Skip to content

Enhance the AMSI Request Body Scanning analysis #2490

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
lusassl-msft wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Enhance the AMSI Request Body Scanning analysis #2490

lusassl-msft wants to merge 4 commits into from

Conversation

@lusassl-msft
Copy link
Contributor

@lusassl-msft lusassl-msft commented Jan 23, 2026
edited
Loading

Description:

Enhances the AMSI Request Body Scanning analysis to provide more detailed and actionable information about the configuration state.

When AMSI Request Body Scanning is enabled for specific protocols (rather than globally via EnabledAll), the output now lists which protocols are configured:

image

I've also added yellow warning indicator when AMSI Request Body Scanning is not enabled.

I've also fixed the analyzer logic of the AMSI body scanning feature. The logic in Exchange Server is the following:

EnabledAll == true means that AMSI body scanning is enabled for any protocol. Starting with the Aug25SU, EnabledAll == true is the default without explicitly setting the value via SO.

If you're running the Aug25Su and you want to disable AMSI body scanning for all protocols except selected protocols, the logic is the following:

  1. Set EnabledAll == false via SO
  2. Create SO for any protocol which you want to enable (e.g., EnabledEcp == true, EnabledOwa == true)

Validation:
Lab

@lusassl-msft lusassl-msft requested a review from a team as a code owner January 23, 2026 10:14
@lusassl-msft
Copy link
Contributor Author

lusassl-msft commented Jan 23, 2026

/azp run

@azure-pipelines
Copy link

azure-pipelines bot commented Jan 23, 2026

Azure Pipelines successfully started running 1 pipeline(s).

@lusassl-msft lusassl-msft marked this pull request as draft January 23, 2026 13:30
@lusassl-msft lusassl-msft marked this pull request as ready for review January 23, 2026 16:39
@lusassl-msft
Copy link
Contributor Author

lusassl-msft commented Jan 23, 2026

/azp run

@azure-pipelines
Copy link

azure-pipelines bot commented Jan 23, 2026

Azure Pipelines successfully started running 1 pipeline(s).

@lusassl-msft lusassl-msft marked this pull request as draft January 23, 2026 17:25
@lusassl-msft lusassl-msft marked this pull request as ready for review January 23, 2026 18:38
@lusassl-msft
Copy link
Contributor Author

lusassl-msft commented Jan 23, 2026

/azp run

@azure-pipelines
Copy link

azure-pipelines bot commented Jan 23, 2026

Azure Pipelines successfully started running 1 pipeline(s).

@dpaulson45
Copy link
Member

dpaulson45 commented Jan 23, 2026

looks good, is it worth our time to add in pester testing covering the problem that this new code does address?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@lusassl-msft @dpaulson45