Anti-malware protection in EOP
The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new. This topic might apply to both Microsoft Defender for Office 365 and Microsoft 365 Defender. Refer to the Applies To section and look for specific call-outs in this article where there might be differences.
- Exchange Online Protection
- Microsoft Defender for Office 365 plan 1 and plan 2
- Microsoft 365 Defender
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. Some of the major categories of malware are:
Viruses that infect other programs and data, and spread through your computer or network looking for programs to infect.
Spyware that that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.
Ransomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect and remove the malware payload that's associated with the ransomware.
EOP offers multi-layered malware protection that's designed to catch all known malware traveling into or out of your organization. The following options help provide anti-malware protection:
Layered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.
Real-time threat response: During some outbreaks, the anti-malware team may have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.
Fast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.
In EOP, messages that are found to contain malware in any attachments are quarantined, and can only be released from quarantine by an admin. For more information, see Manage quarantined messages and files as an admin in EOP.
For more information about anti-malware protection, see the Anti-malware protection FAQ.
To configure anti-malware policies, see Configure anti-malware policies.
To submit malware to Microsoft, see Report messages and files to Microsoft.
Anti-malware policies control the settings and notification options for malware detections. The important settings in anti-malware policies are:
Recipient notifications: By default, a message recipient isn't told that a message intended for them was quarantined due to malware. But, you can enable recipient notifications in the form of delivering the original message with all attachments removed and replaced by a single file named Malware Alert Text.txt that contains the following text:
Malware was detected in one or more attachments included with this email message.
Action: All attachments have been removed.
<Original malware attachment name> <Malware detection result>
You can replace the default text in the Malware Alert Text.txt file with your own custom text.
Common Attachment Types Filter: There are certain types of files that you really shouldn't send via email (for example, executable files). Why bother scanning these type of files for malware, when you should probably block them all, anyway? That's where the Common Attachment Types Filter comes in. It's disabled by default, but when you enable it, the file types you specify are automatically treated as malware. You can use the default list of file types or customize the list. The default file types are:
.ace, .ani, .app, .docm, .exe, .jar, .reg, .scr, .vbe, .vbs.
The Common Attachment Types Filter uses best effort true-typing to detect the file type regardless of the file name extension. If true-typing fails or isn't supported for the specified file type, then simple extension matching is used.
Malware zero-hour auto purge (ZAP): Malware ZAP quarantines messages that are found to contain malware after they've been delivered to Exchange Online mailboxes. By default, malware ZAP is on, and we recommend that you leave it on.
Sender notifications: By default, a message sender isn't told that their message was quarantined due to malware. But, you can enabled notification messages for senders based on whether the sender is internal or external. The default notification message looks like this:
From: Postmaster postmaster@<defaultdomain>.com
Subject: Undeliverable message
This message was created automatically by mail delivery software. Your email message was not delivered to the intended recipients because malware was detected. All attachments were deleted.
--- Additional Information ---:
Subject: <message subject>
Sender: <message sender>
Time received: <date/time>
Message ID: <message id>
<attachment name> <malware detection result>
You can customize the From address, subject, and message text for internal and external notifications.
You can also specify an additional recipient (an admin) to receive notifications for malware detected in messages from internal or external senders.
Recipient filters: For custom anti-malware policies, you can specify recipient conditions and exceptions that determine who the policy applies to. You can use these properties for conditions and exceptions:
- The recipient is
- The recipient domain is
- The recipient is a member of
You can only use a condition or exception once, but the condition or exception can contain multiple values. Multiple values of the same condition or exception use OR logic (for example, <recipient1> or <recipient2>). Different conditions or exceptions use AND logic (for example, <recipient1> and <member of group 1>).
Priority: If you create multiple custom anti-malware policies, you can specify the order that they're applied. No two policies can have the same priority, and policy processing stops after the first policy is applied.
For more information about the order of precedence and how multiple policies are evaluated and applied, see Order and precedence of email protection.
Anti-malware policies in the Security & Compliance Center vs PowerShell
The basic elements of an anti-malware policy are:
- The malware filter policy: Specifies the recipient notification, sender and admin notification, ZAP, and the Common Attachment Types Filter settings.
- The malware filter rule: Specifies the priority and recipient filters (who the policy applies to) for a malware filter policy.
The difference between these two elements isn't obvious when you manage anti-malware polices in the Security & Compliance Center:
When you create an anti-malware policy, you're actually creating a malware filter rule and the associated malware filter policy at the same time using the same name for both.
When you modify an anti-malware policy, settings related to the name, priority, enabled or disabled, and recipient filters modify the malware filter rule. Other settings (recipient notification, sender and admin notification, ZAP, and the Common Attachment Types Filter) modify the associated malware filter policy.
When you remove an anti-malware policy, the malware filter rule and the associated malware filter policy are removed.
In Exchange Online PowerShell or standalone EOP PowerShell, the difference between malware filter policies and malware filter rules is apparent. You manage malware filter policies by using the *-MalwareFilterPolicy cmdlets, and you manage malware filter rules by using the *-MalwareFilterRule cmdlets.
- In PowerShell, you create the malware filter policy first, then you create the malware filter rule that identifies the policy that the rule applies to.
- In PowerShell, you modify the settings in the malware filter policy and the malware filter rule separately.
- When you remove a malware filter policy from PowerShell, the corresponding malware filter rule isn't automatically removed, and vice versa.
Default anti-malware policy
Every organization has a built-in anti-malware policy named Default that has these properties:
The policy is applied to all recipients in the organization, even though there's no malware filter rule (recipient filters) associated with the policy.
The policy has the custom priority value Lowest that you can't modify (the policy is always applied last). Any custom anti-malware policies that you create always have a higher priority than the policy named Default.
The policy is the default policy (the IsDefault property has the value
True), and you can't delete the default policy.