AMSI problem with Exchange 2016 CU21

Hello everyone,

does anyone know whether there is already a workaround or a fix for the AMSI problem with Exchange 2016 CU21?

https://www.frankysweb.de/exchange-2016-2019-amsi-integration-sorgt-fuer-probleme-mit-outlook/

  • Hello,

    I've also had this problem with Outlook client connectivity slowing down dramatically since installing Exchange 2016 CU21.  I disabled in web.config as you advised, but still had the problem.

    I have cases open with Microsoft and Sophos; impossible for me to tell whose issue it is at this point.

    I disabled AMSI on the agent with the "override" feature, as advised by Support.  Waited a while for the change to go through, but the Outlook connections remained slow.

    Finally, today I decided to disable AMSI on my Exchange Server by policy from Sophos Central.  This time it worked!  Outlook connections are fast again.

    Obviously this is a workaround.  I hope engineers at Sophos, Microsoft, or both can determine the root cause and fix it.  This is an important feature that I'd like to have enabled.

  • We too have run into this issue. We originally applied CU21 on 10th July. Outlook was unworkable and we had to roll back to CU20 (from backup). We applied again on 17th July (assuming that something had just gone wrong with the previous update) and once again we had issues but they weren't nearly as bad as the previous week.

    We have noticed that Sophos themselves have added automatic exclusions for CU21, so they are clearly aware of the problem, and it explains why our experience the second time wasn't as bad although still present. We too have temporarily disabled AMSI but are waiting until tonight to reboot.

  • Hello,

    Has anyone had any experience with Sophos exceptions?

  • We were having problems with connectivity and slowdowns after applying CU21 to Exchange. We ended up disabling it on the servers first, which fixed the problems with clients connecting to the server, but the clients were still slow and not responding. We then disabled AMSI on all clients and all issues were resolved.

    Today I checked and we have the automatic exclusions for Exchange as pictured above.   We are still leery to turn AMSI back on.   Does anyone know if there are exclusions needed for Outlook client or on the workstations? 

  • I would suggest that the performance issues are one or more of the following:

    1. Additional scanning caused by the Sophos AMSI module.

    2. The logging performed by the Sophos AMSI module.

    3. Just the presence of the Sophos AMSI dll being loaded by the process.

    Answering 1 or 2 is easier than 3. 

    Under:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Sophos AMSI

    You can create a couple of DWORD values:

    LogLevel

    0-5 I think are the values, 0 being the most, 5 being off.

    ExtendedLogging  1|0

    If you set LogLevel to 5, then I believe that would disable logging of the Sophos AMSI DLL.  I assume the process loading the Sophos AMSI DLL would have to restart.  This could answer point 2.

    For point 1, if you set the LogLevel to 0 or 1 for example, can you see many scan requests in "C:\ProgramData\Sophos\Sophos AMSI Protection\Logs\SophosAmsiProtection.log"?  Is the same file being scanned all the time, for example?  This is where the AMSI exclusion type comes in, in the exclusions dialog in Central; these are not the same as real-time exclusions.  I believe the value in Content-Name is the item being scanned, and adding the same value as an AMSI exclusion would exclude it.

    I would leave ExtendedLogging off at this time.
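The procedure in the post above (set the logging values under the Sophos AMSI registry key, then read the log to see which items are scanned repeatedly) as an added PowerShell example. This is not code from the thread or from Sophos; the value names, the 0-5 range and the log path are taken from the post as the poster recalled them, and the "Content-Name: <value>" line layout that the parser expects is an assumption to be checked against a few real log lines before trusting the tally.

```powershell
# Added example (not from the original thread): apply the logging settings the
# post above describes and tally which items the Sophos AMSI module scans most.
# Assumptions (not verified against Sophos documentation):
#  - the DWORD names LogLevel / ExtendedLogging and the 0-5 range are exactly
#    as the post states: 0 = most verbose, 5 = logging off
#  - the log is plain text and carries the scanned item on each line as
#    "Content-Name: <value>" or "Content-Name=<value>"
# Run in an elevated PowerShell on the Exchange server.

$RegPath = 'HKLM:\SOFTWARE\Sophos\Sophos AMSI'
$LogPath = 'C:\ProgramData\Sophos\Sophos AMSI Protection\Logs\SophosAmsiProtection.log'

function Set-SophosAmsiLogging {
    param(
        [Parameter(Mandatory)][ValidateRange(0, 5)][int]$LogLevel,
        [ValidateSet(0, 1)][int]$ExtendedLogging = 0
    )
    if (-not (Test-Path -Path $RegPath)) {
        New-Item -Path $RegPath -Force | Out-Null
    }
    # Written as DWORDs, as the post describes. A process that already has the
    # Sophos AMSI DLL loaded (the Exchange worker processes) must restart before
    # the new level takes effect, so plan an IIS reset or app-pool recycle.
    New-ItemProperty -Path $RegPath -Name 'LogLevel' -PropertyType DWord `
        -Value $LogLevel -Force | Out-Null
    New-ItemProperty -Path $RegPath -Name 'ExtendedLogging' -PropertyType DWord `
        -Value $ExtendedLogging -Force | Out-Null
    # Echo back what is now in the registry so the change can be confirmed.
    Get-ItemProperty -Path $RegPath | Select-Object -Property LogLevel, ExtendedLogging
}

function Get-SophosAmsiScanSummary {
    param(
        [string]$Path = $LogPath,
        [int]$Top = 15
    )
    if (-not (Test-Path -Path $Path)) {
        throw "Log not found: $Path (is LogLevel set low enough for scan entries to be written?)"
    }
    # Layout assumption: the scanned item follows "Content-Name" and a ':' or '='.
    # Adjust the pattern after inspecting a few lines of the real log.
    $pattern = 'Content-Name\s*[:=]\s*(?<name>[^\s,;"]+)'
    $names = foreach ($line in Get-Content -Path $Path) {
        if ($line -match $pattern) { $Matches['name'] }
    }
    # The items scanned most often are the candidates for an AMSI-type exclusion
    # in Sophos Central (distinct from real-time scanning exclusions).
    $names |
        Group-Object |
        Sort-Object -Property Count -Descending |
        Select-Object -First $Top -Property Count, Name
}

# Usage:
# Set-SophosAmsiLogging -LogLevel 1      # verbose: measure scan volume (point 1)
# Get-SophosAmsiScanSummary              # which Content-Name values repeat most
# Set-SophosAmsiLogging -LogLevel 5      # logging off: test whether logging itself costs time (point 2)
```

Run the summary only after Outlook clients have been connected for a while at the verbose level, so the counts reflect normal traffic; then return LogLevel to 5 (or remove the values) once you have the list, since verbose AMSI logging on a busy CAS is itself a load. Because the value names come from the poster's recollection ("0-5 I think"), confirm with Sophos Support before relying on them in production.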
