Hi,
I'm testing an application that will leverage the Microsoft AMSI API. I have Norton 360 installed, and all recent updates have been applied. I'm using the AmsiScanBuffer function, so the compressed file in question is read into a buffer and passed to the scan function. When Norton 360 is installed and listed as the active anti-malware application in Defender, the scan result on my sample file is No Threat Detected (AMSI_RESULT_NOT_DETECTED). However, if Norton scans that file in a manual scan, the infected text file is removed, and Norton alerts me to the threat.
If I uninstall Norton and issue the same AmsiScanBuffer call with Defender enabled, the function returns AMSI_RESULT_DETECTED, and Defender alerts that a threat has been found.
In both cases, the compressed file contains a single text file with the EICAR sample string inside.
Is this a known issue? I didn't see anything about it in the community threads.
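A diagnostic for the behaviour described in the post above, added here as an example and not part of the original post: it submits the raw EICAR string and a zip containing it to AmsiScanBuffer in one session, so the two verdicts can be compared for whichever provider is registered. The app name, content names and helper functions are assumptions, and the AMSI calls run only on Windows.

```python
import ctypes, io, sys, zipfile

# AMSI_RESULT boundaries from amsi.h
CLEAN, NOT_DETECTED, BLOCKED_START, BLOCKED_END, DETECTED = 0, 1, 0x4000, 0x4FFF, 0x8000
# EICAR test string, joined from two halves so this source is not flagged itself
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def classify(result):
    """Apply the AmsiResultIsMalware / AmsiResultIsBlockedByAdmin thresholds."""
    if result >= DETECTED:
        return "detected"
    if BLOCKED_START <= result <= BLOCKED_END:
        return "blocked_by_admin"
    names = {CLEAN: "clean", NOT_DETECTED: "not_detected"}
    return names.get(result, "provider_risk_level")  # other values below 32768

def zip_of(name, data):
    """Constructed sample: an in-memory zip holding a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()

def amsi_scan(samples, app="AmsiBufferTest"):  # app name is a placeholder
    """Scan (content_name, bytes) pairs in one AMSI session. Windows only."""
    vp, amsi = ctypes.c_void_p, ctypes.WinDLL("amsi")
    sigs = {"AmsiInitialize": [ctypes.c_wchar_p, ctypes.POINTER(vp)],
            "AmsiOpenSession": [vp, ctypes.POINTER(vp)],
            "AmsiScanBuffer": [vp, ctypes.c_char_p, ctypes.c_ulong,
                               ctypes.c_wchar_p, vp, ctypes.POINTER(ctypes.c_int)]}
    for fn, args in sigs.items():  # HRESULT restype: ctypes raises OSError on failure
        f = getattr(amsi, fn)
        f.argtypes, f.restype = args, ctypes.HRESULT
    amsi.AmsiCloseSession.argtypes, amsi.AmsiUninitialize.argtypes = [vp, vp], [vp]
    amsi.AmsiCloseSession.restype = amsi.AmsiUninitialize.restype = None  # both void
    ctx, sess, out = vp(), vp(), {}
    amsi.AmsiInitialize(app, ctypes.byref(ctx))
    try:
        amsi.AmsiOpenSession(ctx, ctypes.byref(sess))
        for name, data in samples:
            res = ctypes.c_int(0)
            amsi.AmsiScanBuffer(ctx, data, len(data), name, sess, ctypes.byref(res))
            out[name] = classify(res.value)
        amsi.AmsiCloseSession(ctx, sess)
    finally:
        amsi.AmsiUninitialize(ctx)
    return out

if __name__ == "__main__" and sys.platform == "win32":
    print(amsi_scan([("eicar.txt", EICAR), ("eicar.zip", zip_of("eicar.txt", EICAR))]))
```

A `detected` verdict for `eicar.txt` together with `not_detected` for `eicar.zip` would point to the provider not unpacking archives that reach it as buffers.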