Manage anti-malware protection


Anti-malware policies can be configured in either the Exchange admin center (EAC) or through PowerShell commands in the Exchange Management Shell (EMS). As messages travel through the Transport service on a Mailbox server, the Malware agent scans the messages and applies these policies to them. This process is referred to as malware filtering, which is implemented by configuring the following components:

  • Anti-malware policies. These policies specify inbound and outbound scanning and notification options for malware filtering. There's a default policy that applies to all recipients in the Exchange organization. You can also create custom policies that are applied in a specific order.
  • Anti-malware server settings. These settings specify the error and retry actions, and the engine and definition update settings for malware filtering. The Malware agent uses Internet access on TCP port 80 (HTTP) to check for engine and definition updates every hour.
  • Anti-malware scripts. These scripts enable or disable malware filtering on the server, and they manually download engine and definition updates.

These anti-malware components are described in greater detail below.

Anti-malware policies

Anti-malware policies control the actions and notification options for malware detections. The important settings in anti-malware policies are described below.

Action

Specifies what action to take when a message is found that contains malware. The options are:

  • Delete the message (this option is the default value).
  • Replace all attachments with a text file that contains the default text.
  • Replace all attachments with a text file that contains the custom text you specify.

Notifications

When an anti-malware policy is configured to delete messages, you can choose whether to send a notification message to the sender.

You can send notification messages based on whether the sender is internal or external. The default notification message has the following properties:

  • From: Postmaster postmaster@[default domain].com
  • Subject: Undeliverable message
  • Message text: This message was created automatically by mail delivery software. Your email message wasn't delivered to the intended recipients because malware was detected.

You can customize the message properties for internal and external notifications. Other recipients (administrators) can also be added to receive notifications for undeliverable messages from internal or external senders.

Recipient filters

For custom anti-malware policies, you can specify recipient conditions and exceptions that determine who the policy applies to.

You can use the following properties for conditions and exceptions:

  • By recipient
  • By accepted domain
  • By group membership

Note: You can only use a condition or exception once, but the condition or exception can contain multiple values. Multiple values of the same condition or exception use OR logic (for example, [recipient1] or [recipient2]). Different conditions or exceptions use AND logic (for example, [recipient1] and [member of group]).

Priority

If you create multiple custom anti-malware policies, you can specify the order in which they should be applied.

The basic elements of an anti-malware policy include:

  • The malware filter policy. Specifies the action and notification options for malware filtering.
  • The malware filter rule. Specifies the priority and recipient filters (who the policy applies to) for a malware filter policy.

Every Mailbox server has a built-in anti-malware policy named Default that has the following properties:

  • The malware filter policy named Default is applied to all recipients in the Exchange organization, even though there's no malware filter rule (recipient filters) associated with the policy.
  • The policy named Default has the custom priority value of Lowest, which you can't modify (the policy is always applied last). Any custom anti-malware policies that you create always have a higher priority than the policy named Default.
  • The policy named Default is the default policy (the IsDefault property has the value True), and you can't delete the default policy.

Organizations should also keep the following points in mind when configuring anti-malware policies, because the EAC and the Exchange Management Shell expose the policy and rule objects differently:

When using the EAC:

  • When you create an anti-malware policy in the EAC, you're actually creating a malware filter rule and the associated malware filter policy at the same time, using the same name for both.
  • When you modify an anti-malware policy in the EAC, settings related to the name, priority, enabled or disabled state, and recipient filters modify the malware filter rule. Other settings (actions and notification options) modify the associated malware filter policy.
  • When you remove an anti-malware policy from the EAC, the malware filter rule and the associated malware filter policy are both removed.

When using the Exchange Management Shell:

  • You create the malware filter policy first. Then you create the malware filter rule that identifies the policy that the rule applies to.
  • You modify the settings in the malware filter policy and the malware filter rule separately.
  • When you remove a malware filter policy from the Exchange Management Shell, the corresponding malware filter rule isn't automatically removed.
  • When you remove a malware filter rule from the Exchange Management Shell, the corresponding malware filter policy isn't automatically removed.
  • You manage malware filter policies by using the *-MalwareFilterPolicy cmdlets, and you manage malware filter rules by using the *-MalwareFilterRule cmdlets.
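The following Exchange Management Shell session is an added example, not part of the original page, that walks through the policy-then-rule sequence described above and the policy elements and Default policy behaviour described earlier. It creates the malware filter policy first, then the malware filter rule that binds recipients and priority to it, and verifies the result against the built-in Default policy. The policy name, domain, group, and addresses are constructed placeholders; the cmdlets and parameters are the standard *-MalwareFilterPolicy and *-MalwareFilterRule ones.

```powershell
# Added example (not from the Microsoft Learn page): create a custom anti-malware
# policy and its rule as two separate objects, as the Exchange Management Shell
# requires. Policy name, domain, group and addresses are constructed placeholders.

$policyName = "Finance Malware Policy"

# 1. The malware filter policy: action and notification options only.
#    DeleteMessage is the default action; notifications go to internal senders
#    and to an admin mailbox, but not to external senders (which would leak
#    filtering behaviour and bounce to spoofed addresses).
New-MalwareFilterPolicy -Name $policyName `
    -Action DeleteMessage `
    -EnableInternalSenderNotifications $true `
    -EnableExternalSenderNotifications $false `
    -EnableInternalSenderAdminNotifications $true `
    -InternalSenderAdminAddress "secops@contoso.example" `
    -CustomNotifications $true `
    -CustomFromName "Contoso Postmaster" `
    -CustomFromAddress "postmaster@contoso.example" `
    -CustomInternalSubject "Message not delivered: malware detected" `
    -CustomInternalBody "Your message was not delivered because malware was detected. Contact the service desk if you believe this is an error."

# 2. The malware filter rule: recipient filters and priority for that policy.
#    Values inside one condition are OR'd; separate conditions are AND'd, so this
#    rule matches recipients who are members of the group AND in the domain,
#    except the one listed mailbox. Priority 0 is evaluated first; any custom
#    rule is always evaluated before the built-in Default policy.
New-MalwareFilterRule -Name $policyName `
    -MalwareFilterPolicy $policyName `
    -SentToMemberOf "Finance Department" `
    -RecipientDomainIs "contoso.example" `
    -ExceptIfSentTo "malware-lab@contoso.example" `
    -Priority 0 `
    -Enabled $true

# 3. Verify. The Default policy shows IsDefault = True and has no rule attached;
#    it still applies to every recipient not matched by a higher-priority rule.
Get-MalwareFilterRule | Sort-Object Priority |
    Format-Table Name, Priority, State, MalwareFilterPolicy
Get-MalwareFilterPolicy | Format-Table Name, IsDefault, Action, EnableInternalSenderNotifications

# 4. Cleanup, when needed, must address both objects: removing one does not
#    remove the other (uncomment to run).
# Remove-MalwareFilterRule   -Identity $policyName -Confirm:$false
# Remove-MalwareFilterPolicy -Identity $policyName -Confirm:$false
```

Creating the rule with the same name as its policy mirrors what the EAC does behind the scenes, which keeps the two objects easy to correlate in Get-MalwareFilterRule output and in audit logs.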

Anti-malware server settings

You can use the Get-MalwareFilteringServer and Set-MalwareFilteringServer cmdlets in the Exchange Management Shell to view and configure the update, timeout, and download settings for the Malware agent on the Mailbox server.
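As an added example, not taken from the page, the session below shows how a defender would review and tighten those server-level settings with Get-MalwareFilteringServer and Set-MalwareFilteringServer. The server name and the internal update mirror URL are constructed placeholders; the parameter names are the cmdlet's real ones, and UpdateFrequency is expressed in minutes (60 matches the hourly check the page describes).

```powershell
# Added example (not from the Microsoft Learn page): audit and harden the Malware
# agent's server settings on one Mailbox server. Server name and mirror URL are
# constructed placeholders.

$server = "EXCH01"

# Review the update, timeout and error-handling settings as currently configured.
Get-MalwareFilteringServer -Identity $server |
    Format-List UpdateFrequency, UpdateTimeout, ScanTimeout, ScanErrorAction,
                DeferAttempts, DeferWaitTime, PrimaryUpdatePath, SecondaryUpdatePath,
                BypassFiltering, ForceRescan, MinimumSuccessfulEngineScans

# Fail closed. If a message cannot be scanned (engine error or timeout), defer it a
# few times and then block it rather than delivering it unscanned. Keep the hourly
# engine/definition check and pull updates from an internal mirror first; the
# SecondaryUpdatePath is left at its existing value as the fallback.
Set-MalwareFilteringServer -Identity $server `
    -ScanErrorAction Block `
    -DeferAttempts 3 `
    -DeferWaitTime 5 `
    -ScanTimeout 300 `
    -UpdateFrequency 60 `
    -PrimaryUpdatePath "http://updates.contoso.example/forefrontdl/microsoftupdate"

# Post-change check: BypassFiltering is sometimes flipped on during troubleshooting
# and forgotten, which silently turns scanning off for every message on the server.
$cfg = Get-MalwareFilteringServer -Identity $server
if ($cfg.BypassFiltering) {
    Write-Warning "$server has BypassFiltering enabled; messages are NOT being scanned."
}
if ($cfg.ScanErrorAction -ne "Block") {
    Write-Warning "$server allows unscannable messages through (ScanErrorAction = $($cfg.ScanErrorAction))."
}
```

The two checks at the end are worth running from a scheduled job across all Mailbox servers, since both settings are easy to change and neither produces an obvious symptom when left in the permissive state.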

Anti-malware scripts

Exchange includes three Exchange Management Shell scripts that you can use to manage malware filtering:

  • Disable-AntimalwareScanning.ps1. Disables the Malware agent, malware engine, and definition updates on the Mailbox server.
  • Enable-AntimalwareScanning.ps1. Enables the Malware agent, malware engine, and definition updates, and runs engine and definition updates on the Mailbox server.
  • Update-MalwareFilteringServer.ps1. Manually runs malware engine and definition updates on the Mailbox server.
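The following is an added example, not part of the original page, showing how these three scripts fit into a maintenance routine on the Mailbox server: forcing an update and confirming it took, and disabling scanning for a maintenance window in a way that is verified and re-enabled afterwards. It assumes the scripts live under $env:ExchangeInstallPath\Scripts (where the installer places them) and uses Get-EngineUpdateInformation and Get-TransportAgent, two cmdlets the page does not mention, to check the outcome.

```powershell
# Added example (not from the Microsoft Learn page): run the anti-malware scripts
# from the Exchange Management Shell on the Mailbox server and verify the result.
# Assumes $env:ExchangeInstallPath is set (it is on an Exchange server).

$scripts = Join-Path $env:ExchangeInstallPath "Scripts"
$fqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Force an engine and definition update now instead of waiting for the hourly
# check, then confirm the engine reports a recent, successful update.
& (Join-Path $scripts "Update-MalwareFilteringServer.ps1") -Identity $fqdn
$engine = Get-EngineUpdateInformation
$engine | Format-List Engine, LastChecked, LastUpdated, EngineVersion, SignatureVersion, UpdateStatus
if ($engine.LastUpdated -lt (Get-Date).AddDays(-1)) {
    Write-Warning "Definitions on $fqdn are older than 24 hours (LastUpdated = $($engine.LastUpdated))."
}

# Maintenance window: disable scanning, restart transport so the change takes
# effect, do the work, then re-enable. Mail flowing in between is unscanned, so
# keep the window short and log it.
& (Join-Path $scripts "Disable-AntimalwareScanning.ps1")
Restart-Service MSExchangeTransport
Write-Host "$(Get-Date -Format o): malware scanning disabled on $fqdn for maintenance"

# ... maintenance work goes here ...

& (Join-Path $scripts "Enable-AntimalwareScanning.ps1")
Restart-Service MSExchangeTransport
Write-Host "$(Get-Date -Format o): malware scanning re-enabled on $fqdn"

# Final check: the Malware agent must be back in the transport pipeline.
$agent = Get-TransportAgent "Malware Agent"
if (-not $agent.Enabled) {
    Write-Warning "Malware Agent is still disabled on $fqdn; re-run Enable-AntimalwareScanning.ps1."
}
```

Both Disable-AntimalwareScanning.ps1 and Enable-AntimalwareScanning.ps1 change agent configuration that the Transport service only reads at startup, which is why each is followed by a service restart; the Get-TransportAgent check at the end catches the common case where the enable step was skipped or failed.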