Endpoint Standard: What version of Sensor Supports AMSI Prevention?
Endpoint Standard (was CB Defense)
Carbon Black Cloud Windows Sensor: 3.6 and Higher
Microsoft Windows 10 1703 and Higher
Microsoft Windows Server 2016: Version 1709 and Higher
AMSI prevention is now enabled by default on Endpoint Standard, but it is only supported on Windows 10 and later and requires sensor version 3.6 and above.
In version 3.6.0.x and above, the Sensor must be able to access content.carbonblack.io in order to function correctly and offer coverage for Enterprise EDR, AMSI Prevention, and the Unified Binary Store (UBS).
If a software or hardware firewall or a proxy sits between the device and the internet, please ensure that outbound connections (Sensor to Cloud) to content.carbonblack.io are allowed, that return connections from content.carbonblack.io are allowed, and that SSL inspection is disabled or bypassed for this traffic as well.
AMSI prevention and visibility, built on Microsoft's Antimalware Scan Interface (AMSI), extends the default prevention capabilities for script-based Windows attacks by dynamically leveraging AMSI metadata to define and configure prevention logic.
AMSI prevention rules are created and updated by VMware Carbon Black's Threat Analysis Unit to include frequently used off-the-shelf attacker frameworks that are regularly seen in script-based attacks.
Although the VMware Carbon Black Cloud AMSI DLL (cbamsi.dll) is included in sensor version 3.5 and loads into AMSI-registered processes (e.g. PowerShell), it does not detect or block any AMSI activity until sensor version 3.6 and above.
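The following PowerShell script is an added example, not part of this article or of the Carbon Black sensor; it checks the prerequisites listed above on a given endpoint (Windows 10 1703 or later, cbamsi.dll loaded into the AMSI host, sensor 3.6 or above, and a clean TLS path to content.carbonblack.io). It assumes that cbamsi.dll carries the sensor version in its file-version resource and that the content host is reached over TCP 443.

```powershell
# Added example, not from the KB article or the Carbon Black sensor itself.
# Assumptions: cbamsi.dll carries the sensor version in its file-version resource,
# and content.carbonblack.io is reached over TCP 443.
$MinSensorVersion = [version]'3.6'
$MinWin10Build    = 15063     # Windows 10 version 1703

function Test-AmsiPrerequisites {
    $os   = Get-CimInstance Win32_OperatingSystem
    $osOk = [int]$os.BuildNumber -ge $MinWin10Build

    # cbamsi.dll loads into AMSI-registered hosts, so inspect this PowerShell process.
    $dll = (Get-Process -Id $PID).Modules | Where-Object { $_.ModuleName -ieq 'cbamsi.dll' }
    $sensorVersion = $null
    if ($dll) {
        $fvi = $dll.FileVersionInfo
        $sensorVersion = [version]::new($fvi.FileMajorPart, $fvi.FileMinorPart,
                                        $fvi.FileBuildPart, $fvi.FilePrivatePart)
    }
    [pscustomobject]@{
        OsBuild         = $os.BuildNumber
        OsSupported     = $osOk
        CbAmsiLoaded    = [bool]$dll
        SensorVersion   = $sensorVersion
        SensorSupported = [bool]($sensorVersion -and $sensorVersion -ge $MinSensorVersion)
    }
}

# Completes a TLS handshake with the content host and reports who issued the certificate.
# An issuer that is your own proxy or inspection CA rather than a public CA means SSL
# inspection is still active for this traffic and must be bypassed.
function Test-ContentHostTls {
    param([string]$HostName = 'content.carbonblack.io', [int]$Port = 443)
    $client = $null
    try {
        $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        # Accept any chain here: the goal is to see the certificate, not to validate it.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        [pscustomobject]@{ Reachable = $true; Subject = $cert.Subject; Issuer = $cert.Issuer; Protocol = $ssl.SslProtocol }
    } catch {
        [pscustomobject]@{ Reachable = $false; Error = $_.Exception.Message }
    } finally {
        if ($client) { $client.Close() }
    }
}

Test-AmsiPrerequisites | Format-List
Test-ContentHostTls    | Format-List
```

Run it from the PowerShell host on the endpoint being checked; if CbAmsiLoaded is true but SensorSupported is false, the DLL is present from a 3.5 sensor and AMSI prevention will not be active until the sensor is upgraded.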