
AMSI problem with Exchange 2016 CU 21

Hello everyone,

does anyone know whether there is already a workaround or a solution for the AMSI problem with Exchange 2016 CU 21?

https://www.frankysweb.de/exchange-2016-2019-amsi-integration-sorgt-fuer-probleme-mit-outlook/



  • Hello,

    Has anyone had any experience with Sophos exceptions?

  • We were having problems with connectivity and slowdowns after applying CU21 to Exchange. We ended up disabling it on the servers first, which fixed problems with clients connecting to the server, but clients were slow and not responding. We then disabled AMSI on all clients and all issues were resolved.

    Today I checked and we have the automatic exclusions for Exchange as pictured above. We are still leery to turn AMSI back on. Does anyone know if there are exclusions needed for the Outlook client or on the workstations?

  • I would suggest that the performance issues are one or more of the following:

    1. Additional scanning caused by the Sophos AMSI module.

    2. The logging performed by the Sophos AMSI module.

    3. Just the presence of the Sophos AMSI dll being loaded by the process.

    Answering 1 or 2 is easier than 3. 

    Under:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Sophos AMSI

    You can create a couple of DWORD values:

    LogLevel

    0-5 I think are the values, 0 being the most, 5 being off.

    ExtendedLogging  1|0

    If you set LogLevel to 5, then I believe that would disable logging of the Sophos AMSI dll.  I assume the process loading the Sophos AMSI DLL would have to restart.  This could answer point 2.

    For point 1, if you set the LogLevel to be 0 or 1 for example, can you see many scan requests in "C:\ProgramData\Sophos\Sophos AMSI Protection\Logs\SophosAmsiProtection.log"? Is the same file being scanned all the time, for example? This is where the AMSI exclusion type comes in, in the exclusions dialog in Central; these are not the same as realtime exclusions. I believe the value in Content-Name is the item being scanned, and the same thing in an AMSI exclusion would exclude it.

    I would leave ExtendedLogging off at this time.
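The diagnosis described in the reply above, as an added example (this is not code from the thread, from Sophos, or from the poster): it sets the two DWORD values under the Sophos AMSI key and then aggregates the log by the scanned item so you can see whether the same object is scanned over and over, which is the candidate for a Central "AMSI" exclusion. Assumptions not stated on the page: the registry values have to be created if they do not exist, and each log line carries the scanned item as `Content-Name: <value>`; adjust the regular expression once you have looked at a real line. Run it from an elevated PowerShell session on the affected server.

```powershell
# Added example, not Sophos' tooling. Assumed registry and log layout are marked below.
$amsiKey = 'HKLM:\SOFTWARE\Sophos\Sophos AMSI'
$logPath = 'C:\ProgramData\Sophos\Sophos AMSI Protection\Logs\SophosAmsiProtection.log'

function Set-SophosAmsiLogging {
    param(
        # Per the post: 0 is the most verbose, 5 turns logging off.
        [ValidateRange(0, 5)][int]$LogLevel = 1,
        [ValidateRange(0, 1)][int]$ExtendedLogging = 0
    )
    # ASSUMPTION: the key/values may not exist yet, so create them.
    if (-not (Test-Path $amsiKey)) { New-Item -Path $amsiKey -Force | Out-Null }
    # -Force overwrites an existing value; DWord matches the type named in the post.
    New-ItemProperty -Path $amsiKey -Name 'LogLevel' -PropertyType DWord `
        -Value $LogLevel -Force | Out-Null
    New-ItemProperty -Path $amsiKey -Name 'ExtendedLogging' -PropertyType DWord `
        -Value $ExtendedLogging -Force | Out-Null
    # Return what is now set, so the change can be eyeballed.
    Get-ItemProperty -Path $amsiKey | Select-Object LogLevel, ExtendedLogging
}

function Get-SophosAmsiScanSummary {
    param([string]$Path = $logPath, [int]$Top = 20)
    if (-not (Test-Path $Path)) { throw "Log not found: $Path" }
    # ASSUMPTION: each scan line contains 'Content-Name: <item>'.
    # Count how often each item is scanned; a hot item is an AMSI-exclusion candidate.
    Select-String -Path $Path -Pattern 'Content-Name:\s*(\S+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name
}

# Usage: raise the log level, reproduce the slowness, then look at what repeats.
Set-SophosAmsiLogging -LogLevel 1 -ExtendedLogging 0
Get-SophosAmsiScanSummary -Top 20
# Afterwards, per the post, LogLevel 5 switches logging off again:
# Set-SophosAmsiLogging -LogLevel 5
```

The post notes that a process which has already loaded the Sophos AMSI DLL has to be restarted before a changed LogLevel takes effect, so restart the Exchange worker processes (or the machine) between changing the level and reading the log.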

  • anyone get a solution here or is turning off AMSI still the workaround?

  • If you disable MS Exchange from making AMSI scan requests with the following 3 commands in the Exchange Management Shell as detailed in More about AMSI integration with Exchange Server - Microsoft Tech Community but then re-enable AMSI in Central, I assume this helps:

    New-SettingOverride -Name "DisablingAMSIScan" -Component Cafe -Section HttpRequestFiltering -Parameters ("Enabled=False") -Reason "Testing"

    Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh

    Restart-Service -Name W3SVC, WAS -Force

    It does require the restart so you might have to pick a time.

    I assume the log file "C:\ProgramData\Sophos\Sophos AMSI Protection\Logs\SophosAmsiProtection.log" quietens down a bit once the Exchange processes are started after Sophos AMSI has been re-enabled. You might need to run:

    Restart-Service -Name W3SVC, WAS -Force

    once Sophos AMSI has been enabled in policy for the Sophos AMSI dll to be loaded into the Exchange processes and not have the same performance issue.

    You should see a process such as PowerShell.exe load the Sophos AMSI DLL as evidence Sophos AMSI is re-enabled.
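The procedure in the reply above, as an added example (not from the thread, and not a Microsoft or Sophos script): it wraps the three Exchange Management Shell commands quoted in the post into a disable/enable pair so the override can be reverted cleanly, and adds the check the post suggests for whether a process has loaded the Sophos AMSI DLL. Assumptions not stated on the page: you run this in the Exchange Management Shell with Exchange admin rights and local elevation; the Sophos AMSI DLL is recognised by `Sophos` appearing in its file path (its exact file name is not given on the page); and the Exchange front end runs in `w3wp.exe`.

```powershell
# Added example, not Microsoft's or Sophos' own code. Assumptions are marked below.

function Disable-ExchangeAmsiRequests {
    param([string]$Reason = 'Testing')
    # Create the override only once; Get-SettingOverride returns it if it already exists.
    if (-not (Get-SettingOverride -Identity 'DisablingAMSIScan' -ErrorAction SilentlyContinue)) {
        New-SettingOverride -Name 'DisablingAMSIScan' -Component Cafe `
            -Section HttpRequestFiltering -Parameters ('Enabled=False') -Reason $Reason
    }
    # Have the config service pick up the override, then recycle IIS (short outage).
    Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService `
        -Component VariantConfiguration -Argument Refresh | Out-Null
    Restart-Service -Name W3SVC, WAS -Force
}

function Enable-ExchangeAmsiRequests {
    # Reverse of the above: drop the override and recycle IIS again.
    Remove-SettingOverride -Identity 'DisablingAMSIScan' -Confirm:$false -ErrorAction SilentlyContinue
    Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService `
        -Component VariantConfiguration -Argument Refresh | Out-Null
    Restart-Service -Name W3SVC, WAS -Force
}

function Get-SophosAmsiLoadedModules {
    # ASSUMPTION: w3wp hosts the Exchange front end; powershell is the post's own example.
    param([string[]]$ProcessName = @('w3wp', 'powershell'))
    Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        # ASSUMPTION: the Sophos AMSI provider lives under a path containing 'Sophos'.
        # Narrow the match once you know the DLL's real file name.
        $proc.Modules | Where-Object { $_.FileName -match 'Sophos' } |
            Select-Object @{ n = 'Process'; e = { $proc.ProcessName } },
                          @{ n = 'PID';     e = { $proc.Id } },
                          ModuleName, FileName
    }
}

# Usage: stop Exchange from issuing AMSI scan requests, then confirm the override exists.
Disable-ExchangeAmsiRequests
Get-SettingOverride -Identity 'DisablingAMSIScan' | Format-List

# After re-enabling Sophos AMSI in Central and recycling IIS, check the DLL is loaded:
Get-SophosAmsiLoadedModules
```

Reading another process's module list needs an elevated session of the same bitness as the target, so an empty result from `Get-SophosAmsiLoadedModules` means "could not see" as often as "not loaded". Note also what the override does: with `Enabled=False` Exchange no longer hands request bodies to any AMSI provider, so you lose that detection layer on the server, not just Sophos' part of it, until `Enable-ExchangeAmsiRequests` is run.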

  • Would really like to hear Sophos' take on this. Doesn't anybody from Sophos contribute to this community? The XG group has plenty of input from several Sophos employees.

    It seems clear that there is an issue with Endpoint working with Exchange AMSI. Would be nice to hear what they are planning to do to resolve it and a timescale
