Introduction
In response to the growing number of attacks, intrusions and vulnerabilities targeting on-premises environments, Microsoft has added further protection mechanisms to SharePoint Server. One of them is the integration with the Antimalware Scan Interface (AMSI), which lets the antimalware engine installed on the server inspect incoming web requests in real time. This article covers AMSI in the context of SharePoint Server 2019 and SharePoint Server Subscription Edition:
- What AMSI is.
- How to enable and disable it.
- How it works and how it integrates with Microsoft Defender Antivirus.
- Test scenarios.
- What protection it gives against exploitation.
- A comparison of antivirus products that support AMSI integration with SharePoint.
What is AMSI?
Antimalware Scan Interface (AMSI) is a vendor-agnostic interface that Microsoft introduced with Windows 10 and Windows Server 2016. It lets applications and services hand content to whatever antimalware product is registered on the system for inspection, giving that product visibility into dynamic content such as scripts, memory buffers and web requests. Its main purpose is to catch fileless malware, obfuscated scripts and other threats that never reach disk in a form a classic file scanner would recognise.
According to Microsoft, AMSI allows an application to submit content for a verdict before it is executed or processed. It supports file scanning, memory and stream scanning, and URL/IP reputation checks, and it is session-aware: an application can correlate several scan requests in one session, so that a provider can detect malicious content that arrives in fragments. AMSI is built into Windows components such as PowerShell, Windows Script Host (JScript and VBScript) and Office VBA macros, so potentially harmful content can be intercepted early.
In SharePoint Server, the AMSI integration scans incoming HTTP and HTTPS requests so that known-malicious exploit traffic can be blocked before it reaches the targeted endpoint. That matters for on-premises installations, where a remote code execution (RCE) vulnerability can be exploited in the window before the security update is installed. Before Subscription Edition 25H1 only the request headers are inspected; starting with 25H1, the request body can be scanned as well, which catches payloads that exploits carry in POST data.
Enable and disable AMSI in SharePoint 2019 and Subscription Edition
AMSI integration is available in SharePoint Server 2019 (build 16.0.10396.20000 or later) and SharePoint Subscription Edition (version 22H2 or later). The prerequisites include Windows Server 2016 or later, an AMSI-compatible antivirus solution such as Microsoft Defender Antivirus (version 1.1.18300.4 or later), and appropriate security updates.
Via user interface (Central Administration)
For SharePoint Server 2019, and for Subscription Edition before version 25H1:
- Open SharePoint Central Administration.
- Go to Application Management > Manage web applications.
- Select the web application and click Manage Features in the ribbon.
- Next to the SharePoint Server Antivirus feature, select Activate to enable AMSI or Deactivate to disable it.
For Subscription Edition version 25H1 or later:
- In Central Administration, go to AMSI Security > Configuration.
- Select the web application.
- Enable AMSI by selecting "Enable AMSI Scan Function" (this scans the request headers); disable it by selecting "Completely disable the AMSI scan function".
- If enabled, choose the request body scanning mode:
- Off: no body scanning.
- Balanced Mode: scans the body of requests to a predefined set of sensitive endpoints plus the endpoints you add to the included list.
- Full Mode: scans the body of requests to every endpoint except those on the excluded list.
- Add the included or excluded endpoints (e.g., /SitePages/Home.aspx) and click OK.
Starting with the September 2023 security updates, AMSI integration is enabled by default on all web applications. The setting is still per web application, and a change may require an IIS reset to take effect.
Via PowerShell
To enable AMSI for a web application:
Enable-SPFeature -Identity 4cf046f3-38c7-495f-a7da-a1292d32e8e9 -URL <URL of the web application>
To disable:
Disable-SPFeature -Identity 4cf046f3-38c7-495f-a7da-a1292d32e8e9 -URL <URL of the web application>
To configure request body scanning in Subscription Edition 25H1 or later:
- Set the mode (0 = Off, 1 = Balanced, 2 = Full):
$webApp = Get-SPWebApplication -Identity "http://primer"
$webApp.AMSIBodyScanMode = 2
$webApp.Update()
- Manage the endpoint lists with the web application's methods: AddAMSITargetedEndpoints for the included list that Balanced mode scans, AddAMSIExcludedEndpoints for the excluded list that Full mode skips.
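The steps above, combined into one script that first reports the AMSI state of every web application in the farm and then brings the stragglers into line. This is an added example by the editor, not code from the original article or from Microsoft; it assumes Windows PowerShell 5.1 with the SharePoint snap-in on a farm server, run as a farm administrator, and it treats the AMSIBodyScanMode property as present only on Subscription Edition 25H1 or later.

```powershell
# Added example (editor's, not from the original article or from Microsoft): audit the
# AMSI state of every web application and enforce it where needed. Assumes Windows
# PowerShell 5.1 with the SharePoint snap-in, run as a farm administrator on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Feature ID of the "SharePoint Server Antivirus" web-application feature (the same ID
# the Enable-SPFeature command above uses).
$AmsiFeatureId = [guid]'4cf046f3-38c7-495f-a7da-a1292d32e8e9'
$BodyScanModes = @{ 0 = 'Off'; 1 = 'Balanced'; 2 = 'Full' }

function Test-AmsiBodyScanSupport($WebApp) {
    # The property only exists on builds that can scan request bodies (25H1 or later).
    return ($null -ne $WebApp.PSObject.Properties['AMSIBodyScanMode'])
}

function Get-AmsiState {
    # One row per web application: is the feature active, and which body-scan mode is set?
    foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
        $mode = 'n/a (pre-25H1 build)'
        if (Test-AmsiBodyScanSupport $webApp) { $mode = $BodyScanModes[[int]$webApp.AMSIBodyScanMode] }
        [pscustomobject]@{
            WebApplication = $webApp.DisplayName
            Url            = $webApp.Url
            AmsiEnabled    = ($null -ne $webApp.Features[$AmsiFeatureId])
            BodyScanMode   = $mode
        }
    }
}

function Set-AmsiState {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        [ValidateSet(0, 1, 2)][int]$BodyScanMode = 2   # 2 = Full: every endpoint except the excluded list
    )
    $webApp = Get-SPWebApplication -Identity $Url
    if ($null -eq $webApp.Features[$AmsiFeatureId] -and
        $PSCmdlet.ShouldProcess($webApp.Url, 'Enable SharePoint Server Antivirus (AMSI) feature')) {
        Enable-SPFeature -Identity $AmsiFeatureId -Url $webApp.Url
    }
    if (Test-AmsiBodyScanSupport $webApp) {
        if ([int]$webApp.AMSIBodyScanMode -ne $BodyScanMode -and
            $PSCmdlet.ShouldProcess($webApp.Url, "Set AMSIBodyScanMode to $BodyScanMode")) {
            $webApp.AMSIBodyScanMode = $BodyScanMode
            $webApp.Update()
        }
    } elseif ($BodyScanMode -ne 0) {
        Write-Warning "$($webApp.Url): this build scans headers only; body scanning needs Subscription Edition 25H1 or later."
    }
}

# Report first, then bring every web application that is not in Full mode into line.
Get-AmsiState | Format-Table -AutoSize
Get-AmsiState | Where-Object { -not $_.AmsiEnabled -or $_.BodyScanMode -in 'Off', 'Balanced' } |
    ForEach-Object { Set-AmsiState -Url $_.Url -BodyScanMode 2 -WhatIf }   # drop -WhatIf to apply
```

The last line runs with -WhatIf so that it only prints what it would change; remove the switch once the report looks right. Endpoint lists are deliberately left alone here, since the AddAMSITargetedEndpoints and AddAMSIExcludedEndpoints methods named above take the endpoint paths, and those are specific to your farm.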
Detailed description of how AMSI works and integration with Windows Defender
AMSI sits between an application (here SharePoint) and the antimalware providers registered on the server. When a request arrives, SharePoint hands the content, the headers and, in Balanced or Full mode, the body, to AMSI, which passes it to the registered provider for a verdict. If the provider reports the content as malicious, SharePoint rejects the request (the client receives an HTTP 400); otherwise processing continues as normal.
Microsoft Defender Antivirus (MDAV) is the provider that gets the most out of this. Through AMSI it sees script content after any obfuscation has been stripped away, and applies signatures, heuristics, behaviour monitoring and machine-learning models to it. Examples of what it detects this way are reflective DLL injection, WMI persistence and encoded shellcode, across PowerShell, JScript, VBScript and .NET assemblies. MDAV scans in real time, periodically inspects the WMI repository, and blocks fileless malware that lives inside tools such as PowerShell.
For SharePoint this means a request is inspected before the application code processes it, so a request that matches a known exploit pattern is stopped at the door. Full mode protects every endpoint except the ones you exclude and is the setting to choose when you can afford the overhead; Balanced mode trades coverage for throughput. MDAV is present and enabled by default on supported Windows Server versions, so the integration works without extra components, but any other AMSI-capable antivirus can register as the provider instead. One caveat applies to all of them: AMSI blocks only what the provider recognises, so it narrows the exposure window but does not replace installing the security update.
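To see the bridge described above at work without SharePoint in the loop, the following script calls the AMSI API directly and asks the provider registered on the server (Microsoft Defender Antivirus by default) for a verdict on a few strings. It is an added example by the editor, not code from the original article or from Microsoft, and assumes an elevated 64-bit Windows PowerShell session on the SharePoint server; the application name passed to AmsiInitialize is an arbitrary label. It only calls AMSI and patches nothing.

```powershell
# Added example (editor's, not from the original article or from Microsoft): call the AMSI
# API directly so the provider's verdicts can be seen independently of SharePoint.
$amsiSource = @'
using System;
using System.Runtime.InteropServices;
public static class AmsiNative
{
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiInitialize(string appName, out IntPtr amsiContext);
    [DllImport("amsi.dll")]
    public static extern void AmsiUninitialize(IntPtr amsiContext);
    [DllImport("amsi.dll")]
    public static extern int AmsiOpenSession(IntPtr amsiContext, out IntPtr session);
    [DllImport("amsi.dll")]
    public static extern void AmsiCloseSession(IntPtr amsiContext, IntPtr session);
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiScanString(IntPtr amsiContext, string content,
                                            string contentName, IntPtr session, out int result);
}
'@
if (-not ('AmsiNative' -as [type])) { Add-Type -TypeDefinition $amsiSource }

# AMSI_RESULT values from amsi.h: 0 = clean, 1 = not detected, 0x4000-0x4FFF = blocked by
# administrator policy, 0x8000 and above = detected (the provider considers it malware).
function Get-AmsiVerdict([int]$Result) {
    if ($Result -ge 0x8000) { return 'DETECTED' }
    if ($Result -ge 0x4000 -and $Result -le 0x4FFF) { return 'BLOCKED_BY_ADMIN' }
    if ($Result -eq 0) { return 'CLEAN' }
    return 'NOT_DETECTED'
}

function Test-AmsiSamples {
    # Samples are assembled at run time: the complete strings written literally into this
    # script would be flagged by PowerShell's own AMSI hook before the script even runs.
    $samples = [ordered]@{
        'benign text'      = 'Hello from SharePoint'
        'AMSI test sample' = 'AMSI Test Sample: 7e72c3ce-861b-' + '4339-8740-0ac1484c1386'
        'EICAR'            = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
    }
    $ctx = [IntPtr]::Zero
    $session = [IntPtr]::Zero
    $hr = [AmsiNative]::AmsiInitialize('SharePointAmsiDemo', [ref]$ctx)   # app name: assumption
    if ($hr -ne 0) { throw ('AmsiInitialize failed: 0x{0:X8}' -f $hr) }
    try {
        # One session lets the provider correlate the scans, the way SharePoint's
        # integration can tie the parts of one HTTP request together.
        [void][AmsiNative]::AmsiOpenSession($ctx, [ref]$session)
        foreach ($name in $samples.Keys) {
            $result = 0
            $hr = [AmsiNative]::AmsiScanString($ctx, $samples[$name], $name, $session, [ref]$result)
            $verdict = if ($hr -eq 0) { Get-AmsiVerdict $result } else { 'SCAN_FAILED' }
            [pscustomobject]@{ Sample = $name; HResult = ('0x{0:X8}' -f $hr); Result = $result; Verdict = $verdict }
        }
    } finally {
        if ($session -ne [IntPtr]::Zero) { [AmsiNative]::AmsiCloseSession($ctx, $session) }
        [AmsiNative]::AmsiUninitialize($ctx)
    }
}

Test-AmsiSamples | Format-Table -AutoSize
```

With Defender real-time protection on, the two test strings come back DETECTED (Result 32768 or higher) and the benign text comes back CLEAN or NOT_DETECTED. If every sample comes back clean, no provider is answering AMSI on this server, and the SharePoint integration will not block anything either, however it is configured.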
Test scenarios for AMSI in SharePoint
To verify that AMSI is working, use a test string that every antimalware provider detects but that does no harm. The one used for SharePoint is the EICAR test string: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*. SharePoint picks it up from a request header named amsiscantest, as the raw request further below shows.
In the browser
- Make sure AMSI is enabled for the web application and that MDAV (or another AMSI provider) is active on the server.
- Add the test string to a SharePoint URL as a query parameter, for example https://servername/sites/sitename?amsiscantest:X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*.
- If AMSI is working, the request is rejected with an error such as HTTP 400 Bad Request. If not, the page loads normally.
Alternatively, send the string as a request header named amsiscantest, using the browser's developer tools or an extension that can add request headers. The header form is the more reliable test: the string contains characters such as % and \ that a URL parser treats specially, so a 400 on the URL form should be confirmed in the Defender detection events rather than taken at face value.
Via PowerShell
- Use Invoke-WebRequest to send the request with the string in the amsiscantest header. Use single quotes: in double quotes PowerShell would expand $EICAR and $H to empty strings. The string is assembled from two halves because a literal copy can itself be flagged by Defender, both when the script is saved to disk and when PowerShell's own AMSI hook scans the command:
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$headers = @{ 'amsiscantest' = $eicar }
Invoke-WebRequest -Uri "http://sharepoint/stran" -Headers $headers -Method Get -UseDefaultCredentials -UseBasicParsing
The request on the wire should look like this:
GET /sites/sitename HTTP/1.1
Host: servername
amsiscantest: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
- If AMSI is active, expect HTTP 400; Invoke-WebRequest reports it as an error ("The remote server returned an error: (400) Bad Request"). Confirm the block in the SharePoint ULS log or in the Defender detection events rather than relying on the status code alone.
- To test body scanning (Balanced or Full mode), send a POST request with the test string in the body: Invoke-WebRequest -Uri "http://sharepoint/stran" -Method Post -Body $eicar -ContentType 'text/plain' -UseDefaultCredentials -UseBasicParsing
If nothing is blocked, check the Defender side with Get-MpComputerStatus (RealTimeProtectionEnabled should be True and AMProductVersion at least 1.1.18300.4) and the AMSI-related rules in the Health Analyzer in Central Administration.
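The whole test procedure above, as one script: it sends a baseline request with no test string, the header test and the POST-body test against one site, then gathers the Defender-side evidence that turns "I got a 400" into "AMSI blocked it". This is an added example by the editor, not code from the original article or from Microsoft. It assumes $SiteUrl is a site your Windows account can open (the default URL is a placeholder) and that the Defender part runs on the SharePoint server itself; the HTTP part works from any machine.

```powershell
# Added example (editor's, not from the original article or from Microsoft): probe one
# SharePoint site with the EICAR string and collect the Defender-side evidence.
param([string]$SiteUrl = 'https://sharepoint.contoso.local/sites/test')   # placeholder, assumption

# EICAR assembled at run time: a literal copy could get this file quarantined on disk and the
# command blocked by PowerShell's own AMSI hook. Single quotes keep $EICAR and $H literal.
$Eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

function Invoke-AmsiProbe {
    param([string]$Name, [hashtable]$RequestParams)
    try {
        $response = Invoke-WebRequest -UseDefaultCredentials -UseBasicParsing @RequestParams
        $status = [int]$response.StatusCode
    } catch {
        # Invoke-WebRequest throws on 4xx/5xx; the status code is on the exception's response.
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 }
    }
    [pscustomobject]@{ Probe = $Name; Status = $status; Http400 = ($status -eq 400) }
}

function Test-SharePointAmsi([string]$Url) {
    @(
        Invoke-AmsiProbe 'baseline (no test string)' @{ Uri = $Url }
        Invoke-AmsiProbe 'EICAR in amsiscantest header' @{ Uri = $Url; Headers = @{ amsiscantest = $Eicar } }
        Invoke-AmsiProbe 'EICAR in POST body (needs Balanced/Full)' @{ Uri = $Url; Method = 'Post'; Body = $Eicar; ContentType = 'text/plain' }
    )
}

function Get-DefenderEvidence([int]$Minutes = 15) {
    # The platform version must be at least 1.1.18300.4 for the SharePoint integration.
    $mp = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        PlatformVersion    = $mp.AMProductVersion
        EngineVersion      = $mp.AMEngineVersion
    }
    # 1116 = threat detected, 1117 = action taken; Defender's AMSI detections appear here as well.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

$results = Test-SharePointAmsi -Url $SiteUrl
$results | Format-Table -AutoSize
if ($results[0].Http400) {
    Write-Warning 'The baseline request already returns 400: fix that before reading anything into the other rows.'
}
Get-DefenderEvidence | Format-List
```

Read the three rows together: the baseline must not be 400, the header probe should be 400 with a matching 1116/1117 event, and the body probe is 400 only on a 25H1 build in Balanced or Full mode. A 400 without a Defender event means something other than AMSI rejected the request.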
How AMSI protects SharePoint servers from hacker attacks
AMSI gives SharePoint a layer of protection that acts on the request itself rather than on the patched code. Take CVE-2025-53770, a deserialization vulnerability that allows unauthenticated remote code execution: the attacker sends crafted requests to an endpoint such as ToolPane.aspx. With AMSI enabled and a provider that recognises the exploit pattern, the request is blocked before the vulnerable code runs, so no web shell is written and no data leaves the server.
Other examples are CVE-2025-53771, the related spoofing vulnerability fixed in the same update, and older exploit chains against Exchange and SharePoint. Microsoft has reported that AMSI integration stopped active campaigns by blocking the malicious HTTP requests before the patches were available. Against real-world attacks that use obfuscated scripts or fileless techniques, AMSI works together with Defender's behaviour monitoring to pick up the anomalies, which lowers the risk of intrusion in critical sectors. The limits matter, though: the protection is only as good as the provider's detection logic; Microsoft's guidance for CVE-2025-53770 was still to install the security update and rotate the ASP.NET machine keys afterwards; and the exploit payloads travelled in request bodies, which only the Balanced or Full body-scan modes of 25H1 inspect.
Comparison of antivirus products and a list of those that support AMSI integration with SharePoint
Antivirus products differ in what their AMSI support covers: some concentrate on script content (PowerShell, Windows Script Host), others bundle endpoint protection with SharePoint-specific features. Microsoft Defender Antivirus offers built-in integration at no extra cost and uses machine learning for broad threat detection, but has no SharePoint-specific dashboards. Third-party products add forensics, centralised management and custom rules, at the price of configuration work and licensing.
Key comparison:
- Depth of detection: Defender is strong on fileless threats; products such as McAfee and Symantec add URL and network reputation analysis.
- Performance: the Balanced body-scan mode keeps the overhead down; heavier products such as Kaspersky can affect high-traffic servers.
- Ease of integration: any AMSI-compatible product registers itself as a provider automatically; SharePoint-specific products such as Symantec's ship their own SharePoint integration on top.
- Cost: Defender is included with Windows; the others are licensed separately.
List of products that support AMSI (verified through Microsoft documents, provider websites, and compatibility lists):
- Microsoft Defender Antivirus (native, real-time protection for scripts and requests).
- ESET Security for Microsoft SharePoint (Enhanced Malware Protection, AMSI for scripts/data).
- Symantec (Broadcom) Protection for SharePoint Servers (HTTP request scanning, all-in-one integration).
- Trend Micro Server & Workload Protection (leverages AMSI for script detection).
- McAfee Endpoint Security (blocks widespread threats like PowerMiner via AMSI).
- Kaspersky Endpoint Security (sends objects such as PowerShell scripts for review).
- Bitdefender (uses AMSI as a bridge to catch fileless threats).
- Sophos Home/Endpoint (protects against stealthy script attacks).
- WithSecure (F-Secure) Policy Manager (deeper review of scripting services).
- CrowdStrike (combines with Defender for AMSI registration).
For SharePoint, choose a product with explicit support for scanning HTTP requests, and always check the vendor's compatibility list. Keep in mind that two different integrations are in play here: AMSI, which scans incoming requests through whatever provider is registered with Windows, and the older SharePoint antivirus API (configured under Security > Manage antivirus settings in Central Administration), which scans documents on upload and download. A product marketed "for SharePoint" may support only the latter, and that alone does not give you AMSI request scanning.
Conclusion
AMSI integration adds a request-level control that strengthens SharePoint against evolving threats in on-premises environments. By enabling AMSI, keeping a compatible antivirus engine up to date and still applying security updates promptly, administrators can reduce the risk effectively. For updates, see Microsoft Learn.