Anti-malware protection FAQ

Important

The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to

This article provides frequently asked questions and answers about anti-malware protection for Microsoft 365 organizations with mailboxes in Exchange Online, or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes.

For questions and answers about the quarantine, see Quarantine FAQ.

For questions and answers about anti-spam protection, see Anti-spam protection FAQ.

For questions and answers about anti-spoofing protection, see Anti-spoofing protection FAQ.

What are best practice recommendations for configuring and using the service to combat malware?

How often are the malware definitions updated?

Each server checks for new malware definitions from our anti-malware partners every hour.

How many anti-malware partners do you have? Can I choose which malware engines we use?

We have partnerships with multiple anti-malware technology providers, so messages are scanned with the Microsoft anti-malware engines, two added signature based engines, plus URL and file reputation scans from multiple sources. Our partners are subject to change, but EOP always uses anti-malware protection from multiple partners. You can't choose one anti-malware engine over another.

Where does malware scanning occur?

We scan for malware in messages that are sent to or sent from a mailbox (messages in transit). For Exchange Online mailboxes, we also have malware zero-hour auto purge (ZAP) to scan for malware in messages that have already been delivered. If you resend a message from a mailbox, then it's scanned again (because it's in transit).

If I make a change to an anti-malware policy, how long does it take after I save my changes for them to take effect?

It might take up to 1 hour for the changes to take effect.

Does the service scan internal messages for malware?

For organizations with Exchange Online mailbox, the service scans for malware in all inbound and outbound messages, including messages sent between internal recipients.

A standalone EOP subscription scans messages as they enter or leave your on-premises email organization. Messages sent between internal users aren't scanned for malware. However, you can use the built-in anti-malware scanning features of Exchange Server. For more information, see Antimalware protection in Exchange Server.

Do all anti-malware engines used by the service have heuristic scanning enabled?

Yes. Heuristic scanning scans for both known (signature match) and unknown (suspicious) malware.

Can the service scan compressed files (such as .zip files)?

Yes. The anti-malware engines can drill into compressed (archive) files.

Is the compressed attachment scanning support recursive (.zip within a .zip within a .zip) and if so, how deep does it go?

Yes, recursive scanning of compressed files scans many layers deep.

Does the service work with legacy Exchange versions and non-Exchange environments?

Yes, the service is server agnostic.

What's a zero-day virus and how is it handled by the service?

A zero-day virus is a first generation, previously unknown variant of malware that's never been captured or analyzed.

After a zero-day virus sample is captured and analyzed by our anti-malware engines, a definition and unique signature is created to detect the malware.

When a definition or signature exists for the malware, it's no longer considered zero-day.

How can I configure the service to block specific executable files (such as \*.exe) that I fear may contain malware?

You can enable and configure the common attachments filter (also known as common attachment blocking) as described in Anti-malware policies.

You can also create an Exchange mail flow rule (also known as transport rule) that blocks any email attachment that has executable content.

Follow the steps in How to reduce malware threats through file attachment blocking in Exchange Online Protection to block the file types listed in Supported file types for mail flow rule content inspection in Exchange Online.

For increased protection, we also recommend using the Any attachment file extension includes these words condition in mail flow rules to block some or all of the following extensions: ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh.

Why did a specific malware get past the filters?

There are two possible reasons why you might have received malware:

  1. Most likely, the attachment does not actually contain malicious code. Some anti-malware engines that run on computers might be more aggressive and could stop messages with truncated payloads.

  2. The malware you received is a new variant (see What's a zero-day virus and how is it handled by the service?). The time it takes for a malware definition update is dependent on our anti-malware partners.

How can I submit malware that made it past the filters to Microsoft? Also, how can I submit a file that I believe was incorrectly detected as malware?

I received an email message with an unfamiliar attachment. Is this malware or can I disregard this attachment?

We strongly advise that you do not open any attachments that you do not recognize. If you would like us to investigate the attachment, go to the Malware Protection Center and submit the possible malware to us as described previously.

Where can I get the messages that have been deleted by the malware filters?

The messages contain active malicious code and therefore we do not allow access to these messages. They are unceremoniously deleted.

I am not able to receive a specific attachment because it is being falsely filtered by the malware filters. Can I allow this attachment through via mail flow rules?

No. You can't use Exchange mail flow rules to skip malware filtering.

Can I get reporting data about malware detections?

Yes, you can access reports in the admin center. For more information about reporting, see the following links:

Exchange Online customers: Monitoring, Reporting, and Message Tracing in Exchange Online

Exchange Online Protection customers: Reporting and message trace in Exchange Online Protection

Is there a tool that I can use to follow a malware-detected message through the service?

Yes, the message trace tool enables you to follow email messages as they pass through the service. For more information about how to use the message trace tool to find out why a message was detected to contain malware, see Message trace in the modern Exchange admin center.

Can I use a third-party anti-spam and anti-malware provider in conjunction with Exchange Online?

Yes. In most cases, we recommend that you point your MX records to (that is, deliver email directly to) EOP. If you need to route your email somewhere else first, you need to enable Enhanced Filtering for Connectors so EOP can use the true message source in filtering decisions.

Are spam and malware messages being investigated as to who sent them, or being transferred to law enforcement entities?

The service focuses on spam and malware detection and removal, though we may occasionally investigate especially dangerous or damaging spam or attack campaigns and pursue the perpetrators.

We often with our legal and digital crime units to take the following actions:

  • Take down a spam botnet.
  • Block an attacker from using the service.
  • Pass the information on to law enforcement for criminal prosecution.

For more information