Anti-malware protection FAQ
Applies to: Exchange Online, Exchange Online Protection
Topic Last Modified: 2016-05-03
This section provides frequently asked questions and answers about anti-malware protection. Answers are applicable for Microsoft Exchange Online and Exchange Online Protection customers.
Q. What are best practice recommendations for configuring and using the service to combat malware?
A. See “Set anti-malware options” in Best practices for configuring EOP.
Q. How often are the malware definitions updated?
A. Each server checks for new malware definitions from our anti-malware partners every hour.
Q. How many anti-malware partners do you have? Can I choose which malware engines we use?
A. We have partnerships with multiple best-of-breed providers of anti-malware technologies. The number of partners we have is subject to change, but all of our customers are automatically protected by multiple anti-malware partners at all times. There is no way to choose one engine over another.
Q. Where does malware scanning occur?
A. Malware scanning is performed on messages sent to or received from a mailbox. Malware scanning is not performed on a message accessed from a mailbox because it should have already been scanned. If a message is re-sent from a mailbox, it’s rescanned.
Q. If I make a change to an anti-malware policy, how long does it take after I save my changes for them to take effect?
A. It may take up to 1 hour for the changes to take effect.
Q. Does the service scan internal messages for malware?
A. For Exchange Online Protection standalone customers, the service only scans inbound and outbound messages that are routed by the service, and does not scan messages sent from a sender in your organization to a recipient in your organization. However, for another layer of defense, you can pair the service with the built-in anti-malware protection capabilities of Exchange Server 2013, which scans internal messages for malware.
For Exchange Online and Exchange Enterprise CAL with Services customers, the service scans inbound and outbound messages that are routed by the service, as well as internal messages sent from a sender in your organization to a recipient in your organization.
Q. Do all anti-malware engines used by the service have heuristic scanning enabled?
Yes. This enables the anti-malware engines to scan for both known (signature match) and unknown (suspicious) malware.
Q. Can the service scan compressed files (such as .zip files)?
Yes. The anti-malware engines can drill into archive (compressed) files (such as .zip files).
Q. Is the compressed attachment scanning support recursive (.zip within a .zip within a .zip) and if so, how deep does it go?
Yes, recursive scanning of compressed files can be scanned many layers deep.
Q. Does the service work with legacy Exchange versions (such as Exchange Server 2010) and non-Exchange environments?
A. Yes, the service is server agnostic.
Q. What’s a zero-day virus and how is it handled by the service?
A. A zero-day virus is a first generation, previously unknown variant of malware that’s never been captured or analyzed, so our anti-malware engines don’t yet have any definitions available for detecting it. After a zero-day virus sample is captured and analyzed by our anti-malware engines, a definition is created to detect it based on the unique signature of the malware, and it’s no longer considered “zero-day.”
Q. How can I configure the service to block specific executable files (such as *.exe) that I fear may contain malware?
A. You can create an Exchange Transport rule that blocks any email attachment that has executable content. Follow the steps in How to reduce malware threats through file attachment blocking in Exchange Online Protection in order to block the file types listed under “Supported executable file types for transport rule inspection” in Use mail flow rules to inspect message attachments.
For increased protection, we also recommend using Transport rules to block some or all of the following extensions: ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh. This can be done by using the Any attachment file extension includes these words condition.
Q. Why did this malware make it past the filters?
A. There are two possible reasons why you may have received malware.
The first, and more likely scenario, is that the attachment received does not contain any active malicious code. In these situations, some anti-malware engines that run on computers may be more aggressive and stop messages with truncated payloads.
The second is that the malware you received is a new variant and our anti-malware partners have not yet released a pattern file for the service to deploy. The time it takes for an update to be released is dependent on the anti-malware partners.
Q. How can I submit malware that made it past the filters to Microsoft? Also, how can I submit a file that I believe was incorrectly detected as malware?
Q. I received an email with an attachment that I am not familiar with. Is this malware or can I disregard this attachment?
A. We strongly advise that you do not open any attachments that you do not recognize. If you would like us to investigate the attachment, go to the Malware Protection Center and submit the possible malware to us as described previously.
Q. Where can I get the messages that have been deleted by the malware filters?
A. The messages contain active malicious code and therefore we do not allow access to these messages. They are simply deleted.
Q. I am not able to receive a specific attachment because it is being falsely filtered by the malware filters. Can I allow this attachment through via transport rules?
A. No. Transport rules cannot be used to bypass the malware filters. If you would like this attachment to bypass the malware filters, send the attachment to the intended recipient within a password protected .zip file. Any password protected file is bypassed by malware filtering.
Q. Can I obtain reporting data about malware detections?
A. Yes, you can access reports in the Office 365 admin center or by downloading an Excel reporting workbook. For more information about reporting, see the following links:
Exchange Online customers: Monitoring, reporting, and message tracing in Exchange Online
Exchange Online Protection customers: Reporting and message trace in Exchange Online Protection
Q. Is there a tool that I can use to follow a malware-detected message through the service?
Yes, the message trace tool enables you to follow email messages as they pass through the service. For more information about how to use the message trace tool to find out why a message was detected to contain malware, see Was a message detected to contain malware?
Q. Can I use a third-party anti-spam and anti-malware provider in conjunction with Exchange Online?
A. Yes, you may configure another spam and malware filtering service to protect your Exchange Online mailboxes. To do this for inbound mail, you should redirect your email messages to the third-party provider by changing your MX records to point to the third-party provider, and then redirect the messages to EOP for additional processing. To do this for outbound mail, please configure the message delivery destination to the third-party provider (smart host), as shown in Scenario: Outbound smart hosting - topic no longer available.
Q. Are spam and malware messages being investigated as to who sent them, or being transferred to law enforcement entities?
A. The service focuses on spam and malware detection and removal, though we may occasionally investigate especially dangerous or damaging spam or attack campaigns and pursue the perpetrators. This may involve working with our legal and digital crime units to take down a spammer botnet, blocking the spammer from using the service (if they’re using it for sending outbound email), and passing the information on to law enforcement for criminal prosecution.