Integration with AMSI

The Antimalware Scan Interface (AMSI) detects malicious scripts or commands executed on the system. The scripts or commands detected by AMSI are then shared with Qualys Cloud Agent. The AMSI engine decodes encoded scripts or arguments into a human-readable format.

Note: You must log into the Antimalware Scan Interface on Windows 10.

AMSI in Hunting tab

Perform the following steps to view the AMSI script information from the Hunting tab:

1. Select a process from the Hunting tab to verify whether an AMSI script is loaded. For example, you can run an AMSI token query such as amsi.type:powershell.

(Figure: AMSI in Hunting tab)

2. Click Event History and, in the Event column, click Script is loaded by. The details of the script are displayed in Event Details.

3. In the Event Details pane, click Show decoded content to view the decoded content.

(Figure: AMSI in Event History)

AMSI in Incidents tab

Perform the following steps to view the AMSI script information from the Incidents tab:

1. Select an incident from the Incidents tab to verify if the AMSI script is loaded.

2. From the Timeline, click Script is loaded by. The AMSI script event details are displayed.

(Figure: AMSI script in Incidents tab)

3. Script Content displays the encoded content of the script. To view the decoded content of the script, click Show decoded content. Copy and paste the path in the command prompt or PowerShell.

(Figure: Decoded content of an AMSI script)

4. The Process tree displays the new script when it is loaded.
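As an added illustration (not Qualys code) of the kind of decoding that Show decoded content performs for PowerShell events: a -EncodedCommand argument is base64 over UTF-16LE text, and the decoded content may itself carry base64 literals. The command line below is constructed for the example; the only assumption is that the encoded argument appears as a separate token.

```python
import base64
import re

# Constructed sample command line, as it might appear in a process or AMSI
# event (not taken from the Qualys page). The argument decodes to "Get-Date".
SAMPLE_CMDLINE = "powershell.exe -NoProfile -w hidden -enc RwBlAHQALQBEAGEAdABlAA=="
# powershell.exe accepts abbreviated forms of -EncodedCommand (-e, -ec,
# -enc, ...), so match the prefix rather than one spelling.
ENCODED_FLAG = "encodedcommand"
# Quoted base64 literals inside decoded content, e.g. FromBase64String('...').
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{16,}={0,2})['"]""")

def is_encoded_flag(token: str) -> bool:
    name = token[1:].lower() if token[:1] in ("-", "/") else ""
    return name.startswith("e") and ENCODED_FLAG.startswith(name)

def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand carries base64 over UTF-16LE text."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")

def extract_encoded_commands(cmdline: str) -> list[str]:
    """Decode every -EncodedCommand argument found on a command line."""
    decoded = []
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_flag(tok):
            try:
                decoded.append(decode_encoded_command(tokens[i + 1]))
            except ValueError:  # bad base64 or odd-length UTF-16: review by hand
                pass
    return decoded

def decode_nested_literals(script: str) -> list[str]:
    """Second pass: decode base64 literals embedded in already-decoded content,
    trying UTF-16LE then UTF-8 (a heuristic; printable garbage is not filtered)."""
    found = []
    for blob in B64_LITERAL.findall(script):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        for enc in ("utf-16-le", "utf-8"):
            try:
                text = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if text.isprintable():
                found.append(text)
                break
    return found
```

Running extract_encoded_commands on the sample yields "Get-Date"; feeding each decoded script to decode_nested_literals surfaces a second layer when the script builds strings from FromBase64String.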