Configure the Default Anti-Malware Policy

You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the “Anti-malware” entry in the Feature Permissions in Exchange Online topic.

For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard Shortcuts in the Exchange Admin Center.

1. In the Exchange admin center (EAC), navigate to Protection > Malware filter, and then double-click the default policy.
   
2. Click the Settings menu option. In the Malware Detection Response section, use the option buttons to select the action to take when malware is detected in a message:
   
   • Delete the entire message   Prevents the entire message, including attachments, from being delivered to the intended recipients. This is the default value.
     
   • Delete all attachments and use default alert text   Deletes all message attachments, not just the infected one, and inserts the following default alert text into a text file that replaces the attachments: “Malware was detected in one or more attachments included with this email. All attachments have been deleted.”
     
   • Delete all attachments and use custom alert text   Deletes all message attachments, not just the infected one, and inserts a custom message into a text file that replaces the attachments. Selecting this option enables the Custom alert text field where you must type a custom message.
     

   Important:
   If malware is detected in the message body, the entire message, including all attachments, will be deleted regardless of which option you select. This action is applied to both inbound and outbound messages.

3. In the Notifications section, you have the option to send a notification email message to senders or administrators when a message is detected as malware and is not delivered. These notifications are only sent when the entire message is deleted.
   
   1. In the Sender Notifications section, select the check boxes to Notify internal senders (those within your organization) or to Notify external senders (those outside your organization) when a detected message is not delivered.
      
   2. Similarly, in the Administrator Notifications section, select the check boxes to Notify administrator about undelivered messages from internal senders or to Notify administrator about undelivered messages from external senders. Specify the email address or addresses of the administrator in their respective Administrator email address fields after selecting one or both of these check boxes. Use a semicolon to separate multiple addresses.
      The default notification text is “This message was created automatically by mail delivery software. Your email message was not delivered to the intended recipients because malware was detected.” The language in which the default notification text is sent is dependent on the locale of the message being processed.
      
   3. In the Customize Notifications section, you can create customized notification text to be used in place of the default notification text for sender and administrator notifications. Select the Use customized notification text check box, and then specify values in the following required fields:
      
      • From name   The name you want to be used as the sender of the customized notification.
        
      • From address   The email address you want to be used as the sender of the customized notification.
        
      • Messages from internal senders   The Subject and Message of the notification if the detected message originated from an internal sender.
        
      • Messages from external senders   The Subject and Message of the notification if the detected message originated from an external sender.
        

        Note:
        The default Subject text is “Undeliverable message.”

   4. Click Save. A summary of your default policy settings appears in the right pane.
      

The following procedure provides instructions for using the EICAR.TXT antivirus test file to verify that malware filtering is working correctly. Use an email client that does not block the file.

Important:
The EICAR.TXT file is not a virus. However, because users often have the need to test that installations function correctly, the antivirus industry, through the European Institute for Computer Antivirus Research, has adopted the EICAR standard in order to meet this need.

1. Create a new text file, and then name the file EICAR.TXT.

2. Copy the following line into the text file:

   Copy

   X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
   

   Make sure that this is the only string in the file. When done, you will have a 68-byte file.

   Note:
   If you are using a desktop antivirus program, make sure that the folder you are saving the file to is excluded from scanning.

3. Attach this file to an email message that will be filtered by the service.

   Check the recipient mailbox of the test message. Depending on the malware detection response you have configured, the entire message will be deleted, or the attachment will be deleted and replaced with the alert text file. Any configured notifications will also be distributed.

   The recipient may receive a notification message (if configured) that appears similar to the following: “This message was created automatically by mail delivery software. Your email message was not delivered to the intended recipients because malware was detected.” The following additional information will also be included: the subject of the message, the sender of the message, the time the message was received by the service, the Message ID (the Internet message ID (also known as the Client ID) found in the header of the message with the “Message-ID:” token), and the detection found (which will be eicar.txt).

4. Delete the EICAR.TXT file after testing is completed so that other users are not unnecessarily alarmed.

Anti-Malware Protection

Anti-Malware Protection FAQ