Antimalware protection in Exchange 2016


Applies to: Exchange Server 2016

Topic Last Modified: 2017-09-06

Learn about the built-in malware filtering that's available in Exchange 2016.

Antimalware protection in Exchange 2016 helps combat viruses and spyware in your email messaging environment. Viruses infect other programs and data, and they spread throughout your computer looking for programs to infect. Spyware gathers personal information (for example, sign-in information and personal data) and sends it back to its author.

The antimalware protection in Exchange 2016 was first introduced in Exchange 2013, and is provided by the transport agent named Malware Agent. The agent scans messages as they travel through the Transport service on a Mailbox server. You configure malware filtering by using:

  • Antimalware policies   Specify inbound and outbound scanning and notification options for malware filtering. There's a default policy that applies to all recipients in the Exchange organization, and you can create additional policies that are applied in a specific order.

  • Antimalware server settings   Specify the error and retry actions, and the engine and definition update settings for malware filtering. The Malware agent uses Internet access on TCP port 80 (HTTP) to check for engine and definition updates every hour.

  • Antimalware scripts   Enable or disable malware filtering on the server, and manually download engine and definition updates.

For procedures related to malware filtering, see Procedures for antimalware protection in Exchange 2016. For more information about the antispam features in Exchange 2016, see Antispam protection in Exchange 2016.

Antimalware policies control the actions and notification options for malware detections. The important settings in antimalware policies are:

  • Action   Specifies what to do when a message is found to contain malware. The options are:

    • Delete the message (this is the default value).

    • Replace all attachments with a text file that contains this default text:

      Malware was detected in one or more attachments included with this email. All attachments have been deleted.

    • Replace all attachments with a text file that contains the custom text you specify.

  • Notifications   When an antimalware policy is configured to delete messages, you can choose whether to send a notification message to the sender. You can send notification messages based on whether the sender is internal or external. The default notification message has these properties:

    • From   Postmaster (postmaster@<defaultdomain>.com)

    • Subject   Undeliverable message

    • Message text   This message was created automatically by mail delivery software. Your email message was not delivered to the intended recipients because malware was detected.

    You can customize the message properties for internal and external notifications. You can also specify additional recipients (administrators) to receive notifications for undeliverable messages from internal or external senders.

  • Recipient filters   For custom antimalware policies, you can specify recipient conditions and exceptions that determine who the policy applies to. You can use these properties for conditions and exceptions:

    • By recipient

    • By accepted domain

    • By group membership

    You can only use a condition or exception once, but the condition or exception can contain multiple values. Multiple values of the same condition or exception use OR logic (for example, <recipient1> or <recipient2>). Different conditions or exceptions use AND logic (for example, <recipient1> and <member of group 1>).

  • Priority   If you create multiple custom antimalware policies, you can specify the order in which they're applied.

The basic elements of an antimalware policy are:

  • The malware filter policy   Specifies the action and notification options for malware filtering.

  • The malware filter rule   Specifies the priority and recipient filters (who the policy applies to) for a malware filter policy.

The difference between these two elements isn't obvious when you manage antimalware policies in the Exchange admin center (EAC):

  • When you create an antimalware policy in the EAC, you're actually creating a malware filter rule and the associated malware filter policy at the same time using the same name for both.

  • When you modify an antimalware policy in the EAC, settings related to the name, priority, enabled or disabled, and recipient filters modify the malware filter rule. Other settings (actions and notification options) modify the associated malware filter policy.

  • When you remove an antimalware policy from the EAC, the malware filter rule and the associated malware filter policy are removed.

In the Exchange Management Shell, the difference between malware filter policies and malware filter rules is apparent. You manage malware filter policies by using the *-MalwareFilterPolicy cmdlets, and you manage malware filter rules by using the *-MalwareFilterRule cmdlets.

  • In the Exchange Management Shell, you create the malware filter policy first, then you create the malware filter rule that identifies the policy that the rule applies to.

  • In the Exchange Management Shell, you modify the settings in the malware filter policy and the malware filter rule separately.

  • When you remove a malware filter policy from the Exchange Management Shell, the corresponding malware filter rule isn't automatically removed, and vice versa.
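The policy-then-rule procedure above, together with the recipient filter logic described earlier (OR within one condition, AND across conditions), as an added Exchange Management Shell example. This is not code from the original article; the policy and rule name, domains, group, and addresses are constructed placeholders.

```powershell
# Added example (not from the original article). "Finance-Malware", contoso.com,
# fabrikam.com, "Finance Staff", and the admin address are constructed placeholders.

# 1. Create the malware filter policy first: it holds the action and the
#    notification settings. Attachments are replaced with custom text, and an
#    admin address is notified when an internal sender's message is caught.
New-MalwareFilterPolicy -Name "Finance-Malware" `
    -Action DeleteAttachmentAndUseCustomAlert `
    -CustomAlertText "An attachment was removed because malware was detected. Contact the helpdesk." `
    -EnableInternalSenderNotifications $true `
    -EnableExternalSenderNotifications $false `
    -EnableInternalSenderAdminNotifications $true `
    -InternalSenderAdminAddress "secops@contoso.com"

# 2. Create the malware filter rule that binds recipient filters and priority
#    to that policy. The two domains in one condition use OR (either matches);
#    the separate group condition is ANDed with it; the exception is excluded.
New-MalwareFilterRule -Name "Finance-Malware" `
    -MalwareFilterPolicy "Finance-Malware" `
    -RecipientDomainIs "contoso.com","fabrikam.com" `
    -SentToMemberOf "Finance Staff" `
    -ExceptIfSentTo "noc-alerts@contoso.com" `
    -Priority 0

# 3. Verify the evaluation order. Only custom rules appear here; the built-in
#    policy named Default has no rule and is always applied last.
Get-MalwareFilterRule | Sort-Object Priority |
    Format-Table Name,Priority,Enabled,MalwareFilterPolicy
Get-MalwareFilterPolicy | Format-Table Name,IsDefault,Action

# Priority and recipient filters live on the rule, so later changes to them
# go through Set-MalwareFilterRule, not Set-MalwareFilterPolicy.
Set-MalwareFilterRule -Identity "Finance-Malware" -Priority 1
```

Removing the policy afterwards with Remove-MalwareFilterPolicy leaves the rule in place (and vice versa), so remove both when retiring a custom policy.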

Every Mailbox server has a built-in antimalware policy named Default that has these properties:

  • The malware filter policy named Default is applied to all recipients in the Exchange organization, even though there's no malware filter rule (recipient filters) associated with the policy.

  • The policy named Default has the custom priority value Lowest that you can't modify (the policy is always applied last). Any custom antimalware policies that you create always have a higher priority than the policy named Default.

  • The policy named Default is the default policy (the IsDefault property has the value True), and you can't delete the default policy.

You can use the Get-MalwareFilteringServer and Set-MalwareFilteringServer cmdlets in the Exchange Management Shell to view and configure the update, timeout, and download settings for the Malware agent on the Mailbox server. For procedures that use these cmdlets, see Use the Exchange Management Shell to bypass malware filtering on Mailbox servers and Use the Exchange Management Shell to configure malware filtering to rescan messages that were already scanned by EOP.
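An added example (not from the original article) of viewing and hardening the Malware agent server settings with these cmdlets; Mailbox01 is a placeholder server name, and the ScanErrorAction values used are assumed from the cmdlet's documented Block/Allow options.

```powershell
# Added example (not from the original article). Mailbox01 is a placeholder.

# View the update, timeout, and error-handling settings of the Malware agent.
Get-MalwareFilteringServer -Identity Mailbox01 |
    Format-List BypassFiltering,ForceRescan,UpdateFrequency,UpdateTimeout,
                ScanTimeout,ScanErrorAction,DeferWaitTime,DeferAttempts,
                PrimaryUpdatePath

# Harden the server: filtering is not bypassed, messages already scanned by EOP
# are rescanned locally, engine/definition updates are checked hourly (the
# default, in minutes), and a scan error blocks the message instead of
# delivering it unscanned (ScanErrorAction Block is assumed to be the default).
Set-MalwareFilteringServer -Identity Mailbox01 `
    -BypassFiltering $false `
    -ForceRescan $true `
    -UpdateFrequency 60 `
    -ScanErrorAction Block

# Audit every Mailbox server in the organization for bypassed filtering; an
# empty result means no server is skipping the Malware agent.
Get-ExchangeServer | Where-Object { $_.IsMailboxServer } |
    ForEach-Object { Get-MalwareFilteringServer -Identity $_.Name } |
    Where-Object { $_.BypassFiltering } |
    Select-Object Name,BypassFiltering,ForceRescan
```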

Exchange includes two Exchange Management Shell scripts that you can use to manage malware filtering:

  • Disable-Antimalwarescanning.ps1 disables the Malware agent, and malware engine and definition updates on the Mailbox server.

  • Enable-Antimalwarescanning.ps1 enables the Malware agent, enables malware engine and definition updates, and runs engine and definition updates on the Mailbox server.

  • Update-MalwareFilteringServer.ps1 manually runs malware engine and definition updates on the Mailbox server.

For more information about using these scripts, see Use the Exchange Management Shell to enable or disable malware filtering on Mailbox servers and Download antimalware engine and definition updates.

This list describes the antimalware options for Exchange:

  • Built-in antimalware protection   You can use the built-in antimalware protection in Exchange to help you combat malware. You can use it by itself, or you can pair it with other antimalware solutions to provide a layered defense against malware.

  • Exchange Online Protection (EOP)   You can pay for a subscription to EOP, which is the antimalware solution that's used in Office 365. EOP leverages partnerships with several antimalware engines to provide efficient, cost-effective, and multi-layered antimalware protection. The advantages of pairing the built-in antimalware protection with EOP are:

    • EOP uses multiple anti-malware engines, while the built-in anti-malware protection uses a single engine.

    • EOP has reporting capabilities, including malware statistics.

    • EOP provides the message trace feature for self-troubleshooting mail flow problems including malware detections.

    For more information about EOP, see Antimalware Protection.

  • Third-party antimalware protection   You can buy a third-party antimalware program.

This section answers the frequently asked questions about built-in malware filtering and scanning in Exchange.

There are two likely reasons:

  • The most likely scenario is the message attachment doesn't actually contain any active malicious code. Some antimalware engines are more aggressive than others, and these engines might stop messages simply because they contain truncated malware payloads that don't actually do anything.

  • The malware you received is a new variant, and our antimalware engine hasn't released a pattern file for it (yet).

We strongly advise that you don't open any attachments that you don't recognize. If you would like us to investigate the attachment, submit it to us as described in the next item.

Save a copy of the message and upload the message at https://go.microsoft.com/fwlink/p/?LinkId=196858 so we can examine it.

If the sample contains malware, we'll take corrective action to prevent the virus from going undetected. If the sample is clean, we'll take corrective action to prevent the file from being detected as malware.

You can't. The messages were found to contain active malicious code, so they were deleted.

No, you can't use mail flow rules (also known as transport rules) to bypass the Malware agent. Instead, send the attachment in a password-protected .zip file (password-protected .zip files are bypassed by malware filtering).
