With the September 2023 CU, the AMSI security feature for SharePoint Server 2016, 2019 and Subscription Edition has been automatically enabled for customers.
After the activation of this feature a couple of customers have reported application pool crashes and 500 server errors.
The Windows Antimalware Scan Interface (AMSI) is a security feature introduced with Windows 10 and Windows Server 2016. It allows applications to pass information to an installed AMSI-compatible antimalware solution to check against common threats.
The SharePoint AMSI integration allows AMSI-capable antimalware solutions to scan HTTP and HTTPS requests that are sent to SharePoint Server. When this feature is enabled, libraries of the configured antimalware solutions are loaded into each SharePoint worker process (w3wp.exe) to perform the scanning.
Be aware that a second issue, which is discussed separately, can cause very similar symptoms.
What is causing the stability issues?
Our investigation shows that the issues customers reported (application pool crashes, 500 server errors, …) are caused by unhandled exceptions in the antimalware solution libraries loaded into the SharePoint worker process when they analyze the HTTP and HTTPS requests. Because the antimalware solution does not handle these exceptions, they cause the stability issues in the worker processes.
How can this be resolved?
As a workaround(!) the SharePoint AMSI integration can be disabled for each affected web application using the following PowerShell command:
Disable-SPFeature -Identity 4cf046f3-38c7-495f-a7da-a1292d32e8e9 -Url http://url-to-webapp
Important: This command disables an important security feature which was intentionally added and activated in SharePoint. This step should not be the final solution.
It is recommended that affected customers contact the antimalware solution provider so that the provider can investigate and resolve the underlying compatibility issues between the antimalware software and SharePoint, and that they reactivate the SharePoint AMSI feature after the issue is resolved.
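To keep track of where the workaround is in place and to reactivate the feature afterwards, the following added example (not part of the original post) reports the AMSI feature state for every web application in the farm. The function names are hypothetical; the feature ID is the one from the Disable-SPFeature command above, and the script is assumed to run in the SharePoint Management Shell on a farm server.

```powershell
# Added example: audit and re-enable the SharePoint AMSI feature per web application.
# Loading the snap-in is a no-op if the SharePoint cmdlets are already available.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Feature ID of the SharePoint AMSI integration (taken from the command above).
$AmsiFeatureId = '4cf046f3-38c7-495f-a7da-a1292d32e8e9'

function Get-AmsiFeatureState {
    # Hypothetical helper: one result object per web application.
    foreach ($wa in Get-SPWebApplication) {
        # Get-SPFeature reports an error if the feature is not active at this
        # scope, so the error is suppressed and the result is treated as a boolean.
        $feature = Get-SPFeature -Identity $AmsiFeatureId `
                                 -WebApplication $wa.Url `
                                 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            WebApplication = $wa.DisplayName
            Url            = $wa.Url
            AmsiEnabled    = [bool]$feature
        }
    }
}

function Enable-AmsiWhereDisabled {
    # Hypothetical helper: reactivates the feature only where it is currently off.
    $disabled = Get-AmsiFeatureState | Where-Object { -not $_.AmsiEnabled }
    foreach ($entry in $disabled) {
        Write-Host "Re-enabling AMSI integration on $($entry.Url)"
        Enable-SPFeature -Identity $AmsiFeatureId -Url $entry.Url
    }
}

# Audit only: list every web application and flag those running without AMSI.
$state = Get-AmsiFeatureState
$state | Format-Table -AutoSize

$unprotected = @($state | Where-Object { -not $_.AmsiEnabled })
if ($unprotected.Count -gt 0) {
    Write-Warning "$($unprotected.Count) web application(s) have the AMSI integration disabled."
}
```

Once the antimalware provider has delivered a fix, calling Enable-AmsiWhereDisabled reactivates the feature on every web application where the workaround was applied.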
Microsoft is currently investigating possible solutions to prevent malfunctioning antimalware solutions from destabilizing the SharePoint worker processes.