Endpoint Standard: What version of Sensor Supports AMSI Prevention?
Article ID: 286988
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)
Issue/Introduction
What version of Sensor Supports AMSI Prevention?
Environment
Endpoint Standard (was CB Defense)
Carbon Black Cloud Windows Sensor: 3.6 and Higher
Microsoft Windows 10 1703 and Higher
Microsoft Windows Server 2016: Version 1709 and Higher
Resolution
AMSI prevention is now enabled by default on Endpoint Standard, but it is only supported on Windows 10 and later and requires sensor version 3.6 or above.
Additional Information
In version 3.6.0.x and above, the Sensor must be able to access content.carbonblack.io in order to function correctly and offer coverage for Enterprise EDR, AMSI Prevention, and the Unified Binary Store (UBS).
If a software or hardware firewall or a proxy exists between the device and the internet, ensure that outbound connections (Sensor to Cloud) are allowed to content.carbonblack.io and that return connections are allowed from content.carbonblack.io. SSL inspection must also be disabled or bypassed for that host.
Microsoft's Antimalware Scan Interface (AMSI) prevention and visibility extends the default prevention capabilities for script-based Windows attacks by dynamically leveraging AMSI metadata to define and configure prevention logic.
AMSI prevention rules are created and updated by VMware Carbon Black's Threat Analysis Unit to cover frequently used off-the-shelf attacker frameworks that are regularly seen in script-based attacks.
Although the VMware Carbon Black Cloud AMSI DLL (cbamsi.dll) is included and loads into AMSI-registered processes (e.g. PowerShell) in sensor version 3.5, it will not detect or block any AMSI activity until sensor version 3.6 and above.
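As an added example (not Carbon Black's own tooling), the following PowerShell readiness check walks the requirements in this article on one host: OS build, whether cbamsi.dll is loaded into the current PowerShell process from a 3.6+ sensor, outbound reachability of content.carbonblack.io, and the issuer of the TLS certificate actually received, which reveals SSL inspection in the path. The build-number mapping, the use of cbamsi.dll's file version as the sensor version, and port 443 are assumptions, not statements from the article.

```powershell
# Added example, not Carbon Black's code: read-only readiness check for AMSI
# prevention on one Windows host. Assumed (not in the KB): Windows 10 1703 is
# build 15063 and Server 2016 version 1709 is build 16299; cbamsi.dll's file
# version stands in for the sensor version; the CDN is reached over TCP 443.
function Test-CbcAmsiReadiness {
    param([string]$ContentHost = 'content.carbonblack.io', [int]$Port = 443)
    $r = [ordered]@{}

    # 1. OS build. ProductType 1 = workstation SKU, anything else = server SKU.
    $os       = Get-CimInstance Win32_OperatingSystem
    $build    = [int]$os.BuildNumber
    $minBuild = if ($os.ProductType -eq 1) { 15063 } else { 16299 }
    $r.OsBuild     = $build
    $r.OsSupported = ($build -ge $minBuild)

    # 2. cbamsi.dll loaded into this AMSI-registered PowerShell process, and from
    #    a 3.6+ sensor? (3.5 loads the DLL but does not detect or block.)
    $dll = (Get-Process -Id $PID).Modules |
           Where-Object { $_.ModuleName -ieq 'cbamsi.dll' } | Select-Object -First 1
    $r.CbAmsiLoaded    = [bool]$dll
    $r.SensorVersion   = if ($dll) { $dll.FileVersionInfo.FileVersion } else { $null }
    $r.SensorSupported = [bool]$dll -and (
        $dll.FileVersionInfo.FileMajorPart -gt 3 -or
        ($dll.FileVersionInfo.FileMajorPart -eq 3 -and $dll.FileVersionInfo.FileMinorPart -ge 6))

    # 3. Outbound TCP reachability of the content CDN (firewall/proxy check).
    $r.ContentReachable = (Test-NetConnection -ComputerName $ContentHost -Port $Port `
                               -WarningAction SilentlyContinue).TcpTestSucceeded

    # 4. TLS inspection check: who issued the certificate we actually receive? If
    #    the issuer is your proxy's internal CA, the connection is intercepted and
    #    the host must be bypassed, as the KB requires.
    if ($r.ContentReachable) {
        $tcp = $null; $ssl = $null
        try {
            $tcp = New-Object System.Net.Sockets.TcpClient($ContentHost, $Port)
            $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
            $ssl.AuthenticateAsClient($ContentHost)
            $r.TlsIssuer = $ssl.RemoteCertificate.Issuer
        } catch { $r.TlsIssuer = "handshake failed: $($_.Exception.Message)" }
        finally { if ($ssl) { $ssl.Dispose() }; if ($tcp) { $tcp.Dispose() } }
    }
    [pscustomobject]$r
}
Test-CbcAmsiReadiness | Format-List
```

Run it from the same PowerShell host type the sensor protects; a missing cbamsi.dll in step 2 with a 3.6+ sensor installed points at a sensor policy or installation problem rather than the OS or network checks.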