EDR: How does AMSI Fileless Scriptload Impact the Sensor's Performance?
Article ID: 285646


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How does the Fileless Scriptload feature impact the sensor's performance?

Environment

  • EDR Sensor: 7.2+

Resolution

  • AMSI events can be noisy, so there may be a slight impact on sensor performance in the form of elevated CPU and/or memory usage.
  • Sensors cap the script input at 64 KB, which provides the critical AMSI information without overwhelming Solr indexing, ingestion and storage.
  • The Sensor Group has a switch to disable the Fileless Scriptload functionality in case it becomes too noisy.
  • AV exclusions should be put in place. See: EDR: Which Sensor directories need exclusion from 3rd party anti-virus scans?

Additional Information

  • Sensors report events to the Carbon Black EDR server only if they originate from a script that is not backed by an on-disk file. File-based scripts are logged locally.
  • Support for decoding fileless script content via AMSI depends on the script interpreter integrating with the AMSI interface in Windows. Carbon Black currently supports PowerShell.
  • AMSI data is part of the process execution metadata. A generic event type is added as part of the AMSI data stream.
  • All AMSI content is logged locally on the endpoint in a text file named AmsiEvents.log. The local file is capped at 50 MB unzipped, and only two AmsiEvents.log files exist at any time.