How AMSI Works in Trend Micro Apex One

  • Trend Micro Apex One leverages the native Windows AMSI interface on Windows 10, Windows Server 2016, and later versions.
  • Unlike Trend Micro™ Deep Security™, Trend Micro Apex One does not provide a dedicated AMSI enable/disable checkbox because AMSI is embedded in its core real-time protection engine. No manual configuration or enabling of AMSI is necessary.
  • The Real-Time Scan and Advanced Protection Service must be enabled for AMSI to function.

Verifying AMSI Integration

You can confirm AMSI is active by checking the presence of AMSI-related data fields in Trend Micro Apex One logs and reports.

AMSI Data Fields in Trend Micro Apex One Logs

These fields indicate AMSI is capturing script-based threat data:

  • AMSI Script Source: Name and extension of the script source file
  • AMSI Script Content: Actual content of the scanned script
  • AMSI Script Source SHA-1: SHA-1 hash of the script source
  • AMSI Script Source SHA-256: SHA-256 hash of the script source

These fields are documented in the Appendix A: Data Views section of the Trend Micro Apex One Administrator's Guide.
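
The following PowerShell script is an added example, not Trend Micro code, showing how an analyst might triage an exported log file by the four AMSI fields listed above. The CSV export format, the column names other than the four AMSI fields, and all sample rows are constructed for illustration; Apex One's actual export layout may differ.

```powershell
# Added example (not Trend Micro's code): filter a CSV export of Apex One
# detection logs down to AMSI-sourced events and sanity-check the hash fields.
# The four "AMSI ..." column names come from the Administrator's Guide; the
# other columns, the export format and every row are constructed sample data.

$sampleCsv = @'
Endpoint,Detection Time,AMSI Script Source,AMSI Script Content,AMSI Script Source SHA-1,AMSI Script Source SHA-256
HOST01,2024-05-01 10:15:22,report.ps1,Write-Output 'constructed sample script',aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
HOST02,2024-05-01 10:17:05,report.ps1,Write-Output 'constructed sample script',aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
HOST03,2024-05-01 11:02:48,macro.vbs,MsgBox "constructed sample",not-a-hash,bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
HOST04,2024-05-01 11:30:00,,,,
'@

function Get-AmsiDetection {
    param([Parameter(Mandatory)][string]$CsvText)

    $rows = $CsvText | ConvertFrom-Csv
    foreach ($row in $rows) {
        # A row with no AMSI Script Source came from a non-AMSI detection path
        # (file scan, behavior monitoring, ...) and is not evidence of AMSI.
        if ([string]::IsNullOrWhiteSpace($row.'AMSI Script Source')) { continue }

        # SHA-1 is 40 hex characters, SHA-256 is 64; anything else is a
        # truncated or corrupted export and should not be used for correlation.
        $sha1Ok   = $row.'AMSI Script Source SHA-1'   -match '^[0-9a-fA-F]{40}$'
        $sha256Ok = $row.'AMSI Script Source SHA-256' -match '^[0-9a-fA-F]{64}$'

        $content = $row.'AMSI Script Content'
        [pscustomobject]@{
            Endpoint       = $row.Endpoint
            DetectionTime  = $row.'Detection Time'
            ScriptSource   = $row.'AMSI Script Source'
            Sha256         = $row.'AMSI Script Source SHA-256'
            HashesValid    = ($sha1Ok -and $sha256Ok)
            ContentPreview = $content.Substring(0, [Math]::Min(60, $content.Length))
        }
    }
}

$detections = @(Get-AmsiDetection -CsvText $sampleCsv)
"$($detections.Count) AMSI-sourced detection(s) found"
$detections | Format-Table -AutoSize

# Grouping by the SHA-256 shows how many endpoints saw the same script body,
# which is usually the first pivot when an AMSI detection appears on more
# than one host.
$detections | Group-Object -Property Sha256 | Select-Object Count, Name
```

With the constructed rows above, three of the four records carry an AMSI Script Source, two share the same SHA-256, and the HOST03 record is flagged with HashesValid = False because its SHA-1 field is malformed. The same filter applied to a real export tells you whether AMSI events are being written at all (step 3 of the checklist below) before you spend time on policy settings.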


Steps to Confirm AMSI Functionality

  1. Ensure Trend Micro Apex One Real-Time Protection is Enabled

    • Open the Trend Micro Apex One management console.
    • Navigate to the endpoint policy settings.
    • Confirm that Real-Time Scan and Advanced Protection Service are enabled.
  2. Check Windows Version Compatibility

    • Verify the endpoint runs Windows 10, Windows Server 2016, or later, which support AMSI.
  3. Review Trend Micro Apex One Logs for AMSI Data Fields

    • Access the Trend Micro Apex One log repository or console.
    • Search for events containing AMSI-related fields such as "AMSI Script Source" or "AMSI Script Content".
    • Presence of these fields confirms AMSI is integrated and actively logging script-based detections.
  4. Refer to Official Documentation

    • Consult the Trend Micro Apex One Administrator's Guide, specifically Appendix A: Data Views, to see official references to AMSI logging fields.
    • Use the PDF search (Ctrl+F) to locate "AMSI" mentions.
  5. Enable and Configure AMSI Protection in Server & Workload Protection
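
The console steps above are performed on the management server. The script below is an added example, not part of this article or of Trend Micro's tooling, for the complementary check on the endpoint itself: it confirms the OS is AMSI-capable and enumerates the AMSI providers registered with Windows. It reads only the standard Windows registry locations (HKLM\SOFTWARE\Microsoft\AMSI\Providers and the CLSID keys they point to); it does not assume any Trend Micro-specific CLSID, DLL or service name, since the article does not give those.

```powershell
# Added example (not Trend Micro's code): endpoint-side checks that AMSI is
# available on this Windows host and that at least one AMSI provider is
# registered. Run in an elevated PowerShell session on the endpoint.

function Test-AmsiPlatform {
    # Windows 10 and Windows Server 2016 (and later) report version 10.0+;
    # earlier releases do not ship the AMSI interface at all.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $version = [version]$os.Version
    [pscustomobject]@{
        Caption     = $os.Caption
        Version     = $os.Version
        AmsiCapable = ($version.Major -ge 10)
    }
}

function Get-AmsiProvider {
    # Every AMSI provider registers its COM CLSID as a subkey here.
    $providersKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path -Path $providersKey)) {
        Write-Warning "No AMSI provider key found at $providersKey"
        return
    }
    Get-ChildItem -Path $providersKey | ForEach-Object {
        $clsid = $_.PSChildName
        # Resolve the CLSID to its friendly name and in-process DLL so the
        # output shows which product (if any) owns each provider.
        $clsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        $name = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
        $dll  = (Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            Clsid = $clsid
            Name  = $name
            Dll   = $dll
        }
    }
}

$platform = Test-AmsiPlatform
$platform | Format-List
if (-not $platform.AmsiCapable) {
    Write-Warning 'This OS predates Windows 10 / Server 2016; AMSI is not available here.'
}

$providers = @(Get-AmsiProvider)
if ($providers.Count -eq 0) {
    Write-Warning 'No AMSI providers are registered; script content is not being handed to any scanner.'
} else {
    $providers | Format-Table -AutoSize
}
```

If the platform check passes and a provider whose DLL lives under the Trend Micro installation directory is listed, the endpoint side is in order and any missing AMSI detections point back to the policy settings (Real-Time Scan and Advanced Protection Service) or to log collection. An empty provider list on a supported OS means no product has hooked AMSI on that host, regardless of what the console policy says.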


Enabling Other Protection Features

AMSI integration enhances detection of fileless and script-based malware by utilizing Windows native interfaces. If AMSI-related detections are expected but not appearing, verify endpoint compatibility and that real-time protections are active.

To fully leverage these protection techniques, these features must be enabled:

Required Services:

  1. Go to Policies > Policy Management.
  2. Select the policy to which the settings will be applied.
  3. Go to Additional Service Settings.
  4. Enable the following:
    • Unauthorized Change Prevention Service
    • Advanced Protection Service

Administrators can opt to enable these services and features on Windows Server platforms should higher security be required for those machines.

File-less Malware Solution Features:

  • Behavior Monitoring
    1. Go to Policies > Policy Management.
    2. Select the policy to which the settings will be applied.
    3. Expand Behavior Monitoring Settings:
      • Check "Enable Behavior Monitoring Settings".
      • Check "Anti-Exploit Protection".
      • Check "Enable Program Inspection and Block Compromised Executable Files".
  • Real Time Scan
    1. Go to Policies > Policy Management.
    2. Select the policy to which the settings will be applied.
    3. Expand Real Time Scan Settings.
    4. Check "Enable Virus/Malware Scan".
    5. Select "Target".
    6. Check "Quarantine Malware Variants Detected in Memory".
  • Predictive Machine Learning
    1. Go to Policies > Policy Management.
    2. Select the policy to which the settings will be applied.
    3. Expand Predictive Machine Learning Settings.
    4. Check "Enable Predictive Machine Learning".
    5. Under Detection Settings:
      1. Check "File" for File Scanning and select "Quarantine" for Action.
      2. Check "Process" for Process Scanning and select "Terminate" for Action.


References

While there isn't a standalone KB article titled "Apex One AMSI Support", you may refer to the Trend Micro Apex One Administrator's Guide available on the Trend Micro official documentation portal for further details. The presence of AMSI data fields in the official documentation and the confirmed fileless threat protection capabilities strongly indicate AMSI integration.

You may also consult the links below for additional references: