
EDR: How does AMSI Fileless Scriptload Impact the Sensor's Performance?

Environment

  • EDR Sensor: 7.2+

Question

How does the Fileless Scriptload feature impact the sensor's performance?

Answer

  • AMSI events can be quite noisy, so enabling the feature may have a slight impact on the sensor's performance in the form of elevated CPU and/or memory usage.
  • Sensors cap the script input at 64KB, which preserves the critical AMSI information without overwhelming Solr indexing, ingestion and storage.
  • There is a switch on the sensor group to disable the fileless script load functionality in case it becomes too noisy.
  • AV exclusions should be put in place; see EDR: Which Sensor directories need exclusion from 3rd party anti-virus scans?

Additional Notes

  • Sensors report events to the Carbon Black EDR server only if they originate from a script that is not backed by an on-disk file. File-based scripts are logged locally.
  • Support for decoding fileless script content via AMSI depends on the script interpreter integrating with the AMSI interface in Windows. Carbon Black currently supports PowerShell.
  • AMSI data is part of the process execution metadata. A generic event type is added as part of the AMSI data stream.
  • All AMSI content is logged locally on the endpoint in a text file named AmsiEvents.log. The local file is capped at 50 MB unzipped, and only two AmsiEvents.log files are kept.

Creation Date: 12-10-2021