4027 replies to this topic

[Robsoie]

Did more research into Microsoft AMSI due to the performance issues it's causing, AMSI is Microsofts way of stopping fileless attacks (VBScript, Powershell, etc) and it's an API that AV products can choose to use or not.

 

In Windows Defender it's been kind of hard implemented, it's tied to the Real-Time Protection setting, add exclusions in Windows Defneder does not affect Real-Time Protection only scans so only way to disable AMSI in Windows Defender is to toggle Real-Time Protection Off (bad).

 

In some products for example Sophos Home edition they haven't implemented AMSI integration (yet?) so it does not happen there even with Sophos version of real-time protection, I tried this.

 

In some premium products for example Kaspersky Total Security 2021 they are supposed to have AMSI exclusive options for disabling that specifically and being able add exclusions (see https://help.kaspers...n-US/186114.htm), since they are paid products I haven't tested that.

 

Hopefully we get more and better options for this in the future.

Very interesting explanation !

 

I was puzzled before that considering some games i have been running smoothly are more complex visually (higher polycounts in view, a lot more lights/explosions/animations) and some have lots more physics calculations (lots of objects affected at the same time instead of only a ball) than a pinball table in Visual Pinball.

 

It tis then making sense that i still see some stutter in a few vpx tables even after i edited their textures size (sometime even going to try 25% o ftheir original scale without the stutter being affected, only the loading time), regardless of low or high the video settings are, as those are very likely triggering that AMSI detection and checks.

 

Now i wonder then why some tables like Black Knight 2000 (though i did the 50% textures scaling so it load faster) despite having insane light shows (get the "black knight challenge", alias the multiball, i don't think i saw a vpx table with that big of a light show when the challenge start) do not seem to exhibit this stutter, maybe it's the way the scripts are wrote for that table ? I'm not knowledgable enough in vbs scripting to see exactly what it does differently than a table like 24

Edited by Robsoie, 08 July 2020 - 09:08 PM.

[toxie]

Yes, it's all depend on how a table is using the scripting, too.

Also older machine generations will usually trigger less script events than newer machines.

 

I'm also currently thinking up more ways how we could avoid some overhead by exposing PinMAME functionality differently to limit the needed interaction between VPX and VPM which would hopefully also help performance.

@Rawnei: Do you have any clue on which occasions AMSI is triggered? On each executed part of the script or only on "new" interactions via COM? I.e. are original tables like Serious Sam, Pokemon and the many many others showing less impact than the ones interacting with PinMAME?

It is a table not yet released, I can send it to you if you need it for testing.

Yes, please, otherwise its more complicated to fix by guessing things solely from your dump.

Edited by toxie, 08 July 2020 - 02:30 PM.

[Rawnei]

Yes, it's all depend on how a table is using the scripting, too.

Also older machine generations will usually trigger less script events than newer machines.

 

I'm also currently thinking up more ways how we could avoid some overhead by exposing PinMAME functionality differently to limit the needed interaction between VPX and VPM which would hopefully also help performance.

@Rawnei: Do you have any clue on which occasions AMSI is triggered? On each executed part of the script or only on "new" interactions via COM? I.e. are original tables like Serious Sam, Pokemon and the many many others showing less impact than the ones interacting with PinMAME?

It is a table not yet released, I can send it to you if you need it for testing.

Yes, please, otherwise its more complicated to fix by guessing things solely from your dump.

I think all the calls are analyzed, like every command performed to make sure it's not a malicious action.

[toxie]

This page is pretty interesting, as it lists the AMSI keywords (found at some point) that trigger a scan: https://github.com/s...tiv/AMSI-Bypass

[The Loafer]

I would have thought a modern Stern like Star Trek would be worse off than some of the Williams.  It has nice toys, some decent light effects, the toys look high poly but in VR, it's perfectly smooth while older tables will have micro stutter.  Maybe there are less flasher effects and large textures for those OR the script is written in such a way that it doesn't get hit so hard with the AMSI stuff, but it's really odd (but a good odd it doesn't seem to be so affected)

[toxie]

I think we all have to work together here, incl. all table authors, in order to find out what is more costly nowadays with AMSI. And in general how tables differ script-wise that show vastly different performance behavior, so that we can design guidelines what is good and what not, especially also with the interaction of VPX<->VPM.

 

Please just report any findings in here so that we could work towards less scripting overhead. I'm currently already revisiting the core scripts.

Edited by toxie, 09 July 2020 - 07:22 AM.

[Rawnei]

I think we all have to work together here, incl. all table authors, in order to find out what is more costly nowadays with AMSI. And in general how tables differ script-wise that show vastly different performance behavior, so that we can design guidelines what is good and what not, especially also with the interaction of VPX<->VPM.

 

Please just report any findings in here so that we could work towards less scripting overhead. I'm currently already revisiting the core scripts.

Good idea but we need more information about best practices too, my hope is that Microsoft will introduce a way to exclude executables from AMSI in Windows Defender sooner or later, I mean it's technically possible since it's just an API and other AV vendors are already doing things like that.

[toxie]

Still, even if that happens, i guess something like this can be beneficial as the efficiency of all the VPX<->VPM communication and script<->VPX/VPM hasn't been really tackled or deeply investigated in the last years.

[wrd1972]

Maybe i missed it. But can you just disable defender?

[Rawnei]

Maybe i missed it. But can you just disable defender?

Yes you missed it. And yes you can disable "Real-Time Protection" to disable AMSI.

 

I recommend only doing that while playing then enabling it so you have good protection while doing other stuff.

[toxie]

just for the fun of it, i reduced the filesize of the 4 biggest relevant core files dramatically, but i have no clue if this matters for AMSI (or in general the script compiler) or not.. so anybody (Rawnei? ) up for testing if this changes perf?

Oh, and Rawnei, another stupid idea that you may want to try (maybe you have already): https://support.micr...indows-security

Would it be enough to whitelist the VPX/VPM folders there??

Attached Files

•  core_compact.zip   20.3KB   8 downloads

Edited by toxie, 09 July 2020 - 02:02 PM.

[Rawnei]

just for the fun of it, i reduced the filesize of the 4 biggest relevant core files dramatically, but i have no clue if this matters for AMSI (or in general the script compiler) or not.. so anybody (Rawnei? ) up for testing if this changes perf?

Oh, and Rawnei, another stupid idea that you may want to try (maybe you have already): https://support.micr...indows-security

Would it be enough to whitelist the VPX/VPM folders there??

I don't think filesize matters as AMSI is scanning memory but I can test it tomorow, also those exclusions do not exclude from AMSI at the moment unfortunately.

[toxie]

But i'd think that the scan for keywords works on the original script and then passes that one on to AMSI if something is found (which should be the case as we use some keyword functions)? As for the data that is passed via COM, etc, yes, this will not change anything.  :/

[DJRobX]

But i'd think that the scan for keywords works on the original script and then passes that one on to AMSI if something is found (which should be the case as we use some keyword functions)? As for the data that is passed via COM, etc, yes, this will not change anything.  :/

If I had to guess, our problem is that we use "execute" a lot.   I.e. SolCallback stores a code in a variable, then we "execute" the code inside of it.      We do this for vpmTimer to call things on a delay also.  

AMSI probably is invoked to re-check each snippet that is dynamically called.   This would be why modulated solenoid routines seem so impacted - they hit SolModCallback hard, where regular light routines just go through a normal code path.    I'm not sure there's much we can do to fix it short of re-engineering how we handle solenoids, which will require table updates. 

 

It would be really nice if exclusions worked like they're supposed to, but they don't.   Even from other AV vendors.   I assume this is a limitation of Microsoft's API .  

Edited by DJRobX, 09 July 2020 - 02:38 PM.

[toxie]

If that's what it takes, why not? Do you have ideas/suggestions what we could do on the VPM or VPX side to make this more efficient to access?

[trizoneGB]

airborne seems to crash vpx on the newest 10.7 but works on 10.6. thanks for all the awesomeness fellas!!

[toxie]

was already fixed, so next beta will work, but thanks for the report!

[wrd1972]

Toxie, Fuzzle,

Would it be possible to have a "screen space reflections" enable/disable switch added to walls, ramps, prims?

[bord]

Second this!

[wrd1972]

Toxie, Fuzzle,

I have been playing a lot of VP recently and there is still a shortcoming that IMO, is greatly impacting game play. We have talked about this before, but I dont think it has been re-visytied recently. Could be wrong though. The issue is with "double-drops" or lack there of with drop target  banks. I now have a fully restored real Black Knight, and I have been playing Bord's BK in VP quite a bit. I have fine tuned Bords table and it plays very close to the real thing, except that a double-drop on a DT bank can not occur. Its just amazing how much longer it takes and how much harder it is to drop a 3-DT banks when double-drops are not possible. 

 

On my personal tables as well as many others from other authors tables with DT banks, we have added hacks that will allow a double-drop, and it works quite well. But ultimately I think we need have this double-drop function added to the engine if and  when its possible to do so.

 

Is it possible to take another look at this for 10.7? Or is it still very much out of scope and will have to be kicked down the road? I think if there were a list created with the most issues that truly impact gameplay, this issue would be near the very top. Just wondering if others agree.

 

Thanks