EDR: Does the Fileless_Scriptloads Data Impact the EDR Server Performance?

Article ID: 287666

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Does the fileless_scriptloads event data impact the EDR Server's performance?

Environment

  • EDR Server: 7.6+

Resolution

  • During fileless_script data ingress, Solr may use more CPU/memory to process and index large chunks of data (up to 32KB).
  • During a fileless Process Search, the Solr index should handle searches over both large and small fields efficiently. Optionally, search by the SHA256 hash of the script text instead of the text itself.
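The hash-based search mentioned above, shown as an added example (not code from the article or from Carbon Black): it hashes constructed sample script text exactly as stored, and keys a lookup table on the 64-character digest rather than on a text field of up to 32KB. The assumption that the digest is computed over the UTF-8 bytes of the decoded text is mine; any difference in encoding, line endings or trailing whitespace changes the digest, so the text must be taken as the server stored it, not retyped.

```python
import hashlib

# Constructed sample: AMSI-decoded script text as a sensor might report it.
# This is placeholder content for illustration, not a real event record.
SAMPLE_SCRIPT = "Write-Host 'hello from a fileless script'\n"


def script_sha256(text: str) -> str:
    """Return the lowercase hex SHA256 of the script text.

    Assumption (not stated in the article): the digest covers the exact
    UTF-8 bytes of the decoded text. Trailing whitespace, CRLF vs LF or a
    different encoding all yield a different digest.
    """
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_hash_index(scripts):
    """Map digest -> script text, so a fixed 64-character key stands in for
    a variable-size text field when matching script content."""
    return {script_sha256(s): s for s in scripts}


def lookup_by_text(index, text):
    """Hash the query text and look it up; return None when absent."""
    return index.get(script_sha256(text))


if __name__ == "__main__":
    index = build_hash_index([SAMPLE_SCRIPT])
    digest = script_sha256(SAMPLE_SCRIPT)
    print(f"text length {len(SAMPLE_SCRIPT)} -> key length {len(digest)}")
    print("match:", lookup_by_text(index, SAMPLE_SCRIPT) is not None)
    # The same script with a trailing blank line is a different key.
    print("match with extra newline:", lookup_by_text(index, SAMPLE_SCRIPT + "\n") is not None)
```

Use the digest that `script_sha256` returns as the search term in place of the full text; the name of the hash field in your EDR version is not given in this article, so take it from the product's search documentation rather than from this example.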

Additional Information

  • AMSI fileless_script collection is configurable within the sensor group settings, so you can choose which endpoints perform AMSI collection.
  • The fileless_scriptload event represents each occasion when the sensor detected AMSI-decoded script content that was executed by any process.
  • Only fileless script content that was not stored in a file on the file system when the content was executed is sent to the EDR server.
  • The fileless_scriptload data is a new event type stored and indexed in Solr.
  • The fileless_scriptload event leverages the Anti-Malware Scanning Interface (AMSI) support that is available in Windows 10 RS2+ and Windows Server 2016.
  • To forward this information to a SIEM, check the box under Event Forwarder > Events > Sensor > ingress.event.filelessscriptload.