsiScanResult result = context.Scan(input, "");
    if (result == AmsiScanResult.Clean)
    {
        // seems to be okay
    }
}

Scanning a buffer-full of content for malware is as easy as scanning a string; just use the overload that accepts a byte array.

MemoryStream stream = ...
byte[] buffer = stream.ToArray();
AmsiScanResult result = context.Scan(buffer, "");

Performing correlated scan requests is also possible. In the following example the ScanFile method is used to scan file contents for malware.

using (AmsiSession scanSession = AmsiSession.Create(context))
{
    string[] files = Directory.GetFiles(...);
    foreach (string file in files)
    {
        AmsiScanResult fileResult = scanSession.ScanFile(file);
        if (fileResult == AmsiScanResult.Block)
        {
            // this file should be blocked...
        }
    }
}
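
For readers who want to see what a context, a session and a scan result correspond to at the Windows API level, here is an added example (not this library's source code) that calls the documented amsi.dll functions directly through P/Invoke and scans each file named on the command line inside one correlated session. The class name NativeAmsiDemo, the app name and the choice to block when a scan call fails are assumptions of this example.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;

static class NativeAmsiDemo // hypothetical name, not part of the library
{
    // Documented exports of amsi.dll (Windows 10 and later).
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    static extern int AmsiInitialize(string appName, out IntPtr context);
    [DllImport("amsi.dll")]
    static extern int AmsiOpenSession(IntPtr context, out IntPtr session);
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    static extern int AmsiScanBuffer(IntPtr context, byte[] buffer, uint length,
        string contentName, IntPtr session, out uint result);
    [DllImport("amsi.dll")]
    static extern void AmsiCloseSession(IntPtr context, IntPtr session);
    [DllImport("amsi.dll")]
    static extern void AmsiUninitialize(IntPtr context);

    // AMSI_RESULT boundaries from amsi.h.
    const uint BlockedByAdminStart = 0x4000, BlockedByAdminEnd = 0x4FFF, Detected = 32768;

    // Same test as the AmsiResultIsMalware macro: any value >= 32768 is malware.
    static bool IsMalware(uint r) => r >= Detected;
    // Values in this range mean an administrator policy blocked the content.
    static bool IsPolicyBlock(uint r) => r >= BlockedByAdminStart && r <= BlockedByAdminEnd;

    static void Main(string[] args)
    {
        Marshal.ThrowExceptionForHR(AmsiInitialize("myapp", out IntPtr ctx));
        try
        {
            Marshal.ThrowExceptionForHR(AmsiOpenSession(ctx, out IntPtr session));
            try
            {
                foreach (string path in args)
                {
                    byte[] data = File.ReadAllBytes(path);
                    if (data.Length == 0) continue; // nothing to scan
                    int hr = AmsiScanBuffer(ctx, data, (uint)data.Length, path, session, out uint r);
                    // Fail closed: a failed scan call is treated as a block (policy of this example).
                    bool block = hr < 0 || IsMalware(r) || IsPolicyBlock(r);
                    Console.WriteLine($"{path}: hr=0x{hr:X8} result={r} block={block}");
                }
            }
            finally { AmsiCloseSession(ctx, session); }
        }
        finally { AmsiUninitialize(ctx); }
    }
}
```

The native result is a numeric range rather than a two-valued flag, so a caller that only compares against a single "clean" or "blocked" value should confirm how the wrapper it uses maps the intermediate values.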