AMSI - Antimalware Scan Interface

Microsoft Exchange Server 2016 now supports integration with the Windows Antimalware Scan Interface (AMSI). This feature enables an AMSI-capable antivirus or antimalware solution to scan content in HTTP requests that are sent to the Exchange Server, and to block a malicious request before it is handled by Exchange. It was introduced with CU21 (also with Exchange Server 2019 CU10, or higher).

More information about AMSI is available at:

https://techcommunity.microsoft.com/t5/exchange-team-blog/more-about-amsi-integration-with-exchange-server/ba-p/2572371

It has been reported that in some environments users experience significant degradation in Outlook performance. I have only seen reports relating to third-party antivirus products.

Whilst the feature is desirable to have, it may be that it has to be disabled until the performance issues are overcome.

The feature writes into AD at the following location:

CN=Setting Overrides, CN=Global Settings, CN=[your Exchange Org.], CN=Microsoft Exchange, CN=Services, CN=Configuration, DC=[your AD domain], DC=[your AD domain suffix]

So in ADSIEDIT:

Configuration > Services > Microsoft Exchange > [your Exchange Org.] > Global Settings > Setting Overrides

The override you create can be either global or local (per server). If you leave the Server attribute undefined, you create a global override that applies to all applicable Exchange servers.

To create a Server Override for Server1 (needs to be performed on an upgraded server, e.g. Server1):

New-SettingOverride -Name "DisablingAMSIScan" -Component Cafe -Section HttpRequestFiltering -Parameters ("Enabled=False") -Reason "Testing" -Server Server1

Next, on Server1:

Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh

Finally (also on Server1):

Restart-Service -Name W3SVC, WAS -Force

If you didn't set it as a local override in the first instance, you need to use the Add command and you need to specify the servers it applies to.

Add-SettingOverride DisablingAMSIScan -Server Server1, Server2

Once you have populated the servers attribute, you need to use the Set command to modify it. (I tried appending the attribute, unsuccessfully - as the property type is affected). So adding Server3:

Set-SettingOverride DisablingAMSIScan -Server Server1, Server2, Server3

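Obviously, the post-config part could be done with remote PowerShell:

$servers = @("Server1", "Server2", "Server3")

foreach ($server in $servers) {
    # Open a remote session to each server
    $s = New-PSSession -ComputerName $server
    Invoke-Command -Session $s -ScriptBlock {
        # A plain remote session does not have the Exchange cmdlets loaded
        Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
        # Refresh the override configuration, then recycle IIS so it takes effect
        Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh
        Restart-Service -Name W3SVC, WAS -Force
    }
    # Close the session (Exit-PSSession only leaves an interactive session)
    Remove-PSSession $s
}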

To remove servers from the override, remove them from the list of defined servers and then run the recycling commands again on the removed servers. So to remove Server3:

Set-SettingOverride DisablingAMSIScan -Server Server1, Server2

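Once again, the post-config part could be done with remote PowerShell:

$servers = @("Server3")

foreach ($server in $servers) {
    # Open a remote session to each server
    $s = New-PSSession -ComputerName $server
    Invoke-Command -Session $s -ScriptBlock {
        # A plain remote session does not have the Exchange cmdlets loaded
        Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
        # Refresh the override configuration, then recycle IIS so it takes effect
        Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh
        Restart-Service -Name W3SVC, WAS -Force
    }
    # Close the session (Exit-PSSession only leaves an interactive session)
    Remove-PSSession $s
}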

To remove the override completely, use the Remove-SettingOverride command.
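
Because an override like this can be left in place long after testing ends, it is worth auditing which servers are currently running without AMSI scanning. The following is an added example, not part of the original post: the function name Get-AmsiOverrideScope is hypothetical, and the property names ComponentName, SectionName, Parameters, Server, Name and Reason are assumed to match what Get-SettingOverride returns.

```powershell
# Added example: report which Exchange servers have AMSI HTTP request scanning
# switched off by a setting override, resolving global vs. per-server scope.
function Get-AmsiOverrideScope {
    param(
        [Parameter(Mandatory)] [object[]] $Overrides,        # objects shaped like Get-SettingOverride output (assumed)
        [Parameter(Mandatory)] [string[]] $ExchangeServers   # server names to evaluate
    )

    # Keep only overrides that target the AMSI request filter and turn it off.
    $amsiOff = @($Overrides | Where-Object {
        $_.ComponentName -eq 'Cafe' -and
        $_.SectionName   -eq 'HttpRequestFiltering' -and
        ($_.Parameters -join ';') -match '\bEnabled\s*=\s*False\b'
    })

    foreach ($server in $ExchangeServers) {
        # An override with no Server value is global and applies to every server.
        $hits = @($amsiOff | Where-Object { -not $_.Server -or $_.Server -contains $server })
        [pscustomobject]@{
            Server       = $server
            AmsiDisabled = $hits.Count -gt 0
            Override     = ($hits.Name   -join ', ')
            Reason       = ($hits.Reason -join ', ')
        }
    }
}

# Constructed sample data (not real output) so the example runs offline.
$sample = @(
    [pscustomobject]@{
        Name = 'DisablingAMSIScan'; ComponentName = 'Cafe'; SectionName = 'HttpRequestFiltering'
        Parameters = @('Enabled=False'); Server = @('Server1', 'Server2'); Reason = 'Testing'
    }
)
Get-AmsiOverrideScope -Overrides $sample -ExchangeServers 'Server1', 'Server2', 'Server3' |
    Format-Table -AutoSize

# In the Exchange Management Shell, feed it live data instead:
# Get-AmsiOverrideScope -Overrides (Get-SettingOverride) -ExchangeServers (Get-ExchangeServer).Name
```

With the sample data, Server1 and Server2 are reported as AmsiDisabled = True and Server3 as False; an override with an empty Server value would mark all three.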