Configure anti-malware policies
Applies to: Exchange Server 2013
By default, malware filtering is enabled in Microsoft Exchange Server 2013. The default anti-malware policy controls your company-wide malware filtering settings. As an administrator, you can view and edit, but not delete, the default anti-malware policy so that it is tailored to best meet the needs of your organization. For greater granularity, you can also create custom malware filter policies and apply them to specified users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (that is, the running order) of your custom policies. For more information, see Use the EAC to configure the default anti-malware policy.
What do you need to know before you begin?
We recommend that you manually download anti-malware engine and definition updates on your Exchange server prior to placing it in production. For more information, see Download engine and definition updates.
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Anti-malware" entry in the Anti-spam and anti-malware permissions topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Server.
Use the EAC to configure the default anti-malware policy
In the Exchange admin center (EAC), navigate to Protection > Malware filter.
Do one of the following:
Double-click the default policy in order to edit this company-wide policy.
Click the New icon in order to create a new policy that can be applied to users, groups, and domains in your organization. You can also edit existing custom policies by double-clicking them.
For custom policies only, specify a name for this policy. You can optionally specify a more detailed description as well. You cannot rename the default policy.
When creating a new policy, all configuration settings appear on a single screen, whereas when editing a policy you must navigate through different screens. The settings are the same in either case, but the rest of this procedure describes how to access these settings when editing a policy.
Click the Settings menu option. In the Malware Detection Response section, use the option buttons to select the action to take when malware is detected in a message:
Delete the entire message: Prevents the entire message, including attachments, from being delivered to the intended recipients. This is the default value.
Delete all attachments and use default alert text: Deletes all message attachments, not just the infected one, and inserts the following default alert text into a text file that replaces the attachments: "Malware was detected in one or more attachments included with this email. All attachments have been deleted."
Delete all attachments and use custom alert text: Deletes all message attachments, not just the infected one, and inserts a custom message into a text file that replaces the attachments. Selecting this option enables the Custom alert text field where you must type a custom message.
If malware is detected in the message body, the entire message, including all attachments, will be deleted regardless of which option you select. This action is applied to both inbound and outbound messages.
In the Notifications section, you have the option to send a notification email message to senders or administrators when a message is detected as malware and is not delivered. These notifications are only sent when the entire message is deleted.
In the Sender Notifications section, select the check boxes to Notify internal senders (those within your organization) or to Notify external senders (those outside your organization) when a detected message is not delivered.
Similarly, in the Administrator Notifications section, select the check boxes to Notify administrator about undelivered messages from internal senders or to Notify administrator about undelivered messages from external senders. Specify the email address or addresses of the administrator in their respective Administrator email address fields after selecting one or both of these check boxes.
The default notification text is "This message was created automatically by mail delivery software. Your email message was not delivered to the intended recipients because malware was detected." The language in which the default notification text is sent is dependent on the locale of the message being processed.
In the Customize Notifications section, you can create customized notification text to be used in place of the default notification text for sender and administrator notifications. Select the Use customized notification text check box, and then specify values in the following required fields:
From name: The name you want to be used as the sender of the customized notification.
From address: The email address you want to be used as the sender of the customized notification.
Messages from internal senders: The Subject and Message of the notification if the detected message originated from an internal sender.
Messages from external senders: The Subject and Message of the notification if the detected message originated from an external sender.
The default Subject text is "Undeliverable message."
For custom policies only, click the Apply to menu item and then create a condition-based rule to specify the users, groups, and/or domains for whom to apply this policy. You can create multiple conditions provided that they are unique.
To select users, select The recipient is. In the subsequent dialog box, select one or more senders from your company from the user picker list and then click add. To add senders who aren't on the list, type their email addresses and click Check names. In this box, you can also use wildcards for multiple email addresses (for example: *@domainname). When you are done with your selections, click ok to return to the main screen.
To select groups, select The recipient is a member of and then, in the subsequent dialog box, select or specify the groups. Click ok to return to the main screen.
To select domains, select The recipient domain is and then, in the subsequent dialog box, add the domains. Click ok to return to the main screen.
You can create exceptions within the rule, for example you can filter messages from all domains except for a certain domain. Click add exception and then create your exception conditions similar to the way you created the other conditions.
Click Save. A summary of your default policy settings appears in the right pane.
You can select or clear the check boxes in the ENABLED column to enable or disable your custom policies. All policies are enabled by default, and the default policy cannot be disabled.
To delete a custom policy, select the policy, click the Delete icon, and then confirm that you want to delete the policy. The default policy cannot be deleted.
Custom policies always take precedence over the default policy. Custom policies run in the reverse order that you created them (from oldest to newest), but you can change the priority (running order) of your custom policies by clicking the up arrow and down arrow. The policy with a PRIORITY of 0 will run first, followed by 1, then 2, and so on.
How do you know this worked?
The following procedure provides instructions for using the EICAR.TXT antivirus test file to verify that malware filtering is working correctly.
The EICAR.TXT file is not a virus. However, because users often have the need to test that installations function correctly, the antivirus industry, through the European Institute for Computer Antivirus Research, has adopted the EICAR standard in order to meet this need.
Create a new text file, and then name the file EICAR.TXT.
Copy the following line into the text file:
Make sure that this is the only string in the file. When done, you will have a 68-byte file.
If you are using a desktop antivirus program, make sure that the folder you are saving the file to is excluded from scanning.
Attach this file to an email message that will be filtered by Exchange 2013.
Check the recipient mailbox of the test message. Depending on the malware detection response you have configured, the entire message will be deleted, or the attachment will be deleted and replaced with the alert text file. Any configured notifications will also be distributed.
Delete the EICAR.TXT file after testing is completed so that other users are not unnecessarily alarmed.