Ambih Monitor

Why does my antivirus flag Ambih?

Ambih is a developer tool that throttles, monitors and inspects processes. The same Windows APIs it uses for that — Job Objects, firewall rules, TCP-table enumeration, DPAPI, pseudo-consoles — are also used (and abused) by malware. Some antivirus engines pattern-match on those APIs even when the calling app is legitimate. This page explains exactly what Ambih does, why, and what to do if your AV gets in the way.

Last updated: 2026-05-28

On this page

  1. The "Windows protected your PC" warning
  2. Windows APIs Ambih uses (and why)
  3. What Ambih never does
  4. Verifying your download is authentic
  5. If your antivirus blocks Ambih
  6. Why Free does not touch the Windows Firewall

1. The "Windows protected your PC" warning

When you download Ambih from this website and double-click the installer, Windows may show a blue dialog titled "Windows protected your PC". This is SmartScreen, not a virus detection. It appears for any installer that has not yet accumulated enough downloads to build a reputation with Microsoft.

  • Click "More info".
  • Click "Run anyway".
Tip — avoid the warning entirely

The same Ambih binary is also published on the Microsoft Store and via winget. Both channels deliver a Microsoft-signed copy with no SmartScreen warning. Run winget install --source msstore Ambih from PowerShell, or search "Ambih Monitor" in the Microsoft Store.

2. Windows APIs Ambih uses (and why)

Heuristic antivirus engines (Norton, McAfee, Kaspersky, Bitdefender, and others) sometimes flag combinations of legitimate APIs as suspicious. Below is every API Ambih touches that an engine could pattern-match, with the reason it is used. Nothing on this list installs persistence, exfiltrates data, modifies other processes, or runs unsigned downloaded code.

API / behavior: JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE (Job Object throttling)
  What Ambih does with it: Enforces CPU and memory caps you configure for a launched project. When Ambih exits, the launched processes exit with it — no orphaned children.
  Why it might trigger AV: Resembles "process containment" patterns malware uses to confine victim processes.

API / behavior: netsh advfirewall add rule (Windows Firewall manipulation)
  What Ambih does with it: Optional per-session outbound block, requested by you. Only invoked when you are signed in on the Pro tier; Free users get an application-layer soft-block with no firewall write.
  Why it might trigger AV: Firewall changes are a persistence / evasion vector when malware uses them.

API / behavior: GetExtendedTcpTable (TCP connection enumeration)
  What Ambih does with it: Powers the per-process TCP connections table you see in the network panel. Read-only — Ambih never opens, modifies or sniffs any other process's traffic.
  Why it might trigger AV: Reconnaissance APIs are read by malware for lateral movement; Ambih reads them for the monitor UI.

API / behavior: ProtectedData.Protect / Unprotect (DPAPI)
  What Ambih does with it: Stores your Pro-tier OAuth tokens at %LOCALAPPDATA%\Ambih\auth.bin, encrypted to your Windows user. DPAPI is the Microsoft-recommended way to store secrets on Windows.
  Why it might trigger AV: Paranoid heuristics flag DPAPI calls as "credential theft preparation," even though DPAPI is the secure pattern.

API / behavior: HKCU\Environment PATH write (CLI installer)
  What Ambih does with it: When you opt in to install the ambih CLI, this adds the install folder to your user-scope PATH. No system-wide change, no admin required.
  Why it might trigger AV: PATH modification is a classic persistence vector when done by malware. Ambih does it only on explicit request from the CLI installer screen.

API / behavior: CreatePseudoConsole (ConPTY)
  What Ambih does with it: Hosts the in-app terminal view that mirrors stdout/stderr of your launched project.
  Why it might trigger AV: Pseudo-console creation is occasionally flagged as "suspicious terminal spawn" by aggressive AVs.

API / behavior: Process.GetProcesses() + parent-PID walk (Process tree)
  What Ambih does with it: Builds the per-session process tree you see in the monitor UI.
  Why it might trigger AV: Read by malware to find target processes; Ambih reads it to render the tree for you. Most modern AVs whitelist this because every monitoring tool does it.

API / behavior: HTTPS POST /api/heartbeat (licensing)
  What Ambih does with it: Sent every 5 minutes when you are signed in on the Pro tier, to confirm your subscription is still valid. Always HTTPS. Free users send nothing.
  Why it might trigger AV: Periodic outbound POSTs can resemble command-and-control beaconing to crude heuristics. Ambih's requests are visible in the application log and target a single, documented endpoint.
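Two of the rows above (the parent-PID process tree and the per-process TCP table) are pure read-only enumeration, which is why an analyst can reproduce them from a normal PowerShell session. The script below is an added example, not Ambih's code: it builds a process tree with the same parent-PID walk and lists the TCP connections owned by those processes, using Get-CimInstance Win32_Process and Get-NetTCPConnection (both standard on Windows 8 / Server 2012 and later). Function names are my own; nothing here opens, writes to or signals any other process.

```powershell
# Added example (not Ambih's code): the read-only views a process monitor renders.
# Get-ProcessTree  - parent-PID walk from a root process, depth-first
# Get-ProcessTcpTable - TCP connections owned by a set of PIDs, read-only

function Get-ProcessTree {
    param([int]$RootPid = $PID)   # default: the PowerShell session itself

    # One snapshot of every process with its parent PID.
    $procs = Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name

    # Index children by parent. CIM returns UInt32 PIDs; hashtable lookups compare
    # boxed types, so every key is cast to [int] once here and once on lookup.
    $children = @{}
    $byPid    = @{}
    foreach ($p in $procs) {
        $parent = [int]$p.ParentProcessId
        if (-not $children.ContainsKey($parent)) {
            $children[$parent] = [System.Collections.Generic.List[object]]::new()
        }
        $children[$parent].Add($p)
        $byPid[[int]$p.ProcessId] = $p
    }

    # Depth-first walk with a visited set: PIDs are reused, so a stale
    # ParentProcessId can otherwise produce a cycle.
    $stack = [System.Collections.Generic.Stack[object]]::new()
    $stack.Push(@{ Id = $RootPid; Depth = 0 })
    $seen = @{}
    while ($stack.Count -gt 0) {
        $cur = $stack.Pop()
        if ($seen.ContainsKey($cur.Id)) { continue }
        $seen[$cur.Id] = $true
        $node = $byPid[$cur.Id]
        if ($null -eq $node) { continue }             # root PID already gone
        [pscustomobject]@{ Depth = $cur.Depth; ProcessId = $cur.Id; Name = $node.Name }
        foreach ($c in $children[$cur.Id]) {
            $stack.Push(@{ Id = [int]$c.ProcessId; Depth = $cur.Depth + 1 })
        }
    }
}

function Get-ProcessTcpTable {
    param([int[]]$ProcessIds)
    # Get-NetTCPConnection reads the TCP table with the owning PID; it never
    # touches the sockets themselves, so this is the same read-only picture
    # a network panel shows.
    Get-NetTCPConnection |
        Where-Object { $ProcessIds -contains $_.OwningProcess } |
        Sort-Object OwningProcess, LocalPort |
        Select-Object OwningProcess, LocalAddress, LocalPort, RemoteAddress, RemotePort, State
}

# Usage: render the tree under this shell, then the TCP table for those PIDs.
$tree = Get-ProcessTree -RootPid $PID
$tree | ForEach-Object { ('  ' * $_.Depth) + "$($_.ProcessId) $($_.Name)" }
Get-ProcessTcpTable -ProcessIds ($tree.ProcessId) | Format-Table -AutoSize
```

A bare PowerShell session usually owns no TCP connections, so the second table is often empty for the default root; pointing -RootPid at a process that does have connections (a browser, or the Ambih-launched project) shows the table filling in. Running this while Ambih is open is a quick way to confirm that what its network panel displays is exactly what the OS already exposes to any user-level reader.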

3. What Ambih never does

For completeness, here is what Ambih does not contain — the actual malware patterns a security analyst looks for:

  • No process injection — no CreateRemoteThread, WriteProcessMemory, SetWindowsHookEx, NtMapViewOfSection, or similar.
  • No download-and-execute of remote code at runtime.
  • No unsigned native loader, no packer, no obfuscation.
  • No registry Run-key, no scheduled task, no service installation — Ambih starts only when you launch it.
  • No reading of other applications' memory, files outside its install/data folders, or browser credential stores.
  • No telemetry or analytics beacons. The only outbound HTTPS traffic is the Pro-tier heartbeat described above.
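The list above is a set of checkable claims, and a cautious user does not have to take them on trust. The script below is an added example, not Ambih's code: it looks in the autostart locations named in the list (Run/RunOnce keys, scheduled tasks, services) for anything referencing the product, and reports the one documented change, the user-scope PATH entry the CLI installer adds on request. The match pattern and function name are my own assumptions; an empty result means none of those persistence mechanisms references Ambih on this machine.

```powershell
# Added example (not Ambih's code): audit the "never does" claims locally.
# Returns one object per finding; an empty list means the claims hold here.
function Test-AmbihPersistence {
    param([string]$Pattern = 'Ambih')   # assumed match string for the product

    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Run / RunOnce keys in both hives: the classic autostart locations.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # PSPath, PSProvider, ...
            if ("$($p.Value)" -match $Pattern) {
                $findings.Add([pscustomobject]@{
                    Type = 'RunKey'; Location = "$key\$($p.Name)"; Value = "$($p.Value)" })
            }
        }
    }

    # 2. Scheduled tasks whose action launches a matching executable.
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            if ("$($a.Execute) $($a.Arguments)" -match $Pattern) {
                $findings.Add([pscustomobject]@{
                    Type = 'ScheduledTask'; Location = "$($t.TaskPath)$($t.TaskName)"; Value = $a.Execute })
            }
        }
    }

    # 3. Services whose binary path matches.
    foreach ($s in Get-CimInstance Win32_Service) {
        if ("$($s.PathName)" -match $Pattern) {
            $findings.Add([pscustomobject]@{
                Type = 'Service'; Location = $s.Name; Value = $s.PathName })
        }
    }

    # 4. The one documented change: a user-scope PATH entry, present only if
    #    you opted in on the CLI installer screen. Reported, not flagged.
    $userPath = [Environment]::GetEnvironmentVariable('Path', 'User')
    foreach ($entry in ($userPath -split ';')) {
        if ($entry -match $Pattern) {
            $findings.Add([pscustomobject]@{
                Type = 'UserPath'; Location = 'HKCU\Environment\Path'; Value = $entry })
        }
    }

    return $findings
}

# Usage
$result = Test-AmbihPersistence
if ($result.Count -eq 0) {
    'No Run key, scheduled task or service references Ambih, and no user PATH entry is present.'
} else {
    $result | Format-Table -AutoSize
}
```

Reading the HKLM Run keys, the task list and the service table needs no elevation, so this runs as a standard user. A UserPath finding is expected if you installed the CLI; anything of type RunKey, ScheduledTask or Service would contradict the list above and is worth reporting to the support address further down.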

4. Verifying your download is authentic

Three ways to confirm the Ambih binary you have is the one we published, in order of effort:

  1. Install via Microsoft Store or winget install --source msstore Ambih — Microsoft signs the binary on their servers; SmartScreen will never warn.
  2. Check the SHA-256 hash against the value published on the download page. From PowerShell: Get-FileHash .\AmbihSetup-latest.msi -Algorithm SHA256.
  3. Inspect the binary with VirusTotal at virustotal.com. Ambih is uploaded with every release; you should see a small number of heuristic flags from aggressive engines and zero detections from Microsoft Defender.
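Step 2 is the one most people skip because comparing a 64-character hash by eye is error-prone. The script below is an added example, not Ambih's code: it wraps Get-FileHash in a strict comparison against the published value and also reports the file's Authenticode signature status with Get-AuthenticodeSignature. The function name is my own; the expected hash is a placeholder you replace with the value from the download page. The page does not say who signs the direct-download MSI, so the script reports the signer rather than asserting a particular one.

```powershell
# Added example (not Ambih's code): check a downloaded installer before running it.
function Test-AmbihDownload {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256   # value from the download page
    )

    $result = [ordered]@{
        Path         = $Path
        HashMatches  = $false
        ActualSha256 = $null
        Signature    = 'NotChecked'
        Signer       = $null
    }

    # 1. SHA-256 of the file against the published value. Strip anything that is
    #    not a hex digit from the pasted value so whitespace or a "sha256:" prefix
    #    cannot cause a false mismatch; the compare itself is exact.
    $actual   = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $expected = $ExpectedSha256 -replace '[^0-9a-fA-F]', ''
    $result.ActualSha256 = $actual
    $result.HashMatches  = ($expected.Length -eq 64) -and ($actual -ieq $expected)

    # 2. Authenticode signature. 'Valid' means an embedded signature chains to a
    #    trusted root on this machine; 'NotSigned' or 'HashMismatch' means the
    #    file is unsigned or has been altered since signing.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.Signature = $sig.Status.ToString()
    if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }

    [pscustomobject]$result
}

# Usage: placeholder hash, not a real Ambih release value. Do not run the
# installer unless HashMatches is True.
$check = Test-AmbihDownload -Path .\AmbihSetup-latest.msi -ExpectedSha256 '<paste SHA-256 from the download page>'
$check | Format-List
if (-not $check.HashMatches) { Write-Warning 'Hash does not match the published value; do not install.' }
```

A hash match proves the file is byte-for-byte what the download page lists; the signature check is independent of that and tells you whether the file carries a verifiable publisher signature at all. If the hash matches but the signature reports NotSigned, the file is still the one the site published, which is exactly the situation SmartScreen's reputation warning in section 1 is about.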

5. If your antivirus blocks Ambih

If your AV quarantines the installer or stops the app from launching, you have two options:

Add an exclusion

Add the Ambih install folder (default: %LOCALAPPDATA%\Programs\Ambih) and the AmbihMonitor.exe binary to your AV's exclusion list. The exact menu varies by product — search your AV's help for "add exclusion" or "whitelist a folder".

Submit a false-positive report

This helps everyone — once your AV vendor confirms the file is clean, the detection is removed for all of their customers within a few days. Direct submission pages:

  • Microsoft Defender — microsoft.com/en-us/wdsi/filesubmission
  • Norton / Symantec — submit.symantec.com/false_positive
  • McAfee — mcafee.com/enterprise/en-us/threat-center/false-positive-submission.html
  • Bitdefender — bitdefender.com/consumer/support/answer/29358
  • Kaspersky — opentip.kaspersky.com
We will help

Email [email protected] with the AV vendor, the detection name, and the version of Ambih. We track false positives across versions and submit on behalf of users where the vendor accepts third-party submissions.

6. Why Free does not touch the Windows Firewall

The single highest AV-heuristic flag in any developer tool is "spawns netsh.exe on a fresh install." Even though Ambih's use of netsh advfirewall is legitimate (an opt-in per-session outbound block you configured yourself), the pattern of install → spawn netsh on first launch trips heuristic engines during the early SmartScreen reputation-build window.

To make the first-run experience as clean as possible, the OS-level firewall rule is only installed when you are signed in on the Pro tier. Free users who toggle "block outbound" get an application-layer soft-block: Ambih records the intent and surfaces it in the UI, but no netsh command runs. This is honest — the UI shows a yellow shield, not a green check — and it keeps the Free-tier install footprint identical to a pure-monitor app.

If you need real OS-level outbound enforcement (sandboxing an untrusted project, for example), upgrade to Pro and the rule is installed automatically. Either way, the choice is yours and the behavior is documented.

© 2026 Ambih Monitor. All rights reserved.

Built with .NET 8 · Avalonia 11