Anti-Malware Scanning Interface

A sensor event called the fileless scriptload event is recorded by the Carbon Black EDR Windows sensor.

Anti-Malware Scanning Interface (AMSI) support is available in Carbon Black EDR 7.2 and later releases, together with the Windows 7.1+ sensor.

The fileless scriptload event leverages the Anti-Malware Scanning Interface (AMSI) support that is available in Windows 10 and Windows 2016. Endpoints must be running Windows 10 RS2 or higher for Carbon Black EDR sensors to record AMSI data.

The fileless_scriptload event represents each occasion when the sensor detected AMSI-decoded script content that was executed by any process on the endpoint. This consists only of fileless script content that was not stored in a file on the file system when that context was executed.

For example, you can detect when the PowerShell runtime was loaded into another process by malware, which obtains encoded PowerShell script content from a remote network server and then executes that script content directly from memory.

The sensor reports events to the Carbon Black EDR server only if they originate from an event that is not backed by an on-disk file. File-based scripts are logged locally.

Support for decoding fileless script content via AMSI is dependent on the script interpreter that integrates with the AMSI interface in Windows. Carbon Black EDR currently supports PowerShell. For information about the AMSI API, see https://docs.microsoft.com/en-us/windows/win32/amsi/dev-audience .

AMSI Data

AMSI data is part of process execution metadata. A generic event type is added as part of the AMSI data stream.

To see the raw AMSI data in Event Forwarder, you can expand the fileless_scriptload events . Other metadata that the fileless script events captures include the script length and the unique SHA256 hash of the fileless script event.

All AMSI content is logged locally on the endpoint as a text file. The log is located in the sensor installation directory and is named AmsiEvents.log . This log contains all AMSI content that is detected by the sensor, including events that are not reported to the Carbon Black EDR server due to privacy reasons.

AMSIEvents.log on the endpoint is capped at 50 MB, unzipped. After that limit is reached, the log contents are migrated to a new file ( AMSIEvents.old.log ) before recreating AMSIEvents.log . After the second 50 MB log fills up, Carbon Black overwrites AMSIEvents.old.log again. Therefore, no more than two 50 MB local log files exist.