Event Log Message: Event ID 5038 Code integrity determined that the image hash of a file is not valid.

Article ID: 289806


Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense) Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

  • Windows Security Event log shows an error:
    Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

    File Name: \Device\HarddiskVolume3\Windows\System32\CbAMSI.dll
  • Potential failed logins with the error “The security log on this system is full. Only administrators can log on to fix the problem”
  • What is CbAMSI.dll?
    • CbAMSI.dll is the binary that Carbon Black has registered as the Antimalware Scan Interface (AMSI) provider. AMSI is a built-in Windows security feature that acts as a bridge between applications (like PowerShell, Office macros, or VBScript) and antivirus/security software installed on the machine. When a script is executed, Windows calls upon the registered AMSI provider to scan the script's content for malicious behavior before allowing it to run.

Environment

  • Carbon Black Cloud sensor: All Supported Versions
  • Microsoft Windows: All Supported Versions

Cause

Windows uses Signing Levels to enforce system security and control which AMSI provider can load into which processes. The Carbon Black AMSI binary (CbAMSI.dll) is signed at Level 8, meaning Windows allows it to load into AM-PPL processes, but not into OS-protected processes, which are Signing Level 11 or higher. When an OS-protected process attempts to run a script or macro, Windows attempts to load CbAMSI.dll, but its code integrity check blocks the DLL from loading and generates the Windows Security Event log error. This process is outside of Carbon Black's control and is managed natively by the Windows operating system, which dictates the loading sequence and integrity requirements for all AMSI providers.

Resolution

This is expected behavior controlled and enforced by Microsoft. The event indicates that Windows is functioning as currently designed by preventing a lower-level signed DLL from loading into a highly protected OS process. This does not impact Carbon Black's ability to scan standard processes and scripts. We have seen customers implement the workarounds below for login issues:

Option 1: Disable the Code Integrity events

  1. Open Event Viewer
  2. Expand Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational > Right Click > Disable Log

Option 2: Configure "Maximum Log Size" and "Overwrite events as needed (oldest events first)"

  1. Open Event Viewer
  2. Expand Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational > Right Click > Properties
  3. Set the maximum log size to the desired value (1028 KB is the default)
  4. If desired, set the "Overwrite events as needed (oldest events first)" setting.
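The following script is an added example, not part of this article or of the Carbon Black product: it pulls Event ID 5038 from the Security log, separates the expected CbAMSI.dll entries from any that name other files (which the event text itself says could mean unauthorized modification or a disk error), and then applies the Option 2 settings with wevtutil instead of Event Viewer. It assumes an elevated PowerShell session; the 20 MB size is an arbitrary chosen value.

```powershell
# Added example (not from the original article). Triage Event ID 5038 and
# apply the Option 2 log settings from the command line.
# Assumption: run from an elevated PowerShell session.

# Path quoted in the article's event text; everything else is "unexpected".
$expectedProvider = '\Windows\System32\CbAMSI.dll'

# Fetch 5038 events; SilentlyContinue covers the "no events found" case.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5038 } `
                       -MaxEvents 5000 -ErrorAction SilentlyContinue

$summary = foreach ($e in $events) {
    # The file name is carried in the message body after "File Name:".
    $file = if ($e.Message -match 'File Name:\s*(\S+)') { $Matches[1] } else { '<unknown>' }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        FileName    = $file
        Expected    = $file.EndsWith($expectedProvider, [System.StringComparison]::OrdinalIgnoreCase)
    }
}

# Per-file counts: CbAMSI.dll should dominate on a host showing this symptom.
$summary | Group-Object FileName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Any other file name is not explained by this article and deserves review.
$unexpected = @($summary | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} event(s) reference files other than CbAMSI.dll; review them." -f $unexpected.Count)
}

# Option 2 via wevtutil on the CodeIntegrity operational log:
#   /ms  = maximum log size in bytes (20 MB chosen here; 1028 KB is the default)
#   /rt:false = "Overwrite events as needed (oldest events first)"
wevtutil set-log 'Microsoft-Windows-CodeIntegrity/Operational' /ms:20971520 /rt:false
```

Re-run the first part after a week to confirm the 5038 volume is fully accounted for by CbAMSI.dll before treating it as noise.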

Additional Information