Null characters let malicious code bypass security checks in Windows 10
A bug in the Antimalware Scan Interface (AMSI) on Windows 10 systems allowed malware detection to be skipped whenever the scanned content contained a null character. AMSI is a Windows 10 interface that sits between applications and antivirus software: it lets programs, in particular script interpreters, hand the content they are about to run to the registered antimalware product so it can be checked before it executes.
The most important feature of AMSI is that it scans script content at run time, in the form the interpreter is actually about to execute, rather than only the file that was loaded at application startup. Attackers increasingly run PowerShell and other scripts inside legitimate host programs to circumvent traditional signature-based antivirus engines, and AMSI exists precisely to give antivirus products visibility into that activity.
Researcher Satoshi Tanda found that the bug caused the content handed to AMSI to be truncated at the first null character. An attacker could therefore hide malicious code in a script simply by placing it after a null character: because AMSI never read past that point, the malware passed without any warning.
The bug was fixed in the most recent Patch Tuesday release.