
AMSI & exclusion lists


Our (legacy) application uses the MS scripting APIs (VBScript and JScript) to evaluate various scripts. The script "snippets" can be condition statements or statements that evaluate to a value, but they differ for each customer and are changed as part of the customer's implementation. There can be 000's of statements defined for a customer's system.

We've recently had performance issues which have been caused by the AMSI scan being invoked for each script execution. The virus checker is cutting in for each evaluation and hitting performance massively even though the process has been added into the virus checker exclusion list. 

Is there a reason why AMSI is cutting in even though it's in the exclusion list? Other than disabling AMSI, is there a way to stop it running for a particular process?

Accepted Solutions

McAfee Employee AdithyanT
Message 3 of 7

Re: AMSI & exclusion lists

Hi @Melchett,

Thank you for your post. The AMSI scanner will scan scripts once they have been executed. This enables the scanner to de-obfuscate the script and scan it using DAT content. This is useful as the original scripts can be heavily obfuscated and are difficult to generically detect.

Source: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-amsi-integration-protects-against...

Having said that, I am curious to know what process you have excluded here? How many scripts are being run when this application is running? I would very much recommend putting this under Technical Support's radar for analysis of the situation. A Service Request with us would help us really investigate the issue. The answer may vary from "it is working as expected" to "this can be resolved by exclusion", and hence I would like to request Technical Support's involvement in analysing and investigating this over a support request. Here is the link to create a case:

https://support.mcafee.com/webcenter/portal/supportportal/pages_serviceRequests/createSR


Thanks and regards,
Adithyan T
6 Replies

McAfee Employee Thussain
Message 2 of 7

Re: AMSI & exclusion lists

You can add On Access Scan exclusions based on file types, file age, detection name, and pattern matching. AMSI uses On Access Scan exclusions. Please make sure you have added the exclusions in the On Access Scan policy.


Re: AMSI & exclusion lists


Many thanks for your reply. I'll put the details in the service request as suggested.

McAfee Employee AdithyanT
Message 5 of 7

Re: AMSI & exclusion lists

Hi @Melchett,

Thank you for your kind response. Very glad to be of some assistance here. I sincerely hope you get your answer or resolution via Tech Support's investigation over your Service Request. Kudos to you for keeping us posted!


Thanks and regards,
Adithyan T
Docusa
Message 6 of 7

Re: AMSI & exclusion lists

Hi @AdithyanT 

We also seem to be experiencing exactly the same issue with our application (only when AMSI is enabled).

However, we have found that specifying exclusions isn't making any difference (and the performance issues occur whether or not 'observe' mode is switched on as well). From reading up on this further, it appears this behaviour is to be expected in our case - see here - "Some scripts, such as PowerShell, are fileless and are not excluded from AMSI." - all of our scripts (not PowerShell, but VBScript etc.) are 'fileless'.

I was hoping to also raise an SR to have this investigated further, however I am unfortunately unable to register an account in order to do so.  Please can you advise how best to proceed?

Thanks in advance,

Chris

McAfee Employee AdithyanT
Message 7 of 7

Re: AMSI & exclusion lists

Hi @Docusa,

Thanks for reporting this to us. I would first recommend contacting our Customer Care to get your account creation issue sorted out. You can also call us directly. The links to both Technical Support and Customer Care are as follows:

https://www.mcafee.com/enterprise/en-us/home/contact-us.html

Additionally, I would recommend trying out the newest version (10.7 preferably) as we have enhanced Script scanning which may help us increase the efficiency of script processing.

However, I am afraid I don't have a solid answer as in "If you perform this, the issue will be resolved/performance will get better". However, it is still worthwhile to raise a Service Request for investigation so that we can understand if it is just the script processing or more than that.

Remember, although the scripts are "file-less", the actions they do are mostly file related, and hence maybe excluding the known files they may touch or create might help!

Also, please help us with as much information as possible about the scripts used and the number of scripts being run. Support will also request Debug logs and other log files from you that may help us understand if this is expected behavior or an issue to be mitigated.

I sincerely hope this is of some use to you.


Thanks and regards,
Adithyan T