After you disable AMSI, you need to close all instances of that process and relaunch it to unload MfeAmsiProvider.dll or ATPAmsiGuard.dll. You don't need to reboot unless the process in question can't be closed without a system reboot.
NOTE: Where a process restart isn't possible (for example, the Internet Information Services (IIS) service), you need to reboot the system to unload MfeAmsiProvider.dll or ATPAmsiGuard.dll.
To confirm the presence or absence of the ENS ATP or ENS Threat Prevention AMSI .dlls and the associated PID details, run the following command from an administrator command prompt:
- For ENS ATP AMSI: tasklist /m atpamsiguard.dll
- For ENS Threat Prevention AMSI: tasklist /m mfeamsiprovider.dll
To list processes with a Microsoft AMSI .dll loaded, run the following command:
tasklist /m amsi.dll
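The three tasklist checks above can be combined into one report of the processes that still need to be closed and relaunched. This is an added example, not part of the original article; it assumes an elevated PowerShell prompt, and the function name Get-ModuleHolder and the report layout are hypothetical.

```powershell
# Added example: wraps the tasklist /m checks from this article.
# Module names come from the article; everything else is illustrative.
$modules = [ordered]@{
    'atpamsiguard.dll'    = 'ENS ATP AMSI'
    'mfeamsiprovider.dll' = 'ENS Threat Prevention AMSI'
    'amsi.dll'            = 'Microsoft AMSI'
}

function Get-ModuleHolder {
    param([Parameter(Mandatory)][string]$Module)

    # /fo csv /nh prints one quoted row per process: "Image Name","PID","Modules"
    $rows = & tasklist.exe /m $Module /fo csv /nh 2>$null

    # When no process has the module loaded, tasklist prints an INFO line
    # instead of CSV rows, so keep only lines that start with a quote.
    $rows | Where-Object { $_ -like '"*' } |
        ConvertFrom-Csv -Header 'ImageName', 'ProcessId', 'Modules' |
        ForEach-Object {
            [pscustomobject]@{
                Module    = $Module
                ImageName = $_.ImageName
                ProcessId = [int]$_.ProcessId
            }
        }
}

$report = foreach ($m in $modules.Keys) {
    $holders = @(Get-ModuleHolder -Module $m)
    if ($holders.Count -eq 0) {
        Write-Host "$($modules[$m]) ($m): not loaded in any process"
    } else {
        Write-Host "$($modules[$m]) ($m): loaded in $($holders.Count) process(es)"
        $holders
    }
}

# Processes that still hold an ENS AMSI DLL after AMSI is disabled must be
# closed and relaunched (or the system rebooted where a restart is not possible).
$report |
    Where-Object { $_.Module -ne 'amsi.dll' } |
    Sort-Object ImageName, ProcessId |
    Format-Table -AutoSize
```

An empty table after the policy change means no running process still has MfeAmsiProvider.dll or ATPAmsiGuard.dll loaded.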
ENS AMSI is configured in the following policy locations:
- ePolicy Orchestrator:
- ENS ATP: Policy Catalog, Endpoint Security Adaptive Threat Protection, Options, <policy name>, Enable enhanced script scanning (includes AMSI integration)
- ENS Threat Prevention: Policy Catalog, Endpoint Security Threat Prevention, On-Access Scan, <policy name>, Enable AMSI (provides enhanced script scanning)
- MVISION Endpoint: Policy Catalog, MVISION Endpoint, General, <policy name>, Enable script scanning