The Carbon Black EDR Windows sensor records a sensor event called the fileless script load event (fileless_scriptload).

Antimalware Scan Interface (AMSI) support is available in Carbon Black EDR Server 7.2 and later releases, together with the Carbon Black EDR Windows 7.1+ sensor.

The fileless script load event relies on the Antimalware Scan Interface (AMSI) support that is built into Windows 10 and Windows Server 2016. Endpoints must be running Windows 10 RS2 (version 1703) or later for Carbon Black EDR sensors to record AMSI data.

The fileless_scriptload event represents each occasion on which the sensor detected AMSI-decoded script content being executed by any process on the endpoint. It covers only fileless script content, that is, content that was not backed by a file on the file system at the time it was executed.

For example, you can detect malware that loads the PowerShell runtime into another process, retrieves encoded PowerShell script content from a remote server, and executes that content directly from memory without ever writing a .ps1 file to disk.

The sensor reports a fileless script load event to the Carbon Black EDR Server only if the script load is not backed by an on-disk file. File-backed script loads are logged locally on the endpoint only (see AMSI Data below) and are not sent to the server.

Support for decoding fileless script content through AMSI depends on the script interpreter integrating with the AMSI interface in Windows; content from interpreters that do not call AMSI is not visible to the sensor. Carbon Black EDR currently supports PowerShell. For information about the AMSI API, see https://docs.microsoft.com/en-us/windows/win32/amsi/dev-audience.

AMSI Data

AMSI data is part of process execution metadata. A generic event type is added as part of the AMSI data stream.

All AMSI content is logged locally on the endpoint as a text file. The log is located in the sensor installation directory and is named AmsiEvents.log. This log contains all AMSI content that is detected by the sensor, including file-backed script loads and other events that are not reported to the Carbon Black EDR server for privacy reasons.

AmsiEvents.log on the endpoint is capped at 50 MB, uncompressed. When that limit is reached, the current log is renamed to AmsiEvents.old.log (overwriting any existing AmsiEvents.old.log) and a new, empty AmsiEvents.log is created. Because each rotation overwrites the previous AmsiEvents.old.log, no more than two 50 MB local log files exist at any time, and AMSI content older than the last two rotations is lost from the endpoint.
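The following PowerShell script is an added example, not part of the Carbon Black EDR documentation or the sensor itself. It exercises the behaviour described above: it executes a benign marker script in two fileless ways (in-memory Invoke-Expression of decoded content, and a child powershell.exe started with -EncodedCommand), executes the same content from an on-disk .ps1 for contrast, and then checks the local AMSI log for the marker and reports how close each log file is to the 50 MB rotation cap. It assumes the sensor installation directory is C:\Windows\CarbonBlack and that the log stores decoded script content as plain text; both are assumptions, so adjust the path and pattern for your deployment. Run it as an administrator on a Windows 10 RS2 or later endpoint with the 7.1+ sensor installed.

```powershell
# Added example (not Carbon Black's code): generate fileless and file-backed
# PowerShell script loads, then confirm what the sensor logged locally.
# Assumption: sensor install directory; change for your deployment.
$sensorDir = Join-Path $env:SystemRoot "CarbonBlack"

# Unique marker so the log search below only matches this run.
$marker = "cb-amsi-example-" + [guid]::NewGuid().ToString("N")

# Script content that is built and decoded in memory. It is never written to
# disk, so AMSI hands it to the sensor without a backing file path and the
# sensor should report it to the server as a fileless_scriptload event.
$script  = "Write-Output 'fileless marker $marker'"
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($script))

# 1. Decode and execute inside this process (the pattern a loader uses after
#    pulling encoded content off the network).
Invoke-Expression ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($encoded)))

# 2. Same content passed to a child interpreter via -EncodedCommand
#    (UTF-16LE base64, which is what the encoding above produces).
& powershell.exe -NoProfile -EncodedCommand $encoded

# 3. Contrast case: identical content executed from a .ps1 file. AMSI still
#    scans it, but the load is file-backed, so it should appear only in the
#    local log and not be reported to the server.
$ps1 = Join-Path $env:TEMP "amsi-file-backed-example.ps1"
Set-Content -Path $ps1 -Value "Write-Output 'file-backed marker $marker'"
& $ps1
Remove-Item -Path $ps1 -Force

# 4. Give the sensor a moment, then inspect the local log and its rotated
#    predecessor. Assumption: decoded content is stored as plain text.
Start-Sleep -Seconds 5
$capMB = 50
foreach ($name in @("AmsiEvents.log", "AmsiEvents.old.log")) {
    $path = Join-Path $sensorDir $name
    if (-not (Test-Path -Path $path)) {
        Write-Output ("{0}: not present" -f $path)
        continue
    }
    $sizeMB = (Get-Item -Path $path).Length / 1MB
    Write-Output ("{0}: {1:N1} MB of the {2} MB cap" -f $path, $sizeMB, $capMB)
    # Expect two 'fileless marker' entries and one 'file-backed marker' entry
    # for this run across the two files (all three are logged locally).
    Select-String -Path $path -Pattern $marker -SimpleMatch |
        ForEach-Object { Write-Output ("  " + $_.Line) }
}
```

If the marker is absent from both files, check that the endpoint meets the Windows 10 RS2 requirement and that the sensor version is 7.1 or later, since older sensors do not consume AMSI data at all. Because the log rotates after 50 MB and only one rotated copy is kept, run the search promptly on busy endpoints; the content is gone once two rotations have passed.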