Endpoint Standard: What version of Sensor Supports AMSI Prevention?

Endpoint Standard: What version of Sensor Supports AMSI Prevention?

Environment

  • Endpoint Standard (was CB Defense)
  • Carbon Black Cloud Windows Sensor: 3.6 and Higher
  • Microsoft Windows 10 1703 and Higher
  • Microsoft Windows Server 2016: Version 1709 and Higher

Answer

AMSI prevention is now enabled by default on Endpoint Standard, but it is only supported on Windows 10 and greater and requires sensor version 3.6 and above. 

Additional Notes

  • In version 3.6.0.x and above, the Sensor must be able to access content.carbonblack.io in order to function correctly and offer coverage for Enterprise EDR, AMSI Prevention, and the Unified Binary Store (UBS)
  • If a software or hardware firewall or a proxy exists between the device and the internet, please ensure that outbound connections (Sensor to Cloud) are allowed to content.carbonblack.io and return connections are allowed from content.carbonblack.io and that SSL inspection is disabled or bypassed as well
  • Microsoft's Anti-Malware Scan Interface (AMSI) prevention and visibility extends default prevention capabilities for script-based Windows attacks by dynamically leveraging AMSI metadata to define and configure prevention logic
  • AMSI prevention rules are created and updated by VMware Carbon Black’s Threat Analysis Unit to include frequently used off-the-shelf attacker frameworks that are regularly seen in script-based attacks
  • Although the VMware Carbon Black Cloud AMSI DLL (cbamsi.dll) is included and loads into AMSI-registered processes (e.g. powershell) in sensor version 3.5, it will not detect or block any AMSI activity until sensor version 3.6 and above

Related Content


Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎09-18-2020
Views:
2013
Contributors