Anti-malware FAQ
Applies to: Exchange Server 2013
This topic provides frequently asked questions about malware filtering (scanning) in Microsoft Exchange Server 2013.
Q. Where does malware scanning occur?
A. Malware scanning is performed on messages sent to or received from a mailbox server. Malware scanning isn't performed on a message accessed from a mailbox because it should have already been scanned. If a message is re-sent from a mailbox, it's rescanned.
Q. Do I need Internet access in order to download engine and definition updates?
A. To download updates, you must be able to access the Internet and be able to establish a connection on TCP port 80 (HTTP). We strongly recommend that you manually download anti-malware engine and definition updates on your Exchange server prior to placing it in production. For more information, see Download engine and definition updates.
Q. How often are the malware definitions updated?
A. Each server checks for new malware definitions every hour.
Q. What are some advantages of pairing the built-in malware scanning feature with Exchange Online Protection (EOP)?
A. There are several advantages:
The service uses multiple anti-malware engines whereas the built-in anti-malware protection uses a single engine.
The service has reporting capabilities including malware statistics.
The service provides the message trace feature for self-troubleshooting mail flow problems including malware detections.
Q. Why did this malware make it past the filter?
A. There are two possible reasons why you may have received malware.
The first, and more likely scenario, is that the attachment received doesn't contain any active malicious code. In these situations, some anti-malware engines that run on computers may be more aggressive and stop messages with truncated payloads.
The second is that the malware you received is a new variant and our anti-malware engine has not yet released a pattern file for the service to deploy.
Q. How can I submit malware that made it past the filter to Microsoft?
A. If you have received malware such as a virus that made it past the filter, please save a copy of the email message with its attached virus, go to Microsoft Security Intelligence and submit a sample using the detailed instructions on that page. When submitting the file, in the Product drop-down list select Other, select the I believe this file contains malware option, and in the Comments field specify Exchange Server 2013. After we receive the sample, we'll investigate and if it's determined that the sample contains malware, we'll take corrective action to prevent the virus from going undetected.
Q. How can I submit a file that I believe was incorrectly detected as malware?
A. Similar to submitting malware, go to Microsoft Security Intelligence and submit a sample using the detailed instructions on that page. When submitting the file, in the Product drop-down list select Other, select the I believe this file should not be detected as malware option, and in the Comments field specify Exchange Server 2013. After we receive the sample, we'll investigate and if it's determined that the sample is clean, we'll take corrective action to prevent the file from being detected as malware.
Q. I received an email with an attachment that I am not familiar with. Is this malware or can I disregard this attachment?
A. We strongly advise that you don't open any attachments that you don't recognize. If you would like us to investigate the attachment, go to Microsoft Security Intelligence and submit the possible malware to us as described previously.
Q. Where can I get the messages that have been deleted by the malware filter?
A. The messages contain active malicious code and therefore we don't allow access to these messages. They're simply deleted.
Q. I am not able to receive a specific attachment because it's being falsely filtered by your malware filter. Can I allow this attachment through via Exchange transport rules?
A. No. Transport rules can't be used to bypass the malware filter. If you would like this attachment to bypass the malware filter, send the attachment to the intended recipient within a password-protected .zip file. Malware filtering bypasses any password-protected file.
Q. Can I turn off the product's built-in anti-malware protection?
A. The built-in anti-malware scanning can be permanently disabled or temporarily bypassed by following the steps in Disable or bypass anti-malware scanning.
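The following PowerShell audit is an added example, not part of the original topic. It checks the conditions this FAQ describes: whether scanning is disabled or bypassed, whether the definition check interval is still hourly, and whether the update host is reachable on TCP port 80. It assumes the Get-MalwareFilteringServer and Get-TransportAgent cmdlets, the default agent name Malware Agent, and a direct (non-proxy) connection; the 60-minute threshold is a constructed value based on the hourly check mentioned above.

```powershell
# Added example. Run in the Exchange Management Shell on a Mailbox server.
$expectedMinutes = 60   # constructed threshold: the hourly check described in this FAQ

# 1. Permanent disable: the malware transport agent is switched off.
#    Assumption: the agent has its default name, 'Malware Agent'.
$agent = Get-TransportAgent -Identity 'Malware Agent' -ErrorAction SilentlyContinue
if (-not $agent) {
    Write-Warning 'Malware Agent not found on this server.'
} elseif (-not $agent.Enabled) {
    Write-Warning 'Malware Agent is disabled: messages are not being scanned.'
}

# 2. Per-server settings: temporary bypass, update interval, update reachability.
$report = foreach ($server in Get-MalwareFilteringServer) {
    $issues = @()
    if ($server.BypassFiltering) {
        $issues += 'BypassFiltering is True (scanning is bypassed)'
    }
    if ($server.UpdateFrequency -gt $expectedMinutes) {
        $issues += "UpdateFrequency is $($server.UpdateFrequency) minutes"
    }

    # Direct TCP 80 test from the machine running this script to the primary
    # update host. Assumption: no proxy; behind a proxy this reports a failure
    # even when updates work.
    $updateHost = $null
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $updateHost = ([uri]$server.PrimaryUpdatePath).Host
        $client.Connect($updateHost, 80)
    } catch {
        $issues += "Cannot reach update host '$updateHost' on TCP 80"
    } finally {
        $client.Close()
    }

    # One summary row per server.
    $summary = 'none'
    if ($issues) { $summary = $issues -join '; ' }
    New-Object PSObject -Property @{ Server = $server.Name; Issues = $summary }
}
$report | Format-Table Server, Issues -AutoSize -Wrap
```

A server that reports BypassFiltering as True or a disabled agent is delivering mail without malware scanning, so either finding is worth tracking as a change-controlled exception.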