Lists of frequently asked questions

To detect attempts (including successful ones) to hack into end devices in a timely manner and take appropriate measures, we recommend that you take advantage of the security auditing option.

To do this:

  1. Go to the Control Panel → Administrative Tools → Local security policy → Advanced audit policy configuration → Object access → Audit file system. Set the file system audit for both success and failure.

  2. Next, enable an audit for the folder you need:

    1. Open the properties of the shared folder → the Security tab → Advanced → the Audit tab → Change → Add;

    2. specify the users to be audited. Select All, application level — For this folder and its subfolders and files;

    3. specify the actions to be audited: Create files/append data, Create folders/append data, Remove folders and files, or just Remove. For all actions, select the audit option for both success and failure.

After that, file and folder access events will appear in the security event log.

If, in a system that already has the auditing option configured, the anti-virus detects changes in the file system, make sure to note the detection time and compare it with the events in the security log.

You can familiarise yourself with security event codes on Microsoft's official website.
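
The comparison of the detection time with the security log described above can be done from PowerShell. This is an added example, not Doctor Web's code: the function name, the time window and the folder path are assumptions, and 4656, 4660 and 4663 are the standard Windows event IDs written by file system auditing.

```powershell
# Added example: list file system audit events recorded around an anti-virus detection.
# Run in an elevated session; reading the Security log requires administrator rights.
function Get-FileAuditEventsNearDetection {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [datetime] $DetectionTime,   # time reported by the anti-virus
        [int]    $WindowMinutes = 10,                       # assumption: +/- 10 minutes
        [string] $AuditedPath   = 'D:\Share'                # hypothetical audited folder
    )

    # 4656 = handle to an object requested, 4660 = object deleted,
    # 4663 = attempt to access an object
    $filter = @{
        LogName   = 'Security'
        Id        = 4656, 4660, 4663
        StartTime = $DetectionTime.AddMinutes(-$WindowMinutes)
        EndTime   = $DetectionTime.AddMinutes($WindowMinutes)
    }
    $auditFailure = 0x10000000000000   # keyword bit set on "Audit Failure" records

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Collect the named EventData fields from the event XML
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                EventId  = $_.Id
                Result   = if ($_.Keywords -band $auditFailure) { 'Failure' } else { 'Success' }
                User     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Process  = $data['ProcessName']
                Object   = $data['ObjectName']
                HandleId = $data['HandleId']   # links a 4660 deletion to its 4663 record
                Access   = $data['AccessMask']
            }
        } |
        Where-Object {
            # 4660 carries no ObjectName, so keep it and match it by HandleId
            $_.EventId -eq 4660 -or
            ($_.Object -and $_.Object.StartsWith($AuditedPath, [StringComparison]::OrdinalIgnoreCase))
        } |
        Sort-Object Time
}

# Constructed detection time, replace it with the one from the anti-virus log:
# Get-FileAuditEventsNearDetection -DetectionTime '2024-05-01 14:32:00' | Format-Table -AutoSize
```

The Process and User columns show which program and account touched the audited folder in the minutes around the detection, and Failure rows show access attempts that were denied.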

By releasing cumulative updates for Exchange Server 2016/2019 (KB5003611 and KB5003612), Microsoft has introduced support for integration with AMSI (Antimalware Scan Interface) in the respective Exchange Server versions. Now AMSI-capable anti-virus software running on the same machine as the Exchange Server can scan the contents of all inbound HTTP requests before they are handled by a mail server.

As a result, running Dr.Web Anti-virus for Windows Servers and Dr.Web Agent for Windows with AMSI integration enabled may have a severe adverse impact on the overall performance of the Exchange Server and the Dr.Web software. The update that solves the mentioned issue was released on January 17, 2022. Before installing this update, Doctor Web developers recommend that you disable support for AMSI in your Exchange mail servers.

You can disable AMSI integration via Exchange Server PowerShell:

  1. Open Exchange Server PowerShell.
  2. Run the following command sequence:
    [PS] C:\>New-SettingOverride -Name DisablingAMSIScan -Component Cafe -Section HttpRequestFiltering -Parameters ("Enabled=False") -Reason "Testing"
    [PS] C:\>Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh
    [PS] C:\>Restart-Service -Name W3SVC, WAS -Force

Important: Before you proceed, make sure that all your relevant data is saved. Running these commands will restart Internet Information Services (IIS) and interrupt the current connection.

It is also recommended that you re-enable AMSI integration on your mail server after the issue gets resolved with the release of an update. Re-enable AMSI integration by running these commands in Exchange Server PowerShell:

    [PS] C:\>Remove-SettingOverride -Identity DisablingAMSIScan -Confirm:$false
    [PS] C:\>Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh
    [PS] C:\>Restart-Service -Name W3SVC, WAS -Force

Important: Before you proceed, make sure that all your relevant data is saved. Running these commands will restart Internet Information Services (IIS) and interrupt the current connection.

You can also disable AMSI integration with an Exchange Server support script:

  1. Download the Test-AMSI.ps1 script from the Microsoft repository here.
  2. Copy the script to the directory C:\scripts. If the scripts directory does not exist, create it. To avoid possible errors, ensure that the script file is unblocked.
  3. Run the following command sequence:
    [PS] C:\scripts>.\Test-AMSI.ps1 -DisableAMSI
    [PS] C:\scripts>.\Test-AMSI.ps1 -RestartIIS

To re-enable AMSI integration with Microsoft Exchange Server, run the following command sequence:

    [PS] C:\scripts>.\Test-AMSI.ps1 -EnableAMSI
    [PS] C:\scripts>.\Test-AMSI.ps1 -RestartIIS
