A brief note for administrators of Microsoft Exchange Server 2016/2019. With CU21 (Exchange 2016) and CU10 (Exchange 2019), an AMSI integration was introduced to support third-party virus scanners. However, in combination with various antivirus scanners, this integration causes severe problems with Outlook.
CU10/CU21 and the AMSI integration
I pointed out in the blog post Cumulative Exchange CUs June 2021 released that Microsoft released the cumulative quarterly updates for Exchange Server on June 29, 2021:
- Exchange Server 2019 Cumulative Update 10 (KB5003612)
- Exchange Server 2016 Cumulative Update 21 (KB5003611)
The download addresses are provided in the blog post linked above. When it unveiled the quarterly cumulative updates for Exchange Server, Microsoft indicated that they introduce a new Exchange Server integration with AMSI (Antimalware Scan Interface). The AMSI integration in Exchange Server gives an AMSI-enabled antivirus/antimalware solution the ability to scan content in HTTP requests sent to Exchange Server and block a malicious request before it is processed by Exchange Server. The scan is performed in real time by any AMSI-enabled antivirus/antimalware solution running on the Exchange Server as soon as the server starts processing the request. The details can be read in the blog post Cumulative Exchange CUs June 2021 released and on the linked Microsoft pages.
Issues with AMSI integration
Now, however, it looks like this very AMSI integration can cause problems with various third-party antivirus scanners. Frank Zöchling touched on this issue at FrankysWeb in his German article Exchange 2016/2019: AMSI Integration sorgt für Probleme mit Outlook in early July 2021.
According to Zöchling, various antivirus scanners used in conjunction with Microsoft Outlook cause serious issues. Frank wrote that there are cases where Outlook, when connected to the Exchange Server, sometimes becomes extremely slow. As a result, it is no longer possible to work with Outlook. It has also been observed that Outlook startup can take several minutes. In addition, it is reported that Outlook repeatedly stops responding (especially when cache mode is turned off).
Frank explicitly mentions the McAfee Endpoint Security Client as causing these error patterns. If the AMSI scan by the McAfee Endpoint Security Client is disabled by the administrator, the observed problems disappear. The second external virus scanner mentioned is Sophos Intercept X for Server. There, too, such problems occur during the AMSI scan.
It seems that only Microsoft Outlook is affected, but not OWA, EWS and ActiveSync. As a workaround, Frank suggests disabling AMSI scanning in the affected virus scanners. Details on this issue can be found in Frank's German article. Are any of you affected by this issue?
Well, I thought the best way to properly test this was to fully remove Sophos from the Ex2016 server and see if performance problems persist. This then resulted in constant application errors in C:\Program Files\Microsoft\Exchange Server\V15\FIP-FS\Bin\scanningprocess.exe.
Wow – last time I looked at my watch the year was 2021 – surely an uninstall of an AV program should not leave totally broken applications behind.
Thank you, this information proved invaluable. Our organization ran into this issue after installing Exchange Server 2019 CU10 and using Sophos Intercept X. Sophos recommends disabling the AMSI from Exchange, rather than within Intercept X.
https://support.sophos.com/support/s/article/KB-000042460?language=en_US
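The Exchange-side workaround mentioned in the comment above, as an added example that is not part of the original post or its comments: it uses the setting override Microsoft documents for the AMSI integration, scoped to a single server so that HTTP request scanning stays active on all others, and includes the rollback. The server name `EX01` and the override name are placeholders chosen for this example.

```powershell
# Added example. Run in the Exchange Management Shell on the affected server
# (Exchange 2016 CU21 / Exchange 2019 CU10 or later).
param(
    [string]$Server       = 'EX01',                     # placeholder server name
    [string]$OverrideName = 'DisableAmsiOutlookIssue',  # name chosen for this example
    [switch]$Rollback                                    # remove the override again
)

# Look for an existing override on the AMSI integration
# (component Cafe, section HttpRequestFiltering).
$existing = Get-SettingOverride | Where-Object {
    $_.ComponentName -eq 'Cafe' -and $_.SectionName -eq 'HttpRequestFiltering'
}

if ($Rollback) {
    # Re-enable AMSI scanning once the antivirus vendor has shipped a fix.
    Remove-SettingOverride -Identity $OverrideName -Confirm:$false
}
elseif (-not $existing) {
    # Limit the override to the affected server and record why it exists,
    # so the disabled protection is easy to find in a later review.
    New-SettingOverride -Name $OverrideName -Server $Server `
        -Component Cafe -Section HttpRequestFiltering `
        -Parameters @('Enabled=False') `
        -Reason 'Outlook slow with third-party AV AMSI scan after CU10/CU21'
}
else {
    Write-Warning "AMSI override already present: $($existing.Name -join ', ')"
    return
}

# Have the server re-read its overrides, then restart the IIS services
# so that the front-end HTTP pipeline picks up the change.
Get-ExchangeDiagnosticInfo -Server $Server `
    -Process Microsoft.Exchange.Directory.TopologyService `
    -Component VariantConfiguration -Argument Refresh | Out-Null
Restart-Service -Name W3SVC, WAS -Force
```

Running the script with `-Rollback` removes the override and restores AMSI scanning of HTTP requests on that server.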