AMSI & exclusion lists

Our (legacy) application uses the MS scripting APIs (vbScript and jScript) to evaluate various scripts. The script "snippets" can be condition statements or statements that evaluate to a value, but they differ for each customer and are changed as part of the customer's implementation. There can be 000's of statements defined for a customer's system.

We've recently had performance issues which have been caused by the AMSI scan being invoked for each script execution. The virus checker is cutting in for each evaluation and hitting performance massively even though the process has been added into the virus checker exclusion list. 

Is there a reason why AMSI is cutting in even though it's in the exclusion list? Other than disabling AMSI, is there a way to stop it running for a particular process?

1 Solution

Accepted Solutions
McAfee Employee
Message 3 of 16

Re: AMSI & exclusion lists

Hi @Melchett,

Thank you for your post. The AMSI scanner will scan scripts once they have been executed. This enables the scanner to de-obfuscate the script and scan it using DAT content. This is useful as the original scripts can be heavily obfuscated and are difficult to generically detect.

Source: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-amsi-integration-protects-against...

Having said that, I am curious to know what process you have excluded here? How many scripts are being run when this application is running? I would very much recommend putting this under the technical Support's radar for analysis of the situation. A Service Request with us would help us really investigate the issue. The answer may vary from it is working as expected to this can be resolved by exclusion and hence I would like to request for Technical Support's involvement in analysing and investigating this over a support request. Here is the link to create a case:

https://support.mcafee.com/webcenter/portal/supportportal/pages_serviceRequests/createSR

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T

15 Replies
McAfee Employee
Message 2 of 16

Re: AMSI & exclusion lists

You can add On Access Scan exclusions based on file types, file age, detection name, and pattern matching. AMSI uses On Access Scan Exclusions. Please make sure you have added the exclusions in On Access scan policy.

Re: AMSI & exclusion lists

Many thanks for your reply. I'll put the details in the service request as suggested.

McAfee Employee
Message 5 of 16

Re: AMSI & exclusion lists

Hi @Melchett,

Thank you for your kind response. Very glad to be of some assistance here. I sincerely hope you get your answer or resolution via Tech Support's investigation over your Service Request. Kudos to you for keeping us posted!

Thanks and regards,
Adithyan T
Level 7
Message 6 of 16

Re: AMSI & exclusion lists

Hi @AdithyanT 

We also seem to be experiencing exactly the same issue with our application (only when AMSI is enabled).

However, we have found that specifying exclusions isn't making any difference (and the performance issues occur whether or not 'observe' mode is switched on as well). From reading up on this further, it appears this behaviour is to be expected in our case - see here - "Some scripts, such as PowerShell, are fileless and are not excluded from AMSI." - all of our scripts (not PowerShell, but VBscript etc) are 'fileless'.

I was hoping to also raise an SR to have this investigated further, however I am unfortunately unable to register an account in order to do so.  Please can you advise how best to proceed?

Thanks in advance,

Chris

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 7 of 16

Re: AMSI & exclusion lists

Hi @Docusa,

Thanks for reporting this to us. I would first recommend contacting our Customer care to get your account creation issue sorted out. You can also call us directly. The links to both technical Support and Customer care are as follows:

https://www.mcafee.com/enterprise/en-us/home/contact-us.html

Additionally, I would recommend trying out the newest version (10.7 preferably) as we have enhanced Script scanning which may help us increase the efficiency of script processing.

However, I am afraid I don't have a solid answer as in "If you perform this, issue will be resolved/performance will get better". However, it is still worthy to raise a Service Request for investigation so that we can understand if it is just the script processing or more than that.

Remember, although the scripts are "file-less", the actions they do are mostly file related and hence maybe excluding the known files they may touch or create might help!

Also, please help us with as much information as possible about scripts used, number of scripts being run and Support will also request you for Debug logs and other log files that may help us understand if this is expected behavior or an issue to be mitigated.

I sincerely hope this is of some use to you.

Thanks and regards,
Adithyan T
Level 7
Message 8 of 16

Re: AMSI & exclusion lists

Hi @AdithyanT 

Many thanks for this. 

I've tried contacting customer support this morning, however after being on hold for 45 minutes I was told someone would call me back as it requires specialist input. I'm still waiting on that call back 3 hours later.

I am ultimately trying to obtain a download of version 10.7 as you suggest, however the Free Trial area doesn't seem to offer it. If you are able to provide a link to download this that'd be much appreciated.

Thanks in advance

McAfee Employee
Message 9 of 16

Re: AMSI & exclusion lists

Hi @Docusa,

Thank you for your response. Apologies for any delay. The availability of 10.7 for Trial is under discussion with Product Management. I am afraid, currently for trial you can only download 10.6 version. However, if you have licensed Grant# with you, you must already be having the 10.7 package added to your product downloads page.

Have you received any response from Customer care yet? I am afraid from technical Support we do not have any direct contact with them, but if you have any reference ID for your conversation with Customer care, I can try to reach out from my end.

Thanks and regards,
Adithyan T

Re: AMSI & exclusion lists

Same problem at my company. Using the latest version of ENS 10.7, we saw massive performance hits with AMSI turned on, even in observe mode, while PCs are running scripts. Since these are "file less" scripts, AMSI ignores the folder exclusion we set up. I think McAfee should change that in the next version of ENS 10.7. If we have decided to exclude a folder due to performance hits when legitimate, "file less" scripts are running, we're OK with assuming the risk if some bad script executes out of that directory.
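
The thread turns on whether AMSI is really being invoked inside the application's own process on in-memory script content. The following diagnostic is an added example, not part of any post above: it lists the AMSI providers registered on the machine and checks whether `amsi.dll` and a provider DLL are mapped into the target process, which is useful evidence for a service request. The process name `LegacyApp` is a placeholder.

```powershell
# Added diagnostic example; not from the thread. 'LegacyApp' is a placeholder
# process name. Run elevated, from a PowerShell of the same bitness as the
# target (a 64-bit shell cannot fully list the modules of a 32-bit process).
param([string]$ProcessName = 'LegacyApp')

# 1. AMSI providers registered on this machine. Each subkey is a COM CLSID whose
#    InprocServer32 default value is the provider DLL that amsi.dll loads.
$providerRoot = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
$providers = @(Get-ChildItem -Path $providerRoot -ErrorAction SilentlyContinue |
    ForEach-Object {
        $clsid  = $_.PSChildName
        $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll    = (Get-ItemProperty -LiteralPath $inproc -ErrorAction SilentlyContinue).'(default)'
        if ($dll) {
            # Registry values may be quoted and may contain %VARIABLES%.
            $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
        }
        [pscustomobject]@{ Clsid = $clsid; ProviderDll = $dll }
    })

# 2. For every instance of the target process, report whether amsi.dll and any
#    registered provider DLL are mapped into it.
$report = foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
    $loaded = @($proc.Modules | ForEach-Object { $_.ModuleName.ToLowerInvariant() })
    $hits = @($providers | Where-Object {
        $_.ProviderDll -and
        $loaded -contains (Split-Path -Leaf $_.ProviderDll).ToLowerInvariant()
    })
    [pscustomobject]@{
        ProcessId       = $proc.Id
        AmsiLoaded      = $loaded -contains 'amsi.dll'
        ProvidersLoaded = ($hits.ProviderDll -join '; ')
    }
}

$providers | Format-Table -AutoSize
if ($report) { $report | Format-Table -AutoSize }
else { "No running process named '$ProcessName'." }
```

If `AmsiLoaded` is true and a provider DLL is listed, the scans run in-process on script buffers rather than on files, which is the situation the posters describe file and folder exclusions not covering.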

 
