Anti-Malware Protection FAQ
Applies to: Exchange Online Protection, Exchange Online
Topic Last Modified: 2014-03-28
This section provides frequently asked questions and answers about anti-malware protection. Answers are applicable for Microsoft Exchange Online and Exchange Online Protection customers.
Q. How often are the malware definitions updated?
A. Each server checks for new malware definitions from our anti-malware partners every hour.
Q. How many anti-malware partners do you have? Can I choose which malware engines we use?
A. We have partnerships with multiple best-of-breed providers of anti-malware technologies. The number of partners we have is subject to change, but all of our customers are automatically protected by multiple anti-malware partners at all times. There is no way to choose one engine over another.
Q. Where does malware scanning occur?
A. Malware scanning is performed on messages sent to or received from a mailbox. Malware scanning is not performed on a message accessed from a mailbox because it should have already been scanned. If a message is re-sent from a mailbox, it’s rescanned.
Q. If I make a change to an anti-malware policy, how long does it take after I save my changes for them to take effect?
A. It may take up to 1 hour for the changes to take effect.
Q. Does the service scan internal messages for malware?
A. The service only scans inbound and outbound messages that are routed by the service, and does not scan messages sent from a sender in your organization to a recipient in your organization. However, for another layer of defense, you can pair the service with the built-in anti-malware protection capabilities of Exchange Server 2013, which scans internal messages for malware.
Q. Do all anti-malware engines used by the service have heuristic scanning enabled?
Yes. This enables the anti-malware engines to scan for both known (signature match) and unknown (suspicious) malware.
Q. Can the service scan compressed files (such as .zip files)?
Yes. The anti-malware engines can drill into archive (compressed) files (such as .zip files).
Q. Is the compressed attachment scanning support recursive (.zip within a .zip within a .zip) and if so, how deep does it go?
Yes, recursive scanning of compressed files can be scanned many levels deep.
Q. Does the service work with legacy Exchange versions (such as Exchange Server 2010) and non-Exchange environments?
A. Yes, the service is server agnostic.
Q. Why did this malware make it past the filters?
A. There are two possible reasons why you may have received malware.
The first, and more likely scenario, is that the attachment received does not contain any active malicious code. In these situations, some anti-malware engines that run on computers may be more aggressive and stop messages with truncated payloads.
The second is that the malware you received is a new variant and our anti-malware partners have not yet released a pattern file for the service to deploy. The time it takes for an update to be released is dependent on the anti-malware partners.
Q. How can I submit malware that made it past the filter to Microsoft?
A. If you have received malware such as a virus that made it past the filter, please save a copy of the email message with its attached virus, go to the Malware Protection Center and submit a sample using the detailed instructions on that page. When submitting the file, in the Product drop-down list select Other, select the I believe this file contains malware option, and in the Comments field specify Exchange Online Protection. After we receive the sample, we’ll investigate and if it’s determined that the sample contains malware, we’ll take corrective action to prevent the virus from going undetected.
Q. How can I submit a file that I believe was incorrectly detected as malware?
A. Similar to submitting malware, go to the Malware Protection Center and submit a sample using the detailed instructions on that page. When submitting the file, in the Product drop-down list select Other, select the I believe this file should not be detected as malware option, and in the Comments field specify Exchange Online Protection. After we receive the sample, we’ll investigate and if it’s determined that the sample is clean, we’ll take corrective action to prevent the file from being detected as malware.
Q. I received an email with an attachment that I am not familiar with. Is this malware or can I disregard this attachment?
A. We strongly advise that you do not open any attachments that you do not recognize. If you would like us to investigate the attachment, go to the Malware Protection Center and submit the possible malware to us as described previously.
Q. Where can I get the messages that have been deleted by the malware filters?
A. The messages contain active malicious code and therefore we do not allow access to these messages. They are simply deleted.
Q. I am not able to receive a specific attachment because it is being falsely filtered by your malware filters. Can I allow this attachment through via transport rules?
A. No. Transport rules cannot be used to bypass the malware filter. If you would like this attachment to bypass the malware filter, send the attachment to the intended recipient within a password protected .zip file. Any password protected file is bypassed by malware filtering.
Q. Can I obtain reporting data about malware detections?
A. Yes, you can access reports in the Office 365 admin center or by downloading an Excel reporting workbook. For more information about reporting, see the following links:
Exchange Online customers: Monitoring, Reporting, and Message Tracing in Exchange Online
Exchange Online Protection customers: Reporting and Message Trace in Exchange Online Protection
Q. Is there a tool that I can use to follow a malware-detected message through the service?
Yes, the message trace tool enables you to follow email messages as they pass through the service. For more information about how to use the message trace tool to find out why a message was detected to contain malware, see Was a message detected to contain malware?
Q. Can I use a third-party anti-spam and anti-malware provider in conjunction with Exchange Online?
A. Yes, you may configure another spam and malware filtering service to protect your Exchange Online mailboxes. To do this for inbound mail, you should redirect your email messages to the third-party provider by changing your MX records to point to the third-party provider, and then redirect the messages to EOP for additional processing. To do this for outbound mail, please configure the message delivery destination to the third-party provider (smart host), as shown in Scenario: Outbound Smart Hosting.
Q. Are spam and malware messages being investigated as to who sent them, or being transferred to law enforcement entities?
A. The service focuses on spam and malware detection and removal, though we may occasionally investigate especially dangerous or damaging spam or attack campaigns and pursue the perpetrators. This may involve working with our legal and digital crime units to take down a spammer botnet, blocking the spammer from using the service (if they’re using it for sending outbound email), and passing the information on to law enforcement for criminal prosecution.