I have a quick quesion on this topic - is there a way to test AMSI? I just setup some alerts in ePO for AMSI detections, but just wondered if there's an EICAR-esque test file that can be used to make sure the alerts are setup correctly?

I have Googled this but can't find a solution.

Thanks for any help you can give me.

We hardly SEE them in the AMSI Events (Seperate Category in Reports). We only had them BEFORE we activated MOST of the POWERSHELL IPS Rules. After the activation of the IPS Powershell rules we see the alerts under EXPLOIT PROTECTION.

So if oyu have most of the FILELESS AND POWERSHELL Exploit IPS Portection on THIS part of ENS will cpature the malware mostly BEFORE it even reaches the AMSI Module.

Name der Bedrohung: PS/Downloader!ams.e
Typ der Bedrohung: Trojaner
Erkennungsmethode des Analyseprogramms: AMSI
Ereignisbeschreibung: Sicherheitsverletzung beim Skript erkannt und durch AMSI blockiert
Endpoint Security
Modulname:Bedrohungsschutz
AMCore Content-Version: 3534.0
Quellenbeschreibung: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Ziel-Hash: c30fa58997cad2d4f18e91efcfb094fb
Task-Name: AMSIScan
Erste versuchte Aktion: Blockieren
Beschreibung:
hat den Vorgang 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' ausgeführt. Die Bedrohung 'Trojaner' mit dem Namen 'PS/Downloader!ams.e' wurde erkannt und blockiert.

Thanks for your response, I will take a look at my ENS IPS rules.

Do you know if there is a test script that can be used to trigger an AMSI detection?

Thanks again,

Adam