Win 10 Event Log - fsamsi64.dll - image hash of a file is not valid

I have completed two SAFE installs. I notice that after each install the MS Security icon in the lower right then shows a security issue. Everything is green on the MS Security page.

The problem is perhaps this entry that is generated in the Security event log.

Source: Microsoft Windows security

Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name:   \Device\HarddiskVolume4\Program Files (x86)\F-Secure\SAFE\Ultralight\ulcore\1596540521\fsamsi64.dll

Answers

  • I checked another pc that has SAFE installed. I see this same error in the Event Viewer Security log:

    Event 5038, Microsoft Windows security auditing

    Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

    File Name:   \Device\HarddiskVolume2\Program Files (x86)\F-Secure\SAFE\apps\Ultralight\ulcore\1596540

  • DawidFS Posts: 73 Moderator

    Dear @Matroskin12


    Sorry for the late answer, we are currently analyzing your question.

    We will get back to you as soon as we have information about this topic.


    Greetings,

    Dawid

  • Sethu Posts: 657 Moderator

    Hi @Matroskin12

    Please see the following statement from our developers:

    Antimalware Scan Interface (AMSI) is an API that allows applications to request antimalware products installed on the computer to scan their data for harmful content, provided that such antimalware products have exposed their scanning services via AMSI.

    Latest F-Secure products provide this scanning interface to the applications.

    One of such applications is Microsoft Defender. Its manual scanning feature makes use of AMSI, loading the AMSI modules registered with the system into its processes.

    However, Defender itself has a security measure that prevents any DLLs which are not signed by Microsoft from being loaded into its processes. This means that in case a non-Microsoft AMSI provider is registered to the system, Defender will try to load it, but will reject it because it does not have a Microsoft signature, and an error will be written to the event log.

    This appears to be an intentional design in Defender to only allow Microsoft's own AMSI DLLs to be used with it. The event log error is a result of this design and can be ignored by the customers.

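A triage sketch for the situation described in the developers' statement above, added here as an example and not code from F-Secure, Microsoft or any poster in this thread: it lists the AMSI provider DLLs registered on the machine with their Authenticode status, then checks whether each Event 5038 file name points at one of them. It assumes an elevated PowerShell session, English-language event text as quoted in the thread, and the 64-bit registry view; matching the device path to the drive path by volume-relative tail is a heuristic.

```powershell
# Added example, not F-Secure or Microsoft code. Run from an elevated prompt
# (reading the Security log requires administrator rights).

# AMSI providers are registered by CLSID; the DLL path is the COM InprocServer32 default value.
$providers = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key = "HKLM:\SOFTWARE\Classes\CLSID\$($_.PSChildName)\InprocServer32"
        $dll = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        if ($dll) {
            $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
            $sig = Get-AuthenticodeSignature -LiteralPath $dll -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path   = $dll
                # Volume-relative path, comparable with \Device\HarddiskVolumeN\... names (heuristic)
                Tail   = $dll -replace '^[A-Za-z]:', ''
                Status = $sig.Status
                Signer = $sig.SignerCertificate.Subject
            }
        }
    }

# Event 5038 carries the file in its message text as "File Name: \Device\HarddiskVolumeN\..."
# (assumption: English-language event text, as quoted in this thread).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5038 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        if ($evt.Message -match '(?m)File Name:\s*(.+?)\s*$') {
            $file = $Matches[1]
            $tail = $file -replace '^\\Device\\HarddiskVolume\d+', ''
            $hit  = $providers | Where-Object { $_.Tail -eq $tail } | Select-Object -First 1
            [pscustomobject]@{
                Time         = $evt.TimeCreated
                File         = $file
                AmsiProvider = [bool]$hit      # True: file is a registered AMSI provider DLL
                SigStatus    = $hit.Status     # Valid: vendor signature verifies on disk
                Signer       = $hit.Signer
            }
        }
    } | Sort-Object File -Unique | Format-Table -AutoSize -Wrap
```

A row with AmsiProvider True, SigStatus Valid and a non-Microsoft signer is consistent with the explanation given in the thread. A 5038 entry for a file that is not a registered provider, or whose signature does not verify, is a different case and should be looked at separately.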