AmsiNotifyOperation function (amsi.h)
Sends to the antimalware provider a notification of an arbitrary operation. The notification doesn't imply the request of an antivirus scan. Rather, IAntimalwareProvider2::Notify is designed to provide a quick and lightweight mechanism to communicate to the antimalware provider that an event has taken place. In general, the antimalware provider should process the notification, and return to the caller as quickly as possible.
HRESULT AmsiNotifyOperation(
  HAMSICONTEXT amsiContext,
  PVOID        buffer,
  ULONG        length,
  LPCWSTR      contentName,
  AMSI_RESULT  *result
);
amsiContext
Type: _In_ HAMSICONTEXT
The handle (of type HAMSICONTEXT) that was initially received from AmsiInitialize.

buffer
Type: _In_reads_bytes_(length) PVOID
The buffer that contains the notification data.

length
Type: _In_ ULONG
The length, in bytes, of the data to be read from buffer.

contentName
Type: _In_opt_ LPCWSTR
The filename, URL, unique script ID, or similar of the content being scanned.

result
Type: _Out_ AMSI_RESULT*
The result of the scan.
You should use AmsiResultIsMalware to determine whether the content should be blocked.
If this function succeeds, it returns S_OK. Otherwise, it returns an HRESULT error code.
|Requirement|Value|
|---|---|
|Minimum supported client|Windows 10 [desktop apps only]|
|Minimum supported server|Windows Server 2016 [desktop apps only]|