Windows 10 Event id 3033 due to Norton symamsi.dll code integrity

Product: Norton Security. Version: 22.21.5.44

Problem:
Constant and regular Windows 10 Event ID 3033, reporting a Code Integrity issue with the Norton/Symantec-developed AMSI service module symamsi.dll.

I have recently (last month) installed the latest product update (Via LU), to my Norton Security. Sadly, there has STILL been no solution to this reported issue, that I have previously reported back in November 2020. That one was closed due to no activity for 30 days (and no input or commitment to fix, from Norton).

Before anyone asks, I DID reboot to ensure all valid updated objects were in place, and in memory as required. Here is the usual Event 3033 in all its glory!:

"Code Integrity determined that a process (\Device\HarddiskVolume1\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume1\Program Files\Norton Security\Engine\22.21.5.44\symamsi.dll that did not meet the Windows signing level requirements."

To get better background and information on the AMSI (the Anti-Malware Scan Interface), here is a definitive Microsoft document on this subject:

https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal

"The Antimalware Scan Interface is designed for use by two groups of developers.

  1)  Application developers who want to make requests to antimalware products from within their apps.
  2)  Third-party creators of antimalware products who want their products to offer the best features to applications.

Note:
Starting in Windows 10, version 1903, if your AMSI provider DLL is not Authenticode-signed, then it may not be loaded (depending on how the host machine is configured)."

An anti-virus program creating CODE INTEGRITY ERRORS like this, after loading attempts, brings the whole integrity and proper functionality into doubt.

This needs a fix. If it is ONLY due to an Authenticode-signing issue, I cannot understand why there is no simple solution forthcoming, so that I can be sure that my Norton Security is actually properly protecting my systems properly.


The symamsi.dll is the Antimalware Scan Interface implemented by Norton.

Please see the URL below for the AMSI function.

https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal

You can check whether AMSI is working properly by running the command below at the command prompt.

powershell -command "& {write-output 'Am I evil? Yes I am!!'}"

If Norton blocks it, AMSI is working properly. You can see the pop-up of blocked messages.

FYI: Now that the subscription has lapsed on Norton Security on all my systems, I have NOT renewed any of them, and have uninstalled the product.

Because mainly "techies" and some power-users check the Windows event logs, I don't think this issue has had the exposure it deserves, and so most users are blissfully unaware of this problem. As Windows is actively blocking the symamsi.dll, I fail to see HOW it could be actually doing its job (i.e. anti-malware checking), so, with the evidence from the regular 3033 event logs, I suspect it is NOT. I am therefore NOT going to renew a subscription for AV software that purports to have "anti-malware" capabilities, but shows a failure to load its main DLL to do the job.

I had already been using Malwarebytes Premium AV as a second layer defence, for a couple of years alongside Norton, and as it has the 4 main modules important to any robust AV solution (Web Protection, Malware Protection, Ransomware Protection, and Exploit Protection), I am going to continue with that.

After another large product update (181MB or so) today, to Norton Security 22.21.9.25 (and 2 restarts to get it to fully install), guess what:

EVENT ID 3033: "Code Integrity determined that a process (\Device\HarddiskVolume1\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume1\Program Files\Norton Security\Engine\22.21.9.25\symamsi.dll that did not meet the Windows signing level requirements."

This leaves me disappointed, and at a loss to understand why this (seemingly) basic issue, reported as far back as 2019, has STILL not been fixed.

So, I STILL have no confidence that the Norton product that I pay for, has a properly functioning Anti-Malware interface!

@BlakeCan many thanks for that suggestion, I tried that under admin CMD shell, and got this back:

C:\WINDOWS\system32>certutil -verify "C:\Program Files\Norton Security\Engine\22.21.8.62\symamsi.dll"
LoadCert(Cert) returned ASN1 bad tag value met. 0x8009310b (ASN: 267 CRYPT_E_ASN1_BADTAG)
CertUtil: -verify command FAILED: 0x8009310b (ASN: 267 CRYPT_E_ASN1_BADTAG)
CertUtil: ASN1 bad tag value met.

So, it seems that Norton, BitDefender, and McAfee are having similar issues (I see 3033 on my new laptop that currently has a trial McAfee - going soon to Malwarebytes).

This seems a bit strange, almost as if the AV vendors are using an older Cert Signing method (Authenticode signing software changed at some point), or are not doing it correctly. If that is the cause of the issue, why can't they sort it out, or liaise with Microsoft to find what they are doing wrong?

There seems to be a BIG disconnect here somewhere, but I would be livid if the MS Cert checking is buggy and flagging Authenticode certs when it should not!!

When windows starts, it loads Code Integrity and then Code Integrity Says (Code Integrity will enable WHQL driver enforcement for this boot session.  Settings 0x0. Exemption 1.) This is Event ID 3084

Then Code Integrity says (Refreshed and activated Code Integrity policy {d2bda982-ccf6-4344-ac5b-0b44427b6816} Microsoft Windows Driver Policy. id 10.0.19014.0. Status 0x0) This is Event ID 3099

Then C I says (Signature information for another event. Match using the Correlation Id.)

Under the DETAILS tab, it shows the Cert. being used

(PublisherName: Bitdefender SRL
IssuerNameLength: 40
IssuerName: DigiCert SHA2 Assured ID Code Signing CA
PublisherTBSHashSize: 32)

@td47 try verifying the Certificate being used for the symamsi.dll file with certutil -verify

 

I'm having the SAME problem with Bit-Defender Total Security and their NON-ELAM approved dll.

In event viewer Under (Applications and Services Logs\Microsoft\Windows\Codeintegrity\Operations) it says

(Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Bitdefender\Bitdefender Security\bdamsi\antimalware_provider64.dll) that did not meet the Windows signing level requirements.)

It logs this SEVERAL times a second!

In my case svchost.exe makes up about 99% of the log entries, other services, dlls, etc like Microsoft Defender extensions, MP* dll files and WindowsHealthServices.exe also have had the same problem, however theirs is a small handful of times in a day....svchost.exe is 2-5 times a second!

It has something to do with svchost.exe "hardening policy"....In group policy editor, Under (System Configuration\Administrative Templates\System\Service Control Manager Settings\Security Settings) you can ENABLE "Hardening" of svchost.exe BUT if you DISABLE it in group policy editor the registry entry still remains because it is not saved as a "policy key" because it is considered a "Preference".

So if it's enabled via Group Policy Editor....it can't be DISABLED in group policy editor....(even though there is a "Disable" option)

I'm still trying to find the location of the Registry string that the GP editor inputs.

I'll post it here when I find it.

Also I think a recent OSX update also had a similar problem with Symantec and a few other Signings/Certs.

oh and btw.. my relevant Sys info is:

Windows10 Pro 21H1 (Build 19043.1237)

Bit Defender is 25.0.26.89

(BOTH are the Most current release versions as of this post)

FYI: after today's update via a Live Update 174MB download, to version 22.21.8.62 - Have a wild guess? Issue still not fixed:

"Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MpCmdRun.exe) attempted to load \Device\HarddiskVolume1\Program Files\Norton Security\Engine\22.21.8.62\symamsi.dll that did not meet the Microsoft signing level requirements."

After reporting to Malwarebytes about it (possibly) trying to look at or load the still troublesome symamsi.dll, here is their reply:
"After much digging by our Researchers and Engineering department, this is not a bug on our end.
It is not Malwarebytes looking at nor loading the Symantec .dll. Symantec is trying to load itself into our process (and probably other processes as well) and Windows blocks it because Symantec’s certificate is not ELAM approved for our protected process. [Norton PLEASE NOTE THIS]

Please see this topic at Symantec where another person is noticing this type of error in the Windows Event logging. In his case, it was svchost, but it’s the same principle. Symantec is injecting and the error occurs due to the signing. https://community.norton.com/en/forums/symantec-antimalware-scan-interface-amsi-dll-signing"

So, I will probably take the same tardy route as Norton, to renew my subscription, as this has NO indication of being fixed, and reports started in 2019 on this issue. Incredible.

@Peterweb - thanks for your input. Although I understand the "business logic" of what you are saying, what I CANNOT understand, is why we are nearly 10 months down the line with this issue, and there have been several product updates, but NO fix for this specific issue. It is irritating to say the least, and the message throws doubt into the functionality of the AMSI protection within the Norton product.

As only techies would tend to read the Event Logs, very few users report it, and any lack of AV functionality could be hidden, and be leaving users vulnerable. Surely a worrying event log like this SHOULD be seen as an important issue to fix, with what looks like (on the surface anyway) just a badly created internal software certification, by this vendor? Right now I have little confidence that the Norton Security AV that I pay for, is giving me all the protections it advertises!

Norton is never going to give an ETA on any fix. This is because of the backlash they would get if they say it will be out on dd/mm/yy, and they are not able to provide the update on that date due to bugs found during validation and testing. All you will ever get is it will be released when it is ready.

 


It is 9th August 2021, still happening:

FYI: The latest version of Norton Security (22.21.6.51) is still creating Event 3033 errors. Please provide an ETA for the fix to this irritating bug:

“Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MpCmdRun.exe) attempted to load \Device\HarddiskVolume1\Program Files\Norton Security\Engine\22.21.6.51\symamsi.dll that did not meet the Microsoft signing level requirements.”
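Added example, not code from any poster or vendor in this thread: it tallies Event 3033 messages by host process, blocked module and the signing level named in the message, then reads the file's embedded signature with Get-AuthenticodeSignature (certutil -verify expects a certificate file rather than a PE image). The function name Get-CiBlockSummary is hypothetical; the sample messages and the DLL path are the ones quoted in the posts above.

```powershell
# Added example (not from the thread): summarise Code Integrity event 3033
# messages by host process, blocked module and signing level named in the text.
function Get-CiBlockSummary {
    param([Parameter(ValueFromPipeline)][string]$Message)
    begin {
        # \)? tolerates the stray ")" seen after the Bitdefender DLL path.
        $pattern = 'process \((?<proc>.+?)\) attempted to load\s+(?<dll>.+?\.dll)\)? ' +
                   'that did not meet the (?<level>\w+) signing level'
        $rows = [System.Collections.Generic.List[object]]::new()
    }
    process {
        if ($Message -match $pattern) {
            $rows.Add([pscustomobject]@{
                Process = ($Matches.proc -split '\\')[-1]   # file name only
                Module  = ($Matches.dll  -split '\\')[-1]
                Level   = $Matches.level                    # "Windows" or "Microsoft"
            })
        }
    }
    end {
        $rows | Group-Object Process, Module, Level -NoElement |
            Sort-Object Count -Descending
    }
}

# Messages as quoted in this thread, used here as offline sample input.
$sample = @(
    'Code Integrity determined that a process (\Device\HarddiskVolume1\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume1\Program Files\Norton Security\Engine\22.21.5.44\symamsi.dll that did not meet the Windows signing level requirements.'
    'Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MpCmdRun.exe) attempted to load \Device\HarddiskVolume1\Program Files\Norton Security\Engine\22.21.8.62\symamsi.dll that did not meet the Microsoft signing level requirements.'
)
$sample | Get-CiBlockSummary

# On a live system, feed the real log instead:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3033 } |
#     Select-Object -ExpandProperty Message | Get-CiBlockSummary

# Read the embedded Authenticode signature of the blocked file (path from the thread).
$dll = 'C:\Program Files\Norton Security\Engine\22.21.8.62\symamsi.dll'
if (Test-Path $dll) {
    Get-AuthenticodeSignature -FilePath $dll |
        Select-Object Status, StatusMessage, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
}
```

A Valid status only confirms the Authenticode signature itself; as the Malwarebytes reply quoted above says, a protected process can still refuse a module whose certificate is not approved for it.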
