AMSI - Antimalware Scan Interface

Microsoft Exchange Server 2016 now supports integration with the Windows Antimalware Scan Interface (AMSI). An AMSI-capable antivirus or antimalware product can scan the content of HTTP requests sent to the Exchange server and block a malicious request before Exchange processes it. The integration arrived in Exchange Server 2016 CU21 and Exchange Server 2019 CU10, and is present in all later CUs.

More information about AMSI is available at:

https://techcommunity.microsoft.com/t5/exchange-team-blog/more-about-amsi-integration-with-exchange-server/ba-p/2572371

It has been reported that in some environments users experience significant degradation in Outlook performance. I have only seen reports relating to third-party antivirus products.

Whilst the feature is desirable to have, it may have to be disabled until the performance issues are overcome. Bear in mind what you are giving up: the override switches off the scan of inbound HTTP requests on every server it applies to, so scope it to the affected servers rather than the whole organisation, record why in the Reason field, and put it back once the antivirus vendor has a fix.

The override is stored in AD at the following location:

CN=Setting Overrides, CN=Global Settings, CN=[your Exchange Org.], CN=Microsoft Exchange, CN=Services, CN=Configuration, DC=[your AD domain], DC=[your AD domain suffix]

So in ADSIEDIT:

Configuration > Services > Microsoft Exchange > [your Exchange Org.] > Global Settings > Setting Overrides

The override can be global or local (per server). If you omit the -Server parameter, you create a global override that applies to every applicable Exchange server in the organisation, which for this setting means AMSI request scanning is switched off everywhere.

To create a server override for Server1 (run this from the Exchange Management Shell on a server that is already at CU21/CU10 or later, e.g. Server1 itself):

New-SettingOverride -Name "DisablingAMSIScan" -Component Cafe -Section HttpRequestFiltering -Parameters ("Enabled=False") -Reason "Testing" -Server Server1

Next, on Server1:

Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh

Finally (also on Server1):

Restart-Service -Name W3SVC, WAS -Force

If you did not set it as a local override in the first instance, you need to use the Add command and specify the servers it applies to:

Add-SettingOverride DisablingAMSIScan -Server Server1, Server2

Once you have populated the Server attribute, you need to use the Set command to modify it. (I tried appending to the attribute, unsuccessfully, as the property type is affected.) Note that -Server replaces the whole list, so pass every server that should keep the override. So, adding Server3:

Set-SettingOverride DisablingAMSIScan -Server Server1, Server2, Server3

The post-configuration part (refresh and recycle) can be run remotely from one place:

$servers = @("Server1", "Server2", "Server3")

foreach ($server in $servers) {
    # A plain remote session has no Exchange cmdlets loaded, so add the snap-in first,
    # then refresh the variant configuration cache and recycle IIS so the change takes effect
    Invoke-Command -ComputerName $server -ScriptBlock {
        Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn -ErrorAction SilentlyContinue
        Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh
        Restart-Service -Name W3SVC, WAS -Force
    }
}

Removing servers from the override means taking them out of the defined server list and then running the refresh and recycle commands again on the servers you removed, so that AMSI scanning resumes there. So, to remove Server3:

Set-SettingOverride DisablingAMSIScan -Server Server1, Server2

Once again, the post-configuration part can be done with remote PS, this time only on the server that was removed:

$servers = @("Server3")

foreach ($server in $servers) {
    # Same as before: load the Exchange snap-in, refresh the variant configuration cache,
    # then recycle IIS so the server picks up that it is no longer in the override
    Invoke-Command -ComputerName $server -ScriptBlock {
        Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn -ErrorAction SilentlyContinue
        Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh
        Restart-Service -Name W3SVC, WAS -Force
    }
}

To remove the override completely, use the Remove-SettingOverride command, then run the refresh and recycle on each server it applied to so that the scan is active again.
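Putting the whole procedure above together, here is an added example (my own script, not from the original post or from Microsoft) that creates the override scoped to a server list, checks that it is scoped the way you intended before anything is recycled, and refreshes only the targeted servers. It assumes it is run from the Exchange Management Shell on a server already at Exchange 2016 CU21 / 2019 CU10 or later, that WinRM to the target servers is allowed for the account running it, that the Server and Parameters properties on the Get-SettingOverride output hold the server list and the Enabled=False value, and that Server1 and Server2 are placeholder names.

```powershell
# Added example: scope, verify, apply and later remove the AMSI request-filtering override.
# Assumptions: Exchange Management Shell on a CU21/CU10+ server; WinRM allowed to the
# targets; Server1/Server2 are placeholder names; Get-SettingOverride exposes the
# server list as .Server and the parameter list as .Parameters.

$OverrideName = 'DisablingAMSIScan'
$Targets      = @('Server1', 'Server2')   # only the servers that show the problem
$Reason       = 'Temporary: Outlook performance with third-party AV; re-enable after vendor fix'

function Set-AmsiOverrideScope {
    # Creates the override scoped to $Servers, or replaces the server list on an existing
    # one. -Server on Set-SettingOverride replaces the whole list, so pass the complete set.
    param([string[]]$Servers)

    $existing = Get-SettingOverride -Identity $OverrideName -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        # Omitting -Server here would create a GLOBAL override that disables the scan
        # on every server in the organisation; keep it scoped.
        New-SettingOverride -Name $OverrideName -Component Cafe -Section HttpRequestFiltering `
            -Parameters @('Enabled=False') -Reason $Reason -Server $Servers
    } else {
        Set-SettingOverride -Identity $OverrideName -Server $Servers -Reason $Reason
    }
}

function Test-AmsiOverrideScope {
    # Returns $true only if the override exists, carries Enabled=False, and is scoped
    # to exactly $Servers (no more, no fewer). A global override fails this check.
    param([string[]]$Servers)

    $o = Get-SettingOverride -Identity $OverrideName -ErrorAction SilentlyContinue
    if ($null -eq $o) { return $false }
    $paramOk = @($o.Parameters | ForEach-Object { "$_" }) -contains 'Enabled=False'
    $scoped  = @($o.Server | ForEach-Object { "$_" })
    if ($scoped.Count -eq 0) { return $false }   # empty list means global
    $diff = Compare-Object -ReferenceObject $Servers -DifferenceObject $scoped
    return ($paramOk -and ($null -eq $diff))
}

function Invoke-OverrideRefresh {
    # Makes the current override state live on each server: refresh the variant
    # configuration cache, then recycle IIS so the front end (Cafe) picks it up.
    param([string[]]$Servers)

    foreach ($srv in $Servers) {
        Invoke-Command -ComputerName $srv -ScriptBlock {
            # A plain remoting session has no Exchange cmdlets; load the snap-in first.
            Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn -ErrorAction SilentlyContinue
            Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService `
                -Component VariantConfiguration -Argument Refresh | Out-Null
            Restart-Service -Name W3SVC, WAS -Force
        }
    }
}

# --- apply ---
Set-AmsiOverrideScope -Servers $Targets
if (-not (Test-AmsiOverrideScope -Servers $Targets)) {
    throw "Override '$OverrideName' is not scoped as intended; not recycling anything."
}
Invoke-OverrideRefresh -Servers $Targets

# --- later: put AMSI scanning back (uncomment to run) ---
# Remove-SettingOverride -Identity $OverrideName -Confirm:$false
# Invoke-OverrideRefresh -Servers $Targets   # removal also needs the refresh/recycle to take effect
```

The scope check is the point of the script: it refuses to recycle IIS if the override turned out global or landed on the wrong servers, which is the failure mode that silently turns request scanning off for the whole organisation.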

Exchange Transport Rules and Regular expressions

I haven't posted anything in a long time and I have chosen not to go back over what has already been posted to see if it is still valid. I expect readers to have a level of understanding and knowledge to know how to interpret what has been posted and determine if it is relevant. I use blogs like these just to point me in the right direction, which brings me to an item that Microsoft had published for Exchange 2010, but the link is now defunct (after they moved their library) and I couldn't find it anywhere else, except on another blog. So this is to bolster that blog in case it too vanishes.

When using PowerShell / the Exchange Management Shell, certain characters are interpreted by the scripting language (e.g. the $ symbol). When writing something to the screen, for example, PowerShell treats a dollar sign followed by a name as a variable reference. You can overcome this with the backtick (grave accent) character (`) immediately before any character you want taken literally (it shares the key to the left of the number 1 across the top of most keyboards, with the tilde). So, to get the following to display the way you intend it to:

write-host "The contents of $variable are"$variable

you would write:

write-host "The contents of `$variable are"$variable

It's a subtle difference. To display a backtick itself, put a backtick in front of it (``). Inside single quotes no expansion happens at all, so 'The contents of $variable are' prints literally without any escaping.

That backtick escaping is not used in transport rules. When you want to match criteria in a rule, the pattern syntax below applies, with a backslash as the escape character. Below is a copy of the content originally posted by Microsoft. It was in relation to Exchange 2010, but is still relevant in Exchange 2016 at least. Note that the criteria you filter for are not case-sensitive, so looking for 'External' is the same as 'external' and 'EXTERNAL' and even 'ExTeRnAL'.

Here is an example that matches 'External' only when it is enclosed in parentheses, and not 'external' appearing elsewhere in the field being searched. The parentheses have to be escaped because, unescaped, they are grouping characters:

\(External\)

Pattern matching in Exchange Transport Rules

Pattern string   Description

\S     The \S pattern string matches any single character that is not a space.
\s     The \s pattern string matches any single white-space character.
\D     The \D pattern string matches any single character that is not a numeric digit.
\d     The \d pattern string matches any single numeric digit.
\w     The \w pattern string matches any single Unicode character categorized as a letter or decimal digit.
\W     The \W pattern string matches any single Unicode character not categorized as a letter or a decimal digit.
|      The pipe ( | ) character performs an OR function.
*      The asterisk ( * ) character matches zero or more instances of the previous character. For example, ab*c matches ac, abc and abbbbc.
( )    Parentheses act as grouping delimiters. For example, a(bc)* matches a, abc, abcbc, abcbcbc, and so on.
\      A backslash is used as an escaping character before a special character. Special characters are characters used in pattern strings:
         • Backslash ( \ )
         • Pipe ( | )
         • Asterisk ( * )
         • Opening parenthesis ( ( )
         • Closing parenthesis ( ) )
         • Caret ( ^ )
         • Dollar sign ( $ )
       For example, if you want to match a string that contains (525), you would type \(525\).
^      The caret ( ^ ) character indicates that the pattern string that follows the caret must exist at the start of the text string being matched. For example, ^fred@contoso matches fred@contoso.com and fred@contoso.co.uk but not alfred@contoso.com.
$      The dollar sign ( $ ) character indicates that the preceding pattern string must exist at the end of the text string being matched. For example, contoso.com$ matches adam@contoso.com and kim@research.contoso.com, but doesn't match kim@contoso.com.au.