The Antimalware Scan Interface (AMSI) detects malicious scripts or commands executed on the system. The scripts or commands detected by AMSI are then shared with the Qualys Cloud Agent. The AMSI engine decodes encoded scripts or arguments into a human-readable format.
Note: You must log into the Antimalware Scan Interface on Windows 10.
AMSI in Hunting tab
AMSI in Incidents tab
Perform the following steps to view the AMSI script information from the Hunting tab:
1. Select a process from the Hunting tab to verify whether the AMSI script is loaded. For example, you can run an AMSI token query such as amsi.type:powershell.
2. Click Event History and, in the Event column, click Script is loaded by. The details of the script are displayed in Event Details.
3. In the Event Details pane, click Show decoded content to view the decoded content.
Perform the following steps to view the AMSI script information from the Incidents tab:
1. Select an incident from the Incidents tab to verify whether the AMSI script is loaded.
2. From the Timeline, click Script is loaded by. The AMSI script event details are displayed.
3. Script Content displays the encoded content of the script. To view the decoded content of the script, click Show decoded content. Copy and paste the path into the Command Prompt or PowerShell.
4. The Process tree displays the new script when it is loaded.
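To show what "decoded content" means for an encoded argument, here is an added Python example. It is not Qualys code and not the AMSI engine's own decoder; it does for a logged PowerShell command line what the Show decoded content button does in the UI: it locates the -EncodedCommand argument in the spellings PowerShell accepts (-EncodedCommand, its unambiguous prefixes, the short forms -e and -ec, and the /-prefixed form), base64-decodes it, and interprets the bytes as UTF-16LE. The command lines and script text are constructed samples, and the function names are this example's own.

```python
"""Decode PowerShell -EncodedCommand arguments from a logged command line.

Added example for reviewing AMSI script events; not Qualys or Microsoft code.
All command lines below are constructed samples.
"""
import base64
import binascii
from typing import Optional

# Documented short forms of -EncodedCommand; PowerShell also accepts any
# unambiguous prefix of the full switch name, and powershell.exe accepts "/".
_SHORT_FORMS = {"e", "ec"}


def _is_encoded_flag(token: str) -> bool:
    """True if the token is one of the spellings of the -EncodedCommand switch."""
    if not token or token[0] not in "-/":
        return False
    name = token[1:].lower()
    # "-ex" (ExecutionPolicy) must not match, so require a prefix of the full name.
    return name in _SHORT_FORMS or (
        name.startswith("e") and "encodedcommand".startswith(name)
    )


def decode_payload(b64: str) -> Optional[str]:
    """Base64-decode then UTF-16LE-decode; None if the text is not a valid payload."""
    padded = b64 + "=" * (-len(b64) % 4)  # tolerate stripped '=' padding
    try:
        raw = base64.b64decode(padded, validate=True)
        return raw.decode("utf-16-le")  # odd length or bad surrogates raise here
    except (binascii.Error, UnicodeDecodeError):
        return None


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script from a command line, or None if none is present."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        if _is_encoded_flag(tok) and i + 1 < len(tokens):
            return decode_payload(tokens[i + 1])
    return None


def encode_command(script: str) -> str:
    """Encode the way PowerShell expects (UTF-16LE, then base64); used for samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines as they might appear in a process event.
SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -enc RwBlAHQALQBEAGEAdABlAA==",   # "Get-Date"
    "powershell.exe /E RwBlAHQALQBEAGEAdABlAA==",               # slash form
    "powershell.exe -ExecutionPolicy Bypass -File report.ps1",  # not encoded
    "powershell.exe -EncodedCommand " + encode_command("Write-Output 'constructed sample'"),
]


def review_samples() -> list:
    """Decode each sample; pairs of (command line, decoded text or None)."""
    return [(c, decode_encoded_command(c)) for c in SAMPLE_CMDLINES]


if __name__ == "__main__":
    for cmdline, decoded in review_samples():
        print(f"{cmdline}\n  -> {decoded!r}")
```

The flag matching is deliberately a little broader than a plain string compare, because an analyst who only searches for the literal "-EncodedCommand" misses the short forms that command lines in the field routinely use.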