Merge pull request #4895 from DeCohen/WI449590-amsi-demonstrations-mde-switch-image-code-snippet

convert amsi demonstration script images into code snippets

Author: aditisrivastava07

defender-endpoint/mde-demonstration-amsi.md

@@ -11,7 +11,7 @@ audience: ITPro
 ms.collection: 
 - m365-security
 ms.topic: how-to
-ms.date: 08/19/2025
+ms.date: 09/01/2025
 search.appverid: met150
 ms.custom: 
 - partner-contribution
@@ -52,17 +52,34 @@ In this demonstration article, you have two engine choices to test AMSI:
    ```powershell
    $testString = "AMSI Test Sample: " + "7e72c3ce-861b-4339-8740-0ac1484c1386"
    Invoke-Expression $testString
-   ```
+   ```powershell
    
-2. On your device, open PowerShell as an administrator.
+1. On your device, open PowerShell as an administrator.
 
-3. Type `Powershell -ExecutionPolicy Bypass AMSI_PoSh_script.ps1`, and then press **Enter**.
+1. Type `Powershell -ExecutionPolicy Bypass AMSI_PoSh_script.ps1`, and then press **Enter**.
 
    The result should be as follows:
 
-   :::image type="content" source="media/mde-demonstrations-amsi/test-amsi-powershell-results.png" alt-text="Screenshot showing the results of the AMSI test sample. It should show a threat was detected." lightbox="media/mde-demonstrations-amsi/test-amsi-powershell-results.png":::
+    ```powershell
+       Invoke-Expression : At line:1 char:1
+
+       + AMSI Test Sample: 7e72c3ce-861b-4339-8740-8ac1484c1386
+
+       + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+       This script contains malicious content and has been blocked by your antivirus software.
+
+       At C:\Users\Admin\Desktop\AMSI_PoSh_script.ps1:3 char:1
+
+       + Invoke-Expression $testString
+
+       + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+       + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
+       
+       + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand
+        ```
 
-   
 ### Testing AMSI with VBScript
 
 1. Save the following VBScript as `AMSI_vbscript.vbs`:
@@ -74,20 +91,63 @@ In this demonstration article, you have two engine choices to test AMSI:
    WScript.Echo result
    ```
 
-2. On your Windows Device, open Command Prompt as an administrator.
+1. On your Windows Device, open Command Prompt as an administrator.
 
 1. Type `wscript AMSI_vbscript.vbs`, and then press **Enter**.
 
    The result should be as follows:
 
-      :::image type="content" source="media/mde-demonstrations-amsi/test-amsi-vbscript-results.png" alt-text="Screenshot showing the AMSI test results. It should show that antivirus software blocked the script." lightbox="media/mde-demonstrations-amsi/test-amsi-vbscript-results.png":::
+    ```vbscript
+    Windows Script Host
+
+    Script: C:\Users\Admin\Desktop\AMSI_vbscript.vbs
+
+    Line: 3
+
+    Char: 1
+
+    Error: This script contains malicious content and has been blocked by your antivirus software.: 'eval'
 
+    Code: 800A802D
+
+    Source: Microsoft VBScript runtime error
+   ```
 
 ### Verifying the test results
 
 In your protection history, you should be able to see the following information:
 
-:::image type="content" source="media/mde-demonstrations-amsi/verifying-results.png" alt-text="Screenshot showing the AMSI test results. The information should show that a threat was blocked and cleaned." lightbox="media/mde-demonstrations-amsi/verifying-results.png":::
+```vbscript
+Threat blocked
+
+Detected: Virus: Win32/MpTest!amsi
+
+Status: Cleaned
+
+This threat or app was cleaned or quarantined before it became active on your device.
+
+Details: This program is dangerous and replicates by infecting other files.
+
+Affected items:
+
+amsi: \Device\HarddiskVolume3\Windows\System32\WindowsPowershell\v1.0\powershell.exe
+
+or
+
+amsi: C:\Users\Admin\Desktop\AMSI_vbscript.vbs
+
+and/or you might see:
+
+Threat blocked
+
+Detected: Virus: Win32/MpTest!amsi
+
+Status: Cleaned
+
+This threat or app was cleaned or quarantined before it became active on your device.
+
+Details: This program is dangerous and replicates by infecting other files
+```
 
 ### Get the list of Microsoft Defender Antivirus threats
 
@@ -101,17 +161,68 @@ You can view detected threats by using the Event log or PowerShell.
 
 3. Look for `event ID 1116`. You should see the following information:
 
-   :::image type="content" source="media/mde-demonstrations-amsi/eventid1116.png" alt-text="Screenshot showing Event ID 1116, which says malware or unwanted software was detected." lightbox="media/mde-demonstrations-amsi/eventid1116.png":::
+```powershell
+
+Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
+
+For more information please see the following: https://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/MpTest!amsi&t
+
+Name: Virus:Win32/MpTest!amsi
+
+ID: 2147694217
+
+Severity: Severe
+
+Category: Virus
+
+Path: \Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe or C:\Users\Admin\Desktop\AMSI_jscri
+
+Detection Origin: Local machine or Unknown
+
+Detection Type: Concrete
+
+Detection Source: System
+
+User: NT AUTHORITY\SYSTEM
 
-##### Use PowerShell
+Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe or C:\Windows\System32\cscript.exe or C:\Windows\Sy
+
+Security intelligence Version: AV: 1.419.221.0, AS: 1.419.221.0, NIS: 1.419.221.0
+
+Engine Version: AM: 1.1.24080.9, NIS: 1.1.24080.9
+```
+
+#### Use PowerShell 
 
 1. On your device, open PowerShell.
 
-2. Type the following command: `Get-MpThreat`.
+1. Type the following command: `Get-MpThreat`.
 
    You might see the following results:
 
-   :::image type="content" source="media/mde-demonstrations-amsi/get-mpthreat-results.png" alt-text="Screenshot showing the results of the Get-MpThreat command. It should show that an AMSI threat was detected." lightbox="media/mde-demonstrations-amsi/get-mpthreat-results.png":::
+    ```powershell
+    CategoryID     : 42
+
+    DidThreatExecute : True
+
+    IsActive       : True
+
+    Resources      :
+
+    RollupStatus   : 97
+
+    SchemaVersion  : 1.0.0.0
+
+    SeverityID     : 5
+
+    ThreatID       : 2147694217
+
+    ThreatName     : Virus:Win32/MpTest!amsi
+
+    TypeID         : 0
+
+    PSComputerName :
+    ```
 
 
 ## See also