New-MalwareFilterPolicy

This cmdlet is available in on-premises Exchange and in the cloud-based service. Some parameters and settings may be exclusive to one environment or the other.

Use the New-MalwareFilterPolicy cmdlet to create malware filter policies in your organization.

For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.

Syntax

New-MalwareFilterPolicy
   [-Name] <String>
   [-Action <MalwareFilteringAction>]
   [-AdminDisplayName <String>]
   [-BypassInboundMessages <Boolean>]
   [-BypassOutboundMessages <Boolean>]
   [-Confirm]
   [-CustomAlertText <String>]
   [-CustomExternalBody <String>]
   [-CustomExternalSubject <String>]
   [-CustomFromAddress <SmtpAddress>]
   [-CustomFromName <String>]
   [-CustomInternalBody <String>]
   [-CustomInternalSubject <String>]
   [-CustomNotifications <Boolean>]
   [-DomainController <Fqdn>]
   [-EnableExternalSenderAdminNotifications <Boolean>]
   [-EnableExternalSenderNotifications <Boolean>]
   [-EnableFileFilter <Boolean>]
   [-EnableInternalSenderAdminNotifications <Boolean>]
   [-EnableInternalSenderNotifications <Boolean>]
   [-ExternalSenderAdminAddress <SmtpAddress>]
   [-FileTypeAction <FileTypeFilteringAction>]
   [-FileTypes <String[]>]
   [-InternalSenderAdminAddress <SmtpAddress>]
   [-QuarantineTag <String>]
   [-RecommendedPolicyType <RecommendedPolicyType>]
   [-WhatIf]
   [-ZapEnabled <Boolean>]
   [<CommonParameters>]

Description

New policies that you create using this cmdlet aren't applied to users and aren't visible in admin centers. You need to use the MalwareFilterPolicy parameter on the New-MalwareFilterRule or Set-MalwareFilterRule cmdlets to associate the policy with a rule.

You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.

Examples

Example 1

New-MalwareFilterPolicy -Name "Contoso Malware Filter Policy" -EnableInternalSenderAdminNotifications $true -InternalSenderAdminAddress admin@contoso.com

This example creates a new malware filter policy named Contoso Malware Filter Policy with the following settings:

  • Block messages that contain malware.
  • Don't notify the message sender when malware is detected in the message.
  • Notify the administrator admin@contoso.com when malware is detected in a message from an internal sender.

Parameters

-Action

This parameter is available only in on-premises Exchange.

The Action parameter specifies the action to take when malware is detected in a message. Valid values are:

  • DeleteMessage: Handles the message without notifying the recipients. This is the default value. In Exchange Server, the message is deleted. In the cloud-based service, the message is quarantined.
  • DeleteAttachmentAndUseDefaultAlert: Delivers the message, but replaces all attachments with a file named Malware Alert Text.txt that contains the default alert text. In the cloud-based service, the message with the original attachments is also quarantined.
  • DeleteAttachmentAndUseCustomAlert: Delivers the message, but replaces all attachments with a file named Malware Alert Text.txt that contains the custom alert text specified by the CustomAlertText parameter. In the cloud-based service, the message with the original attachments is also quarantined.
Type:MalwareFilteringAction
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2013, Exchange Server 2016, Exchange Server 2019

-AdminDisplayName

The AdminDisplayName parameter specifies a description for the policy. If the value contains spaces, enclose the value in quotation marks (").

Type:String
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection

-BypassInboundMessages

This parameter is available only in on-premises Exchange.

The BypassInboundMessages parameter enables or disables malware filtering on incoming messages (messages entering the organization). Valid values are:

  • $true: Malware filtering is disabled on inbound messages.
  • $false: Malware filtering is enabled on inbound messages. This is the default value.
Type:Boolean
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2013, Exchange Server 2016, Exchange Server 2019

-BypassOutboundMessages

This parameter is available only in on-premises Exchange.

The BypassOutboundMessages parameter enables or disables malware filtering on outgoing messages (messages leaving the organization). Valid values are:

  • $true: Malware filtering is disabled on outbound messages.
  • $false: Malware filtering is enabled on outbound messages. This is the default value.
Type:Boolean
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2013, Exchange Server 2016, Exchange Server 2019

-Confirm

The Confirm switch specifies whether to show or hide the confirmation prompt. How this switch affects the cmdlet depends on if the cmdlet requires confirmation before proceeding.

  • Destructive cmdlets (for example, Remove-* cmdlets) have a built-in pause that forces you to acknowledge the command before proceeding. For these cmdlets, you can skip the confirmation prompt by using this exact syntax: -Confirm:$false.
  • Most other cmdlets (for example, New-* and Set-* cmdlets) don't have a built-in pause. For these cmdlets, specifying the Confirm switch without a value introduces a pause that forces you acknowledge the command before proceeding.
Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection

-CustomAlertText

This parameter is available only in on-premises Exchange.

The CustomAlertText parameter specifies the custom text to use in the replacement attachment named Malware Alert Text.txt. If the value contains spaces, enclose the value in quotation marks (").

This parameter is only meaningful when the Action parameter value is DeleteAttachmentAndUseCustomAlert.

Type:String
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2013, Exchange Server 2016, Exchange Server 2019

-CustomExternalBody

The CustomExternalBody parameter specifies the body of the custom notification message for malware detections in messages from external senders. If the value contains spaces, enclose the value in quotation marks (").

This parameter is only meaningful when the CustomNotifications parameter value is $true, and at least one of the following parameter values is also $true:

  • EnableExternalSenderAdminNotifications
  • EnableExternalSenderNotifications
Type:String
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection

-CustomExternalSubject

The CustomExternalSubject parameter specifies the subject of the custom notification message for malware detections in messages from external senders. If the value contains spaces, enclose the value in quotation marks (").

This parameter is only meaningful when the CustomNotifications parameter value is $true, and at least one of the following parameter values is also $true:

  • EnableExternalSenderAdminNotifications
  • EnableExternalSenderNotifications
Type:String
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection

-CustomFromAddress

The CustomFromAddress parameter specifies the From address of the custom notification message for malware detections in messages from internal or external senders.

This parameter is only meaningful when the CustomNotifications parameter value is $true, and at least one of the following parameter values is also $true:

  • EnableExternalSenderAdminNotifications
  • EnableExternalSenderNotifications
  • EnableInternalSenderAdminNotifications
  • EnableInternalSenderNotifications
Type:SmtpAddress
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection

-CustomFromName

The CustomFromName parameter specifies the From name of the custom notification message for malware detections in messages from internal or external senders. If the value contains spaces, enclose the value in quotation marks (").

This parameter is only meaningful when the CustomNotifications parameter value is $true, and at least one of the following parameter values is also $true:

  • EnableExternalSenderAdminNotifications
  • EnableExternalSenderNotifications
  • EnableInternalSenderAdminNotifications
  • EnableInternalSenderNotifications
Type:String
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection

-CustomInternalBody

The CustomInternalBody parameter specifies the body of the custom notification message for malware detections in messages from internal senders. If the value contains spaces, enclose the value in quotation marks (").

This parameter is only meaningful when the CustomNotifications parameter value is $true, and at least one of the following parameter values is also $true:

  • EnableInternalSenderAdminNotifications
  • EnableInternalSenderNotifications
Type:String
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection

-CustomInternalSubject

The CustomInternalSubject parameter specifies the subject of the custom notification message for malware detections in messages from internal senders. If the value contains spaces, enclose the value in quotation marks (").

This parameter is only meaningful when the CustomNotifications parameter value is $true, and at least one of the following parameter values is also $true:

  • EnableInternalSenderAdminNotifications
  • EnableInternalSenderNotifications
Type:String
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection

-CustomNotifications

The CustomNotifications parameter enables or disables custom notification messages for malware detections in messages from internal or external senders. Valid values are:

  • $true: When malware is detected in a message, a custom notification message is sent to the message sender. You specify the details of message using the CustomFromAddress, CustomFromName, CustomExternalSubject, CustomExternalBody, CustomInternalSubject and CustomInternalBody parameters.
  • $false: Custom notifications to the original message sender are disabled. This is the default value. Default notification messages are sent if the EnableExternalSenderNotifications and EnableInternalSenderNotifications parameters are set to $true.
Type:Boolean
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection

-DomainController

This parameter is available only in on-premises Exchange.

The DomainController parameter specifies the domain controller that's used by this cmdlet to read data from or write data to Active Directory. You identify the domain controller by its fully qualified domain name (FQDN). For example, dc01.contoso.com.

Type:Fqdn
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2013, Exchange Server 2016, Exchange Server 2019

-EnableExternalSenderAdminNotifications

The EnableExternalSenderAdminNotifications parameter enables or disables sending malware detection notification messages to an administrator for messages from external senders. Valid values are:

  • $true: When malware attachments are detected in messages from external senders, send notification messages to the email address that's specified by the ExternalSenderAdminAddress parameter. You can customize the notification message using the CustomFromAddress, CustomFromName, CustomExternalBody, and CustomExternalSubject parameters.
  • $false: When malware attachments are detected in messages from external senders, don't send administrator notifications. This is the default value.

Note: Admin notifications are sent only for attachments that are classified as malware.

Type:Boolean
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection

-EnableExternalSenderNotifications

This parameter is available only in on-premises Exchange.

The EnableExternalSenderNotifications parameter enables or disables notification messages for malware detections in messages from external senders. Valid values are:

  • $true: When malware is detected in a message from an external sender, send them a notification message. You can customize the notification message using the CustomFromAddress, CustomFromName, CustomExternalBody, and CustomExternalSubject parameters.
  • $false: Don't send malware detection notification messages to external message senders. This is the default value.
Type:Boolean
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2013, Exchange Server 2016, Exchange Server 2019

-EnableFileFilter

This parameter is available only in the cloud-based service.

The EnableFileFilter parameter enables or disables the common attachments filter (also known as common attachment blocking). Valid values are:

  • $true: The common attachments filter is enabled. The file types are defined by the FileTypes parameter.
  • $false: The common attachments filter is disabled. This is the default value.
Type:Boolean
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

-EnableInternalSenderAdminNotifications

This parameter is available only in on-premises Exchange.

The EnableInternalSenderAdminNotifications parameter enables or disables sending malware detection notification messages to an administrator for messages from internal senders. Valid values are:

  • $true: When malware attachments are detected in messages from internal senders, send notification messages to the email address that's specified by the InternalSenderAdminAddress parameter. You can customize the notification message using the CustomFromAddress, CustomFromName, CustomInternalBody, and CustomInternalSubject parameters.
  • $false: When malware attachments are detected in messages from internal senders, don't send administrator notifications. This is the default value.

Note: Admin notifications are sent only for attachments that are classified as malware.

Type:Boolean
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection

-EnableInternalSenderNotifications

This parameter is available only in on-premises Exchange.

The EnableInternalSenderNotifications parameter enables or disables notification messages for malware detections in messages from internal senders. Valid values are:

  • $true: When malware is detected in a message from an internal sender, send them a notification message. You can customize the notification message using the CustomFromAddress, CustomFromName, CustomInternalBody, and CustomInternalSubject parameters.
  • $false: Don't send malware detection notification messages to internal message senders. This is the default value.
Type:Boolean
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2013, Exchange Server 2016, Exchange Server 2019

-ExternalSenderAdminAddress

The ExternalSenderAdminAddress parameter specifies the email address of the administrator who will receive notifications messages when messages from external senders contain malware. Notification messages are sent to the specified email address only if the EnableExternalSenderAdminNotifications parameter is set to $true.

Type:SmtpAddress
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection

-FileTypeAction

This parameter is available only in the cloud-based service.

The FileTypeAction parameter specifies what's done to messages that contain one or more attachments where the file extension is included in the FileTypes parameter (the common attachments filter). Valid values are:

  • Quarantine: Quarantine the message. Whether or not the recipient is notified depends on the quarantine notification settings in the quarantine policy that's selected for the policy by the QuarantineTag parameter.
  • Reject: The message is rejected in a non-delivery report (also known as an NDR or bounce message) to the sender. The message is not available in quarantine. This is the default value.

This parameter is meaningful only when the EnableFileFilter parameter is set to the value $true.

Type:FileTypeFilteringAction
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

-FileTypes

This parameter is available only in the cloud-based service.

The FileTypes parameter specifies the file types that are automatically blocked by the common attachments filter, regardless of content. The default values are:

ace, ani, apk, app, appx, arj, bat, cab, cmd, com, deb, dex, dll, docm, elf, exe, hta, img, iso, jar, jnlp, kext, lha, lib, library, lnk, lzh, macho, msc, msi, msix, msp, mst, pif, ppa, ppam, reg, rev, scf, scr, sct, sys, uif, vb, vbe, vbs, vxd, wsc, wsf, wsh, xll, xz, z

You enable or disable the common attachments filter by using the EnableFileFilter parameter.

The common attachments filter uses best effort true-typing to detect the file type regardless of the file name extension. If true-typing fails or isn't supported for the specified file type, then extension matching is used. For example, .ps1 files are Windows PowerShell scripts, but their true type is text.

To replace the existing list of file types with the values you specify, use the syntax FileType1,FileType2,...FileTypeN. To preserve existing values, be sure to include the file types that you want to keep along with the new values that you want to add.

To add or remove file types without affecting the other file type entries, see the Examples section in the Set-MalwareFilterPolicy cmdlet topic.

Type:String[]
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

-InternalSenderAdminAddress

The InternalSenderAdminAddress parameter specifies the email address of the administrator who will receive notification messages for malware detections in messages from internal senders.

This parameter is only meaningful if the EnableInternalSenderAdminNotifications parameter value is $true.

Type:SmtpAddress
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection

-Name

The Name parameter specifies a name for the malware filter policy. If the value contains spaces, enclose the value in quotation marks (").

Type:String
Position:1
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection

-QuarantineTag

This parameter is available only in the cloud-based service.

The QuarantineTag specifies the quarantine policy that's used on messages that are quarantined as malware. You can use any value that uniquely identifies the quarantine policy. For example:

  • Name
  • Distinguished name (DN)
  • GUID

Quarantine policies define what users are able to do to quarantined messages based on why the message was quarantined and quarantine notification settings. For more information about quarantine policies, see Quarantine policies.

If you don't use this parameter, the built-in quarantine policy named AdminOnlyAccessPolicy is used. This quarantine policy enforces the historical capabilities for messages that were quarantined as malware as described in the table here.

To view the list of available quarantine policies, run the following command: Get-QuarantinePolicy | Format-List Name,EndUser*,ESNEnabled.

Type:String
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

-RecommendedPolicyType

This parameter is available only in the cloud-based service.

The RecommendedPolicyType parameter is used for Standard and Strict policy creation as part of Preset security policies. Don't use this parameter yourself.

Type:RecommendedPolicyType
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

-WhatIf

The WhatIf switch simulates the actions of the command. You can use this switch to view the changes that would occur without actually applying those changes. You don't need to specify a value with this switch.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection

-ZapEnabled

This parameter is available only in the cloud-based service.

The ZapEnabled parameter specifies whether to enable zero-hour auto purge (ZAP) for malware in cloud mailboxes. ZAP detects malware in unread messages that have already been delivered to the user's Inbox. Valid values are:

  • $true: ZAP for malware is enabled. Unread messages in the user's Inbox that contain malware are moved to the Junk Email folder. This is the default value.
  • $false: ZAP for malware is disabled.
Type:Boolean
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

Inputs

Input types

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn't accept input data.

Outputs

Output types

To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn't return data.