AMSI integration with SharePoint Server is now also available for SharePoint Server 2019

With Feature Update 22H2 last November we added AMSI support for SharePoint Server Subscription Edition.
Today with March 2023 CU for SharePoint Server 2019 we have added the same functionality to SharePoint Server 2019.

Excerpt:

The cybersecurity landscape has fundamentally changed, as evidenced by large-scale, complex attacks, and signals that human-operated ransomware are on the rise. More than ever, it’s critical to keep your on-premises infrastructure secure and up to date, including SharePoint Servers.

To help customers secure their environments and respond to associated threats from the attacks, we’re introducing integration between SharePoint Server and the Windows Antimalware Scan Interface (AMSI). AMSI is a versatile standard that allows applications and services to integrate with any AMSI-capable anti-malware product present on a computer.

The AMSI integration functionality is designed to prevent malicious web requests from reaching SharePoint endpoints. For example, to exploit a security vulnerability in a SharePoint endpoint before the official fix for the security vulnerability has been installed.

Read more in the official documentation of AMSI Support for SharePoint Server:

13 Comments


  1. Any chance of this making to SP 2016?

    Reply

    1. There is always a chance! 😀

      Reply

  2. Hi Stefan.
    Can you recommend any AMSI software that we can use for SharePoint 2019/SE ?

    Reply

    1. Hi Nihal,
      Microsoft Defender can be used or any other AMSI capable Anti-Malware Solution.
      Cheers,
      Stefan

      Reply

  3. Hi Stefan. We have Kaspersky AV it’s ok to integrate with our SP 2019 Farm and AMSI, or AMSI default in Windows Server 2019 it’s ok? Thanks

    Reply

    1. Hi Jose,

      If the Kaspersky product you are using supports AMSI you can use it.

      Cheers,
      Stefan

      Reply

      1. Hi Stefan. Performance impact on the farm it’s significant? The current documentation it’s not very clear about that. Thanks

        Reply

        1. Hi Jose,
          there should not be a performance impact. If you notice a problem here I would suggest to open a support case with Microsoft.
          Cheers,
          Stefan

          Reply

  4. After enabling AMSI on the SharePoint Web application, I have a question: where can I see logs as SharePoint admin if the file uploaded went through AMSI check or not? Can’t find anything in ULS logs or event viewer.

    Reply

  5. Hi Stefan, how can we check that AMSI works after feature activation? Is there something visible in the ULS log? Are there test scenarios available? I made an upload of an EICAR-AV-Test file and it was not recognized. I assume, that we still need for example Trend Micro Portal Protect to scan file up- and/or downloads. AMSI will help us to prevent “fileless threats”, isn’t it?

    Reply

      1. Hi Reto, Hi Alexandre,

        SharePoint AMSI implementation does not support document content scanning.
        I looks at the http uri and the http request headers and to compare them against common attack vectors.
        For file content scanning, please look for 3rd party vendors which offer this.

        Cheers,
        Stefan

        Reply

Leave a Reply to Gene Coleman Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.