Many Events 5038 fsamsi64.dll

SKRE (Security Scout)

Hello all,

I have a problem with many 5038 events on our clients. The problem seems to come from the fsamsi64.dll which is reported as corrupted by Defender. It seems to be related to the digital signature of the file, which is not from Microsoft but from F-Secure.

Is there a way to suppress this event? The important 5038 events are completely lost in our client monitoring. Here is the event from a German client:

We use the following F-Secure product: F-Secure Client Security Premium - Version 15.11

Thanks for your help!

Best regards

Best Answer

  • MonikaL (Former Staff)
    Answer ✓

    Hi,

    Antimalware Scan Interface (AMSI) is an API that allows applications to request that antimalware products installed on the computer scan their data for harmful content, provided that such antimalware products have exposed their scanning services via AMSI.

    The latest F-Secure products provide this scanning interface to applications.

    One such application is Microsoft Defender. Its manual scanning feature makes use of AMSI, loading the AMSI modules registered with the system into its processes.

    However, Defender itself has a security measure that prevents any DLLs which are not signed by Microsoft from being loaded into its processes. This means that in case a non-Microsoft AMSI provider is registered on the system, Defender will try to load it, but will reject it because it does not have a Microsoft signature, and an error will be written to the event log.

    This appears to be an intentional design in Defender to only allow Microsoft's own AMSI DLLs to be used with it. The event log error is a result of this design and can be ignored by customers.

    Current information from developers:

    1) We think it is a false positive from Windows. All our modules are signed properly.

    2) We believe this is not a problem, just a mitigation in Defender working as designed.

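The thread leaves two practical questions open: how to see which AMSI providers are actually registered on a client and who signed them (so the "third-party provider, non-Microsoft signature" explanation can be verified rather than taken on trust), and how to keep the fsamsi64.dll noise from drowning the 5038 events that matter. The PowerShell below is an added example written for this page; it is not code from F-Secure or from the thread. It assumes the standard AMSI registration layout (provider CLSIDs under HKLM\SOFTWARE\Microsoft\AMSI\Providers, DLL path in the CLSID's InprocServer32 key) and that Security event 5038 carries the file path in its EventData field named param1, falling back to the message text if that field is absent. Reading the Security log requires an elevated prompt.

```powershell
# Added example, not part of the original thread.
# 1. Enumerate registered AMSI providers and their Authenticode signers.
#    Registration is by CLSID under HKLM\SOFTWARE\Microsoft\AMSI\Providers; the DLL path is the
#    default value of HKLM\SOFTWARE\Classes\CLSID\{CLSID}\InprocServer32 (assumed standard layout).
function Get-AmsiProvider {
    $root = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $clsid  = $key.PSChildName
        $server = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $dll    = if ($server) { [Environment]::ExpandEnvironmentVariables($server.'(default)') } else { $null }
        $sig    = if ($dll -and (Test-Path -LiteralPath $dll)) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
        [pscustomobject]@{
            CLSID  = $clsid
            Dll    = $dll
            Status = if ($sig) { $sig.Status } else { 'NotFound' }
            Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# 2. Pull Security event 5038 (Code Integrity: image hash of a file is not valid) and split the
#    entries caused by one known DLL from everything else. The remainder is what monitoring should
#    still alert on; the split is done here in PowerShell because the event log's XPath subset has
#    no string functions for this kind of filter.
function Split-Event5038 {
    param(
        [string]$IgnoreDll = 'fsamsi64.dll',   # name taken from the thread
        [int]$MaxEvents = 500
    )
    $events  = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5038 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $ignored = @()
    $keep    = @()
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        # Assumption: the file path is in EventData/Data[@Name='param1'] as \Device\HarddiskVolumeN\...
        $file = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'param1' }).'#text'
        if (-not $file) { $file = $e.Message }   # fall back to the rendered message text
        $record = [pscustomobject]@{ Time = $e.TimeCreated; Computer = $e.MachineName; File = $file }
        if ($file -like "*$IgnoreDll*") { $ignored += $record } else { $keep += $record }
    }
    [pscustomobject]@{ Ignored = $ignored; Keep = $keep }
}

# Usage
Get-AmsiProvider | Format-Table -AutoSize
$r = Split-Event5038 -IgnoreDll 'fsamsi64.dll'
'{0} event(s) attributed to fsamsi64.dll, {1} left to review' -f $r.Ignored.Count, $r.Keep.Count
$r.Keep | Format-Table -AutoSize
```

If the provider list shows fsamsi64.dll with Status Valid and an F-Secure signer, and every ignored 5038 entry names that DLL, the events match the explanation given in the answer above; any entry left in Keep is a 5038 that still deserves attention. The same file-name match can be used as the suppression rule in whatever collector forwards the Security log, rather than dropping event 5038 as a whole.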