Sophos Endpoint

Discussions AMSI Problem mit Exchnage 2016 CU 21

Sophos Endpoint requires membership for participation - click to join

Thread Info

State Suggested Answer
+2 person also asked this people also asked this
Locked Locked
Replies 19 replies
Answers 1 answer
Subscribers 22 subscribers
Views 23230 views
Users 0 members are here

Options

Suggested

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

AMSI Problem mit Exchnage 2016 CU 21

Simon Straubinger over 2 years ago

Hallo zusammen,

weiß irgendjemand ob es schon einen Workaround bzw. eine Lösung für das AMSI Problem beim Exchange 2016 CU 21 gibt?

https://www.frankysweb.de/exchange-2016-2019-amsi-integration-sorgt-fuer-probleme-mit-outlook/

This thread was automatically locked due to age.

Top Replies

LuCar Toni over 2 years ago +2 suggested

See: https://support.sophos.com/support/s/article/KB-000038972

Parents

0 Jamie Norman1 over 2 years ago

anyone get a solution here or is turning off AMSI still the workaround?
Cancel
Vote Up 0 Vote Down

Cancel
0 Sophos User930 over 2 years ago in reply to Jamie Norman1

If you disable MS Exchange from making AMSI scan requests with the following 3 commands in the Exchange Management Shell as detailed in More about AMSI integration with Exchange Server - Microsoft Tech Community but then re-enable AMSI in Central, I assume this helps:

New-SettingOverride -Name "DisablingAMSIScan" -Component Cafe -Section HttpRequestFiltering -Parameters ("Enabled=False") -Reason "Testing"

Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh

Restart-Service -Name W3SVC, WAS -Force

It does require the restart so you might have to pick a time.

I assume the log file "C:\ProgramData\Sophos\Sophos AMSI Protection\Logs\SophosAmsiProtection.log" quietens down a bit once the Exchange processes are started after Sophos AMSI has been re-enabled, You might need to run:

Restart-Service -Name W3SVC, WAS -Force

once Sophos AMSI has been enabled in policy for the Sophos AMSI dll to be loaded into the Exchange processes and not have the same performance issue.

You should see a process such as PowerShell.exe load the Sophos AMSI DLL as evidence Sophos AMSI is re-enabled.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Sophos User930 over 2 years ago in reply to Jamie Norman1

If you disable MS Exchange from making AMSI scan requests with the following 3 commands in the Exchange Management Shell as detailed in More about AMSI integration with Exchange Server - Microsoft Tech Community but then re-enable AMSI in Central, I assume this helps:

New-SettingOverride -Name "DisablingAMSIScan" -Component Cafe -Section HttpRequestFiltering -Parameters ("Enabled=False") -Reason "Testing"

Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh

Restart-Service -Name W3SVC, WAS -Force

It does require the restart so you might have to pick a time.

I assume the log file "C:\ProgramData\Sophos\Sophos AMSI Protection\Logs\SophosAmsiProtection.log" quietens down a bit once the Exchange processes are started after Sophos AMSI has been re-enabled, You might need to run:

Restart-Service -Name W3SVC, WAS -Force

once Sophos AMSI has been enabled in policy for the Sophos AMSI dll to be loaded into the Exchange processes and not have the same performance issue.

You should see a process such as PowerShell.exe load the Sophos AMSI DLL as evidence Sophos AMSI is re-enabled.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data