AMSI integration causing performance bottlenecks on WFE servers

Henry Harris 25 Reputation points
2026-03-09T10:59:44.6366667+00:00

With the recent rollout of Antimalware Scan Interface (AMSI) integration in SharePoint Server Subscription Edition, my Web Front End (WFE) servers are experiencing significant CPU spikes and request latency during large file uploads.  It appears that the SPAntimalwareService is triggering a synchronous scan for every POST request, which blocks the thread pool until the third-party AV engine (like Microsoft Defender or CrowdStrike) returns a verdict.

Since this is a new security layer, I'm trying to determine if there's a way to exclude specific Trusted Content Types or internal service-to-service traffic from the AMSI scan buffer without disabling the feature entirely via the Enable-SPAntimalwareScanning cmdlet.

Microsoft 365 and Office | SharePoint Server | For business

Answer accepted by question author
  1. Q&A Assist
    2026-03-09T10:59:58.38+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    AMSI integration in SharePoint Server scans HTTP/HTTPS requests at the web application level and is designed as a generic request filter. The available documentation describes:

    • Prerequisites and supported versions.
    • How to enable/disable AMSI per web application.
    • How to test AMSI behavior with a special test string.
    • That request body scanning can be configured in different modes (Balanced / Full) in newer Subscription Edition builds.

    However, there is no documented mechanism to:

    • Exclude specific SharePoint content types from AMSI scanning.
    • Exclude particular URLs or service-to-service traffic from the AMSI scan buffer.
    • Configure AMSI rules from SharePoint to treat some requests as “trusted” while still leaving AMSI enabled for others.

    The only SharePoint-side control described is enabling or disabling AMSI integration on web applications (for example, via the AMSI feature and related cmdlets), and in newer versions choosing the request body scan mode. Fine‑grained exclusions (per content type, per traffic class) would have to come from the AMSI-capable antimalware product itself, if that product exposes such configuration, not from SharePoint.

    If AMSI is causing performance bottlenecks on WFE servers, the supported tuning options based on the documentation are:

    1. Verify that the environment meets the prerequisites (supported Windows, SharePoint build, and AV engine versions) so that AMSI runs in the expected, optimized path.
    2. On Subscription Edition builds that support it, adjust the AMSI request body scanning mode (for example, Balanced vs Full) to reduce scanning overhead while retaining protection.
    3. If performance remains unacceptable and the AV product cannot be tuned, AMSI can be disabled per web application using the documented AMSI integration controls.

    There is no documented way to implement the requested “trusted content type” or “internal traffic” exclusions from within SharePoint AMSI integration itself.


