Anti-malware protection in EOP

• Applies to:

  ✅ Exchange Online Protection, ✅ Microsoft Defender for Office 365 plan 1 and plan 2, ✅ Microsoft 365 Defender

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. Some of the major categories of malware are:

• Viruses that infect other programs and data, and spread through your computer or network looking for programs to infect.
• Spyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.
• Ransomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect the malware payload that's associated with the ransomware.

EOP offers multi-layered malware protection that's designed to catch all known malware in Windows, Linux, and Mac that travels into or out of your organization. The following options help provide anti-malware protection:

• Layered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.
• Real-time threat response: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.
• Fast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.

In EOP, messages that are found to contain malware in any attachments are quarantined. Whether the recipients can view or otherwise interact with the quarantined messages is controlled by quarantine policies. By default, messages that were quarantined due to malware can only be viewed and released by admins. For more information, see the following articles:

• Anatomy of a quarantine policy
• EOP anti-malware policy settings
• Manage quarantined messages and files as an admin in EOP.

As explained in the next section, anti-malware policies also contain a common attachments filter. Messages that contain the specified file types are automatically identified as malware. You can choose whether to quarantine or reject the messages.

For more information about anti-malware protection, see the Anti-malware protection FAQ.

To configure anti-malware policies, see Configure anti-malware policies.

To submit malware to Microsoft, see Report messages and files to Microsoft.

Anti-malware policies

Anti-malware policies control the settings and notification options for malware detections. The important settings in anti-malware policies are described in the following subsections.

Recipient filters in anti-malware policies

In custom anti-malware policies, you can specify recipient conditions and exceptions that determine who the policy applies to. You can use the following properties for conditions and exceptions:

• Users
• Groups
• Domains

You can only use a condition or exception once, but the condition or exception can contain multiple values. Multiple values of the same condition or exception use OR logic (for example, <recipient1> or <recipient2>). Different conditions or exceptions use AND logic (for example, <recipient1> and <member of group 1>).

Important

Multiple different types of conditions or exceptions are not additive; they're inclusive. The policy is applied only to those recipients that match all of the specified recipient filters. For example, you configure a recipient filter condition in the policy with the following values:

• Users: romain@contoso.com
• Groups: Executives

The policy is applied to romain@contoso.com only if he's also a member of the Executives group. If he's not a member of the group, then the policy is not applied to him.

Likewise, if you use the same recipient filter as an exception to the policy, the policy is not applied to romain@contoso.com only if he's also a member of the Executives group. If he's not a member of the group, then the policy still applies to him.

Common attachments filter in anti-malware policies

There are certain types of files that you really shouldn't send via email (for example, executable files). Why bother scanning these types of files for malware, when you should probably block them all, anyway? That's where the common attachments filter comes in. The file types that you specify are automatically treated as malware.

A list of file types is specified by default. You can select from a list of additional file types when you create or modify anti-malware policies in the Microsoft 365 Defender portal.

Using the Defender portal or the FileTypes parameter in the New-MalwareFilterPolicy or Set-MalwareFilterPolicy cmdlets in Exchange Online PowerShell, you can add any text value as an additional file type or remove existing file types when you create or modify anti-malware policies.

• Default file types: ace, ani, apk, app, appx, arj, bat, cab, cmd, com, deb, dex, dll, docm, elf, exe, hta, img, iso, jar, jnlp, kext, lha, lib, library, lnk, lzh, macho, msc, msi, msix, msp, mst, pif, ppa, ppam, reg, rev, scf, scr, sct, sys, uif, vb, vbe, vbs, vxd, wsc, wsf, wsh, xll, xz, z.

• Additional file types to select in the Defender portal: 7z, 7zip, a, accdb, accde, action, ade, adp, appxbundle, asf, asp, aspx, avi, bas, bin, bundle, bz, bz2, bzip2, caction, cer, chm, command, cpl, crt, csh, css, der, dgz, dmg, doc, docx, dos, dot, dotm, dtox [sic], dylib, font, fxp, gadget, gz, gzip, hlp, Hta, htm, html, imp, inf, ins, ipa, isp, its, js, jse, ksh, Lnk, lqy, mad, maf, mag, mam, maq, mar, mas, mat, mau, mav, maw, mda, mdb, mde, mdt, mdw, mdz, mht, mhtml, mscompress, msh, msh1, msh1xml, msh2, msh2xml, mshxml, msixbundle, o, obj, odp, ods, odt, one, onenote, ops, os2, package, pages, pbix, pcd, pdb, pdf, php, pkg, plg, plugin, pps, ppsm, ppsx, ppt, pptm, pptx, prf, prg, ps1, ps1xml, ps2, ps2xml, psc1, psc2, pst, pub, py, rar, rpm, rtf, scpt, service, sh, shb, shs, shtm, shx, so, tar, tarz, terminal, tgz, tmp, tool, url, vhd, vsd, vsdm, vsdx, vsmacros, vss, vssx, vst, vstm, vstx, vsw, w16, workflow, ws, xhtml, xla, xlam, xls, xlsb, xlsm, xlsx, xlt, xltm, xltx, xnk, zi, zip, zipx.

When files are detected by the common attachments filter, you can choose to Reject the message with a non-delivery report (NDR) or Quarantine the message.

True type matching in the common attachments filter

The common attachments filter uses best effort true type matching to detect the file type, regardless of the filename extension. True type matching uses file characteristics to determine the real file type (for example, leading and trailing bytes in the file). For example, if an exe file is renamed with a txt filename extension, the common attachments filter detects the file as an exe file.

True type matching in the common attachments filter supports the following file types:

7zip, ace, adoc, ani, arc, arj, asf, asice, avi, bmp, bz, bz2, cab, cda, chm, deb, dex, dll, dmg, doc, docm, docx, dot, dotm, dotx, dwg, eml, eps, epub, excelml, exe, fluid, gif, gzip, heic, heif, html, hyper, icon, ics, infopathml, jar, javabytecode, jnlp, jpeg, json, lib, lnk, lzh, lzma, macho, mhtml, mp3, mp4, mpeg, mpp, msaccess, mscompress, msg, msp, musx, nws, obd, obj, obt, odbcexcel, odc, odf, odg, odi, odm, odp, ods, odt, one, otc, otf, otg, oth, oti, otp, ots, ott, pal, pcx, pdf, pfb, pfile, pif, png, pointpub, pot, potm, potx, powerpointml, ppam, pps, ppsm, ppsx, ppt, pptm, pptx, ps, pub, qcp, quicktime, rar, rar4, riff, rmi, rpm, rpmsg, rtf, smime, swf, tar, tiff, tlb, tnef, ttf, txt, vcf, vcs, vdw, vdx, vsd, vsdm, vsdx, vss, vssm, vssx, vst, vstm, vstx, vsx, vtt, vtx, wav, webp, whiteboard, wmf, woff, woff2, word2, wordml, xar, xlam, xlb, xlc, xls, xlsb, xlsm, xlsx, xlt, xltm, xltx, xml, xps, xz, z, zip, zoo

If true type matching fails or isn't supported for the file type, then simple extension matching is used.

Zero-hour auto purge (ZAP) in anti-malware policies

ZAP for malware quarantines messages that are found to contain malware after they've been delivered to Exchange Online mailboxes. By default, ZAP for malware is turned on, and we recommend that you leave it on. For more information, see Zero-hour auto purge (ZAP) for malware.

Quarantine policies in anti-malware policies

Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. By default, recipients don't receive notifications for messages that were quarantined as malware. For more information, see Anatomy of a quarantine policy.

Admin notifications in anti-malware policies

You can specify an additional recipient (an admin) to receive notifications for malware detected in messages from internal or external senders. You can customize the From address, subject, and message text for internal and external notifications.

Note

Admin notifications are sent only for attachments that are classified as malware.

The quarantine policy that's assigned to the anti-malware policy determines whether recipients receive email notifications for messages that were quarantined as malware.

Priority of anti-malware policies

If you create multiple custom anti-malware policies, you can specify the order that they're applied. No two policies can have the same priority, and policy processing stops after the first policy is applied (the highest priority policy for that recipient).

For more information about the order of precedence and how multiple policies are evaluated, see Order and precedence of email protection and Order of precedence for preset security policies and other policies.

Default anti-malware policy

Every organization has a built-in anti-malware policy named Default that has the following properties:

• The policy is the default policy (the IsDefault property has the value True), and you can't delete the default policy.
• The policy is automatically applied to all recipients in the organization, and you can't turn it off.
• The policy is always applied last (the Priority value is Lowest and you can't change it. Any custom anti-malware policies that you create are always applied before the default policy (custom anti-malware policies always have a higher priority than the default policy).