Anti-malware protection FAQ


Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

This article provides frequently asked questions and answers about anti-malware protection for Microsoft 365 organizations with mailboxes in Exchange Online, or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes.

For questions and answers about the quarantine, see Quarantine FAQ.

For questions and answers about anti-spam protection, see Anti-spam protection FAQ.

For questions and answers about anti-spoofing protection, see Anti-spoofing protection FAQ.

What are best practice recommendations for configuring and using the service to combat malware?

How often are the malware definitions updated?

Each server checks for new malware definitions from our anti-malware partners every hour.

How many anti-malware partners do you have? Can I choose which malware engines we use?

We have partnerships with multiple anti-malware technology providers. Messages are scanned with the Microsoft anti-malware engines, an additional signature based engine, and URL and file reputation scans from multiple sources. Our partners are subject to change, but EOP always uses anti-malware protection from multiple partners. You can't choose one anti-malware engine over another.

Where does malware scanning occur?

We scan for malware in messages that are sent to or sent from a mailbox (messages in transit). For Exchange Online mailboxes, we also have zero-hour auto purge (ZAP) for malware to scan messages that have already been delivered. If you resend a message from a mailbox, then it's scanned again (because it's in transit).

If I make a change to an anti-malware policy, how long does it take after I save my changes for them to take effect?

It might take up to 1 hour for the changes to take effect.

Does the service scan internal messages for malware?

For organizations with Exchange Online mailboxes, the service scans for malware in all inbound and outbound messages, including messages sent between internal recipients.

A standalone EOP subscription scans messages as they enter or leave the on-premises email organization. Messages sent between internal on-premises recipients aren't scanned for malware. However, you can use the built-in anti-malware scanning features of Exchange Server. For more information, see Anti-malware protection in Exchange Server.

Do all anti-malware engines used by the service have heuristic scanning enabled?

Yes. Heuristic scanning scans for both known (signature match) and unknown (suspicious) malware.

Can the service scan compressed files (such as .zip files)?

Yes. The anti-malware engines can drill into compressed (archive) files.

Is the compressed attachment scanning support recursive (.zip within a .zip within a .zip) and if so, how deep does it go?

Yes, recursive scanning of compressed files scans many layers deep.

Does the service work with legacy Exchange versions and non-Exchange environments?

Yes, the service is server agnostic.

What's a zero-day virus and how is it handled by the service?

A zero-day virus is a first generation, previously unknown variant of malware that's never been captured or analyzed.

After a zero-day virus sample is captured and analyzed by our anti-malware engines, a definition and unique signature is created to detect the malware.

When a definition or signature exists for the malware, it's no longer considered zero-day.

How can I configure the service to block specific executable files (such as \*.exe) that I fear may contain malware?

You can enable and configure the common attachments filter (also known as common attachment blocking) as described in Common attachments filter in anti-malware policies.

You can also create an Exchange mail flow rule (also known as transport rule) that blocks any email attachment that has executable content.

Follow the steps in How to reduce malware threats through file attachment blocking in Exchange Online Protection to block the file types listed in Supported file types for mail flow rule content inspection in Exchange Online.

For increased protection, we also recommend using the Any attachment file extension includes these words condition in mail flow rules to block some or all of the following extensions: ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh.

Why did a specific malware get past the filters?

The malware that you received is a new variant (see What's a zero-day virus and how is it handled by the service?). The time it takes for a malware definition update is dependent on our anti-malware partners.

Remember, no user or admin-configurable setting can exempt email attachments from being scanned by anti-malware protection.

How can I submit malware that made it past the filters to Microsoft? Also, how can I submit a file that I believe was incorrectly detected as malware?

I received an email message with an unfamiliar attachment. Is this malware or can I disregard this attachment?

We strongly advise that you don't open any attachments you don't recognize. If you would like us to investigate the attachment, report the file to Microsoft.

Where can I get messages that were deleted by the malware filters?

The messages contain active malicious code and therefore we don't allow access to these messages. They're unceremoniously deleted.

I'm not able to receive a specific attachment because it's being falsely identified as malware. Can I allow this attachment through via mail flow rules?

No. You can't use Exchange mail flow rules to skip malware filtering. The only way to skip malware filtering for a recipient is to identify the mailbox as a SecOps mailbox. For more information, see Use the Microsoft Defender portal to configure SecOps mailboxes in the advanced delivery policy.

Can I get reporting data about malware detections?

Yes, you can access reports in the Microsoft Defender portal. For more information, see View email security reports in the Microsoft Defender portal.

Is there a tool that I can use to follow a malware-detected message through the service?

Yes, the message trace tool enables you to follow email messages as they pass through the service. For more information about how to use the message trace tool to find out why a message was detected to contain malware, see Message trace in the modern Exchange admin center.

Can I use a third-party anti-spam and anti-malware provider with Exchange Online?

Yes. In most cases, we recommend that you point your MX records to (that is, deliver email directly to) EOP. If you need to route your email somewhere else first, you need to enable Enhanced Filtering for Connectors so EOP can use the true message source in filtering decisions.

Are spam and malware messages being investigated as to who sent them, or being transferred to law enforcement entities?

The service focuses on spam and malware detection and removal, though we may occasionally investigate especially dangerous or damaging spam or attack campaigns and pursue the perpetrators.

We often work with our legal and digital crime units to take the following actions:

  • Take down a spam botnet.
  • Block an attacker from using the service.
  • Pass the information on to law enforcement for criminal prosecution.

For more information