AMSI support

Hi everyone

First post here and just wanna say I love what Elastic has done with the SIEM app and now endpoints.

However, I've been running some tests and it doesn't seem like the Elastic Endpoint Security Agent currently utilizes AMSI to detect things like malicious PowerShell scripts. Just would like to know if this is in the roadmap or if Elastic has other ways to address the large attack surface that comes with PowerShell.

I've also noticed that Windows Defender is able to run alongside the Elastic Endpoint Security Agent and was able to help block some of these PowerShell scripts. Would you recommend running both Defender and Elastic ES Agent together?

Hi @WayneJLee,

Thanks for checking out the product. Just to make sure my answers have the right context, I primarily work on the Elastic Security Endpoint, which is installed by Agent. Agent is the management/deployment piece that ensures everything that you've requested be enabled is installed and functioning while keeping their configurations up to date.

Endpoint does not currently use AMSI but it is on our roadmap for the future. We currently don't have any specific powershell script monitoring, but that also is on the roadmap (through AMSI and/or some other methods.).

Regarding Windows Defender, I think that you're mostly asking about it from the security product viewpoint (IE Endpoint). Agent should never have any issues running along side Defender. For Endpoint, we do everything we can to make sure that we don't conflict or cause issues with any other security product. We occasionally run in to issues and generally the safest approach is to make sure that all security products on a box have exemptions or trust entries for each other (The terminology and steps to do so are different for every product). Currently Elastic Endpoint Security has a much smaller set of features than we have planned, one of those being a "Trusted Apps" feature that would be used to resolve conflicts between security products. For running them together, I can't make a blanket recommendation. If they run together without impacting the performance in your environment, then adding another layer of defense probably has no downsides.

Let me know if you have any other questions!