EDR: Does the Fileless_Scriptloads Data Impact the EDR Server Performance?

Environment

  • EDR Server: 7.6+

Question

Does the fileless_scriptloads event data impact the EDR Server's performance?

Answer

  • During fileless_script data ingress, Solr may use more CPU and memory to process and index the large chunks of script data (up to 32KB).
  • During a fileless Process Search, the Solr index is expected to handle searches over both large and small fields efficiently. Optionally, search on the SHA256 hash of the script text instead of the text itself.
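As an added illustration of the hash-based alternative above (example code, not part of the article or the product), the helper below reduces a fileless_scriptload record to the SHA256 of its script content, so a hunt can pivot on a short fixed-width value rather than a full-text search, and flags content that sits at the 32KB ceiling. The event field names (`process_guid`, `script_content`) and the sample events are assumptions constructed for the example, not the EDR schema.

```python
"""Added example: summarize fileless_scriptload events by script hash.
Field names and sample events are constructed assumptions, not the product schema."""
import hashlib

MAX_SCRIPT_BYTES = 32 * 1024  # the 32KB chunk size the article mentions


def summarize_scriptload(event: dict) -> dict:
    """Return the SHA256 of the decoded script text, its byte size, and
    whether it reached the 32KB ceiling (so it may have been cut or chunked)."""
    script = event.get("script_content", "")          # assumed field name
    data = script.encode("utf-8", errors="replace")
    return {
        "process_guid": event.get("process_guid"),    # assumed field name
        "script_sha256": hashlib.sha256(data).hexdigest(),
        "script_bytes": len(data),
        "at_size_ceiling": len(data) >= MAX_SCRIPT_BYTES,
    }


def find_by_hash(events, sha256_hex: str) -> list:
    """Select events whose script content hashes to sha256_hex; this is the
    cheap lookup that avoids matching against the large text field itself."""
    return [e for e in events
            if summarize_scriptload(e)["script_sha256"] == sha256_hex]


# Constructed sample events (benign PowerShell, not real telemetry).
SAMPLE_EVENTS = [
    {"process_guid": "sample-guid-1", "script_content": "Write-Host 'hi'"},
    {"process_guid": "sample-guid-2", "script_content": "Get-Date\n" * 4096},
    {"process_guid": "sample-guid-3", "script_content": "Write-Host 'hi'"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(summarize_scriptload(ev))
    # Pivot: every event carrying the same script text as the first sample.
    target = summarize_scriptload(SAMPLE_EVENTS[0])["script_sha256"]
    print([e["process_guid"] for e in find_by_hash(SAMPLE_EVENTS, target)])
```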

Additional Notes

  • AMSI fileless_script collection is configurable in the sensor group settings, so you can choose which endpoints require AMSI collection.
  • A fileless_scriptload event represents each occasion on which the sensor detected AMSI-decoded script content being executed by any process.
  • Only script content that was not stored in a file on the file system at the time it was executed is sent to the EDR server.
  • fileless_scriptload is a new event type that is stored and indexed in Solr.
  • The fileless_scriptload event leverages the Anti-Malware Scanning Interface (AMSI) support available in Windows 10 RS2+ and Windows 2016.
  • To forward this information to the SIEM, select the check box under Event Forwarder > Events > Sensor > ingress.event.filelessscriptload.

Article Information
Creation Date: 12-10-2021