
Querying for AMSI Scan Events

Jump to solution

I'm hoping someone else has figured this out, but is there a way to scan for AMSI Scan events.  Apparently AMSI is a new feature in Win10/2016 and is now part of ENS 10.6 and later.  As such, there is a setting to turn on observe mode for AMSIScan.  Before turning Observe mode off and to start blocking, I'd like to know what events are getting triggered by AMSI, so I want to filter them.  I can't find the right mixture of properties.  Any guidance would be helpful.

4 Replies
McAfee Employee akatt, Message 2 of 5

Re: Querying for AMSI Scan Events


This KB could help:

https://kc.mcafee.com/corporate/index?page=content&id=KB85494

Expand the bottom section "Event IDs Index," and then do a control+f for AMSI. Should hit on a couple of event IDs.

In terms of testing, we did have a beta phase where we provided some testing examples. I have hosted those testing scenarios here, as these are the same that we provided externally for a time:

ftp://custftp2.nai.com/outgoing/akattawar/ENS_10.6_Beta_Test_Scenario_Content.zip


NOTE: This FTP is scrubbed automatically, so the package will not remain indefinitely.

NOTE: This beta package for the testing scenarios is not something that we can address any discovered issues with via a support ticket.

Since it could prove beneficial to have a public-facing KB with this information, we will check with the internal teams and see about its content creation and publication for the future.


Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

Re: Querying for AMSI Scan Events


Thanks, but I'm more referring to events in my EPO that specifically triggered an AMSI scan event. I'd like to look back since we deployed 10.6 and see what kinds of things it triggered on so that we can make a risk-based decision in order to disable the observe mode of the AMSI scan. (This information above is still very helpful for overall knowledge, though.)

McAfee Employee akatt, Message 4 of 5

Re: Querying for AMSI Scan Events


These are listed within the KB above (KB85494):

 

34935:

event_name_34935=Script security violation detected and blocked by AMSI
event_desc_34935=Script security violation detected and blocked by AMSI Threat Prevention

34936:

event_name_34936=Script security violation detected and deleted by AMSI
event_desc_34936=Script security violation detected and deleted by AMSI Threat Prevention

34937:

event_name_34937=Script security violation detected, AMSI would block
event_desc_34937=Script security violation detected, AMSI would block Threat Prevention

34938:

event_name_34938=Script security violation detected, AMSI would delete
event_desc_34938=Script security violation detected, AMSI would delete Threat Prevention

 

These are the event IDs for AMSI events. Is that what you are looking for?


 



Re: Querying for AMSI Scan Events


Thanks and yes. I wasn't thinking clearly enough about putting those 4 event IDs into my query, thus showing me all the AMSI events, which is what I was after. Thanks again!
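An added example, not part of this thread or of McAfee's tooling: a small Python script that does what the thread converges on, filtering exported ePO threat events down to the four AMSI event IDs from KB85494 and splitting them into enforced (34935/34936) versus observe-mode "would block/delete" (34937/34938) hits, tallied per source process and threat name. The CSV column names (ThreatEventID, DetectedUTC, TargetHostName, SourceProcessName, ThreatName) and the sample rows are constructed assumptions about the shape of an ePO export; adjust the headers to match your own export before running it against real data.

```python
import csv
import io
from collections import Counter

# The four AMSI event IDs quoted from KB85494 in the thread, with the action
# each one records and whether it was enforced or only observed.
AMSI_EVENT_IDS = {
    34935: ("blocked", "enforced"),
    34936: ("deleted", "enforced"),
    34937: ("would block", "observe"),
    34938: ("would delete", "observe"),
}

# Constructed sample export. The column names are an assumption about an
# ePO threat-event export, not a documented schema; edit to match yours.
SAMPLE_EXPORT = """\
ThreatEventID,DetectedUTC,TargetHostName,SourceProcessName,ThreatName
34937,2019-03-01 10:15:02,WS001,powershell.exe,Trojan/PS.Generic
34938,2019-03-01 10:16:40,WS002,wscript.exe,JS/Downloader
1027,2019-03-01 10:20:00,WS003,explorer.exe,Generic.dx
34937,2019-03-02 08:02:11,WS001,powershell.exe,Trojan/PS.Generic
34935,2019-03-02 09:30:00,SRV01,powershell.exe,Trojan/PS.Generic
"""


def parse_events(text):
    """Parse a CSV export into a list of dicts, coercing ThreatEventID to int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ThreatEventID"] = int(row["ThreatEventID"])
        rows.append(row)
    return rows


def filter_amsi(events):
    """Keep only rows whose ThreatEventID is one of the four AMSI IDs."""
    return [e for e in events if e["ThreatEventID"] in AMSI_EVENT_IDS]


def summarize(events):
    """Summarize AMSI events: counts by enforcement mode and by (process, threat)."""
    amsi = filter_amsi(events)
    by_mode = Counter(AMSI_EVENT_IDS[e["ThreatEventID"]][1] for e in amsi)
    by_process = Counter((e["SourceProcessName"], e["ThreatName"]) for e in amsi)
    return {
        "total": len(amsi),
        "by_mode": dict(by_mode),
        "by_process": dict(by_process),
    }


if __name__ == "__main__":
    events = parse_events(SAMPLE_EXPORT)
    report = summarize(events)
    print(f"AMSI events: {report['total']}")
    for mode, count in sorted(report["by_mode"].items()):
        print(f"  {mode}: {count}")
    print("By source process and threat:")
    for (proc, threat), count in sorted(report["by_process"].items()):
        print(f"  {proc} / {threat}: {count}")
```

The observe-mode count is the number you are weighing when deciding whether to switch AMSI enforcement on: every 34937 or 34938 row is a script ENS would have blocked or deleted had observe mode been off, so reviewing those rows per process and threat name before the switch tells you what legitimate automation, if any, would start being interrupted.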
