AmsiNotifyOperation function (amsi.h)

Sends to the antimalware provider a notification of an arbitrary operation. The notification doesn't imply the request of an antivirus scan. Rather, IAntimalwareProvider2::Notify is designed to provide a quick and lightweight mechanism to communicate to the antimalware provider that an event has taken place. In general, the antimalware provider should process the notification, and return to the caller as quickly as possible.

Syntax

HRESULT AmsiNotifyOperation(
  HAMSICONTEXT amsiContext,
  PVOID        buffer,
  ULONG        length,
  LPCWSTR      contentName,
  AMSI_RESULT  *result
);

Parameters

amsiContext

Type: _In_ HAMSICONTEXT

The handle (of type HAMSICONTEXT) that was initially received from AmsiInitialize.

buffer

Type: _In_reads_bytes_(length) PVOID

The buffer that contains the notification data.

length

Type: _In_ ULONG

The length, in bytes, of the data to be read from buffer.

contentName

Type: _In_opt_ LPCWSTR

The filename, URL, unique script ID, or similar of the content being scanned.

result

Type: _Out_ AMSI_RESULT*

The result of the scan.

You should use AmsiResultIsMalware to determine whether the content should be blocked.

Return value

If this function succeeds, it returns S_OK. Otherwise, it returns an HRESULT error code.

Requirements

   
Minimum supported client Windows 10 [desktop apps only]
Minimum supported server Windows Server 2016 [desktop apps only]
Target Platform Windows
Header amsi.h
Library Amsi.lib
DLL Amsi.dll