AMSI support is available as a beta feature in Carbon Black EDR 7.2 and later releases, together with the Windows 7.1+ sensor.

The fileless scriptload event leverages the Anti-Malware Scanning Interface (AMSI) support that is available in Windows 10 and Windows 2016. Endpoints must be running Windows 10 RS2 or higher for our sensors to record AMSI data.

The fileless_scriptload event represents each occasion when the sensor detected AMSI-decoded script content that was executed by any process on the endpoint. This consists only of fileless script content that was not stored in a file on the file system when that context was executed.

For example, you can detect when the PowerShell runtime was loaded into another process by malware, which obtains encoded PowerShell script content from a remote network server and then executes that script content directly from memory.

The sensor reports events to the Carbon Black EDR server only if they originate from an event that is not backed by an on-disk file. File-based scripts are logged locally.

Support for decoding fileless script content via AMSI is dependent on the script interpreter that integrates with the AMSI interface in Windows. Carbon Black EDR currently supports PowerShell. For information about the AMSI API, see https://docs.microsoft.com/en-us/windows/win32/amsi/dev-audience .