Franky's Web

Exchange 2016/2019: AMSI integration causes problems with Outlook

The AMSI integration newly introduced with CU21 for Exchange 2016 and CU10 for Exchange 2019 causes some serious problems in conjunction with various anti-virus scanners. The Outlook connection sometimes becomes so slow that it is no longer possible to work. Even starting Outlook can take several minutes. Outlook repeatedly stops responding, and it is particularly bad when cached mode is switched off.

For example, the McAfee Endpoint Security Client, which also supports AMSI, caused the problems described above today. As soon as AMSI was switched off in the McAfee Endpoint Security Client, the Outlook speed returned to normal.

Sophos Intercept X for Server also causes problems with Outlook speed as long as AMSI is activated in the virus scanner. The problems currently only occur with Outlook. OWA, EWS and ActiveSync do not seem to be affected.

Windows Defender, on the other hand, does not appear to cause any problems. As a workaround, AMSI can be switched off in most virus scanners (as shown in the screenshot above using McAfee, for example; ideally this should be done using a corresponding policy).

As an alternative to deactivating AMSI in the virus scanner, the web.config on the Exchange servers can also be adapted to deactivate AMSI only for MAPIoverHTTP (and if necessary for RPCoverHTTP). The web.config files are located in the following directories:

To deactivate the AMSI integration, the following line can be commented out within the section:

<add name="HttpRequestFilteringModule" type="Microsoft.Exchange.HttpRequestFiltering.HttpRequestFilteringModule, Microsoft.Exchange.HttpRequestFiltering, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

The line can therefore be modified as follows:

<!-- <add name="HttpRequestFilteringModule" type="Microsoft.Exchange.HttpRequestFiltering.HttpRequestFilteringModule, Microsoft.Exchange.HttpRequestFiltering, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /> -->

After changing the web.config files, IIS must be restarted, during which the clients briefly lose the connection to Exchange.
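
Commenting out the module switches off AMSI scanning for that endpoint, so it is useful to be able to check which web.config files carry the change and which do not. The following PowerShell function is an added example, not code from the original post: the name `Get-AmsiFilterState`, the `sampleSection` element and the two sample files are constructed for illustration, and the path to each web.config is supplied by the caller.

```powershell
# Added example: report whether the HttpRequestFilteringModule line is active,
# commented out, or absent in one web.config. The path is caller-supplied.
function Get-AmsiFilterState {
    param(
        [Parameter(Mandatory)][string]$Path
    )
    $moduleName = 'HttpRequestFilteringModule'          # module name from the article
    $pattern    = '<add\s+name="{0}"' -f $moduleName    # matches the line inside a comment

    $xml = New-Object System.Xml.XmlDocument
    $xml.Load((Resolve-Path -LiteralPath $Path).ProviderPath)

    # Active registration: a real <add name="HttpRequestFilteringModule" ... /> element
    $active = @($xml.SelectNodes("//add[@name='$moduleName']"))

    # Disabled registration: an XML comment whose text contains that <add> line
    $commented = @($xml.SelectNodes('//comment()') |
        Where-Object { $_.Value -match $pattern })

    if ($active.Count -gt 0) { $state = 'Enabled' }
    elseif ($commented.Count -gt 0) { $state = 'CommentedOut' }
    else { $state = 'NotPresent' }

    [pscustomobject]@{
        File  = Split-Path -Leaf $Path
        State = $state
    }
}

# Constructed sample files (not real Exchange configs) so the check runs offline.
# The type attribute and the wrapping element are shortened placeholders.
$tmp = Join-Path ([IO.Path]::GetTempPath()) ("amsi-check-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $tmp | Out-Null
$line = '<add name="HttpRequestFilteringModule" type="Sample.Type, Sample.Assembly" />'

"<configuration><sampleSection>$line</sampleSection></configuration>" |
    Set-Content -Path (Join-Path $tmp 'enabled.config')
"<configuration><sampleSection><!-- $line --></sampleSection></configuration>" |
    Set-Content -Path (Join-Path $tmp 'disabled.config')

Get-ChildItem -Path $tmp -Filter *.config |
    ForEach-Object { Get-AmsiFilterState -Path $_.FullName } |
    Format-Table -AutoSize

Remove-Item -Path $tmp -Recurse -Force
```

Run against the real web.config files on each Exchange server, the `State` column shows where the workaround is in place, which makes it easier to revert once the virus scanner no longer causes the slowdown.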
