[issue26137] [idea] use the Microsoft Antimalware Scan Interface

Zachary Ware report at bugs.python.org
Thu Jun 30 12:47:22 EDT 2016


Zachary Ware added the comment:

> But in that case, why hook into exec? The malware author can execute 
> arbitrary Python so doesn't *need* exec.

As I understand it, the malware is distributed in encrypted form (probably encrypted differently each time it propagates) so as to be given a green-light by anti-malware software, then decrypted and run via exec so that the bad code is never actually on disk, and thus never scanned.  Yes, the attacker can run arbitrary Python code, but if he just distributed the code in plain text, it could be detected and blocked.  The unpacking code is simple and generic enough that it can't be blocked.


As far as actually enabling AMSI, I'm +0.  I don't understand it well enough to be +1, and I share Paul's concerns about startup overhead.  I'm also unsure that AMSI actually affords any protection: what's to stop the attacker from distributing their own interpreter that just doesn't use AMSI?

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue26137>
_______________________________________
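The distribution pattern Zachary describes above (an encoded payload plus a generic unpacker, decrypted in memory and run through exec) and the proposed mitigation (scanning at the exec() call, where the plaintext first becomes visible) can be modelled in a few lines. The following is an added example, not code from the tracker thread or from CPython's AMSI work: the signature list, the XOR "encryption", the Blocked exception and the scanning_exec hook are all hypothetical stand-ins (scanning_exec is where a real integration would call AmsiScanBuffer), and the payload is a constructed benign string that merely mentions os.system so the toy signature fires.

```python
"""Toy model of scanning decrypted code at exec() time (stand-in for AMSI)."""
import base64
import builtins
import re
import sys

# Constructed signatures standing in for an AV engine's rules; a real scanner
# would be Windows' AmsiScanBuffer, called with the plaintext about to run.
SIGNATURES = [re.compile(rb"\bos\.system\b"), re.compile(rb"\bshutil\.rmtree\b")]


class Blocked(RuntimeError):
    """Raised by the hooked exec() when the scanner flags the code."""


def scan(buf: bytes) -> bool:
    """Return True when any signature matches the buffer (hypothetical AV)."""
    return any(sig.search(buf) for sig in SIGNATURES)


_real_exec = builtins.exec


def scanning_exec(source, globals=None, locals=None):
    """exec() replacement: scan the source text, then hand off to the real exec.

    Only str/bytes sources are visible here; a code object built by compile()
    would need the same hook on compile() (left out of this toy).
    """
    if isinstance(source, (str, bytes, bytearray)):
        text = source if isinstance(source, (bytes, bytearray)) else source.encode()
        if scan(bytes(text)):
            raise Blocked("scanner flagged code passed to exec()")
    if globals is None:
        # Mimic the real exec(): default to the caller's namespace.
        caller = sys._getframe(1)
        globals = caller.f_globals
        if locals is None:
            locals = caller.f_locals
    return _real_exec(source, globals, locals)


def pack(plaintext: bytes, key: int) -> str:
    """Build the dropper as it would sit on disk: an XOR-'encrypted' blob plus a
    generic unpacker that decrypts and exec()s it.  A different key gives a
    different file, which is the 'encrypted differently each time' property."""
    blob = base64.b64encode(bytes(b ^ key for b in plaintext)).decode()
    return (
        "import base64\n"
        f"_k = {key}\n"
        f"_c = base64.b64decode({blob!r})\n"
        "exec(bytes(b ^ _k for b in _c).decode())\n"
    )


def disk_scan(dropper: str) -> bool:
    """What an on-disk scan sees: only the packer text, never the payload."""
    return scan(dropper.encode())


def run(dropper: str, hooked: bool) -> str:
    """Run the dropper with or without the exec() hook installed.

    Returns 'blocked' if the hook stopped it, otherwise the payload's marker.
    hooked=False models an attacker shipping an interpreter without the hook.
    """
    ns = {}
    builtins.exec = scanning_exec if hooked else _real_exec
    try:
        builtins.exec(dropper, ns, ns)
    except Blocked:
        return "blocked"
    finally:
        builtins.exec = _real_exec
    return ns.get("marker", "payload did not run")


# Constructed benign payload: mentions os.system so the toy signature fires,
# but never calls it.
PAYLOAD = b"import os\n_f = os.system  # real malware would call this\nmarker = 'payload ran'\n"

if __name__ == "__main__":
    dropper = pack(PAYLOAD, key=0x5A)
    print("on-disk scan flags it:", disk_scan(dropper))     # False
    print("without hook:", run(dropper, hooked=False))     # payload ran
    print("with exec() hook:", run(dropper, hooked=True))  # blocked
```

The on-disk scan never sees os.system because only the base64 blob and the unpacker are in the file, and the unpacker itself is too generic to signature; the same scanner applied inside exec() catches the payload once it is decrypted. run(dropper, hooked=False) also illustrates the last objection in the comment: if the attacker controls the interpreter (or simply reassigns builtins.exec before unpacking), the hook is not in the path and nothing is scanned.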

