Antimalware protection in Exchange Server

Antimalware protection in Exchange Server 2016 helps combat viruses and spyware in your email messaging environment. Viruses infect other programs and data, and they spread throughout your computer looking for programs to infect. Spyware gathers personal information (for example, sign-in information and personal data) and sends it back to its author.

The antimalware protection in Exchange Server was introduced in Exchange 2013, and is provided by the Transport agent named Malware Agent. The agent scans messages as they travel through the Transport service on a Mailbox server. You configure malware filtering by using:

  • Antimalware policies: Specify inbound and outbound scanning and notification options for malware filtering. There's a default policy that applies to all recipients in the Exchange organization, and you can create addtional policies that are applied in a specific order.

  • Antimalware server settings: Specify the error and retry actions, and the engine and definition update settings for malware filtering. The Malware agent uses Internet access on TCP port 80 (HTTP) to check for engine and definition updates every hour.

  • Antimalware scripts: Enable or disable malware filtering on the server, and manually download engine and definition updates.

For procedures related to malware filtering, see Procedures for antimalware protection in Exchange Server. For more information about the antispam features in Exchange Server, see Antispam protection in Exchange Server.

Antimalware policies

Antimalware policies control the actions and notification options for malware detections. The important settings in antimalware policies are:

  • Action: Specifies what to do when a message is found to contain malware. The options are:

    • Delete the message (this is the default value).

    • Replace all attachments with a text file that contains this default text:

      Malware was detected in one or more attachments included with this email. All attachments have been deleted.

    • Replace all attachments with a text file that contains the custom text you specify.

  • Notifications: When an antimalware policy is configured to delete messages, you can choose whether to send a notification message to the sender. You can send notification messages based on whether the sender is internal or external. The default notification message has these properties:

    • From: Postmaster postmaster@ <defaultdomain>.com

    • Subject: Undeliverable message

    • Message text: This message was created automatically by mail delivery software. Your email message was not delivered to the intended recipients because malware was detected.

    You can customize the message properties for internal and external notifications. You can also specify additional recipients (administrators) to receive notifications for undeliverable messages from internal or external senders.

  • Recipient filters: For custom antimalware policies, you can specify recipient conditions and exceptions that determine who the policy applies to. You can use these properties for conditions and exceptions:

    • By recipient

    • By accepted domain

    • By group membership

    You can only use a condition or exception once, but the condition or exception can contain multiple values. Multiple values of the same condition or exception use OR logic (for example, <recipient1> or <recipient2>). Different conditions or exceptions use AND logic (for example, <recipient1> and <member of group 1>).

  • Priority: If you create multiple custom antimalware policies, you can specify the order that they're applied.

Antimalware policies in the Exchange admin center vs the Exchange Management Shell

The basic elements of an antimalware policy are:

  • The malware filter policy: Specifies the action and notification options for malware filtering.

  • The malware filter rule: Specifies the priority and recipient filters (who the policy applies to) for a malware filter policy.

The difference between these two elements isn't obvious when you manage antimalware polices in the Exchange admin center (EAC):

  • When you create an antimalware policy in the EAC, you're actually creating a malware filter rule and the associated malware filter policy at the same time using the same name for both.

  • When you modify an antimalware policy in the EAC, settings related to the name, priority, enabled or disabled, and recipient filters modify the malware filter rule. Other settings (actions and notification options) modify the associated malware filter policy.

  • When you remove an antimalware policy from the EAC, the malware filter rule and the associated malware filter policy are removed.

In the Exchange Management Shell, the difference between malware filter policies and malware filter rules is apparent. You manage malware filter policies by using the *-MalwareFilterPolicy cmdlets, and you manage malware filter rules by using the *-MalwareFilterRule cmdlets.

  • In the Exchange Management Shell, you create the malware filter policy first, then you create the malware filter rule that identifies the policy that the rule applies to.

  • In the Exchange Management Shell, you modify the settings in the malware filter policy and the malware filter rule separately.

  • When you remove a malware filter policy from the Exchange Management Shell, the corresponding malware filter rule isn't automatically removed, and vice versa.

Default antimalware policy

Every Mailbox server has a built-in antimalware policy named Default that has these properties:

  • The malware filter policy named Default is applied to all recipients in the Exchange organization, even though there's no malware filter rule (recipient filters) associated with the policy.

  • The policy named Default has the custom priority value Lowest that you can't modify (the policy is always applied last). Any custom antimalware policies that you create always have a higher priority than the policy named Default.

  • The policy named Default is the default policy (the IsDefault property has the value True), and you can't delete the default policy.

Antimalware server settings

You can use the Get-MalwareFilteringServer and Set-MalwareFilteringServer cmdlets in the Exchange Management Shell to view and configure the update, timeout, and download settings for the Malware agent on the Mailbox server. For procedures that use these cmdlets, see Use the Exchange Management Shell to bypass malware filtering on Mailbox servers and Use the Exchange Management Shell to configure malware filtering to rescan messages that were already scanned by EOP.

Antimalware scripts

Exchange includes two Exchange Management Shell scripts that you can use to manage malware filtering:

  • Disable-Antimalwarescanning.ps1 disables the Malware agent, and malware engine and definition updates on the Mailbox server.

  • Enable-Antimalwarescanning.ps1 enables the Malware agent, enables malware engine and definition updates, and runs engine and definition updates on the Mailbox server.

  • Update-MalwareFilteringServer.ps1 manually runs malware engine and definition updates on the Mailbox server.

For more information about using these scripts, see Use the Exchange Management Shell to enable or disable malware filtering on Mailbox servers and Download antimalware engine and definition updates.

Antimalware protection options in Exchange Server

This list describes the antimalware options for Exchange:

  • Built-in antimalware protection: You can use the built-in antimalware protection in Exchange to help you combat malware. You can use it by itself, or you can pair it with other antimalware solutions to provide a layered defense against malware.

  • Exchange Online Protection (EOP): You can pay for a subscription to EOP, which is the antimalware solution that's used in Microsoft 365 and Office 365. EOP leverages partnerships with several antimalware engines to provide efficient, cost effective, and multi-layered antimalware protection. The advantages of paring the built-in antimalware protection with EOP are:

    • EOP uses multiple antimalware engines, while the built-in antimalware protection uses a single engine.

    • EOP has reporting capabilities, including malware statistics.

    • EOP provides the message trace feature for self-troubleshooting mail flow problems including malware detections.

      For more information about EOP, see Anti-malware protection in EOP.

  • Third-party antimalware protection: You can buy a third-party antimalware program.

Antimalware FAQ for Exchange

This section answers the frequently asked questions about built-in malware filtering and scanning in Exchange.

Why did malware that was identified by other antimalware services get past Exchange antimalware filtering?

There are two likely reasons:

  • The most likely scenario is the message attachment doesn't actually contain any active malicious code. Some antimalware engines are more aggressive than others, and these engines might stop messages simply because they contain truncated malware payloads that don't actually do anything.

  • The malware you received is a new variant, and our antimalware engine hasn't released a pattern file for it (yet).

I received a message with an unfamiliar attachment. Is this malware or can I disregard this attachment?

We strongly advise that you don't open any attachments that you don't recognize. If you would like us to investigate the attachment, submit it to us as described in the next item.

How do I submit known malware, suspicious files, or false positives to Microsoft?

Save a copy of the message and upload the message to the Microsoft Security Intelligence website so we can examine it.

If the sample contains malware, we'll take corrective action to prevent the virus from going undetected. if the sample is clean, we'll take corrective action to prevent the file from being detected as malware.

Where can I get the messages that have been deleted by the malware filter?

You can't. The messages were found to contain active malicious code, so they were deleted.

Can I use mail flow rules to bypass malware filtering?

No, you can't use mail flow rules (also known as transport rules) to bypass the Malware agent. Instead, send the attachment in a password-protected .zip file (password-protected file .zip files are bypassed by malware filtering).