Why is the error "Code integrity determined that the image hash of a file is not valid" logged for FortiAmsi.dll?

Question

Why is the error "Code integrity determined that the image hash of a file is not valid" logged for FortiAmsi.dll?

Scott 20

Our company uses Fortinet's FortiClient application and all of our computers run Windows 11 24H2. The Windows Security log for computers with FortiClient installed is flooded with errors like this:

Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume3\Program Files\Fortinet\FortiClient\FortiAmsi.dll

The error is logged in the Security log with event ID 5038.

This event can occur multiple times per second making it difficult to find other important events. Fortinet support reports the file is fine and I don't see anything wrong with the digital signatures of the file. Support recommends I reach out to Microsoft and reference Tracking ID #2310270060003398, but I'm not entitled to that level of Microsoft support.

Could Microsoft chime in here? Is there anything I can do to determine why Windows 11 generates this event in the log?

Answer accepted by question author

0 additional answers

Your answer

Answer 1

Jason Nguyen Tran 12,250 Independent Advisor

Hi Scott Hodges,

This behavior has been observed with certain third-party security integrations, including Fortinet’s FortiClient, when the Antimalware Scan Interface (AMSI) DLL is loaded in a way that Windows code integrity cannot validate. Although the file itself may be correctly signed and not corrupted, Windows will still log an error if the hash validation process does not match expected values. This can occur due to how FortiClient hooks into AMSI, or if kernel-mode drivers load the DLL in a non-standard way.

The good news is that this does not necessarily indicate a compromised file. Fortinet has confirmed that FortiAmsi.dll is safe, and Microsoft is aware of the logging behavior. At present, the recommended steps are to ensure your systems are fully updated with the latest cumulative updates for Windows 11 24H2, and to confirm you are running the latest FortiClient release. If the issue persists, you may need to filter or forward these events to a separate log collector so they do not overwhelm your Security log.

I hope this guidance helps you move forward. If you find this answer helpful, please consider clicking Accept Answer so I know your concern has been resolved.

Jason.

Scott 20 Reputation points

2026-02-19T22:28:47.27+00:00

Hi Jason,

Thanks for the feedback. Any thoughts on who's responsibility it is to fix this issue? Should Fortinet do something different to avoid causing the issue or does Microsoft need to make a change to stop incorrectly flagging this file?

Would you know how I can redirect event ID 5038 to a log other than security? I assume that I can't suppress the error, not that it would be a good idea anyway.

Thanks,

Scott
Jason Nguyen Tran 12,250 Reputation points Independent Advisor

2026-02-19T23:08:28.53+00:00

In this case, the responsibility is shared. Fortinet’s FortiClient integrates with Windows’ Antimalware Scan Interface (AMSI) in a way that triggers code integrity checks, while Windows enforces strict validation rules. Because of this interaction, both vendors have a role: Fortinet may need to adjust how their AMSI module is registered, and Microsoft may refine how Windows 11 24H2 handles third-party AMSI modules to avoid unnecessary logging. Collaboration between the two is the most likely path to a permanent resolution.

Regarding event ID 5038, you are correct that suppressing the error is not recommended. However, you can redirect or filter these events using Windows Event Forwarding or custom Event Viewer subscriptions. For example, you can create a subscription that forwards event ID 5038 entries to a separate custom log, allowing you to keep the Security log clear for critical events. Group Policy and Windows Event Collector can also be used to manage where these events are stored.

I hope this guidance helps you move forward with confidence. Feel free to reply if you need further information and kindly click Accept Answer so I know your issue has been resolved.
Scott 20 Reputation points

2026-02-23T20:31:56.68+00:00

Thanks Jason. I appreciate all of your input.

Scott

Share via

Why is the error "Code integrity determined that the image hash of a file is not valid" logged for FortiAmsi.dll?

0 additional answers

Your answer