
Antimalware Scan Interface (AMSI) integration has failed, Part II


System: Dell XPS 15 L501X (10+ years old)

OS: Windows 10 Pro 22H2 19045.3996 (Fully patched with latest updates, including recent preview update)

Issue: On cold bootup (from a powered off state), approximately 50% of the time, ESET displays the following warning:

[Image: ESETAMSIWarning0128241030.png]

Clicking "Restart device" resolves the issue 100% of the time.

Before restarting, I checked Windows Security to see if it detects any issues, and it does not:

[Image: ESETAMSIWarningWindowsSecurity0128241030.png]

Have performed a full scan and no threats have been detected.

I have another newer system (Inspiron 7353 2-in-1) with the same OS and updates installed, running on the same network with nearly identical software (some additional apps compared to the system in question) installed, which has never experienced this glitch. The computer experiencing the error is used for very limited tasks (Amazon Music, Chrome for weather radar via the National Weather Service, etc.), and therefore is not exposed to suspect websites, etc.

My hypothesis is this is a timing issue (old laptop, with a mechanical hard-drive which takes some time to boot, where the error is triggered prior to the integration taking place, but then the app is not refreshed to display the actual status).

Is there any way to resolve this? This began with v17 (I don't believe this error ever displayed with v16 and earlier). It is time consuming to reboot this laptop (because of its age).

I am not going to replace the laptop, I understand it's beyond old - when it dies, it dies. But in the meantime, it works for what I use it for.

Thank you for any thoughts/suggestions.


  • Administrators

If you can reproduce the error after a computer restart:

  1. Disable Protected service in the HIPS setup
  2. Restart the computer and make sure there is no problem with AMSI
  3. Create a Procmon boot log
  4. After the reboot, stop logging and make sure the problem with AMSI occurs
  5. Save the Procmon log unfiltered in the PML format, compress it and supply it for perusal.

24 minutes ago, Marcos said:

If you can reproduce the error after a computer restart:

  1. Disable Protected service in the HIPS setup
  2. Restart the computer and make sure there is no problem with AMSI
  3. Create a Procmon boot log
  4. After the reboot, stop logging and make sure the problem with AMSI occurs
  5. Save the Procmon log unfiltered in the PML format, compress it and supply it for perusal.

Marcos, thank you for the quick response.

I don't think this plan will work. The issue only occurs on first boot up from a powered down state (never an issue when 'restarting' from a powered on state), and it does not manifest every time. I don't want to run the computer for an indefinite amount of time with protected service disabled until the problem reoccurs (nor do I want to create an extremely large log). Any other paths forward?

Edited by howardagoldberg