AmsiNotifyOperation function (amsi.h)
Sends a notification of an arbitrary operation to the antimalware provider. The notification doesn't imply the request of an antivirus scan. Rather, IAntimalwareProvider2::Notify is designed to provide a quick and lightweight mechanism to communicate to the antimalware provider that an event has taken place. In general, the antimalware provider should process the notification, and return to the caller as quickly as possible.
Syntax
```cpp
HRESULT AmsiNotifyOperation(
  HAMSICONTEXT amsiContext,
  PVOID        buffer,
  ULONG        length,
  LPCWSTR      contentName,
  AMSI_RESULT  *result
);
```
Parameters
amsiContext
Type: _In_ HAMSICONTEXT
The handle (of type HAMSICONTEXT) that was initially received from AmsiInitialize.
buffer
Type: _In_reads_bytes_(length) PVOID
The buffer that contains the notification data.
length
Type: _In_ ULONG
The length, in bytes, of the data to be read from buffer.
contentName
Type: _In_opt_ LPCWSTR
The filename, URL, unique script ID, or similar of the content being scanned.
result
Type: _Out_ AMSI_RESULT*
The result of the scan.
You should use AmsiResultIsMalware to determine whether the content should be blocked.
Return value
If this function succeeds, it returns S_OK. Otherwise, it returns an HRESULT error code.
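The following is an added example, not code from this page or from Microsoft. It shows a host checking the HRESULT before trusting result and then applying AmsiResultIsMalware. The names notify_decision, decide, notify_operation, fail_closed and the app name "ExampleHost" are hypothetical, and the non-Windows typedefs are stand-ins so the decision logic compiles without amsi.h.

```c
#include <stddef.h>
#ifdef _WIN32
#include <windows.h>
#include <amsi.h>                 /* link with Amsi.lib */
#else
/* Stand-ins (assumption) mirroring the amsi.h values, for off-Windows builds. */
typedef int HRESULT;
typedef enum { AMSI_RESULT_CLEAN = 0, AMSI_RESULT_NOT_DETECTED = 1,
               AMSI_RESULT_DETECTED = 32768 } AMSI_RESULT;
#define S_OK ((HRESULT)0)
#define AmsiResultIsMalware(r) ((r) >= AMSI_RESULT_DETECTED)
#endif

typedef enum { NOTIFY_ALLOW, NOTIFY_BLOCK, NOTIFY_ERROR } notify_decision;

/* Map the call outcome to a host decision. result is only meaningful when
 * the function returned S_OK; on failure the host policy decides whether to
 * block (fail_closed != 0) or to surface the error to the caller. */
static notify_decision decide(HRESULT hr, AMSI_RESULT result, int fail_closed)
{
    if (hr != S_OK)
        return fail_closed ? NOTIFY_BLOCK : NOTIFY_ERROR;
    return AmsiResultIsMalware(result) ? NOTIFY_BLOCK : NOTIFY_ALLOW;
}

#ifdef _WIN32
/* Send one notification. A real host would normally create the context once
 * with AmsiInitialize and reuse it, rather than per call as done here. */
notify_decision notify_operation(const void *data, ULONG len,
                                 LPCWSTR name, int fail_closed)
{
    HAMSICONTEXT ctx = NULL;
    AMSI_RESULT result = AMSI_RESULT_NOT_DETECTED;  /* defined value on failure */
    HRESULT hr = AmsiInitialize(L"ExampleHost", &ctx);
    if (hr != S_OK)
        return decide(hr, result, fail_closed);
    hr = AmsiNotifyOperation(ctx, (PVOID)data, len, name, &result);
    AmsiUninitialize(ctx);
    return decide(hr, result, fail_closed);
}
#endif
```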
Requirements
Requirement | Value |
---|---|
Minimum supported client | Windows 10 [desktop apps only] |
Minimum supported server | Windows Server 2016 [desktop apps only] |
Target Platform | Windows |
Header | amsi.h |
Library | Amsi.lib |
DLL | Amsi.dll |