With Feature Update 22H2 last November, we added AMSI support for SharePoint Server Subscription Edition.
Today, with the March 2023 CU for SharePoint Server 2019, we have added the same functionality to SharePoint Server 2019.
Excerpt:
The cybersecurity landscape has fundamentally changed, as evidenced by large-scale, complex attacks, and signals that human-operated ransomware are on the rise. More than ever, it’s critical to keep your on-premises infrastructure secure and up to date, including SharePoint Servers.
To help customers secure their environments and respond to associated threats from the attacks, we’re introducing integration between SharePoint Server and the Windows Antimalware Scan Interface (AMSI). AMSI is a versatile standard that allows applications and services to integrate with any AMSI-capable anti-malware product present on a computer.
The AMSI integration functionality is designed to prevent malicious web requests from reaching SharePoint endpoints. For example, to exploit a security vulnerability in a SharePoint endpoint before the official fix for the security vulnerability has been installed.
Read more in the official documentation of AMSI Support for SharePoint Server:
Permalink
Any chance of this making it to SP 2016?
Permalink
There is always a chance! 😀
Permalink
The official Microsoft documentation for AMSI actually lists SharePoint 2016 under “APPLIES TO”… I suspect that’s a typo?
https://learn.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/configure-amsi-integration
Permalink
Hi Stefan.
Can you recommend any AMSI software that we can use for SharePoint 2019/SE?
Permalink
Hi Nihal,
Microsoft Defender can be used, or any other AMSI-capable anti-malware solution.
Cheers,
Stefan
Permalink
Hi Stefan. We have Kaspersky AV. Is it OK to integrate it with our SP 2019 farm and AMSI, or is the AMSI default in Windows Server 2019 OK? Thanks
Permalink
Hi Jose,
If the Kaspersky product you are using supports AMSI you can use it.
Cheers,
Stefan
Permalink
Hi Stefan. Is the performance impact on the farm significant? The current documentation is not very clear about that. Thanks
Permalink
Hi Jose,
There should not be a performance impact. If you notice a problem here, I would suggest opening a support case with Microsoft.
Cheers,
Stefan
Permalink
After enabling AMSI on the SharePoint web application, I have a question: where can I see logs as a SharePoint admin showing whether the uploaded file went through the AMSI check or not? I can’t find anything in the ULS logs or Event Viewer.
Permalink
Hi Stefan, how can we check that AMSI works after feature activation? Is there something visible in the ULS log? Are there test scenarios available? I uploaded an EICAR AV test file and it was not recognized. I assume that we still need, for example, Trend Micro Portal Protect to scan file uploads and/or downloads. AMSI will help us to prevent “fileless threats”, won’t it?
Permalink
Hi Reto,
Same result with a text string like this: https://servername/sites/sitename?amsiscantest:x5opap4pzx54p7cc7$eicar-standard-antivirus-test-fileh+h* ?
Permalink
Hi Reto, Hi Alexandre,
The SharePoint AMSI implementation does not support document content scanning.
It looks at the HTTP URI and the HTTP request headers and compares them against common attack vectors.
For file content scanning, please look for third-party vendors which offer this.
Cheers,
Stefan