Procedures for antimalware protection in Exchange Server

Exchange Server includes the Malware Agent that's installed on Mailbox servers. For more information about malware filtering in Exchange, see Antimalware protection in Exchange Server.

This topic describes the following procedures for managing malware filtering in Exchange:

  • Disable or enable malware filtering on a Mailbox server
  • Bypass malware filtering on a Mailbox server
  • Create antimalware policies
  • View antimalware policies
  • Modify antimalware policies
  • Enable and disable antimalware policies
  • Set the priority of antimalware policies
  • Remove antimalware policies
  • Configure malware filtering to scan messages that were already scanned by Exchange Online Protection (EOP).
  • Configure a malware filtering bypass for a recipient or group of recipients.

What do you need to know before you begin?

  • We recommend that you manually download antimalware engine and definition updates on your Exchange server prior to placing it into production. For more information, see Download antimalware engine and definition updates.

  • An antimalware policy consists of a malware filter policy and a malware filter rule. Each element controls different settings that don't overlap. The difference between these elements isn't visible in the EAC, but it's obvious in the Exchange Management Shell because you use different cmdlets to manage the settings (*-MalwareFilterPolicy and *-MalwareFilterRule). This topic refers to antimalware policies for procedures in the EAC, and malware filter policies and malware filter rules for procedures in the Exchange Management Shell. For more information, see Antimalware protection in Exchange Server.

  • You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Antimalware" entry in the Antispam and antimalware permissions topic.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.

Use the Exchange Management Shell to enable or disable malware filtering on Mailbox servers

Disabling malware filtering on a Mailbox server disables the Malware agent and definition and engine updates.

  1. To disable malware filtering on the local Mailbox server, run this command in the Exchange Management Shell:

    & $env:ExchangeInstallPath\Scripts\Disable-AntimalwareScanning.ps1
    

    To enable malware filtering on the local Mailbox server, run this command in the Exchange Management Shell:

    & $env:ExchangeInstallPath\Scripts\Enable-AntimalwareScanning.ps1
    

    If the command was successful, you see this message:

    Anti-malware scanning is successfully <enabled or disabled>. Please restart MSExchangeTransport for the changes to take effect.

    Note: The enable script also applies malware engine and definition updates as needed.

  2. Restart the Exchange Transport service by running this command, which will temporarily interrupt mail flow on the server:

    Restart-Service MSExchangeTransport
    

    The change might take up to 10 minutes to take effect.

How do you know this worked?

To verify that you've successfully enabled or disabled malware filtering on a Mailbox server, run this command in the Exchange Management Shell, and verify the value of the Enabled property:

Get-TransportAgent "Malware Agent"

Use the Exchange Management Shell to bypass malware filtering on Mailbox servers

Bypassing malware filtering allows you to temporarily disable malware filtering on the server without disrupting mail flow (you don't need to restart the Exchange Transport service).

Note: You should only bypass malware filtering on a Mailbox server when you're troubleshooting a problem. When you're done, you should turn malware filtering back on.

To bypass or reenable malware filtering on a Mailbox server, use this syntax:

Set-MalwareFilteringServer -Identity <ServerIdentity> -BypassFiltering <$true | $false>

This example bypasses malware filtering on the server named Mailbox01.

Set-MalwareFilteringServer -Identity Mailbox01 -BypassFiltering $true

This example reenables malware filtering on the same server.

Set-MalwareFilteringServer -Identity Mailbox01 -BypassFiltering $false

The change might take up to 10 minutes to take effect.

For detailed syntax and parameter information, see Set-MalwareFilteringServer.

How do you know this worked?

To verify that you've temporarily bypassed or reenabled malware filtering on a Mailbox server, run this command in the Exchange Management Shell, and verify the value of the BypassFiltering property:

Get-MalwareFilteringServer | Format-List Name,BypassFiltering

Create antimalware policies

Use the EAC to create antimalware policies

Creating an antimalware policy in the EAC creates the malware filter rule and the associated malware filter policy at the same time using the same name for both.

  1. In the EAC, go to Protection > Malware filter, and then click New .

  2. In the New anti-malware policy page that opens, configure these settings:

    • Name: Enter a unique, descriptive name for the policy.

    • Description: Enter an optional description for the policy.

    • Malware detection response: Select one of these options:

      • Delete the entire message: Prevents the entire message from being delivered to the intended recipients. This is the default value.

      • Delete all attachments and use default alert text: Replaces all message attachments (not just the detected ones) with a text file that contains this default text:

        Malware was detected in one or more attachments included with this email. All attachments have been deleted.

      • Delete all attachments and use custom alert text: Replaces all message attachments (not just the detected ones) with a text file that contains custom text you specify in the Custom alert text field.

      Note

      If malware is detected in the message body of an inbound or outbound message, the entire message is deleted, regardless of the setting you configure for Malware detection response.

    • Notification: The settings in this section control notifications when malware filtering deletes the message. The settings don't apply to messages where all attachments are replaced by the default or custom alert text.

      • Sender Notifications: Select one or both of these options:

        • Notify internal senders: An internal sender is inside the Exchange organization.

        • Notify external senders: An external sender is outside the Exchange organization.

      • Administrator Notifications: Select one or both of these options:

        • Notify administrator about undelivered messages from internal senders: If you select this option, enter a notification email address in the Administrator email address field.

        • Notify administrator about undelivered messages from external senders: If you select this option, enter a notification email address in the Administrator email address field.

      • Customize Notifications: These settings replace the default notification text that's used for senders or administrators. For more information about the default values, see Antimalware policies.

        • Use customized notification text: If you select this option, you need to use the From name and From address fields to specify the sender's name and email that's used in the customized notification message.

        • Messages from internal senders: If you elected to notify senders or administrators about undeliverable messages from internal senders, you need to use the Subject and Message fields to specify the subject and message body of the custom notification message.

        • Messages from external senders: If you elected to notify senders or administrators about undeliverable messages from external senders, you need to use the Subject and Message fields to specify the subject and message body of the custom notification message.

    • Applied to: The settings in this section identify the internal recipients that the policy applies to.

      • If: Click on the Select one drop down, and select conditions for the rule:

        • The recipient is: Specifies one or more mailboxes, mail users, or mail contacts in the Exchange organization. In the Select members dialog box that appears, select one or more recipients from the list, and then click add ->. In the Check names field, you can use wildcards for multiple email addresses (for example: *@fabrikam.com). When you're finished, click OK.

        • The recipient domain is: Specifies recipients in one or more of the configured accepted domains in the Exchange organization. In the dialog box that appears, select one or more domains, and then click add ->. When you're finished, click OK.

        • The recipient is a member of: Specifies one or more groups in the Exchange organization. In the Select members dialog box that appears, select one or more groups from the list, and then click add ->. When you're finished, click OK.

      You can only use one a condition once, but you can specify multiple values for the condition. To add more conditions, click Add condition and select from the remaining options.

      • Except if: To add exceptions for the rule, click Add exception, click on the Select one drop down, and configure an exception for the rule. The settings and behavior is exactly like the conditions.
  3. When you're finished, click Save.

Use the Exchange Management Shell to create antimalware policies

Creating an antimalware policy in the Exchange Management Shell is a two-step process:

  1. Create the malware filter policy.

  2. Create the malware filter rule that specifies the malware filter policy that the rule applies to.

Notes:

  • You can create a new malware filter rule and assign an existing, unassociated malware filter policy to it. A malware filter rule can't be associated with more than one malware filter policy.

  • There are two settings that you can configure on new antimalware policies in the Exchange Management Shell that aren't available in the EAC until after you create the policy:

    • Create the new policy as disabled (Enabled $false on the New-MalwareFilterPolicy cmdlet).

    • Set the priority of the policy during creation (Priority <Number>) on the New-MalwareFilterRule cmdlet).

  • Malware filter policies that you create in the Exchange Management Shell don't appear in the EAC until you assign the malware filter policy to a malware filter rule.

  • A setting that's available in the Exchange Management Shell that isn't available in the EAC is the ability to turn malware filtering on or off for inbound messages or outbound messages by using the BypassInboundMessages or BypassOutboundMessages parameters on the New-MalwareFilterPolicy cmdlet.

Step 1: Use the Exchange Management Shell to create a malware filter policy

To create a malware filter policy, use this syntax:

New-MalwareFilterPolicy -Name "<PolicyName>" [-Action <DeleteMessage | DeleteAttachmentAndUseDefaultAlert | DeleteAttachmentAndUseCustomAlert>] [-AdminDisplayName "<OptionalComments>"] [-BypassInboundMessages <$true | $false>] [-BypassOutboundMessages <$true | $false>] [-CustomNotifications <$true | $false>] [<Inbound notification options>] [<Outbound notification options>]

This example creates a new malware filter policy named Contoso Malware Filter Policy with these settings:

  • Block messages that contain malware (we aren't using the Action parameter, and the default value is DeleteMessage).

  • Don't notify the message sender when malware is detected in the message (we aren't using the EnableExternalSenderNotifications or EnableInternalSenderNotifications parameters, and the default value for both is $false).

  • Notify the administrator admin@contoso.com when malware is detected in a message from an internal sender.

New-MalwareFilterPolicy -Name "Contoso Malware Filter Policy" -EnableInternalSenderAdminNotifications $true -InternalSenderAdminAddress admin@contoso.com

For detailed syntax and parameter information, see New-MalwareFilterPolicy.

Step 2: Use the Exchange Management Shell to create a malware filter rule

To create a malware filter rule, use this syntax:

New-MalwareFilterRule -Name "<RuleName>" -MalwareFilterPolicy "<PolicyName>" <Recipient filters> [<Recipient filter exceptions>] [-Comments "<OptionalComments>"]

This example creates a new malware filter rule named Contoso Recipients with these settings:

  • The malware filter policy named Contoso Malware Filter Policy is associated with the rule.

  • The rule applies to recipients in the contoso.com domain.

New-MalwareFilterRule -Name "Contoso Recipients" -MalwareFilterPolicy "Contoso Malware Filter Policy" -RecipientDomainIs contoso.com

For detailed syntax and parameter information, see New-MalwareFilterRule.

How do you know this worked?

To verify that you've successfully created an antimalware policy, do any of these steps:

  • In the EAC, go to Protection > Malware filter. Verify that the rule you created is in the list. Click Edit Edit icon. to verify the settings of the rule.

  • In the Exchange Management Shell, replace <PolicyName> with the name of the malware filter policy, and run this command to verify the property values:

Get-MalwareFilterPolicy -Identity "<PolicyName>" | Format-List
  • In the Exchange Management Shell, replace <RuleName> with the name of the malware filter rule, and run this command to verify the property values:

    Get-MalwareFilterRule -Identity "<RuleName>" | Format-List
    
  • Use an European Institute for Computer Antivirus Research (EICAR) test file to verify that the malware filter is working correctly:

  1. Open Notepad, and insert this text (and only this text) into an empty file:

    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
    

    Save the file as EICAR.txt in a location that's easy for you to find, and that's excluded from scanning by your computer's antivirus program. The file will be 68 bytes in size.

  2. Create an email messages, attach the EICAR.txt file to the message, and send the message to a recipient in your Exchange organization who should be affected by the malware policy.

  3. Check the recipient's mailbox to verify that malware filtering acted on the message: the message was deleted, or the message was delivered with the replacement alert text file for the attachment, and the notification messages were delivered to the sender and/or administrators.

  4. When you're finished, delete the EICAR.TXT file so other users aren't unnecessarily alarmed.

View antimalware policies

Use the EAC to view antimalware policies

  1. In the EAC, go to Protection > Malware filter.

  2. When you select a policy, information about the policy is displayed in the details pane. To see more information about the policy, click Edit Edit icon..

    • The Enabled property value, the Priority property value, and the settings on the Applied to tab are in the malware filter rule.

    • The settings on the General and Settings tabs are in the malware filter policy.

Use the Exchange Management Shell to view malware filter policies

To return a summary list of all malware filter policies, run this command:

Get-MalwareFilterPolicy

To return detailed information about a specific malware filter policy, use the this syntax:

Get-MalwareFilterPolicy -Identity "<PolicyName>" | Format-List [<Specific properties to view>]

This example returns all the property values for the malware filter policy named Executives.

Get-MalwareFilterPolicy -Identity "Executives" | Format-List

This example returns only the specified properties for the same policy.

Get-MalwareFilterPolicy -Identity "Executives" | Format-List Action,AdminDisplayName,CustomNotifications,Enable*Notifications

For detailed syntax and parameter information, see Get-MalwareFilterPolicy.

Use the Exchange Management Shell to view malware filter rules

To return a summary list of all malware filter rules, run this command:

Get-MalwareFilterRule

To return detailed information about a specific malware filter rule, use this syntax:

Get-MalwareFilterRule -Identity "<RuleName>" | Format-List [<Specific properties to view>]

This example returns all the property values for the malware filter rule named Executives.

Get-MalwareFilterRule -Identity "Executives" | Format-List

This example returns only the specified properties for the same rule.

Get-MalwareFilterRule -Identity "Executives" | Format-List Name,Priority,State,MalwareFilterPolicy,*Is,*SentTo,*MemberOf

For detailed syntax and parameter information, see Get-MalwareFilterRule.

Modify antimalware policies

No additional settings are available when you modify a malware policy in the EAC or the Exchange Management Shell. They're the same settings that were available when you created the policy.

Use the EAC to modify an antimalware policy

  1. In the EAC, go to Protection > Malware filter.

  2. Select the policy, and then click Edit Edit icon.. For information about the settings, see the Use the EAC to create antimalware policies section in this topic.

    Notes:

    • Instead of everything on one page, the settings are divided among the General, Settings, and Applied to tabs. The Applied to tab isn't available on the default policy named Default.

    • You can't rename the default policy.

Use the Exchange Management Shell to modify a malware filter policy

To modify a malware filter policy, use this syntax:

Set-MalwareFilterPolicy -Identity "<PolicyName>" <Settings>

For detailed syntax and parameter information, see Set-MalwareFilterPolicy.

Use the Exchange Management Shell to modify a malware filter rule

When you modify a malware filter rule in the Exchange Management Shell, you can't disable or enable the rule (there's no Enabled parameter on the Set-MalwareFilterRule cmdlet). Instead, you use the Disable-MalwareFilterRule and Enable-MalwareFilterRule cmdlets as described later in this topic.

To modify a malware filter rule, use this syntax:

Set-MalwareFilterRule -Identity "<RuleName>" <Settings>

For detailed syntax and parameter information, see Set-MalwareFilterRule.

Enable or disable antimalware policies

By default, antimalware policies are enabled when you create them in the EAC or the Exchange Management Shell, but you can use the Exchange Management Shell to create a disabled malware filter rule (use the New-MalwareFilterRule cmdlet and the Enabled parameter with the value $false).

Use the EAC to enable or disable an antimalware policy

  1. In the EAC, go to Protection > Malware filter.

  2. Select the policy from the list, and then configure one of the following settings:

    • Disable the policy: Clear the check box in the Enabled column.

    • Enable the policy: Select the check box in the Enabled column.

Use the Exchange Management Shell to enable or disable malware filter rules

To enable or disable a malware filter rule in the Exchange Management Shell, use this syntax:

<Enable-MalwareFilterRule | Disable-MalwareFilterRule> -Identity "<RuleName>"

This example disables the malware filter rule named Marketing Department.

Disable-MalwareFilterRule -Identity "Marketing Department"

This example enables same rule.

Enable-MalwareFilterRule -Identity "Marketing"

For detailed syntax and parameter information, see Enable-MalwareFilterRule and Disable-MalwareFilterRule.

How do you know this worked?

To verify that you've successfully enabled or disabled an antimalware policy, use either of these procedures:

  • In the EAC, go to Protection > Malware filter, and in the list of antimalware policies, verify the status of the check box in the Enabled column.

  • In the Exchange Management Shell, run this command to see the list of rules and their State property values:

    Get-MalwareFilterRule
    

Set the priority of custom antimalware policies

By default, antimalware policies are given a priority that's based on the order they were created in (newer polices are lower priority than older policies). A lower priority number indicates a higher priority for the policy, and policies are processed in priority order (higher priority policies are processed before lower priority policies). No two policies can have the same priority.

Notes:

  • In the EAC, you can only change the priority of the antimalware policy after you create it. In the Exchange Management Shell, you can override the default priority when you create the malware filter rule (which can affect the priority of existing rules).

  • The default antimalware policy named Default has the priority value Lowest, and you can't change it.

Use the EAC to set the priority of custom antimalware policies

In the EAC, antimalware policies are processed in the order that they're displayed (the first policy has the Priority value 0). To change the priority of a policy, move the policy up or down in the list (you can't directly modify the Priority number in the EAC).

  1. In the EAC, go to Protection > Malware filter.

  2. Select a policy, and then click Move up (Up Arrow Icon.) or Move down (Down Arrow Icon) to move the rule up or down in the list.

Use the Exchange Management Shell to set the priority of custom malware filter rules

The highest priority value you can set on a rule is 0. The lowest value you can set depends on the number of rules. For example, if you have five rules, you can use the priority values 0 through 4. Changing the priority of an existing rule can have a cascading effect on other rules. For example, if you have five rules (priorities 0 through 4), and you change the priority of a rule to 2, the existing rule with priority 2 is changed to priority 3, and the rule with priority 3 is changed to priority 4.

To set the priority of a malware filter rule in the Exchange Management Shell, use the following syntax:

Set-MalwareFilterRule -Identity "<RuleName>" -Priority <Number>

This example sets the priority of the rule named Marketing Department to 2. All existing rules that have a priority less than or equal to 2 are decreased by 1 (their priority numbers are increased by 1).

Set-MalwareFilterRule -Identity "Marketing Department" -Priority 2

Note: To set the priority of a new rule when you create it, use the Priority parameter on the New-MalwareFilterRule cmdlet.

How do you know this worked?

To verify that you've successfully modified the priority of an antimalware policy, use either of these procedures:

  • In the EAC, go to Protection > Malware filter, and verify the Priority value of the antimalware policies in the list.

  • In the Exchange Management Shell, run this command to see the list of rules and their Priority property values:

    Get-MalwareFilterRule
    

Remove antimalware policies

Note: You can't remove the default antimalware policy.

Use the EAC to remove antimalware policies

When you use the EAC to remove an antimalware policy, the malware filter rule and the corresponding malware filter policy are both removed.

  1. From the EAC, go to Protection > Malware filter.

  2. Select the antimalware policy you want to remove from the list, and then click Delete (Delete icon.).

Use the Exchange Management Shell to remove malware filter policies

When you use the Exchange Management Shell to remove a malware filter policy, the corresponding malware filter rule isn't removed.

To remove a malware filter policy in the Exchange Management Shell, use this syntax:

Remove-MalwareFilterPolicy -Identity "<PolicyName>"

This example removes the malware filter policy named Marketing Department.

Remove-MalwareFilterPolicy -Identity "Marketing Department"

For detailed syntax and parameter information, see Remove-MalwareFilterPolicy.

Use the Exchange Management Shell to remove malware filter rules

When you use the Exchange Management Shell to remove a malware filter rule, the associated malware filter policy isn't removed.

To remove a malware filter rule in the Exchange Management Shell, use this syntax:

Remove-MalwareFilterRule -Identity "<RuleName>"

This example removes the malware filter rule named Marketing Department:

Remove-MalwareFilterRule -Identity "Marketing Department"

For detailed syntax and parameter information, see Remove-MalwareFilterRule.

How do you know this worked?

To verify that you've successfully removed an antimalware policy, use either of these procedures:

  • In the EAC, go to Protection > Malware filter, and verify that the policy you removed is no longer in the list.

  • In the Exchange Management Shell, run this command to verify that the malware filter policy you removed is no longer listed:

    Get-MalwareFilterPolicy
    
  • In the Exchange Management Shell, run this command to verify that the malware filter rule you removed is no longer listed:

    Get-MalwareFilterRule
    

Use the Exchange Management Shell to configure malware filtering to rescan messages that were already scanned by EOP

By default, messages in transit that have been scanned by Exchange Online Protection (EOP) aren't scanned again by the Malware agent in Exchange. But, rescanning these messages can provide another layer of defense against malware.

To enable or disable scanning for malware in messages that have been already been scanned by EOP, use this syntax in the Exchange Management Shell:

Set-MalwareFilteringServer -Identity <ServerIdentity> -ForceRescan <$true | $false>

This example enables scanning for malware in messages that have already been scanned by EOP on the Mailbox server named Mailbox01.

Set-MalwareFilteringServer -Identity Mailbox01 -ForceRescan $true

This example disables scanning for malware in messages that have already been scanned by EOP on the same server.

Set-MalwareFilteringServer -Identity Mailbox01 -ForceRescan $false

How do you know this worked?

To verify that you've configured malware filtering to rescan messages that were already scanned by EOP, run this command in the Exchange Management Shell, and verify the value of the ForceRescan property:

Get-MalwareFilteringServer | Format-List Name, ForceRescan

Configure a malware filtering bypass for a recipient or group of recipients

To allow for a particular recipient or group of recipients to receive emails with attachments that would otherwise be detected and thus deleted by the default anti-malware policy, a new anti-malware policy has to be created, either using EAC or PowerShell. This policy should be set to scan emails for all recipients and an exclusion condition must be set within that policy for the recipient or group that is intended to receive such content.

Using EAC to create the new anti-malware policy:

Screenshot of the new anti-malware policy dialogue box.

The Except if dropdown box highlighted with The recipient is selected.

This will create a malware policy that will scan all email traffic except messages sent to the exempt user or group.

Using Exchange Management Shell to create an anti-malware policy:

Use the Exchange Management Shell to modify a malware filtering rule.

After creating the anti-malware policy and setting the appropriate exclusion, a new anti-malware policy has to be created in order for the unscanned messages to bypass the default anti-malware policy that always has the lowest priority. This change can be achieved by using Exchange Management Shell to set the value of the parameter -BypassInboundMessages of this anti-malware filtering rule to True. For detailed syntax and parameter information, see Set-MalwareFilterPolicy.

Set-MalwareFilterPolicy -Identity "<PolicyName>" -BypassInboundMessages $true

This method does not require a service restart and can allow for Exchange administrators and security teams to temporarily or permanently bypass anti-malware detection for a particular recipient or group, thus having otherwise undeliverable messages delivered to that particular subgroup without compromising the security of the entire Exchange organization and ultimately retaining security within their systems and for their clients.

How do you know this worked?

Get-MalwareFilterPolicy "<PolicyName>" | fl BypassInboundMessages