The anti-malware scanning is performed after the connection filtering. A lot of malware comes from compromised home computers and other low reputation IP ranges, and that will be blocked already by the connection filter. So that’s saved a lot of processing resources, so the malware filtering doesn’t need to be performed on absolutely every mail that comes in with an attachment. EOP uses multiple antivirus engines to check email attachments for known viruses and malware. The antivirus engines are continually updated throughout the day, and the malware scanning also handles file type restrictions so you can restrict email attachments that are commonly used as carriers for malware like executable files and scripts, as well as any other file type you just don’t want to run the risk of accepting.

If malware is detected, the message is quarantined, but only so that an admin can review them and make a decision about whether to release them. Obviously, you don’t want to release actual malware, but if you’re doing attachment-type filtering, let’s say a software vendor sends you an executable file to install to fix a bug in some software, well then you can review that quarantine attachment, and then decide to release it if you need to. Most of the control you have over malware filtering, other than which attachment types to block, is in the notifications. You can send no notifications at all, or you can notify the recipient of the email that the email was quarantined. You can choose whether to notify internal or external senders that their email was quarantined and you can also customize those notifications with friendly messages to help your users understand what’s going on. So let’s take a look at the malware filter configuration.

We can configure malware filtering in either portal that’s available here in the Exchange admin center, and there’s also an Anti-malware configuration interface in the Security and Compliance Center.

Exchange Admin Center

2019-05-07 11_53_33-malware filter - Microsoft Exchange

Security and Compliance

2019-05-07 11_54_10-Policy - Security & Compliance

Let’s stay in the Security and Compliance Center this time. When we click on the Anti-Malware, we can see that there’s one default malware filtering policy already in place, and we can create additional anti-malware policies as well. To create a new policy click on +.

2019-05-07 11_57_32-Anti-malware - Security & Compliance.png

Let’s go through the settings. First we need to give it a name.

Malware Detection Response:

  • NO –> Do you want to notify recipients if their messages are quarantined? Now this is quarantining malware, not spam, which is different. Should we notify the users that an email that was sent to them was quarantined by the malware filter. If you choose this option no notification will be sent.
  • YES AND USE THE DEFAULT NOTIFICATION TEXT –> A notification using the default notification text is sent to the recipient (we all know that system generated notifications are not usually very good)
  • YES AND USE THE CUSTOM NOTIFICATION TEXT –> By enabling the custom response text we can specify more details about what the end user needs to do when they receive this alert message. Wherever possible, it’s helpful to use custom notifications that do a better job of explaining to your users what just happened.

2019-05-07 12_25_49-Anti-malware policy.png

Scroll down to move to the next set of settings

Common Attachment Types Filter:

When you turn this on for the first time, there is a preconfigured set of file types that will be in this list. You can see that this list makes pretty good sense. It includes executable files, registry files, macro-enabled documents, stuff that’s pretty high-risk these days. You can add to the list if you need to, you can remove an extension from that list if you need to, although I don’t recommend it. If you find that your list is completely blank, it could be that someone has been in here before and removed everything from the list. EOP won’t automatically add anything back to this list for you in that case. You’ll need to rebuild the list from scratch by adding additional file types and choosing the ones that you want to block. Now when we turn this on, it triggers the Malware Detection Response, which is the first setting that we were looking at. It is a good idea to notify your users so they know what to do.

Notifications:

Do we want to notify the sender of the undelivered message? So if a message is blocked or quarantined by the malware filter, do we want to let the sender know that that has happened? I’d say yes for internal senders. That’s a good idea, letting them know that their outbound email was quarantined by the malware filter. For external senders, well, there’s the risk that the sender address has been spoofed, so we’d be sending a notification back to the address that may not be the real sender of the email. So let’s leave external senders off and just notify internal senders.

2019-05-07 12_30_55-Anti-malware - Security & Compliance.png

Administrator Notifications

We can also notify administrators when the malware filter blocks or quarantines an email. Let’s say that yes, we do want to notify our IT folks that that has happened, or at least a specific group of them, because that could be a sign of a compromised user or computer in the organization. But let’s not notify admins every time an external sender is blocked. If you really want to turn this on, by all means do, but in my experience it just generates way too many notifications.

Customize Notifications

One more notification to configure. If we’re notifying internal senders that their email was blocked by the malware filter, we want that to be a nice, friendly email that they understand.

2019-05-07 12_37_44-Anti-malware policy.png

Applied To:

You can scope policies so that they apply to specific recipients or recipients in a particular domain of our organization or members of a group. So those recipients that the policy is scoped to could have different malware settings applied. An example would be if you have some power users who should be allowed to receive executable files via email, but only those users. The rest of your organization should not be allowed to receive executable files, so that would be a case for configuring two separate malware filter policies and scoping them to those two different groups of users.

Once done, click on Save

2019-05-07 12_39_32-Configuring and Managing Office 365 Security _ Pluralsight.png

That’s it. In the next post we will take a look at Mail Flow Rules which is our third EOP feature.

Cheers,

Nedim