AMSI data is part of process execution metadata. A generic event type is added as part of the AMSI data stream.

To see the raw AMSI data in Event Forwarder, you can expand the fileless_scriptload events . Other metadata that the fileless script events captures include the script length and the unique SHA256 hash of the fileless script event.

All AMSI content is logged locally on the endpoint as a text file. The log is located in the sensor installation directory and is named AmsiEvents.log . This log contains all AMSI content that is detected by the sensor, including events that are not reported to the Carbon Black EDR server due to privacy reasons.

AMSIEvents.log on the endpoint is capped at 50 MB, unzipped. After that limit is reached, the log contents are migrated to a new file ( AMSIEvents.old.log ) before recreating AMSIEvents.log . After the second 50 MB log fills up, Carbon Black overwrites AMSIEvents.old.log again. Therefore, no more than two 50 MB local log files exist.