Configure anti-malware policies

Malware filtering is automatically enabled company-wide via the default anti-malware policy. As an administrator, you can view and edit, but not delete, the default anti-malware policy so that it is tailored to best meet the needs of your organization. For greater granularity, you can also create custom malware filter policies and apply them to specified users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (running order) of your custom policies.

The following video shows some of the configuration steps detailed in this topic for the anti-malware policies:

For more information about anti-malware policies, see Anti-malware protection.

What do you need to know before you begin?

Use the EAC to create anti-malware policies

Creating a custom anti-malware policy in the EAC creates the malware filter rule and the associated malware filter policy at the same time using the same name for both.

  1. In the EAC, go to to Protection > Malware filter, and then click New Add Icon.

  2. In the New anti-malware policy page that opens, configure these settings:

    • Name: Enter a unique, descriptive name for the policy.

    • Description: Enter an optional description for the policy.

    • Malware detection response: Select one of these values for the Do you want to notify recipients if their messages are quarantined? setting:

      • No: Prevents the entire message, including attachments, from being delivered to the intended recipients. This is the default value.

      • Yes and use the default notification text: Replaces all message attachments (not just the detected ones) with a text file that contains this default text:

        Malware was detected in one or more attachments included with this email. All attachments have been deleted.

      • Yes and use the custom notification text: Replaces all message attachments (not just the detected ones) with a text file that contains custom text you specify in the Custom alert text box.

      Note

      If malware is detected in the message body of an inbound or outbound message, the entire message is deleted, regardless of the setting you configure for Malware detection response.

    • Common Attachment Types Filter: Select one of these values for blocking attachment types that may harm your computer.

      • Off

      • On: Emails with attachments of filtered file types will trigger the Malware Detection Response (recommended). Turning this feature on lets you add file types to be blocked.

    • Malware Zero-hour Auto Purge: Select one of these values to protect your users by automatically taking your policy's action to quarantine messages with malware detected after delivery.

      • Off

      • On (Recommended)

    • Notification: The settings in this section control notifications when malware filtering deletes the message. The settings don't apply to messages where all attachments are replaced by the default or custom alert text.

      • Sender Notifications: Select one or both of these options:

        • Notify internal senders: An internal sender is inside the organization.

        • Notify external senders: An external sender is outside the organization.

      • Administrator Notifications: Select one or both of these options:

        • Notify administrator about undelivered messages from internal senders: If you select this option, enter a notification email address in the Administrator email address field.

        • Notify administrator about undelivered messages from external senders: If you select this option, enter a notification email address in the Administrator email address field.

      • Customize Notifications: These settings replace the default notification text that's used for senders or administrators. For more information about the default values, see Anti-malware policies.

        • Use customized notification text: If you select this option, you need to use the From name and From address fields to specify the sender's name and email that's used in the customized notification message.

        • Messages from internal senders: If you elected to notify senders or administrators about undeliverable messages from internal senders, you need to use the Subject and Message fields to specify the subject and message body of the custom notification message.

        • Messages from external senders: If you elected to notify senders or administrators about undeliverable messages from external senders, you need to use the Subject and Message fields to specify the subject and message body of the custom notification message.

    • Applied to: The settings in this section identify the internal recipients that the policy applies to.

      • If: Click on the Select one drop down, and select conditions for the rule:

        • The recipient is: Specifies one or more mailboxes, mail users, or mail contacts in your organization. In the Select members dialog box that appears, select one or more recipients from the list, and then click add ->. In the Check names field, you can use wildcards for multiple email addresses (for example: *@fabrikam.com). When you're finished, click OK.

        • The recipient domain is: Specifies recipients in one or more of the configured accepted domains in Office 365. In the dialog box that appears, select one or more domains, and then click add ->. When you're finished, click OK.

        • The recipient is a member of: Specifies one or more groups in your organization. In the Select members dialog box that appears, select one or more groups from the list, and then click add ->. When you're finished, click OK.

      You can only use one a condition once, but you can specify multiple values for the condition. To add more conditions, click Add condition and select from the remaining options.

      • Except if: To add exceptions for the rule, click Add exception, click on the Select one drop down, and configure an exception for the rule. The settings and behavior is exactly like the conditions.
  3. When you're finished, click Save.

Use the EAC to view anti-malware policies

  1. In the EAC, go to Protection > Malware filter.

  2. When you select a policy, information about the policy is displayed in the details pane. To see more information about the policy, click Edit Edit icon.

    • The Enabled property value, the Priority property value, and the settings on the Applied to tab are in the malware filter rule.

    • The settings on the General and Settings tabs are in the malware filter policy.

Use the EAC to modify an anti-malware policy

  1. In the EAC, go to Protection > Malware filter.

  2. Select the policy, and then click Edit Edit icon. For information about the settings, see the Use the EAC to create anti-malware policies section in this topic.

    Notes:

    • Instead of everything on one page, the settings are divided among the General, Settings, and Applied to tabs. The Applied to tab isn't available on the default policy named Default.

    • You can't rename the default policy.

Use the EAC to enable or disable an anti-malware policy

  1. In the EAC, go to Protection > Malware filter.

  2. Select the policy from the list, and then configure one of the following settings:

    • Disable the policy: Clear the check box in the Enabled column. By default, anti-malware policies are enabled when you create them in the EAC.

    • Enable the policy: Select the check box in the Enabled column.

Use the EAC to set the priority of custom anti-malware policies

By default, anti-malware policies are given a priority that's based on the order they were created in (newer polices are lower priority than older policies). A lower priority number indicates a higher priority for the policy, and policies are processed in priority order (higher priority policies are processed before lower priority policies). No two policies can have the same priority.

Notes:

  • In the EAC, you can only change the priority of the anti-malware policy after you create it. In PowerShell, you can override the default priority when you create the malware filter rule (which can affect the priority of existing rules).

  • In the EAC, anti-malware policies are processed in the order that they're displayed (the first policy has the Priority value 0). The default anti-malware policy named Default has the priority value Lowest, and you can't change it.

To change the priority of a policy, move the policy up or down in the list (you can't directly modify the Priority number in the EAC).

  1. In the EAC, go to Protection > Malware filter.

  2. Select a policy, and then click Move up Up Arrow icon or Move down Down Arrow icon to move the rule up or down in the list.

Use the EAC to remove anti-malware policies

When you use the EAC to remove an anti-malware policy, the malware filter rule and the corresponding malware filter policy are both removed.

  1. From the EAC, go to Protection > Malware filter.

  2. Select the anti-malware policy you want to remove from the list, and then click Delete Delete icon.

Use Exchange Online PowerShell or Exchange Online Protection PowerShell to configure anti-malware policies

Use PowerShell to create anti-malware policies

Creating an anti-malware policy in PowerShell is a two-step process:

  1. Create the malware filter policy.

  2. Create the malware filter rule that specifies the malware filter policy that the rule applies to.

Notes:

  • You can create a new malware filter rule and assign an existing, unassociated malware filter policy to it. A malware filter rule can't be associated with more than one malware filter policy.

  • There are two settings that you can configure on new anti-malware policies in PowerShell that aren't available in the EAC until after you create the policy:

    • Create the new policy as disabled (Enabled $false on the New-MalwareFilterPolicy cmdlet).

    • Set the priority of the policy during creation (Priority <Number>) on the New-MalwareFilterRule cmdlet).

  • Malware filter policies that you create in PowerShell don't appear in the EAC until you assign the malware filter policy to a malware filter rule.

Step 1: Use PowerShell to create a malware filter policy

To create a malware filter policy, use this syntax:

New-MalwareFilterPolicy -Name "<PolicyName>" [-Action <DeleteMessage | DeleteAttachmentAndUseDefaultAlert | DeleteAttachmentAndUseCustomAlert>] [-AdminDisplayName "<OptionalComments>"] [-BypassInboundMessages <$true | $false>] [-BypassOutboundMessages <$true | $false>] [-CustomNotifications <$true | $false>] [<Inbound notification options>] [<Outbound notification options>]

This example creates a new malware filter policy named Contoso Malware Filter Policy with these settings:

  • Block messages that contain malware (we aren't using the Action parameter, and the default value is DeleteMessage).

  • Don't notify the message sender when malware is detected in the message (we aren't using the EnableExternalSenderNotifications or EnableInternalSenderNotifications parameters, and the default value for both is $false).

  • Notify the administrator admin@contoso.com when malware is detected in a message from an internal sender.

New-MalwareFilterPolicy -Name "Contoso Malware Filter Policy" -EnableInternalSenderAdminNotifications $true -InternalSenderAdminAddress admin@contoso.com

For detailed syntax and parameter information, see New-MalwareFilterPolicy.

Step 2: Use PowerShell to create a malware filter rule

To create a malware filter rule, use this syntax:

New-MalwareFilterRule -Name "<RuleName>" -MalwareFilterPolicy "<PolicyName>" <Recipient filters> [<Recipient filter exceptions>] [-Comments "<OptionalComments>"]

This example creates a new malware filter rule named Contoso Recipients with these settings:

  • The malware filter policy named Contoso Malware Filter Policy is associated with the rule.

  • The rule applies to recipients in the contoso.com domain.

New-MalwareFilterRule -Name "Contoso Recipients" -MalwareFilterPolicy "Contoso Malware Filter Policy" -RecipientDomainIs contoso.com

For detailed syntax and parameter information, see New-MalwareFilterRule.

Use PowerShell to view malware filter policies

To return a summary list of all malware filter policies, run this command:

Get-MalwareFilterPolicy

To return detailed information about a specific malware filter policy, use the this syntax:

Get-MalwareFilterPolicy -Identity "<PolicyName>" | Format-List [<Specific properties to view>]

This example returns all the property values for the malware filter policy named Executives.

Get-MalwareFilterPolicy -Identity "Executives" | Format-List

This example returns only the specified properties for the same policy.

Get-MalwareFilterPolicy -Identity "Executives" | Format-List Action,AdminDisplayName,CustomNotifications,Enable*Notifications

For detailed syntax and parameter information, see Get-MalwareFilterPolicy.

Use PowerShell to view malware filter rules

To return a summary list of all malware filter rules, run this command:

Get-MalwareFilterRule

To return detailed information about a specific malware filter rule, use this syntax:

Get-MalwareFilterRule -Identity "<RuleName>" | Format-List [<Specific properties to view>]

This example returns all the property values for the malware filter rule named Executives.

Get-MalwareFilterRule -Identity "Executives" | Format-List

This example returns only the specified properties for the same rule.

Get-MalwareFilterRule -Identity "Executives" | Format-List Name,Priority,State,MalwareFilterPolicy,*Is,*SentTo,*MemberOf

For detailed syntax and parameter information, see Get-MalwareFilterRule.

Use PowerShell to modify a malware filter policy

No additional settings are available when you modify a malware policy in PowerShell. They're the same settings that were available when you created the policy. Note that you can't rename the default policy.

To modify a malware filter policy, use this syntax:

Set-MalwareFilterPolicy -Identity "<PolicyName>" <Settings>

For detailed syntax and parameter information, see Set-MalwareFilterPolicy.

Use PowerShell to modify a malware filter rule

When you modify a malware filter rule in PowerShell, you can't disable or enable the rule (there's no Enabled parameter on the Set-MalwareFilterRule cmdlet). Instead, you use the Disable-MalwareFilterRule and Enable-MalwareFilterRule cmdlets as described in the next section.

To modify a malware filter rule, use this syntax:

Set-MalwareFilterRule -Identity "<RuleName>" <Settings>

For detailed syntax and parameter information, see Set-MalwareFilterRule.

Use PowerShell to enable or disable malware filter rules

By default, anti-malware policies are enabled when you create them in PowerShell, but you can use PowerShell to create a disabled malware filter rule (use the New-MalwareFilterRule cmdlet and the Enabled parameter with the value $false).

To enable or disable a malware filter rule in PowerShell, use this syntax:

<Enable-MalwareFilterRule | Disable-MalwareFilterRule> -Identity "<RuleName>"

This example disables the malware filter rule named Marketing Department.

Disable-MalwareFilterRule -Identity "Marketing Department"

This example enables same rule.

Enable-MalwareFilterRule -Identity "Marketing"

For detailed syntax and parameter information, see Enable-MalwareFilterRule and Disable-MalwareFilterRule.

Use PowerShell to set the priority of custom malware filter rules

The highest priority value you can set on a rule is 0. The lowest value you can set depends on the number of rules. For example, if you have five rules, you can use the priority values 0 through 4. Changing the priority of an existing rule can have a cascading effect on other rules. For example, if you have five rules (priorities 0 through 4), and you change the priority of a rule to 2, the existing rule with priority 2 is changed to priority 3, and the rule with priority 3 is changed to priority 4.

To set the priority of a custom malware filter rule in PowerShell, use the following syntax:

Set-MalwareFilterRule -Identity "<RuleName>" -Priority <Number>

This example sets the priority of the rule named Marketing Department to 2. All existing rules that have a priority less than or equal to 2 are decreased by 1 (their priority numbers are increased by 1).

Set-MalwareFilterRule -Identity "Marketing Department" -Priority 2

Note: To set the priority of a new rule when you create it, use the Priority parameter on the New-MalwareFilterRule cmdlet.

Use PowerShell to remove malware filter policies

When you use PowerShell to remove a malware filter policy, the corresponding malware filter rule isn't removed.

To remove a malware filter policy in PowerShell, use this syntax:

Remove-MalwareFilterPolicy -Identity "<PolicyName>"

This example removes the malware filter policy named Marketing Department.

Remove-MalwareFilterPolicy -Identity "Marketing Department"

For detailed syntax and parameter information, see Remove-MalwareFilterPolicy.

How do you know these procedures worked?

The following procedure provides instructions for using the EICAR.TXT antivirus test file to verify that malware filtering is working correctly. Use an email client that does not block the file.

Important

The EICAR.TXT file is not a virus. However, because users often have the need to test that installations function correctly, the antivirus industry, through the European Institute for Computer Antivirus Research, has adopted the EICAR standard in order to meet this need.

Use the EICAR.TXT file to verify malware filtering functionality

  1. Create a new text file, and then name the file EICAR.TXT.

  2. Copy the following line into the text file:

    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
    

    Make sure that this is the only string in the file. When done, you will have a 68-byte file.

    If you are using a desktop antivirus program, make sure that the folder you are saving the file to is excluded from scanning.

  3. Attach this file to an email message that will be filtered by the service.

    Check the recipient mailbox of the test message. Depending on the malware detection response you have configured, the entire message will be deleted, or the attachment will be deleted and replaced with the alert text file. Any configured notifications will also be distributed.

    The recipient may receive a notification message (if configured) that appears similar to the following: "This message was created automatically by mail delivery software. Your email message was not delivered to the intended recipients because malware was detected. The following additional information will also be included: the subject of the message, the sender of the message, the time the message was received by the service, the Message ID (the Internet message ID (also known as the Client ID) found in the header of the message with the "Message-ID: token), and the detection found (which will be eicar.txt).

  4. Delete the EICAR.TXT file after testing is completed so that other users are not unnecessarily alarmed.

For more information

Anti-malware protection

Anti-malware protection FAQ