Configure anti-malware policies
Malware filtering is automatically enabled company-wide via the default anti-malware policy. As an administrator, you can view and edit, but not delete, the default anti-malware policy so that it is tailored to best meet the needs of your organization. For greater granularity, you can also create custom malware filter policies and apply them to specified users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (running order) of your custom policies.
The following video shows some of the configuration steps detailed in this topic for the anti-malware policies:
What do you need to know before you begin?
You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the Anti-malware entry in the Feature Permissions in Exchange Online topic.
For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.
Use the EAC to configure anti-malware policies
In the Exchange admin center (EAC), navigate to Protection > Malware filter.
Do one of the following:
Double-click the default policy in order to edit this company-wide policy.
Click the New icon in order to create a new policy that can be applied to users, groups, and domains in your organization. You can also edit existing custom policies by double-clicking them.
For custom policies only, specify a name for this policy. You can optionally specify a more detailed description as well. You cannot rename the default policy.
When creating a new policy, all configuration settings appear on a single screen, whereas when editing a policy you must navigate through different screens. The settings are the same in either case, but the rest of this procedure describes how to access these settings when editing a policy.
Click the Settings menu option. In the Malware Detection Response section, use the option buttons to select the action to take when malware is detected in a message:
Delete the entire message Prevents the entire message, including attachments, from being delivered to the intended recipients. This is the default value.
Delete all attachments and use default alert text Deletes all message attachments, not just the infected one, and inserts the following default alert text into a text file that replaces the attachments: Malware was detected in one or more attachments included with this email. All attachments have been deleted.
Delete all attachments and use custom alert text Deletes all message attachments, not just the infected one, and inserts a custom message into a text file that replaces the attachments. Selecting this option enables the Custom alert text field where you must type a custom message.
If malware is detected in the message body, the entire message, including all attachments, will be deleted regardless of which option you select. This action is applied to both inbound and outbound messages.
In the Common attachment types filter filter section, choose which file types you want to have the Malware Detection Response option selected above applied on. New policies have the most commonly used malicious file types selected to be detected as malware by default. The filter supports both true file types when available and file extensions.
There are several types of files that typically deliver malware through email and this on and off setting will prevent the selected files from being delivered to your inboxes as well as sent by your users.
The list of files the malware filter detects can be customized per policy by choosing and adding the additional file types to the list..
In the Notifications section, you have the option to send a notification email message to senders or administrators when a message is detected as malware and is not delivered. These notifications are only sent when the entire message is deleted.
In the Sender Notifications section, select the check boxes to Notify internal senders (those within your organization) or to Notify external senders (those outside your organization) when a detected message is not delivered.
Similarly, in the Administrator Notifications section, select the check boxes to Notify administrator about undelivered messages from internal senders or to Notify administrator about undelivered messages from external senders. Specify the email address or addresses of the administrator in their respective Administrator email address fields after selecting one or both of these check boxes.
The default notification text is "This message was created automatically by mail delivery software. Your email message was not delivered to the intended recipients because malware was detected." The language in which the default notification text is sent is dependent on the locale of the message being processed.
In the Customize Notifications section, you can create customized notification text to be used in place of the default notification text for sender and administrator notifications. Select the Use customized notification text check box, and then specify values in the following required fields:
From name The name you want to be used as the sender of the customized notification.
From address The email address you want to be used as the sender of the customized notification.
Messages from internal senders The Subject and Message of the notification if the detected message originated from an internal sender.
Messages from external senders The Subject and Message of the notification if the detected message originated from an external sender.
The default Subject text is "Undeliverable message."
- For custom policies only, click the Apply to menu item and then create a condition-based rule to specify the users, groups, and/or domains for whom to apply this policy. You can create multiple conditions provided that they are unique.
To select users, select The recipient is. In the subsequent dialog box, select one or more senders from your company from the user picker list and then click add. To add senders who aren't on the list, type their email addresses and click Check names. In this box, you can also use wildcards for multiple email addresses (for example: *@ domainname). When you are done with your selections, click ok to return to the main screen.
To select groups, select The recipient is a member of and then, in the subsequent dialog box, select or specify the groups. Click ok to return to the main screen.
To select domains, select The recipient domain is and then, in the subsequent dialog box, add the domains. Click ok to return to the main screen.
You can create exceptions within the rule, for example you can filter messages from all domains except for a certain domain. Click add exception and then create your exception conditions similar to the way you created the other conditions.
- Click Save. A summary of your default policy settings appears in the right pane.
You can select or clear the check boxes in the ENABLED column to enable or disable your custom policies. All policies are enabled by default, and the default policy cannot be disabled. > To delete a custom policy, select the policy, click the Delete icon, and then confirm that you want to delete the policy. The default policy cannot be deleted. > Custom policies always take precedence over the default policy. Custom policies run in the reverse order that you created them (from oldest to newest), but you can change the priority (running order) of your custom policies by clicking the up arrow and down arrow. The policy with a PRIORITY of 0 will run first, followed by 1, then 2, and so on.
Use remote PowerShell to configure anti-malware policies
You can also configure and apply malware filter policies in PowerShell. To learn how to use Windows PowerShell to connect to Exchange Online, see Connect to Exchange Online PowerShell. To learn how to use Windows PowerShell to connect to Exchange Online Protection, see Connect to Exchange Online Protection PowerShell.
Get-MalwareFilterPolicy View your malware filter settings.
Set-MalwareFilterPolicy Edit your malware filter settings.
New-MalwareFilterPolicy Create a new custom malware filter policy.
Remove-MalwareFilterPolicy Delete a custom malware filter policy.
To apply a custom malware filter policy to users, groups, and/or domains, use the New-MalwareFilterRule cmdlet (to create a new filter rule that can be applied to custom policies) or the Set-MalwareFilterRule cmdlet (to edit an existing filter rule that can be applied to custom policies). Use the Enable-MalwareFilterRule cmdlet or the Disable-MalwareFilterRule cmdlet to enable or disable the rule applied to the policy.
How do you know this worked?
The following procedure provides instructions for using the EICAR.TXT antivirus test file to verify that malware filtering is working correctly. Use an email client that does not block the file.
The EICAR.TXT file is not a virus. However, because users often have the need to test that installations function correctly, the antivirus industry, through the European Institute for Computer Antivirus Research, has adopted the EICAR standard in order to meet this need.
Use the EICAR.TXT file to verify malware filtering functionality
Create a new text file, and then name the file EICAR.TXT.
Copy the following line into the text file:
Make sure that this is the only string in the file. When done, you will have a 68-byte file.
If you are using a desktop antivirus program, make sure that the folder you are saving the file to is excluded from scanning. 3. Attach this file to an email message that will be filtered by the service.
Check the recipient mailbox of the test message. Depending on the malware detection response you have configured, the entire message will be deleted, or the attachment will be deleted and replaced with the alert text file. Any configured notifications will also be distributed.
The recipient may receive a notification message (if configured) that appears similar to the following: "This message was created automatically by mail delivery software. Your email message was not delivered to the intended recipients because malware was detected. The following additional information will also be included: the subject of the message, the sender of the message, the time the message was received by the service, the Message ID (the Internet message ID (also known as the Client ID) found in the header of the message with the "Message-ID: token), and the detection found (which will be eicar.txt). 4. Delete the EICAR.TXT file after testing is completed so that other users are not unnecessarily alarmed. ## For more information
Send feedback about: