Procedures for antimalware protection in Exchange Server

Exchange Server includes the Malware Agent that's installed on Mailbox servers. For more information about malware filtering in Exchange, see Antimalware protection in Exchange Server.

This topic describes the following procedures for managing malware filtering in Exchange:

  • Disable or enable malware filtering on a Mailbox server

  • Bypass malware filtering on a Mailbox server

  • Create antimalware policies

  • View antimalware policies

  • Modify antimalware policies

  • Enable and disable antimalware policies

  • Set the priority of antimalware policies

  • Remove antimalware policies

  • Configure malware filtering to scan messages that were already scanned by Exchange Online Protection (EOP).

What do you need to know before you begin?

  • We recommend that you manually download antimalware engine and definition updates on your Exchange server prior to placing it into production. For more information, see Download antimalware engine and definition updates.

  • An antimalware policy consists of a malware filter policy and a malware filter rule. Each element controls different settings that don't overlap. The difference between these elements isn't visible in the EAC, but it's obvious in the Exchange Management Shell because you use different cmdlets to manage the settings (*-MalwareFilterPolicy and *-MalwareFilterRule). This topic refers to antimalware policies for procedures in the EAC, and malware filter policies and malware filter rules for procedures in the Exchange Management Shell. For more information, see Antimalware protection in Exchange Server.

  • You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Antimalware" entry in the Antispam and antimalware permissions topic.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.

Use the Exchange Management Shell to enable or disable malware filtering on Mailbox servers

Disabling malware filtering on a Mailbox server disables the Malware agent and definition and engine updates.

  1. To disable malware filtering on the local Mailbox server, run this command in the Exchange Management Shell:

    & $env:ExchangeInstallPath\Scripts\Disable-AntimalwareScanning.ps1
    

    To enable malware filtering on the local Mailbox server, run this command in the Exchange Management Shell:

    & $env:ExchangeInstallPath\Scripts\Enable-AntimalwareScanning.ps1
    

    If the command was successful, you see this message:

    Anti-malware scanning is successfully <enabled or disabled>. Please restart MSExchangeTransport for the changes to take effect.

    Note: The enable script also applies malware engine and definition updates as needed.

  2. Restart the Exchange Transport service by running this command, which will temporarily interrupt mail flow on the server:

    Restart-Service MSExchangeTransport
    

    The change might take up to 10 minutes to take effect.

How do you know this worked?

To verify that you've successfully enabled or disabled malware filtering on a Mailbox server, run this command in the Exchange Management Shell, and verify the value of the Enabled property:

Get-TransportAgent "Malware Agent"

Use the Exchange Management Shell to bypass malware filtering on Mailbox servers

Bypassing malware filtering allows you to temporarily disable malware filtering on the server without disrupting mail flow (you don't need to restart the Exchange Transport service).

Note: You should only bypass malware filtering on a Mailbox server when you're troubleshooting a problem. When you're done, you should turn malware filtering back on.

To bypass or reenable malware filtering on a Mailbox server, use this syntax:

Set-MalwareFilteringServer -Identity <ServerIdentity> -BypassFiltering <$true | $false>

This example bypasses malware filtering on the server named Mailbox01.

Set-MalwareFilteringServer -Identity Mailbox01 -BypassFiltering $true

This example reenables malware filtering on the same server.

Set-MalwareFilteringServer -Identity Mailbox01 -BypassFiltering $false

The change might take up to 10 minutes to take effect.

For detailed syntax and parameter information, see Set-MalwareFilteringServer.

How do you know this worked?

To verify that you've temporarily bypassed or reenabled malware filtering on a Mailbox server, run this command in the Exchange Management Shell, and verify the value of the BypassFiltering property:

Get-MalwareFilteringServer | Format-List Name,BypassFiltering

Create antimalware policies

Use the EAC to create antimalware policies

Creating an antimalware policy in the EAC creates the malware filter rule and the associated malware filter policy at the same time using the same name for both.

  1. In the EAC, go to Protection > Malware filter, and then click New (Add icon).

  2. In the New anti-malware policy page that opens, configure these settings:

    • Name: Enter a unique, descriptive name for the policy.

    • Description: Enter an optional description for the policy.

    • Malware detection response: Select one of these options:

      • Delete the entire message: Prevents the entire message from being delivered to the intended recipients. This is the default value.

      • Delete all attachments and use default alert text: Replaces all message attachments (not just the detected ones) with a text file that contains this default text:

        Malware was detected in one or more attachments included with this email. All attachments have been deleted.

      • Delete all attachments and use custom alert text: Replaces all message attachments (not just the detected ones) with a text file that contains custom text you specify in the Custom alert text field.

      Note

      If malware is detected in the message body of an inbound or outbound message, the entire message is deleted, regardless of the setting you configure for Malware detection response.

    • Notification: The settings in this section control notifications when malware filtering deletes the message. The settings don't apply to messages where all attachments are replaced by the default or custom alert text.

      • Sender Notifications: Select one or both of these options:

        • Notify internal senders: An internal sender is inside the Exchange organization.

        • Notify external senders: An external sender is outside the Exchange organization.

      • Administrator Notifications: Select one or both of these options:

        • Notify administrator about undelivered messages from internal senders: If you select this option, enter a notification email address in the Administrator email address field.

        • Notify administrator about undelivered messages from external senders: If you select this option, enter a notification email address in the Administrator email address field.

      • Customize Notifications: These settings replace the default notification text that's used for senders or administrators. For more information about the default values, see Antimalware policies.

        • Use customized notification text: If you select this option, you need to use the From name and From address fields to specify the sender's name and email that's used in the customized notification message.

        • Messages from internal senders: If you elected to notify senders or administrators about undeliverable messages from internal senders, you need to use the Subject and Message fields to specify the subject and message body of the custom notification message.

        • Messages from external senders: If you elected to notify senders or administrators about undeliverable messages from external senders, you need to use the Subject and Message fields to specify the subject and message body of the custom notification message.

    • Applied to: The settings in this section identify the internal recipients that the policy applies to.

      • If: Click on the Select one drop down, and select conditions for the rule:

        • The recipient is: Specifies one or more mailboxes, mail users, or mail contacts in the Exchange organization. In the Select members dialog box that appears, select one or more recipients from the list, and then click add ->. In the Check names field, you can use wildcards for multiple email addresses (for example: *@fabrikam.com). When you're finished, click OK.

        • The recipient domain is: Specifies recipients in one or more of the configured accepted domains in the Exchange organization. In the dialog box that appears, select one or more domains, and then click add ->. When you're finished, click OK.

        • The recipient is a member of: Specifies one or more groups in the Exchange organization. In the Select members dialog box that appears, select one or more groups from the list, and then click add ->. When you're finished, click OK.

      You can only use a condition once, but you can specify multiple values for the condition. To add more conditions, click Add condition and select from the remaining options.

      • Except if: To add exceptions for the rule, click Add exception, click on the Select one drop down, and configure an exception for the rule. The settings and behavior are exactly like the conditions.

  3. When you're finished, click Save.

Use the Exchange Management Shell to create antimalware policies

Creating an antimalware policy in the Exchange Management Shell is a two-step process:

  1. Create the malware filter policy.

  2. Create the malware filter rule that specifies the malware filter policy that the rule applies to.

Notes:

  • You can create a new malware filter rule and assign an existing, unassociated malware filter policy to it. A malware filter rule can't be associated with more than one malware filter policy.

  • There are two settings that you can configure on new antimalware policies in the Exchange Management Shell that aren't available in the EAC until after you create the policy:

    • Create the new policy as disabled (Enabled $false on the New-MalwareFilterPolicy cmdlet).

    • Set the priority of the policy during creation (Priority <Number> on the New-MalwareFilterRule cmdlet).

  • Malware filter policies that you create in the Exchange Management Shell don't appear in the EAC until you assign the malware filter policy to a malware filter rule.

  • A setting that's available in the Exchange Management Shell that isn't available in the EAC is the ability to turn malware filtering on or off for inbound messages or outbound messages by using the BypassInboundMessages or BypassOutboundMessages parameters on the New-MalwareFilterPolicy cmdlet.

Step 1: Use the Exchange Management Shell to create a malware filter policy

To create a malware filter policy, use this syntax:

New-MalwareFilterPolicy -Name "<PolicyName>" [-Action <DeleteMessage | DeleteAttachmentAndUseDefaultAlert | DeleteAttachmentAndUseCustomAlert>] [-AdminDisplayName "<OptionalComments>"] [-BypassInboundMessages <$true | $false>] [-BypassOutboundMessages <$true | $false>] [-CustomNotifications <$true | $false>] [<Inbound notification options>] [<Outbound notification options>]

This example creates a new malware filter policy named Contoso Malware Filter Policy with these settings:

  • Block messages that contain malware (we aren't using the Action parameter, and the default value is DeleteMessage).

  • Don't notify the message sender when malware is detected in the message (we aren't using the EnableExternalSenderNotifications or EnableInternalSenderNotifications parameters, and the default value for both is $false).

  • Notify the administrator admin@contoso.com when malware is detected in a message from an internal sender.

New-MalwareFilterPolicy -Name "Contoso Malware Filter Policy" -EnableInternalSenderAdminNotifications $true -InternalSenderAdminAddress admin@contoso.com

For detailed syntax and parameter information, see New-MalwareFilterPolicy.

Step 2: Use the Exchange Management Shell to create a malware filter rule

To create a malware filter rule, use this syntax:

New-MalwareFilterRule -Name "<RuleName>" -MalwareFilterPolicy "<PolicyName>" <Recipient filters> [<Recipient filter exceptions>] [-Comments "<OptionalComments>"]

This example creates a new malware filter rule named Contoso Recipients with these settings:

  • The malware filter policy named Contoso Malware Filter Policy is associated with the rule.

  • The rule applies to recipients in the contoso.com domain.

New-MalwareFilterRule -Name "Contoso Recipients" -MalwareFilterPolicy "Contoso Malware Filter Policy" -RecipientDomainIs contoso.com

For detailed syntax and parameter information, see New-MalwareFilterRule.

How do you know this worked?

To verify that you've successfully created an antimalware policy, do any of these steps:

  • In the EAC, go to Protection > Malware filter. Verify that the rule you created is in the list. Click Edit (Edit icon) to verify the settings of the rule.

  • In the Exchange Management Shell, replace <PolicyName> with the name of the malware filter policy, and run this command to verify the property values:

    Get-MalwareFilterPolicy -Identity "<PolicyName>" | Format-List

  • In the Exchange Management Shell, replace <RuleName> with the name of the malware filter rule, and run this command to verify the property values:

    Get-MalwareFilterRule -Identity "<RuleName>" | Format-List
    
  • Use a European Institute for Computer Antivirus Research (EICAR) test file to verify that the malware filter is working correctly:

  1. Open Notepad, and insert this text (and only this text) into an empty file:

    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
    

    Save the file as EICAR.txt in a location that's easy for you to find, and that's excluded from scanning by your computer's antivirus program. The file will be 68 bytes in size.

  2. Create an email message, attach the EICAR.txt file to the message, and send the message to a recipient in your Exchange organization who should be affected by the malware policy.

  3. Check the recipient's mailbox to verify that malware filtering acted on the message: the message was deleted, or the message was delivered with the replacement alert text file for the attachment, and the notification messages were delivered to the sender and/or administrators.

  4. When you're finished, delete the EICAR.txt file so other users aren't unnecessarily alarmed.
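The 68-byte size in step 1 only holds if the file contains the test string and nothing else; a tool that adds a byte-order mark or a trailing newline changes it. The following PowerShell is an added example, not part of the original procedure: it writes the string shown above as raw ASCII bytes and checks a file for extra bytes. The function names and the default path are illustrative assumptions.

```powershell
# Added example (not from the original topic). Function names and the default
# path are hypothetical; the test string is the one shown in step 1.

# Single quotes keep PowerShell from expanding $EICAR... and $H as variables.
$EicarText = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

function New-EicarTestFile {
    param(
        # Placeholder location: replace with a folder that is excluded
        # from scanning by the local antivirus program.
        [string]$Path = (Join-Path $env:TEMP 'EICAR.txt')
    )
    # WriteAllBytes writes exactly these bytes: no BOM, no line ending.
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($EicarText)
    [System.IO.File]::WriteAllBytes($Path, $bytes)
    Get-Item -LiteralPath $Path
}

function Test-EicarTestFile {
    param([Parameter(Mandatory)][string]$Path)

    $actual   = [System.IO.File]::ReadAllBytes($Path)
    $expected = [System.Text.Encoding]::ASCII.GetBytes($EicarText)

    # A UTF-8 byte-order mark is the three bytes EF BB BF at the start.
    $hasBom = $actual.Length -ge 3 -and
              $actual[0] -eq 0xEF -and $actual[1] -eq 0xBB -and $actual[2] -eq 0xBF
    # Editors and Out-File commonly append CR and/or LF.
    $endsWithNewline = $actual.Length -gt 0 -and $actual[-1] -in 0x0A, 0x0D

    [pscustomobject]@{
        Path            = $Path
        Length          = $actual.Length
        HasUtf8Bom      = $hasBom
        EndsWithNewline = $endsWithNewline
        # Byte-for-byte comparison against the expected 68 bytes.
        IsExact         = [System.BitConverter]::ToString($actual) -eq
                          [System.BitConverter]::ToString($expected)
    }
}

# Create the file, confirm it is byte-exact, and remove it after the mail test.
$file = New-EicarTestFile
Test-EicarTestFile -Path $file.FullName
# ... attach the file to the test message and send it (steps 2 and 3) ...
Remove-Item -LiteralPath $file.FullName
```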

View antimalware policies

Use the EAC to view antimalware policies

  1. In the EAC, go to Protection > Malware filter.

  2. When you select a policy, information about the policy is displayed in the details pane. To see more information about the policy, click Edit (Edit icon).

    • The Enabled property value, the Priority property value, and the settings on the Applied to tab are in the malware filter rule.

    • The settings on the General and Settings tabs are in the malware filter policy.

Use the Exchange Management Shell to view malware filter policies

To return a summary list of all malware filter policies, run this command:

Get-MalwareFilterPolicy

To return detailed information about a specific malware filter policy, use this syntax:

Get-MalwareFilterPolicy -Identity "<PolicyName>" | Format-List [<Specific properties to view>]

This example returns all the property values for the malware filter policy named Executives.

Get-MalwareFilterPolicy -Identity "Executives" | Format-List

This example returns only the specified properties for the same policy.

Get-MalwareFilterPolicy -Identity "Executives" | Format-List Action,AdminDisplayName,CustomNotifications,Enable*Notifications

For detailed syntax and parameter information, see Get-MalwareFilterPolicy.

Use the Exchange Management Shell to view malware filter rules

To return a summary list of all malware filter rules, run this command:

Get-MalwareFilterRule

To return detailed information about a specific malware filter rule, use this syntax:

Get-MalwareFilterRule -Identity "<RuleName>" | Format-List [<Specific properties to view>]

This example returns all the property values for the malware filter rule named Executives.

Get-MalwareFilterRule -Identity "Executives" | Format-List

This example returns only the specified properties for the same rule.

Get-MalwareFilterRule -Identity "Executives" | Format-List Name,Priority,State,MalwareFilterPolicy,*Is,*SentTo,*MemberOf

For detailed syntax and parameter information, see Get-MalwareFilterRule.

Modify antimalware policies

No additional settings are available when you modify a malware policy in the EAC or the Exchange Management Shell. They're the same settings that were available when you created the policy.

Use the EAC to modify an antimalware policy

  1. In the EAC, go to Protection > Malware filter.

  2. Select the policy, and then click Edit (Edit icon). For information about the settings, see the Use the EAC to create antimalware policies section in this topic.

    Notes:

    • Instead of everything on one page, the settings are divided among the General, Settings, and Applied to tabs. The Applied to tab isn't available on the default policy named Default.

    • You can't rename the default policy.

Use the Exchange Management Shell to modify a malware filter policy

To modify a malware filter policy, use this syntax:

Set-MalwareFilterPolicy -Identity "<PolicyName>" <Settings>

For detailed syntax and parameter information, see Set-MalwareFilterPolicy.

Use the Exchange Management Shell to modify a malware filter rule

When you modify a malware filter rule in the Exchange Management Shell, you can't disable or enable the rule (there's no Enabled parameter on the Set-MalwareFilterRule cmdlet). Instead, you use the Disable-MalwareFilterRule and Enable-MalwareFilterRule cmdlets as described later in this topic.

To modify a malware filter rule, use this syntax:

Set-MalwareFilterRule -Identity "<RuleName>" <Settings>

For detailed syntax and parameter information, see Set-MalwareFilterRule.

Enable or disable antimalware policies

By default, antimalware policies are enabled when you create them in the EAC or the Exchange Management Shell, but you can use the Exchange Management Shell to create a disabled malware filter rule (use the New-MalwareFilterRule cmdlet and the Enabled parameter with the value $false).

Use the EAC to enable or disable an antimalware policy

  1. In the EAC, go to Protection > Malware filter.

  2. Select the policy from the list, and then configure one of the following settings:

    • Disable the policy: Clear the check box in the Enabled column.

    • Enable the policy: Select the check box in the Enabled column.

Use the Exchange Management Shell to enable or disable malware filter rules

To enable or disable a malware filter rule in the Exchange Management Shell, use this syntax:

<Enable-MalwareFilterRule | Disable-MalwareFilterRule> -Identity "<RuleName>"

This example disables the malware filter rule named Marketing Department.

Disable-MalwareFilterRule -Identity "Marketing Department"

This example enables the same rule.

Enable-MalwareFilterRule -Identity "Marketing Department"

For detailed syntax and parameter information, see Enable-MalwareFilterRule and Disable-MalwareFilterRule.

How do you know this worked?

To verify that you've successfully enabled or disabled an antimalware policy, use either of these procedures:

  • In the EAC, go to Protection > Malware filter, and in the list of antimalware policies, verify the status of the check box in the Enabled column.

  • In the Exchange Management Shell, run this command to see the list of rules and their State property values:

    Get-MalwareFilterRule
    

Set the priority of custom antimalware policies

By default, antimalware policies are given a priority that's based on the order they were created in (newer policies are lower priority than older policies). A lower priority number indicates a higher priority for the policy, and policies are processed in priority order (higher priority policies are processed before lower priority policies). No two policies can have the same priority.

Notes:

  • In the EAC, you can only change the priority of the antimalware policy after you create it. In the Exchange Management Shell, you can override the default priority when you create the malware filter rule (which can affect the priority of existing rules).

  • The default antimalware policy named Default has the priority value Lowest, and you can't change it.

Use the EAC to set the priority of custom antimalware policies

In the EAC, antimalware policies are processed in the order that they're displayed (the first policy has the Priority value 0). To change the priority of a policy, move the policy up or down in the list (you can't directly modify the Priority number in the EAC).

  1. In the EAC, go to Protection > Malware filter.

  2. Select a policy, and then click Move up (Up Arrow Icon) or Move down (Down Arrow Icon) to move the rule up or down in the list.

Use the Exchange Management Shell to set the priority of custom malware filter rules

The highest priority value you can set on a rule is 0. The lowest value you can set depends on the number of rules. For example, if you have five rules, you can use the priority values 0 through 4. Changing the priority of an existing rule can have a cascading effect on other rules. For example, if you have five rules (priorities 0 through 4), and you change the priority of a rule to 2, the existing rule with priority 2 is changed to priority 3, and the rule with priority 3 is changed to priority 4.

To set the priority of a malware filter rule in the Exchange Management Shell, use the following syntax:

Set-MalwareFilterRule -Identity "<RuleName>" -Priority <Number>

This example sets the priority of the rule named Marketing Department to 2. All existing rules that have a priority less than or equal to 2 are decreased by 1 (their priority numbers are increased by 1).

Set-MalwareFilterRule -Identity "Marketing Department" -Priority 2

Note: To set the priority of a new rule when you create it, use the Priority parameter on the New-MalwareFilterRule cmdlet.
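To preview the cascading effect before running Set-MalwareFilterRule, the following added example (not from the original topic) models the renumbering offline. It assumes the rules behave as one ordered list in which the moved rule is taken out and re-inserted at the new position, which reproduces the five-rule example above; the function name is hypothetical and every rule name except Executives and Marketing Department is constructed.

```powershell
# Added example (not from the original topic). Get-ReorderedRulePriority is a
# hypothetical helper that models priorities as positions in an ordered list.
function Get-ReorderedRulePriority {
    [CmdletBinding()]
    param(
        # Rule names in current priority order: index 0 is priority 0.
        [Parameter(Mandatory)][string[]]$RuleNames,
        # The rule being moved.
        [Parameter(Mandatory)][string]$Identity,
        # The priority value you plan to pass to Set-MalwareFilterRule.
        [Parameter(Mandatory)][int]$Priority
    )

    $oldIndex = [Array]::IndexOf($RuleNames, $Identity)
    if ($oldIndex -lt 0) {
        throw "Rule '$Identity' is not in the list."
    }
    # With N rules the usable values are 0 through N-1.
    if ($Priority -lt 0 -or $Priority -ge $RuleNames.Count) {
        throw "Priority must be between 0 and $($RuleNames.Count - 1)."
    }

    # Take the rule out of the list and re-insert it at the new position;
    # every rule in between shifts by one.
    $ordered = [System.Collections.Generic.List[string]]::new($RuleNames)
    $ordered.RemoveAt($oldIndex)
    $ordered.Insert($Priority, $Identity)

    for ($i = 0; $i -lt $ordered.Count; $i++) {
        $before = [Array]::IndexOf($RuleNames, $ordered[$i])
        [pscustomobject]@{
            Name        = $ordered[$i]
            OldPriority = $before
            NewPriority = $i
            Changed     = ($before -ne $i)
        }
    }
}

# Constructed rule set: five rules with priorities 0 through 4.
$rules = 'Executives', 'Finance', 'Legal', 'Sales', 'Marketing Department'

# Model: Set-MalwareFilterRule -Identity "Marketing Department" -Priority 2
Get-ReorderedRulePriority -RuleNames $rules -Identity 'Marketing Department' -Priority 2 |
    Format-Table -AutoSize
```

Compare the NewPriority column with the output of Get-MalwareFilterRule after the real change.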

How do you know this worked?

To verify that you've successfully modified the priority of an antimalware policy, use either of these procedures:

  • In the EAC, go to Protection > Malware filter, and verify the Priority value of the antimalware policies in the list.

  • In the Exchange Management Shell, run this command to see the list of rules and their Priority property values:

    Get-MalwareFilterRule
    

Remove antimalware policies

Note: You can't remove the default antimalware policy.

Use the EAC to remove antimalware policies

When you use the EAC to remove an antimalware policy, the malware filter rule and the corresponding malware filter policy are both removed.

  1. From the EAC, go to Protection > Malware filter.

  2. Select the antimalware policy you want to remove from the list, and then click Delete (Delete icon).

Use the Exchange Management Shell to remove malware filter policies

When you use the Exchange Management Shell to remove a malware filter policy, the corresponding malware filter rule isn't removed.

To remove a malware filter policy in the Exchange Management Shell, use this syntax:

Remove-MalwareFilterPolicy -Identity "<PolicyName>"

This example removes the malware filter policy named Marketing Department.

Remove-MalwareFilterPolicy -Identity "Marketing Department"

For detailed syntax and parameter information, see Remove-MalwareFilterPolicy.

Use the Exchange Management Shell to remove malware filter rules

When you use the Exchange Management Shell to remove a malware filter rule, the associated malware filter policy isn't removed.

To remove a malware filter rule in the Exchange Management Shell, use this syntax:

Remove-MalwareFilterRule -Identity "<RuleName>"

This example removes the malware filter rule named Marketing Department:

Remove-MalwareFilterRule -Identity "Marketing Department"

For detailed syntax and parameter information, see Remove-MalwareFilterRule.

How do you know this worked?

To verify that you've successfully removed an antimalware policy, use either of these procedures:

  • In the EAC, go to Protection > Malware filter, and verify that the policy you removed is no longer in the list.

  • In the Exchange Management Shell, run this command to verify that the malware filter policy you removed is no longer listed:

    Get-MalwareFilterPolicy
    
  • In the Exchange Management Shell, run this command to verify that the malware filter rule you removed is no longer listed:

    Get-MalwareFilterRule
    

Use the Exchange Management Shell to configure malware filtering to rescan messages that were already scanned by EOP

By default, messages in transit that have been scanned by Exchange Online Protection (EOP) aren't scanned again by the Malware agent in Exchange. But, rescanning these messages can provide another layer of defense against malware.

To enable or disable scanning for malware in messages that have already been scanned by EOP, use this syntax in the Exchange Management Shell:

Set-MalwareFilteringServer -Identity <ServerIdentity> -ForceRescan <$true | $false>

This example enables scanning for malware in messages that have already been scanned by EOP on the Mailbox server named Mailbox01.

Set-MalwareFilteringServer -Identity Mailbox01 -ForceRescan $true

This example disables scanning for malware in messages that have already been scanned by EOP on the same server.

Set-MalwareFilteringServer -Identity Mailbox01 -ForceRescan $false

How do you know this worked?

To verify that you've configured malware filtering to rescan messages that were already scanned by EOP, run this command in the Exchange Management Shell, and verify the value of the ForceRescan property:

Get-MalwareFilteringServer | Format-List Name, ForceRescan
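A bypass that was enabled for troubleshooting and never turned back off leaves mail unscanned, so the BypassFiltering and ForceRescan checks in this topic are worth running across every Mailbox server at once. The following is an added example, not part of the original topic: Test-MalwareFilteringPosture is a hypothetical helper, and the sample rows are constructed so the logic can be tried outside the Exchange Management Shell.

```powershell
# Added example (not from the original topic). Test-MalwareFilteringPosture is a
# hypothetical helper; it reads only the Name, BypassFiltering and ForceRescan
# properties that the Get-MalwareFilteringServer commands above display.
function Test-MalwareFilteringPosture {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Server,
        # Set this when your baseline requires rescanning mail already scanned by EOP.
        [switch]$RequireForceRescan
    )
    process {
        $findings = @()
        if ($Server.BypassFiltering) {
            $findings += 'BypassFiltering is True (troubleshooting bypass still active)'
        }
        if ($RequireForceRescan -and -not $Server.ForceRescan) {
            $findings += 'ForceRescan is False (EOP-scanned mail is not rescanned)'
        }
        [pscustomobject]@{
            Name            = $Server.Name
            BypassFiltering = [bool]$Server.BypassFiltering
            ForceRescan     = [bool]$Server.ForceRescan
            Compliant       = ($findings.Count -eq 0)
            Findings        = $findings -join '; '
        }
    }
}

# Constructed sample rows standing in for Get-MalwareFilteringServer output.
$sampleServers = @(
    [pscustomobject]@{ Name = 'Mailbox01'; BypassFiltering = $true;  ForceRescan = $false }
    [pscustomobject]@{ Name = 'Mailbox02'; BypassFiltering = $false; ForceRescan = $true  }
    [pscustomobject]@{ Name = 'Mailbox03'; BypassFiltering = $false; ForceRescan = $false }
)

# List only the servers that deviate from the baseline.
$sampleServers |
    Test-MalwareFilteringPosture -RequireForceRescan |
    Where-Object { -not $_.Compliant } |
    Format-Table Name, BypassFiltering, ForceRescan, Findings -AutoSize

# In the Exchange Management Shell, feed it live data instead:
#   Get-MalwareFilteringServer | Test-MalwareFilteringPosture
# and check the agent on the local server:
#   (Get-TransportAgent "Malware Agent").Enabled
```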