Integration with AMSI
The Antimalware Scan Interface (AMSI) detects malicious scripts or commands executed on the system. Scripts and commands detected by AMSI are then shared with Qualys Cloud Agent, and the AMSI engine decodes encoded scripts or arguments into a human-readable format.
This integration requires the Antimalware Scan Interface on Windows 10.
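As an added illustration (not code from the Qualys documentation) of what the hasamsi filter and the decoded content represent, this Python sketch filters constructed event records and decodes Base64-wrapped UTF-16LE script content; the event field names and the encoding are assumptions made for the example.

```python
import base64
from typing import Optional

# Constructed sample events, not real Qualys Cloud Agent output. The field
# names (hasamsi, encoded, content) are assumptions made for this example.
SAMPLE_EVENTS = [
    {
        "id": "evt-1",
        "process": "powershell.exe",
        "hasamsi": True,
        "encoded": True,
        # Base64 of UTF-16LE text, the form PowerShell's -EncodedCommand uses.
        "content": "VwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIAAnAGgAZQBsAGwAbwAnAA==",
    },
    {"id": "evt-2", "process": "notepad.exe", "hasamsi": False, "encoded": False, "content": ""},
    {"id": "evt-3", "process": "powershell.exe", "hasamsi": True, "encoded": False, "content": "Get-Date"},
]


def has_amsi(event: dict) -> bool:
    """Local equivalent of the QQL token query event.hasamsi:true."""
    return event.get("hasamsi") is True


def decode_content(event: dict) -> Optional[str]:
    """Return the script text an analyst would read as the decoded content.

    Encoded content is assumed to be Base64-wrapped UTF-16LE (PowerShell style).
    Returns None when the payload is not valid Base64 or not valid UTF-16LE, so a
    malformed or truncated record is flagged instead of being passed through.
    """
    if not event.get("encoded"):
        return event.get("content") or None
    try:
        raw = base64.b64decode(event["content"], validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def amsi_scripts(events: list) -> list:
    """Apply the hasamsi filter and decode every matching event."""
    return [(e["id"], decode_content(e)) for e in events if has_amsi(e)]
```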
AMSI in the Events tab
Perform the following steps to view the AMSI script information from the Events tab:
- Type a QQL query to verify whether an AMSI script was loaded. For example, run an AMSI token query such as event.hasamsi:true
- From the Quick Actions menu, click Event Details or Events.
- In the View Mode pane, click Related Events.
- From the Timeline of Related Events section, type the QQL and then click View more under the listed scripts. The script details are displayed in the Event Details.
- In the Event Details pane, click Show decoded content to view the decoded content.
You can also view the scripts by going to the AMSI Log tab. This dedicated tab allows you to access log information faster and more easily.
AMSI in the Incidents tab
Perform the following steps to view the AMSI script information from the Incidents tab:
- Select an incident from the Incidents tab to verify whether an AMSI script was loaded.
- From the Timeline, click View more for a Process, and the AMSI script event details are displayed.