I’ve been getting warnings in the Event Viewer under Applications and Services Logs\Microsoft\Windows\Security-Mitigations\Kernel Mode. These started only about 6 weeks ago and I suspect that it started when updating Avast Free one or two versions back.
On each boot, I get this Event ID 12 warning repeated 10 times:
Process ‘\Device\HarddiskVolume8\Program Files\Windows Defender\MpCmdRun.exe’ (PID 10816) was blocked from loading the non-Microsoft-signed binary ‘\Program Files\AVAST Software\Avast\aswAMSI.dll’.
I’m also getting a few other messages, e.g.
Process ‘\Device\HarddiskVolume8\Windows\System32\dllhost.exe’ (PID 8536) was blocked from generating dynamic code.
Is Avast causing these events to be generated? Is it part of the new Ransomware protection?
We are aware of the aswAMSI.dll-related entries. This is a bug on Microsoft’s side; we’ve reported this a long time ago - but nothing is happening.
Technically, Avast is correctly registered as an AMSI (antimalware) provider. Some time ago, Defender started using a JavaScript engine - which also attempts to load the current AMSI provider. However, due to the settings in the Defender process itself, it doesn’t “like” the module signed with an Avast (i.e. non-Microsoft) signature. So… it’s up to Microsoft to decide whether they want to actually use AMSI in their JavaScript engine (or rather in the engine used by Defender), and if they do, to accept further signatures, or provide another way to allow that DLL in their process.
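
One way to triage the Event ID 12 entries discussed in this thread, as an added example that is not part of either post: it reads the kernel-mode mitigation log with Get-WinEvent and counts blocked image loads per process and blocked binary. The channel name and the message pattern are assumptions based on the log path and event text quoted above.

```powershell
# Added example (not from the thread): summarize "blocked from loading the
# non-Microsoft-signed binary" events by process and blocked DLL.

# Assumption: this is the channel behind the "Security-Mitigations\Kernel Mode"
# node shown in Event Viewer.
$logName = 'Microsoft-Windows-Security-Mitigations/KernelMode'

# Assumption: the message has the shape quoted in the thread. The character
# class accepts straight or typographic quotes around the two paths.
$q = "['\u2018\u2019]"
$pattern = "Process\s+$q(?<Process>.+?)$q\s+\(PID\s+(?<ProcessId>\d+)\)\s+" +
           "was blocked from loading the non-Microsoft-signed binary\s+$q(?<Binary>.+?)$q"

# Get-WinEvent raises an error when nothing matches; treat that as "no events".
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 12 } `
                       -ErrorAction SilentlyContinue

# Turn each matching message into a structured record.
$parsed = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Process     = $Matches.Process
            ProcessId   = [int]$Matches.ProcessId
            Binary      = $Matches.Binary
        }
    }
}

# One row per (process, blocked binary) pair, most frequent first.
$parsed |
    Group-Object Process, Binary |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Process';       e = { $_.Group[0].Process } },
        @{ n = 'BlockedBinary'; e = { $_.Group[0].Binary } },
        @{ n = 'FirstSeen';     e = { $_.Group.TimeCreated | Sort-Object | Select-Object -First 1 } },
        @{ n = 'LastSeen';      e = { $_.Group.TimeCreated | Sort-Object | Select-Object -Last 1 } } |
    Format-Table -AutoSize -Wrap
```

The FirstSeen column gives a date to compare against the update history when checking whether the entries began with a particular product update.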