Powershell: AMSI scan should be done outside the static lock

Created on 2 Jun 2017 · 6Comments · Source: PowerShell/PowerShell

Currently our AMSI code (https://github.com/PowerShell/PowerShell/blob/master/src/System.Management.Automation/security/SecuritySupport.cs#L1672) calls the AmsiScanString() method within a static lock.

This is unnecessary because the AMSI API is thread safe and designed to process multiple scan requests.

But this code also needs to be refactored because it is unnecessarily un-initializing and re-initializing AMSI when multiple runspaces are used. In addition it is not tracking pipeline sessions correctly for multiple runspaces.

So I see the work items as:

Ensure AMSI is initialized and un-initialized only once (see related issue #2334).
Add concurrent dictionary to correctly track AMSI session per pipeline.
Don't call AmsiScanString within the static lock.

Issue-Bug Issue-Code Cleanup Size-Days WG-Engine WG-Engine-Performance

Source

PaulHigin

👍1

Most helpful comment

@iSazonov thanks for the reminder, I had forgotten about this. I don't know if I'll have time to make these changes for 7.0, but I'll make an effort.

PaulHigin on 12 Jul 2019

❤3

All 6 comments

It seems fixing this could seed up PowerShell so it would be nice to implement this before 7.0 release.

iSazonov on 12 Jul 2019

@iSazonov thanks for the reminder, I had forgotten about this. I don't know if I'll have time to make these changes for 7.0, but I'll make an effort.

PaulHigin on 12 Jul 2019

❤3

For reference #8713 - it is seem fixed (1).

iSazonov on 16 Jul 2020

AmsiScanString is never called. I wonder.

iSazonov on 16 Jul 2020

I forgot about this issue, but the work still needs to be done. We now call AmsiScanBuffer(), but still do it under a lock. I don't think this is high priority, but would be nice to do at some point.

https://github.com/PowerShell/PowerShell/blob/master/src/System.Management.Automation/security/SecuritySupport.cs#L1422

GitHub
PowerShell/PowerShell
PowerShell for every system! Contribute to PowerShell/PowerShell development by creating an account on GitHub.

PaulHigin on 16 Jul 2020

👍1

As side note, the code PsUtils.GetMainModule(currentProcess); could be replaced with Assembly.GetEntryAssembly() for performance.

iSazonov on 16 Jul 2020

👍2

Was this page helpful?

0 / 5 - 0 ratings

Related issues

Comment based help does not work for scripts that start with a shebang

abock · 3Comments

PowerShell core on Linux - Get-Service should mimic linux "service" command.

MaximoTrinidad · 3Comments

Can't Uninstall/Remove AzureRM module from PowerShell on Mac OS

Michal-Ziemba · 3Comments

Referencing System.Management.Automation in .NET Core / VS Code

concentrateddon · 3Comments

Parameter parsing/passing: unquoted tokens that look like named arguments with colon as the separator are broken in two when passed indirectly via $Args / @Args

mklement0 · 3Comments