Sophos Endpoints running Windows 10 version 1903 (or higher) with Sophos AMSI Protection enabled may show performance issues when
This only affects Endpoints that have the Microsoft 'Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903' policy applied to them.
Applies to the following Sophos products and versions:
Central Windows Core Agent 2.6.0
Central Server Core Agent 2.6.0
On the affected Endpoint, verify if the Microsoft feature 'Enable svchost.exe mitigation options' has been activated:
If the value is present and set to 1, the svchost.exe mitigation options are enabled system-wide, which causes the issue described in the Overview section. This setting is normally enabled through the Microsoft Security Baseline Group Policy rather than by hand, so check the applied GPOs as well as the local registry.
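The check below is an added example for diagnosing an affected endpoint; it is not a Sophos tool. It assumes the policy is backed by the registry value HKLM\SYSTEM\CurrentControlSet\Control\SCMConfig\EnableSvchostMitigationPolicy (the value written by the MS Security Guide ADMX template; confirm against your own baseline), that AMSI providers are registered as CLSIDs under HKLM\SOFTWARE\Microsoft\AMSI\Providers, and that Code Integrity records a DLL rejected for not meeting the Microsoft signing level as event 3033 in the Microsoft-Windows-CodeIntegrity/Operational log. It lists every registered AMSI provider with its DLL and Authenticode signer, so a correctly signed third-party provider such as SophosAMSIProvider.dll shows up as validly signed but not Microsoft-signed, which is exactly the combination the mitigation blocks.

```powershell
# Added diagnostic example (not Sophos' own code). Run in an elevated PowerShell session.
# Assumption: the svchost mitigation policy is stored at the registry location below.
$scmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SCMConfig'
$value  = 'EnableSvchostMitigationPolicy'

# 1. Is the svchost.exe mitigation policy switched on?
$policy = (Get-ItemProperty -Path $scmKey -Name $value -ErrorAction SilentlyContinue).$value
if ($policy -eq 1) {
    Write-Host "$value = 1: svchost.exe mitigation options are ENABLED (only Microsoft-signed DLLs load into svchost.exe)"
} else {
    Write-Host "$value absent or not 1: svchost.exe mitigation options are not enabled"
}

# 2. Enumerate registered AMSI providers and inspect the signer of each provider DLL.
#    Providers are CLSIDs under HKLM\SOFTWARE\Microsoft\AMSI\Providers; the DLL path is the
#    default value of HKCR\CLSID\{clsid}\InprocServer32.
$providers = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $clsid  = $_.PSChildName
        $inproc = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $dll    = [Environment]::ExpandEnvironmentVariables([string]$inproc.'(default)')
        if (-not $dll -or -not (Test-Path -LiteralPath $dll)) {
            return [pscustomobject]@{ CLSID = $clsid; Dll = $dll; Status = 'DLL not found'; Signer = ''; MicrosoftSigned = $false }
        }
        $sig = Get-AuthenticodeSignature -FilePath $dll
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            CLSID           = $clsid
            Dll             = $dll
            Status          = $sig.Status
            Signer          = $subject
            # Rough check on the leaf certificate subject; the OS applies a stricter
            # signing-level test, but a non-Microsoft subject is enough to predict a block.
            MicrosoftSigned = ($subject -like '*CN=Microsoft *')
        }
    }
$providers | Format-Table -AutoSize

# 3. Providers that will be rejected while the policy is on: validly signed, but not by Microsoft.
$blocked = $providers | Where-Object { $_.Status -eq 'Valid' -and -not $_.MicrosoftSigned }
if ($policy -eq 1 -and $blocked) {
    Write-Warning ("These AMSI providers cannot load into svchost.exe under the current policy: " +
                   ($blocked.Dll -join ', '))
}

# 4. Corroborate with Code Integrity events for DLLs refused on signing level (assumed event ID 3033).
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -FilterXPath '*[System[EventID=3033]]' `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

If step 1 reports the policy as enabled and step 3 lists SophosAMSIProvider.dll, the performance symptoms are explained by the provider being refused, not by the provider itself; the Code Integrity events in step 4 give the timestamps to correlate with the service start.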
Applying the 'Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903' policy enables a Windows security feature called 'Enable svchost.exe mitigation options', introduced in Windows 10 version 1903:
With this feature enabled, the Sophos AMSI Protection plugin fails to load: although SophosAMSIProvider.dll has been built and signed according to the AMSI provider requirements, it is not signed by Microsoft, and the mitigation only allows Microsoft-signed DLLs to be loaded into svchost.exe, which is where AMSI providers are hosted.
Microsoft published an updated 'Security baseline (Sept2019Update) for Windows 10 v1903 and Windows Server v1903' in October, which includes the following change:
At this point, the signing requirements for third-party AMSI providers (or any third-party code loaded into svchost.exe) appear to be incompatible with the restrictions imposed by this Group Policy setting.
To resolve the performance issues described above, we recommend disabling the 'Enable svchost.exe mitigation options' policy for now. Disable it in the Group Policy that delivers the baseline rather than only in the local registry, otherwise the next policy refresh re-enables it.
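The script below is an added example of carrying out and verifying that workaround on a single endpoint; it is not Sophos' own tooling. It assumes the same registry location as above (HKLM\SYSTEM\CurrentControlSet\Control\SCMConfig\EnableSvchostMitigationPolicy) and that the setting is delivered through a GPO under Computer Configuration > Administrative Templates > MS Security Guide. It clears the value locally, forces a policy refresh, and then re-reads the value: if it comes back as 1, the GPO still enforces it and must be changed centrally.

```powershell
# Added remediation/verification example (not Sophos' own code). Run elevated.
# Assumption: the policy is stored at the registry location below.
$scmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SCMConfig'
$value  = 'EnableSvchostMitigationPolicy'

function Get-SvchostMitigationState {
    # Returns 1 when the mitigation policy is on, 0 when explicitly off, $null when not set.
    (Get-ItemProperty -Path $scmKey -Name $value -ErrorAction SilentlyContinue).$value
}

function Disable-SvchostMitigationLocally {
    $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
               ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Administrator rights are required to change SCMConfig.' }
    if (-not (Test-Path $scmKey)) { New-Item -Path $scmKey -Force | Out-Null }
    # 0 rather than deleting the value, so the Disabled state is explicit and visible in RSOP diffs.
    Set-ItemProperty -Path $scmKey -Name $value -Value 0 -Type DWord
}

$before = Get-SvchostMitigationState
Write-Host "Before: $value = $before"

if ($before -eq 1) {
    Disable-SvchostMitigationLocally
    Write-Host "Local value cleared. Forcing a Group Policy refresh to see whether the GPO re-applies it..."
    gpupdate /target:computer /force | Out-Null

    $after = Get-SvchostMitigationState
    if ($after -eq 1) {
        Write-Warning ("The GPO re-enabled $value. Disable 'Enable svchost.exe mitigation options' in the " +
                       "baseline GPO (Computer Configuration > Administrative Templates > MS Security Guide) " +
                       "and refresh again.")
    } else {
        Write-Host "After refresh: $value = $after. Reboot the endpoint so svchost.exe service hosts start without the mitigation."
    }
} else {
    Write-Host 'Mitigation policy is not enabled on this endpoint; nothing to change.'
}
```

The refresh-and-recheck step is the important part: a registry edit alone looks successful until the next policy cycle silently restores the value, and the provider load failure returns with it. A reboot is the safe way to make sure every svchost.exe service host is recreated without the mitigation.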