Anti-malware protection

Microsoft Exchange Online Protection helps combat malware in your email messaging environment. (Exchange Online Protection helps protect your on-premises mailboxes and is also the malware filtering solution for cloud-hosted mailboxes in Exchange Online.) Malware consists of viruses and spyware. Viruses infect other programs and data, and they spread throughout your computer looking for programs to infect. Spyware refers to malware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.

The service offers multi-layered malware protection that's designed to catch all known malware traveling inbound to or outbound from your organization. The following options help provide anti-malware protection:

  • Layered Defenses Against Malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.

  • Real-time Threat Response: During some outbreaks, the anti-malware team may have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat even before a definition is available from any of the engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.

  • Fast Anti-Malware Definition Deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they are publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.

For more information about anti-malware protection, see the Anti-malware protection FAQ.

To configure anti-malware policies, see Configure anti-malware policies.

To submit malware to Microsoft, see Submitting malware and non-malware to Microsoft for analysis.

Anti-malware policies

Anti-malware policies control the actions and notification options for malware detections. The important settings in anti-malware policies are:

  • Action: Specifies what to do when a message is found to contain malware. The options are:

    • Delete the message (this is the default value).

    • Replace all attachments with a text file that contains this default text:

      Malware was detected in one or more attachments included with this email. All attachments have been deleted.

    • Replace all attachments with a text file that contains the custom text you specify.

  • Notifications: When an anti-malware policy is configured to delete messages, you can choose whether to send a notification message to the sender. You can send notification messages based on whether the sender is internal or external. The default notification message has these properties:

    • From: Postmaster postmaster@<defaultdomain>.com

    • Subject: Undeliverable message

    • Message text: This message was created automatically by mail delivery software. Your email message was not delivered to the intended recipients because malware was detected.

    You can customize the message properties for internal and external notifications. You can also specify additional recipients (administrators) to receive notifications for undeliverable messages from internal or external senders.

  • Recipient filters: For custom anti-malware policies, you can specify recipient conditions and exceptions that determine who the policy applies to. You can use these properties for conditions and exceptions:

    • By recipient

    • By accepted domain

    • By group membership

    You can only use a condition or exception once, but the condition or exception can contain multiple values. Multiple values of the same condition or exception use OR logic (for example, <recipient1> or <recipient2>). Different conditions or exceptions use AND logic (for example, <recipient1> and <member of group 1>).

  • Priority: If you create multiple custom anti-malware policies, you can specify the order that they're applied.

Anti-malware policies in the Exchange admin center vs Exchange Online PowerShell or Exchange Online Protection PowerShell

The basic elements of an anti-malware policy are:

  • The malware filter policy: Specifies the action and notification options for malware filtering.

  • The malware filter rule: Specifies the priority and recipient filters (who the policy applies to) for a malware filter policy.

The difference between these two elements isn't obvious when you manage anti-malware policies in the Exchange admin center (EAC):

  • When you create an anti-malware policy in the EAC, you're actually creating a malware filter rule and the associated malware filter policy at the same time using the same name for both.

  • When you modify an anti-malware policy in the EAC, settings related to the name, priority, enabled or disabled, and recipient filters modify the malware filter rule. Other settings (actions and notification options) modify the associated malware filter policy.

  • When you remove an anti-malware policy from the EAC, the malware filter rule and the associated malware filter policy are removed.

In Exchange Online PowerShell or Exchange Online Protection PowerShell, the difference between malware filter policies and malware filter rules is apparent. You manage malware filter policies by using the *-MalwareFilterPolicy cmdlets, and you manage malware filter rules by using the *-MalwareFilterRule cmdlets.

  • In PowerShell, you create the malware filter policy first, then you create the malware filter rule that identifies the policy that the rule applies to.

  • In PowerShell, you modify the settings in the malware filter policy and the malware filter rule separately.

  • When you remove a malware filter policy from PowerShell, the corresponding malware filter rule isn't automatically removed, and vice versa.
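The following is an added example (not part of the original page) that walks through the PowerShell sequence just described and also illustrates the recipient-filter logic from the Recipient filters section: the policy is created first, then the rule that references it. The policy name, addresses, domain and groups are placeholders.

```powershell
# Added example, not from the original page. Run in Exchange Online PowerShell
# after connecting. All names, addresses and groups below are placeholders.

# 1. The malware filter policy holds the action and notification settings.
#    DeleteAttachmentAndUseCustomAlert = "replace all attachments with a text
#    file that contains the custom text you specify".
New-MalwareFilterPolicy -Name "Finance Malware Policy" `
    -Action DeleteAttachmentAndUseCustomAlert `
    -CustomAlertText "An attachment was removed because malware was detected." `
    -CustomNotifications $true `
    -CustomFromName "Mail Security" `
    -CustomFromAddress "mailsecurity@contoso.example" `
    -EnableInternalSenderNotifications $true `
    -EnableExternalSenderNotifications $false `
    -EnableInternalSenderAdminNotifications $true `
    -InternalSenderAdminAddress "secops@contoso.example"

# 2. The malware filter rule binds recipient filters and priority to that policy.
#    The two SentToMemberOf values are combined with OR; SentToMemberOf and
#    RecipientDomainIs are different conditions, so both must match (AND);
#    the exception excludes one mailbox from the rule's scope.
New-MalwareFilterRule -Name "Finance Malware Policy" `
    -MalwareFilterPolicy "Finance Malware Policy" `
    -RecipientDomainIs "contoso.example" `
    -SentToMemberOf "finance@contoso.example","treasury@contoso.example" `
    -ExceptIfSentTo "sandbox-intake@contoso.example" `
    -Priority 0

# 3. Policy and rule are separate objects: verify both, and when retiring the
#    policy remove both, because removing one does not remove the other.
Get-MalwareFilterPolicy "Finance Malware Policy" |
    Format-List Name,Action,CustomAlertText,IsDefault
Get-MalwareFilterRule "Finance Malware Policy" |
    Format-List Name,Priority,RecipientDomainIs,SentToMemberOf,ExceptIfSentTo

# Remove-MalwareFilterRule   "Finance Malware Policy"
# Remove-MalwareFilterPolicy "Finance Malware Policy"
```

The built-in policy named Default has no rule object, so Get-MalwareFilterRule returns nothing for it even though it applies to every recipient.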

Default anti-malware policy

Every organization has a built-in anti-malware policy named Default that has these properties:

  • The malware filter policy named Default is applied to all recipients in the organization, even though there's no malware filter rule (recipient filters) associated with the policy.

  • The policy named Default has the custom priority value Lowest that you can't modify (the policy is always applied last). Any custom anti-malware policies that you create always have a higher priority than the policy named Default.

  • The policy named Default is the default policy (the IsDefault property has the value True), and you can't delete the default policy.