Does anyone know whether there is already a workaround or a solution for the AMSI problem with Exchange 2016 CU 21?
Do you know if the performance issue is due to AMSI making scan requests? If so, you can add AMSI exclusions which might help.
To see if a lot of scan requests are being made and for what, you can increase the logging of AMSI by adding the following DWORD:
Key: HKLM\SOFTWARE\Sophos\Sophos AMSI Protection
Type: DWORD
Name: LogLevel
Value: 4
C:\ProgramData\Sophos\Sophos AMSI Protection\Logs\SophosAmsiProtection.log
I've also had this problem with Outlook client connectivity slowing down dramatically since installing Exchange 2016 CU21. I disabled in web.config as you advised, but still had the problem.
I have cases open with Microsoft and Sophos; impossible for me to tell whose issue it is at this point.
I disabled AMSI on the agent with the "override" feature, as advised by Support. Waited a while for the change to go through, but the Outlook connections remained slow.
Finally, today I decided to disable AMSI on my Exchange Server by policy from Sophos Central. This time it worked! Outlook connections are fast again.
Obviously this is a workaround. I hope engineers at Sophos, Microsoft, or both can determine the root cause and fix it. This is an important feature that I'd like to have enabled.
The processes in question would need to have restarted I suspect once the policy arrived such that the Sophos AMSI dll wasn't pulled into the process.
I've just received a reply on a Microsoft Exchange Team Blog (Released: July 2021 Exchange Server Security Updates - Microsoft Tech Community) indicating that AMSI may not be compatible with several antivirus solutions at this time. Still unclear to me if this incompatibility is caused by Sophos or Microsoft. If Sophos, it doesn't appear that they're the only provider with this issue.
Hello, Norman. Have you already received an answer to your ticket? Since it is every subject it would be good to get answers to help others as well.
No response on my Microsoft ticket yet at all. Sophos has contacted me for more information, which I've provided. Hopefully we'll learn more soon.
That's a good point, and I don't recall if we did that or not. An IISRESET after disabling AMSI on the endpoint probably would have done it.
Hello all, we are facing the same issue, waiting now for the reply from Sophos.
We too have run into this issue. We originally applied CU21 on 10th July. Outlook was unworkable and we had to roll back to CU20 (from backup). We applied again on 17th July (assuming that something had just gone wrong with the previous update) and once again we had issues but they weren't nearly as bad as the previous week.
We have noticed that Sophos themselves have added automatic exclusions for CU21, so they are clearly aware of the problem, and it explains why our experience the second time wasn't as bad although still present. We too have temporarily disabled AMSI but are waiting until tonight to reboot.