Integration with AMSI

The Antimalware Scan Interface (AMSI) detects malicious scripts or commands executed on the system. Scripts or commands detected by AMSI are then shared with the Qualys Cloud Agent. The AMSI engine decodes encoded scripts or arguments into a human-readable format, so the content AMSI saw at execution time can be read as plain script text.
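To illustrate what the decoded content corresponds to, the following added example (not Qualys code and not part of this page) decodes a PowerShell command line that carries a base64/UTF-16LE -EncodedCommand argument, and peels nested layers, which is the same transformation the "Show decoded content" view presents. The sample command lines, the set of flag abbreviations matched, and the depth cap are constructed assumptions.

```python
import base64
import binascii
import re
from typing import List, Optional

# Constructed sample (not from the page): a benign script encoded the way
# PowerShell's -EncodedCommand expects it, i.e. UTF-16LE text, then base64.
SAMPLE_SCRIPT = "Write-Output 'hello from an encoded command'"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_CMDLINE = f"powershell.exe -NoProfile -NonInteractive -enc {SAMPLE_B64}"

# Constructed second layer: the decoded script itself launches an encoded command.
NESTED_B64 = base64.b64encode(SAMPLE_CMDLINE.encode("utf-16-le")).decode("ascii")
NESTED_CMDLINE = f"powershell.exe -ec {NESTED_B64}"

# PowerShell accepts abbreviations of -EncodedCommand; the set matched here
# (-e, -ec, -enc, -encodedcommand) is an assumption, not an exhaustive list.
_ENC_FLAG = re.compile(
    r"(?i)(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)"
)


def decode_encoded_command(b64: str) -> Optional[str]:
    """Decode one base64/UTF-16LE blob; return None if it is not valid."""
    try:
        raw = base64.b64decode(b64, validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def decode_layers(cmdline: str, max_depth: int = 5) -> List[str]:
    """Peel every -EncodedCommand layer, outermost first.

    Stops when no encoded flag remains, a blob fails to decode, or max_depth
    is reached (the cap guards against deeply nested, untrusted input).
    """
    layers: List[str] = []
    current = cmdline
    for _ in range(max_depth):
        match = _ENC_FLAG.search(current)
        if not match:
            break
        decoded = decode_encoded_command(match.group(1))
        if decoded is None:
            break
        layers.append(decoded)
        current = decoded
    return layers


if __name__ == "__main__":
    for depth, script in enumerate(decode_layers(NESTED_CMDLINE), start=1):
        print(f"layer {depth}: {script}")
```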

You must log into the Antimalware Scan Interface on Windows 10.

AMSI in the Events tab

Perform the following steps to view the AMSI script information from the Events tab:

  1. Type a QQL query to verify whether the AMSI script is loaded. For example, run an AMSI token query such as: amsi.type:powershell

    (Figure: AMSI in the Events tab)

  2. From the Quick Actions menu, click Event Details or Events.
  3. In the View Mode pane, click Event History.
  4. From the Event column, click Script is loaded by. The script details are displayed in the Event Details pane.
  5. In the Event Details pane, click Show decoded content to view the decoded content.

    (Figure: AMSI in Event History)

AMSI in the Incidents tab

Perform the following steps to view the AMSI script information from the Incidents tab:

  1. Select an incident from the Incidents tab to verify whether the AMSI script is loaded.
  2. From the Timeline, click Script is loaded by to display the AMSI script event details.

    (Figure: AMSI script in the Incidents tab)

  3. The Script Content field displays the encoded content of the script. To view the decoded content of the script, click Show decoded content. Copy and paste the path into the Command Prompt or PowerShell.

    (Figure: Decoded content of the AMSI script)

  4. The Process tree displays the new script when it is loaded.