EDR: Fileless Scriptload Events Displays <Corrupt command line data found>


Article ID: 287621




Carbon Black EDR (formerly Cb Response)


On the Process Analysis page, a fileless_scriptload event displays “<Corrupt command line data found>” rather than the expected script.


  • EDR Server: 7.6.0


The sensor may incorrectly truncate large scripts (> 64KB) within the fileless_scriptload (AMSI) event data. 


The error is fixed in win-7.3.0.  The upcoming fix includes the ability to view the 64KB truncated script along with the hash and character length of the entire command.

Additional Information

  • Other metadata that the fileless script events capture includes the script length and the unique SHA256 hash of the fileless_script event data.
  • File-based scripts are logged locally.
  • The fileless_scriptload event represents each occasion when the sensor detected AMSI-decoded script content that was executed by any process.
  • Only the fileless script content that was not stored in a file on the file system when the context was executed is sent to the EDR server.
  • The fileless_scriptload data is a new event type stored and indexed in Solr.
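The script length and SHA256 metadata described above let an analyst triage fileless_scriptload events even when the script body is unreadable or cut off. The following is an added example, not Carbon Black code: the event field names (`hostname`, `script`, `script_length`, `script_sha256`), the UTF-16LE hash encoding, and the sample events are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Placeholder text the console shows instead of the script (from the article).
CORRUPT_MARKER = "<Corrupt command line data found>"


def sha256_of(text, encoding="utf-16-le"):
    """Hash script text; the encoding the sensor hashes over is an assumption."""
    return hashlib.sha256(text.encode(encoding)).hexdigest()


def classify(event):
    """Label one event: corrupt, truncated, hash_mismatch or complete."""
    script = event["script"]
    if script == CORRUPT_MARKER:
        return "corrupt"
    # The reported length covers the entire command, so a shorter body was cut.
    if len(script) < event["script_length"]:
        return "truncated"
    if sha256_of(script) != event["script_sha256"]:
        return "hash_mismatch"
    return "complete"


def hosts_by_hash(events):
    """Group hostnames by full-script hash so unreadable events still correlate."""
    groups = defaultdict(set)
    for ev in events:
        groups[ev["script_sha256"]].add(ev["hostname"])
    return {digest: sorted(hosts) for digest, hosts in groups.items()}


# Constructed sample data (hypothetical export format, not real sensor output).
SMALL = "Get-Process | Out-Null"
LARGE = "# padding\n" * 7000      # 70,000 characters, past the 64KB limit
CUT = LARGE[:64 * 1024]           # cutoff unit (bytes vs characters) is assumed

EVENTS = [
    {"hostname": "ws-01", "script": SMALL,
     "script_length": len(SMALL), "script_sha256": sha256_of(SMALL)},
    {"hostname": "ws-02", "script": CORRUPT_MARKER,
     "script_length": len(LARGE), "script_sha256": sha256_of(LARGE)},
    {"hostname": "ws-03", "script": CUT,
     "script_length": len(LARGE), "script_sha256": sha256_of(LARGE)},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["hostname"], classify(ev), ev["script_sha256"][:12])
```

Because the hash and length describe the entire command, the corrupt event on ws-02 and the truncated one on ws-03 still group under the same script.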