Adding Macro Exceptions in Symantec Endpoint Security When AMSI Degrades Performance


Article ID: 244674


Products

Endpoint Security

Issue/Introduction

Users run a macro that pulls data using an API, and Symantec Endpoint Security (SES) appears to add latency to the macro's processing.

Administrators notice that when SES is taken down to core files only, the network latency in the macro processes stops. Reintroducing Advanced Download Protection, which requires the AV parent component, reintroduces the problem. When only AV is enabled and Advanced Download Protection is disabled, the problem also subsides.

Environment

Release : 14.3 RU3

Component : Default-Sym

Cause

AMSI, a component included with SEP 14.3 RU1 and later, provides scanning of command content. Currently there is no effective granularity for controlling false positives, exceptions, or policy modifications with AMSI.

Resolution

Currently there is no effective option to manage AMSI exceptions with any degree of granularity, and no deadline has been provided for such an offering. The workaround is to disable SES's AMSI component by following the directions at this link.

Additional Information

SEP-66920

NOTE: Another workaround exists for scenarios where the Windows AMSI counterpart in Windows Server security interferes with the launch of the SEP AMSI component, which causes performance issues. That resolution involves disabling the Windows policy that interferes with the launch of SEP's AMSI component.
