In the Carbon Black EDR Console, you can toggle the collection of AMSI events per sensor group. AMSI event collection is disabled by default.

To enable AMSI events for a sensor group:

  1. On the navigation bar, click Sensors.

  2. Select the sensor group.

  3. In the Event Collection Settings section, select the checkbox for Fileless script loads.

  4. Click Save Group.

See also "Sensor Groups" in the VMware Carbon Black EDR User Guide.