Understanding Windows audit log events for Datto AV (avamsi.dll)
Overview
Administrators may observe Windows audit log entries or Code Integrity events that reference avamsi.dll, a component of Datto AV. While these events can appear concerning, they are expected behavior in most environments and do not indicate a security threat or a malfunction of Datto AV.
This article explains what the Antimalware Scan Interface (AMSI) is, why avamsi.dll generates these events, which Windows conditions trigger them, how to validate the DLL’s authenticity, and when action is required.
What Is AMSI?
AMSI is a Windows framework that allows antivirus and security products to inspect application content at runtime before execution. AMSI commonly scans:
- PowerShell scripts
- VBScript and JScript
- WMI and WScript content
- Other dynamically generated or interpreted code
To participate in AMSI scanning, a security product registers an AMSI provider DLL with Windows. Datto AV registers avamsi.dll as its AMSI provider. Windows loads this DLL into supported processes so Datto AV can scan script content in real time.
How it works
The file avamsi.dll is a legitimate, digitally signed component of Datto AV. It is signed by Avira Operations GmbH through the Microsoft ID Verified Code Signing trust chain.
Microsoft acts as the root of trust and verifies Avira’s organizational identity, making this a stronger trust signal than a standard third‑party or self‑signed certificate.
Seeing “Avira Operations GmbH” as the signer is correct and expected. Datto AV is built on Avira’s Endpoint Protection SDK, which is why Avira appears as the certificate owner rather than Datto.
Certification path
The full certification path is:
Microsoft Identity Verification Root CA 2020
> Microsoft ID Verified Code Signing PCA 2021
> Microsoft ID Verified CS EOC CA 01
> Avira Operations GmbH
Despite being signed through a Microsoft‑rooted trust chain, Windows still classifies avamsi.dll as third‑party code. Certain protected or restricted Windows processes apply additional scrutiny to third‑party DLLs. When Windows evaluates avamsi.dll in these contexts and declines to load it, an audit event is generated by design.
Expected behavior
The following behavior is normal and does not require intervention:
- avamsi.dll loads successfully in standard user‑mode processes such as PowerShell, WScript, and supported application hosts.
- Windows may decline to load the DLL in certain protected processes and log an audit event.
- These events do not mean the DLL is unsafe, corrupted, or malfunctioning.
Relevant Event IDs
When troubleshooting, filter Windows Event Viewer for the following:
| Event ID | Source | Description |
|---|---|---|
| 3033 | Microsoft‑Windows‑CodeIntegrity | A file did not meet signing requirements. |
| 3034 | Microsoft‑Windows‑CodeIntegrity | A file was not allowed to load. |
| 5038 | Microsoft‑Windows‑CodeIntegrity | Code Integrity audit‑mode evaluation. |
These events are typically found in the Event Viewer by navigating to Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational.
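The following PowerShell function is an added example, not part of the original article or of Datto's tooling, that pulls the same three Event IDs from the table above and keeps only the entries whose message names avamsi.dll. It queries the CodeIntegrity Operational channel for 3033 and 3034 and the Security log for 5038 (which Windows writes to the Security log under the System Integrity audit subcategory); the function name and the -Days parameter are the example's own choices.

```powershell
# Added example: summarise Code Integrity events that reference avamsi.dll.
# Run in an elevated PowerShell session (the Security log needs admin rights).
function Get-AvamsiCodeIntegrityEvent {
    [CmdletBinding()]
    param(
        # Look-back window; adjust to cover the period since the last Windows or Datto AV update.
        [int]$Days = 7,
        # File name to match in the event message text.
        [string]$FileName = 'avamsi.dll'
    )

    $since = (Get-Date).AddDays(-$Days)

    # 3033 (did not meet signing requirements) and 3034 (not allowed to load)
    # live in the CodeIntegrity Operational channel.
    $ciEvents = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3033, 3034
        StartTime = $since
    }

    # 5038 (Code Integrity audit-mode evaluation) is written to the Security log.
    $secEvents = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = 5038
        StartTime = $since
    }

    # Keep only events whose message mentions the AMSI provider DLL.
    $matched = @($ciEvents) + @($secEvents) |
        Where-Object { $_ -and $_.Message -like "*$FileName*" }

    # One row per Event ID: how many times it fired, the most recent occurrence,
    # and the processes named in the messages (useful to confirm they are protected/PPL hosts).
    $matched | Group-Object Id | ForEach-Object {
        [PSCustomObject]@{
            EventId   = $_.Name
            Count     = $_.Count
            LastSeen  = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
            Processes = ($_.Group | ForEach-Object {
                            if ($_.Message -match 'process\s+([^\s]+)') { $Matches[1] }
                        } | Sort-Object -Unique) -join ', '
        }
    }
}

# Example usage: events from the last two weeks, formatted as a table.
Get-AvamsiCodeIntegrityEvent -Days 14 | Format-Table -AutoSize
```

If the function returns nothing, no matching events were logged in the window, which is the expected state on a host without WDAC audit mode, Credential Guard, or Code Integrity audit logging enabled. A steady stream of 3034 events whose Processes column lists only protected or PPL hosts matches the expected behavior described above; the same events against ordinary user-mode processes such as PowerShell are the case worth raising with Datto Support.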
Windows conditions that can trigger these events
The following configurations may cause avamsi.dll audit events to appear or increase in frequency:
- Windows Defender Application Control (WDAC) or AppLocker: Organizations enforcing application control policies may log or block any DLL not explicitly allowlisted, regardless of its signing status. If a WDAC policy is in audit mode, it will generate Code Integrity events for every DLL evaluation, including legitimate ones like avamsi.dll.
- Code Integrity Audit Logging enabled: Enabling the Code Integrity operational log (or the "Other System Events" audit subcategory) surfaces evaluations that were previously silent, which may appear as a sudden increase in events.
- Windows Credential Guard: Credential Guard protects LSA (Local Security Authority) and other sensitive processes using virtualization-based security. Third-party DLLs, including AMSI providers, cannot load into these protected contexts, which produces a load-failure event by design.
- Recent Windows feature updates: Microsoft has progressively tightened AMSI provider validation requirements in newer Windows builds. A Windows update may cause a DLL that previously loaded silently to begin generating audit events without any change to the DLL itself.
- Recent Datto AV installation or update: Initial AMSI registration or DLL updates can trigger a burst of evaluations as Windows re‑validates the provider.
- Protected Process Light (PPL): PPL processes restrict which DLLs can be injected or loaded into them. Third-party code, even when signed, is not permitted in PPL contexts. Audit events generated in these contexts are expected and do not require remediation.
NOTE avamsicli.dll Code Integrity Events: Some administrators may encounter Code Integrity events referencing avamsicli.dll. These were caused by a Windows code inspection bug, resulting in incorrect evaluations and invalid log entries.
Microsoft has released a fix. Ensure systems are fully up to date. If events persist after updating, contact Datto Support.
How to verify the DLL is legitimate
To confirm avamsi.dll is properly signed, you can verify the file directly. The signer will show as Avira Operations GmbH, as Datto AV is built on Avira's Endpoint Protection SDK.
Using PowerShell
In PowerShell, enter the following:
Get-AuthenticodeSignature "C:\Program Files\infocyte\agent\dattoav\Endpoint Protection SDK\amsi\x64\avamsi.dll"
A valid file returns:
- Status: Valid
- SignerCertificate Subject: Avira Operations GmbH
- Root CA: Microsoft Identity Verification Root CA 2020
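As an added example (not part of the article or of Datto's own tooling), the function below scripts the three checks listed above so they can be run across a fleet: signature status, signer subject, and the root of the certification path. It builds the chain from the signer certificate with the .NET X509Chain class; the function name, the -Path parameter default, and the ExpectedSigner/ExpectedRoot strings are taken from the article's stated values.

```powershell
# Added example: verify that avamsi.dll carries a valid Authenticode signature
# from Avira Operations GmbH chaining to the Microsoft Identity Verification Root CA 2020.
function Test-AvamsiSignature {
    [CmdletBinding()]
    param(
        # Default location from the article; override if Datto AV is installed elsewhere.
        [string]$Path = 'C:\Program Files\infocyte\agent\dattoav\Endpoint Protection SDK\amsi\x64\avamsi.dll',
        [string]$ExpectedSigner = 'Avira Operations GmbH',
        [string]$ExpectedRoot   = 'Microsoft Identity Verification Root CA 2020'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [PSCustomObject]@{ Path = $Path; Present = $false; Legitimate = $false; Reason = 'File not found' }
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Check 1: Windows considers the signature valid (hash matches, cert trusted, not revoked).
    $statusOk = $sig.Status -eq 'Valid'

    # Check 2: the leaf certificate's subject names the expected organisation.
    $signerSubject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $signerOk = $signerSubject -like "*CN=$ExpectedSigner*"

    # Check 3: walk the certification path and confirm the top element is the expected root.
    # Revocation was already evaluated by Get-AuthenticodeSignature, so the chain is built
    # without a second online revocation lookup to keep the check usable offline.
    $rootSubject = ''
    if ($sig.SignerCertificate) {
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        [void]$chain.Build($sig.SignerCertificate)
        $last = $chain.ChainElements.Count - 1
        if ($last -ge 0) { $rootSubject = $chain.ChainElements[$last].Certificate.Subject }
        $chain.Dispose()
    }
    $rootOk = $rootSubject -like "*CN=$ExpectedRoot*"

    $reason = @(
        if (-not $statusOk) { "Signature status is '$($sig.Status)'" }
        if (-not $signerOk) { "Signer is '$signerSubject'" }
        if (-not $rootOk)   { "Root is '$rootSubject'" }
    ) -join '; '

    [PSCustomObject]@{
        Path       = $Path
        Present    = $true
        Status     = $sig.Status
        Signer     = $signerSubject
        Root       = $rootSubject
        Legitimate = ($statusOk -and $signerOk -and $rootOk)
        Reason     = if ($reason) { $reason } else { 'All checks passed' }
    }
}

# Example usage: a Legitimate value of $false with the Reason column populated is the
# condition the article says should be escalated to Datto Support.
Test-AvamsiSignature | Format-List
```

Because the function returns an object rather than printing text, it can be fed to Export-Csv or an RMM script to collect results from many endpoints and flag only the hosts where Legitimate is false.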
Using Windows Explorer
- Navigate to: C:\Program Files\infocyte\agent\dattoav\Endpoint Protection SDK\amsi\x64\.
- Right‑click avamsi.dll > Properties.
- Open the Digital Signatures tab.
- Select Avira Operations GmbH and click Details.
- Confirm the signature status is “This digital signature is OK.”
- Click View Certificate.
- Click the Certification Path tab and confirm it chains to the Microsoft Identity Verification Root CA.
If the signer is not Avira Operations GmbH, the signature is missing, or the certificate is invalid, treat the file as potentially compromised and contact Datto Support immediately.
Summary
Audit log events referencing avamsi.dll reflect standard Windows behavior when evaluating third‑party AMSI provider DLLs in restricted or protected contexts. These events are benign in the vast majority of cases.
Verifying the digital signature is sufficient to rule out a security concern. For persistent or unexpected behavior, contact Datto Support.
| Revision | Date |
|---|---|
| Initial release | 6/2/26 |