AMSI integration may cause a performance degradation in certain interactions


Article ID: 197096

Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection running on Windows 10 1903 or above may experience a performance degradation when interacting with certain applications. 

Cause

The "Enable Svchost.exe mitigation options" policy (EnableSvcHostMitigationPolicy) in Windows 10 1903+ and Windows Server security baselines causes the SymAMSI.dll plug-in to fail to load. 

SymAMSI.dll meets all Microsoft AMSI provider signing requirements, but will still fail to load if this Microsoft Security Policy is enabled. 

Resolution

Disable the "Enable Svchost.exe mitigation options" Security Settings policy. 

  • System\Service Control Manager Settings\Security Settings - "Enable Svchost.exe mitigation options"

Microsoft has removed this option from their Security Baselines due to reported incompatibilities with multiple vendors.

See the following Microsoft articles for additional detail:

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-sept2019update-for-windows-10-v1903-and/ba-p/890940

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1909-and-windows-server/ba-p/1023093
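To confirm whether an endpoint is in the state described under Cause, the following PowerShell check reports the policy setting and lists the registered AMSI providers with their signature status. It is an added example, not Symantec or Microsoft code. It assumes the policy is stored as `EnableSvchostMitigationPolicy` under `HKLM\SYSTEM\CurrentControlSet\Control\SCMConfig`, a location the article does not give, and the function names are hypothetical.

```powershell
# Added example. Assumption: the policy's ADMX template stores its setting here.
$scmKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SCMConfig'
$scmValue = 'EnableSvchostMitigationPolicy'

function Get-SvchostMitigationState {
    # Returns 'Enabled', 'Disabled' or 'NotConfigured'.
    $prop = Get-ItemProperty -Path $scmKey -Name $scmValue -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'NotConfigured' }
    if ([int]$prop.$scmValue -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Get-AmsiProvider {
    # Each subkey of Providers is a COM CLSID; its InprocServer32 default value is the DLL.
    $root = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path -LiteralPath $root)) { return }
    foreach ($key in Get-ChildItem -LiteralPath $root) {
        $clsid  = $key.PSChildName
        $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = $null; $sig = $null
        if (Test-Path -LiteralPath $inproc) {
            $raw = (Get-ItemProperty -LiteralPath $inproc).'(default)'
            if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"')) }
        }
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $dll
        }
        [pscustomobject]@{
            Clsid     = $clsid
            Dll       = $dll
            SigStatus = if ($sig) { $sig.Status } else { 'NotChecked' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            IsSymAmsi = [bool]($dll -and ((Split-Path -Leaf $dll) -ieq 'SymAMSI.dll'))
        }
    }
}

$state     = Get-SvchostMitigationState
$providers = @(Get-AmsiProvider)
$providers | Format-Table -AutoSize -Wrap
"Svchost mitigation policy: $state"
if ($state -eq 'Enabled' -and ($providers | Where-Object IsSymAmsi)) {
    Write-Warning 'Policy is enabled and SymAMSI.dll is a registered AMSI provider: the condition this article describes.'
}
```

Run it from an elevated prompt on the affected endpoint. A `NotConfigured` or `Disabled` result means this policy is not the reason the plug-in fails to load.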