I'm hoping someone else has figured this out, but is there a way to scan for AMSI Scan events? Apparently AMSI is a new feature in Win10/2016 and is now part of ENS 10.6 and later. As such, there is a setting to turn on observe mode for AMSIScan. Before turning Observe mode off and starting to block, I'd like to know what events are getting triggered by AMSI, so I want to filter them. I can't find the right mixture of properties. Any guidance would be helpful.
This KB could help:
https://kc.mcafee.com/corporate/index?page=content&id=KB85494
Expand the bottom section "Event IDs Index," and then do a control+f for AMSI. Should hit on a couple of event IDs.
In terms of testing, we did have a beta phase where we provided some testing examples. I have hosted those testing scenarios here, as these are the same that we provided externally for a time:
ftp://custftp2.nai.com/outgoing/akattawar/ENS_10.6_Beta_Test_Scenario_Content.zip
NOTE: This FTP is scrubbed automatically, so the package will not remain indefinitely.
NOTE: This beta package for the testing scenarios is not something that we can address any discovered issues with, via a support ticket.
Since it could prove beneficial to have a public-facing KB with this information, we will check with the internal teams and see about its content creation and publication for the future.
Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
These are listed within the KB above (KB85494):
34935:
event_name_34935=Script security violation detected and blocked by AMSI
event_desc_34935=Script security violation detected and blocked by AMSI Threat Prevention
34936:
event_name_34936=Script security violation detected and deleted by AMSI
event_desc_34936=Script security violation detected and deleted by AMSI Threat Prevention
34937:
event_name_34937=Script security violation detected, AMSI would block
event_desc_34937=Script security violation detected, AMSI would block Threat Prevention
34938:
event_name_34938=Script security violation detected, AMSI would delete
event_desc_34938=Script security violation detected, AMSI would delete Threat Prevention
These are the event IDs for AMSI events. Is that what you are looking for?
Thanks, but I'm more referring to events in my EPO that specifically triggered an AMSI scan event. I'd like to look back since we deployed 10.6 and see what kinds of things it triggered on so that we can make a risk-based decision in order to disable the observe mode of the AMSI scan. (this information above is still very helpful for overall knowledge though)
Thanks and yes. I wasn't thinking clearly enough about putting those 4 Event IDs into my query, thus showing me all the AMSI events...which is what I was after. Thanks again!
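To do what the last reply describes, filter a threat-event export on those four event IDs so the observe-mode hits can be reviewed before enforcement is switched on, here is an added Python example. It is not code from the thread, from McAfee, or from ePO: it reads a CSV export, keeps only the four AMSI event IDs quoted from KB85494, and separates the observe-mode events (34937/34938, "would block"/"would delete") from the enforced ones (34935/34936), listing which detections and hosts would have been affected. The column names (EventID, DetectedUTC, TargetHostName, ThreatName, SourceProcessName) and the sample rows are constructed assumptions, not ePO's actual export layout; rename the columns to match your own export.

```python
"""Summarise AMSI threat events from an ePO-style CSV export by event ID.

Added example, not from the thread. The CSV column names below are an
assumption about the export format; adjust them to match your own export.
"""
import csv
import io
from collections import Counter, defaultdict

# Event IDs as documented in KB85494 (quoted in the thread above).
AMSI_EVENT_IDS = {
    34935: "detected and blocked by AMSI",
    34936: "detected and deleted by AMSI",
    34937: "detected, AMSI would block",    # observe mode: nothing was blocked
    34938: "detected, AMSI would delete",   # observe mode: nothing was deleted
}
OBSERVE_MODE_IDS = {34937, 34938}

# Constructed sample export: AMSI rows mixed with one unrelated event
# (the 1027 row stands for "any non-AMSI event ID"; value is constructed).
SAMPLE_CSV = """EventID,DetectedUTC,TargetHostName,ThreatName,SourceProcessName
34937,2019-03-01T10:02:11,WS-001,Trojan:PowerShell/Generic,powershell.exe
34938,2019-03-01T11:15:40,WS-002,Exploit:Script/Suspicious,wscript.exe
1027,2019-03-01T11:20:00,WS-002,EICAR test file,explorer.exe
34937,2019-03-02T08:30:05,WS-003,Trojan:PowerShell/Generic,powershell.exe
34935,2019-03-02T09:00:00,SRV-001,Trojan:PowerShell/Generic,powershell.exe
"""


def parse_events(csv_text):
    """Yield (event_id, row) for every row whose EventID is an AMSI event."""
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        try:
            event_id = int(row["EventID"])
        except (KeyError, ValueError):
            continue  # skip malformed rows rather than abort the whole report
        if event_id in AMSI_EVENT_IDS:
            yield event_id, row


def summarise(csv_text):
    """Return (count per AMSI event ID, observe-mode detections -> set of hosts)."""
    per_event = Counter()
    observe_detections = defaultdict(set)
    for event_id, row in parse_events(csv_text):
        per_event[event_id] += 1
        if event_id in OBSERVE_MODE_IDS:
            # These are the hits that would start being blocked/deleted once
            # observe mode is turned off, so they drive the risk decision.
            observe_detections[row["ThreatName"]].add(row["TargetHostName"])
    return per_event, observe_detections


def report(csv_text):
    """Build a human-readable summary, returned as a list of lines."""
    per_event, observe = summarise(csv_text)
    lines = []
    for event_id in sorted(per_event):
        mode = "OBSERVE" if event_id in OBSERVE_MODE_IDS else "ENFORCED"
        lines.append(f"{event_id} ({mode}): {per_event[event_id]} x "
                     f"{AMSI_EVENT_IDS[event_id]}")
    lines.append(f"Detections that would have been enforced: {len(observe)}")
    for name, hosts in sorted(observe.items()):
        lines.append(f"  {name}: {len(hosts)} host(s) -> {', '.join(sorted(hosts))}")
    return lines


if __name__ == "__main__":
    # Replace SAMPLE_CSV with open("threat_events.csv").read() for a real export.
    print("\n".join(report(SAMPLE_CSV)))
```

The useful output for the decision the original poster describes is the observe-mode section: each threat name with the hosts it was seen on tells you what would start being blocked or deleted the moment observe mode is disabled, so legitimate scripts that trip AMSI can be identified and excluded before enforcement.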