Antimalware protection in Exchange Server

Antimalware protection in Exchange Server 2016 helps combat viruses and spyware in your email messaging environment. Viruses infect other programs and data, and they spread throughout your computer looking for programs to infect. Spyware gathers personal information (for example, sign-in information and personal data) and sends it back to its author.

The antimalware protection in Exchange Server was introduced in Exchange 2013, and is provided by the Transport agent named Malware Agent. The agent scans messages as they travel through the Transport service on a Mailbox server. You configure malware filtering by using:

  • Antimalware policies: Specify inbound and outbound scanning and notification options for malware filtering. There's a default policy that applies to all recipients in the Exchange organization, and you can create additional policies that are applied in a specific order.

  • Antimalware server settings: Specify the error and retry actions, and the engine and definition update settings for malware filtering. The Malware agent uses Internet access on TCP port 80 (HTTP) to check for engine and definition updates every hour.

  • Antimalware scripts: Enable or disable malware filtering on the server, and manually download engine and definition updates.

For procedures related to malware filtering, see Procedures for antimalware protection in Exchange Server. For more information about the antispam features in Exchange Server, see Antispam protection in Exchange Server.

Antimalware policies

Antimalware policies control the actions and notification options for malware detections. The important settings in antimalware policies are:

  • Action: Specifies what to do when a message is found to contain malware. The options are:

    • Delete the message (this is the default value).

    • Replace all attachments with a text file that contains this default text:

      Malware was detected in one or more attachments included with this email. All attachments have been deleted.

    • Replace all attachments with a text file that contains the custom text you specify.

  • Notifications: When an antimalware policy is configured to delete messages, you can choose whether to send a notification message to the sender. You can send notification messages based on whether the sender is internal or external. The default notification message has these properties:

    • From: Postmaster postmaster@<defaultdomain>.com

    • Subject: Undeliverable message

    • Message text: This message was created automatically by mail delivery software. Your email message was not delivered to the intended recipients because malware was detected.

    You can customize the message properties for internal and external notifications. You can also specify additional recipients (administrators) to receive notifications for undeliverable messages from internal or external senders.

  • Recipient filters: For custom antimalware policies, you can specify recipient conditions and exceptions that determine who the policy applies to. You can use these properties for conditions and exceptions:

    • By recipient

    • By accepted domain

    • By group membership

    You can only use a condition or exception once, but the condition or exception can contain multiple values. Multiple values of the same condition or exception use OR logic (for example, <recipient1> or <recipient2>). Different conditions or exceptions use AND logic (for example, <recipient1> and <member of group 1>).

  • Priority: If you create multiple custom antimalware policies, you can specify the order that they're applied.

Antimalware policies in the Exchange admin center vs the Exchange Management Shell

The basic elements of an antimalware policy are:

  • The malware filter policy: Specifies the action and notification options for malware filtering.

  • The malware filter rule: Specifies the priority and recipient filters (who the policy applies to) for a malware filter policy.

The difference between these two elements isn't obvious when you manage antimalware policies in the Exchange admin center (EAC):

  • When you create an antimalware policy in the EAC, you're actually creating a malware filter rule and the associated malware filter policy at the same time using the same name for both.

  • When you modify an antimalware policy in the EAC, settings related to the name, priority, enabled or disabled state, and recipient filters modify the malware filter rule. Other settings (actions and notification options) modify the associated malware filter policy.

  • When you remove an antimalware policy from the EAC, the malware filter rule and the associated malware filter policy are removed.

In the Exchange Management Shell, the difference between malware filter policies and malware filter rules is apparent. You manage malware filter policies by using the *-MalwareFilterPolicy cmdlets, and you manage malware filter rules by using the *-MalwareFilterRule cmdlets.

  • In the Exchange Management Shell, you create the malware filter policy first, then you create the malware filter rule that identifies the policy that the rule applies to.

  • In the Exchange Management Shell, you modify the settings in the malware filter policy and the malware filter rule separately.

  • When you remove a malware filter policy from the Exchange Management Shell, the corresponding malware filter rule isn't automatically removed, and vice versa.
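The policy-then-rule sequence above, as an added Exchange Management Shell example that is not part of the original page: the policy carries the action and admin notification, the rule carries the recipient filter and priority, and the two are created, inspected and removed separately. The policy and rule names, addresses and group are constructed placeholders; the cmdlets and parameters are assumed to be the ones documented for Exchange 2016.

```powershell
# Added example (not from the Exchange documentation): create a custom
# malware filter policy, then the rule that binds it to recipients.
# Names, addresses and the group below are constructed placeholders.

# 1. The policy holds the action and notification settings.
New-MalwareFilterPolicy -Name "Finance Attachments" `
    -Action DeleteAttachmentAndUseCustomAlert `
    -CustomAlertText "An attachment was removed because malware was detected." `
    -EnableInternalSenderAdminNotifications $true `
    -InternalSenderAdminAddress "secops@contoso.example"

# 2. The rule supplies the recipient filter and priority and points at the policy.
#    Values inside one condition use OR; separate conditions are combined with AND.
New-MalwareFilterRule -Name "Finance Attachments" `
    -MalwareFilterPolicy "Finance Attachments" `
    -SentToMemberOf "finance@contoso.example" `
    -ExceptIfSentTo "finance-alerts@contoso.example" `
    -Priority 0

# 3. Review the result: the rule shows who it applies to, the policy what it does.
Get-MalwareFilterRule "Finance Attachments" |
    Format-List Name, Priority, State, MalwareFilterPolicy, SentToMemberOf, ExceptIfSentTo
Get-MalwareFilterPolicy "Finance Attachments" |
    Format-List Name, Action, CustomAlertText, IsDefault

# 4. Removing the policy does not remove the rule (and vice versa), so clean up
#    both, rule first; -Confirm:$false suppresses the prompt.
# Remove-MalwareFilterRule   "Finance Attachments" -Confirm:$false
# Remove-MalwareFilterPolicy "Finance Attachments" -Confirm:$false
```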

Default antimalware policy

Every Mailbox server has a built-in antimalware policy named Default that has these properties:

  • The malware filter policy named Default is applied to all recipients in the Exchange organization, even though there's no malware filter rule (recipient filters) associated with the policy.

  • The policy named Default has the custom priority value Lowest that you can't modify (the policy is always applied last). Any custom antimalware policies that you create always have a higher priority than the policy named Default.

  • The policy named Default is the default policy (the IsDefault property has the value True), and you can't delete the default policy.

Antimalware server settings

You can use the Get-MalwareFilteringServer and Set-MalwareFilteringServer cmdlets in the Exchange Management Shell to view and configure the update, timeout, and download settings for the Malware agent on the Mailbox server. For procedures that use these cmdlets, see Use the Exchange Management Shell to bypass malware filtering on Mailbox servers and Use the Exchange Management Shell to configure malware filtering to rescan messages that were already scanned by EOP.
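As an added example that is not part of the original page, the following script uses Get-MalwareFilteringServer together with Get-TransportAgent to audit every Mailbox server and flag settings that weaken filtering (agent disabled, filtering bypassed, updates less often than hourly, scan errors allowed through). The server name in the remediation line is a constructed placeholder; the property names are assumed from the Exchange 2016 cmdlet set.

```powershell
# Added example (not from the Exchange documentation): audit the Malware agent
# configuration on every Mailbox server and report weakened settings.
# Cmdlet and property names are assumed from the Exchange 2016 cmdlet set.

$findings = foreach ($server in Get-MailboxServer) {
    $name  = $server.Name
    $cfg   = Get-MalwareFilteringServer -Identity $name
    # The agent runs in the Transport (Hub) service on the Mailbox server.
    $agent = Get-TransportAgent -TransportService Hub -Server $name |
             Where-Object { $_.Identity -eq "Malware Agent" }

    $issues = @()
    if (-not $agent -or -not $agent.Enabled) { $issues += "Malware agent disabled" }
    if ($cfg.BypassFiltering)                 { $issues += "BypassFiltering is True" }
    if ($cfg.UpdateFrequency -gt 60)          { $issues += "UpdateFrequency $($cfg.UpdateFrequency) min (less often than hourly)" }
    if ($cfg.ScanErrorAction -ne "Block")     { $issues += "ScanErrorAction is $($cfg.ScanErrorAction)" }

    [pscustomobject]@{
        Server    = $name
        AgentOn   = [bool]($agent -and $agent.Enabled)
        Bypass    = $cfg.BypassFiltering
        UpdateMin = $cfg.UpdateFrequency
        OnError   = $cfg.ScanErrorAction
        Issues    = ($issues -join "; ")
    }
}

# One row per server; an empty Issues column means nothing was flagged.
$findings | Format-Table -AutoSize

# Remediate a server found bypassing filtering ("MBX01" is a constructed name).
# Set-MalwareFilteringServer -Identity "MBX01" -BypassFiltering $false -UpdateFrequency 60
```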

Antimalware scripts

Exchange includes two Exchange Management Shell scripts that you can use to manage malware filtering:

  • Disable-Antimalwarescanning.ps1 disables the Malware agent, and malware engine and definition updates on the Mailbox server.

  • Enable-Antimalwarescanning.ps1 enables the Malware agent, enables malware engine and definition updates, and runs engine and definition updates on the Mailbox server.

  • Update-MalwareFilteringServer.ps1 manually runs malware engine and definition updates on the Mailbox server.

For more information about using these scripts, see Use the Exchange Management Shell to enable or disable malware filtering on Mailbox servers and Download antimalware engine and definition updates.

Antimalware protection options in Exchange Server

This list describes the antimalware options for Exchange:

  • Built-in antimalware protection: You can use the built-in antimalware protection in Exchange to help you combat malware. You can use it by itself, or you can pair it with other antimalware solutions to provide a layered defense against malware.

  • Exchange Online Protection (EOP): You can pay for a subscription to EOP, which is the antimalware solution that's used in Microsoft 365 and Office 365. EOP leverages partnerships with several antimalware engines to provide efficient, cost-effective, and multi-layered antimalware protection. The advantages of pairing the built-in antimalware protection with EOP are:

    • EOP uses multiple antimalware engines, while the built-in antimalware protection uses a single engine.

    • EOP has reporting capabilities, including malware statistics.

    • EOP provides the message trace feature for self-troubleshooting mail flow problems, including malware detections.

      For more information about EOP, see Anti-malware protection in EOP.

  • Third-party antimalware protection: You can buy a third-party antimalware program.

Antimalware FAQ for Exchange

This section answers the frequently asked questions about built-in malware filtering and scanning in Exchange.

Why did malware that was identified by other antimalware services get past Exchange antimalware filtering?

There are two likely reasons:

  • The most likely scenario is that the message attachment doesn't actually contain any active malicious code. Some antimalware engines are more aggressive than others, and these engines might stop messages simply because they contain truncated malware payloads that don't actually do anything.

  • The malware you received is a new variant, and our antimalware engine hasn't released a pattern file for it (yet).

I received a message with an unfamiliar attachment. Is this malware, or can I disregard this attachment?

We strongly advise that you don't open any attachments that you don't recognize. If you would like us to investigate the attachment, submit it to us as described in the next item.

How do I submit known malware, suspicious files, or false positives to Microsoft?

Save a copy of the message and upload the message to the Microsoft Security Intelligence website so we can examine it.

If the sample contains malware, we'll take corrective action to prevent the virus from going undetected. If the sample is clean, we'll take corrective action to prevent the file from being detected as malware.

Where can I get the messages that have been deleted by the malware filter?

You can't. The messages were found to contain active malicious code, so they were deleted.

Can I use mail flow rules to bypass malware filtering?

No, you can't use mail flow rules (also known as transport rules) to bypass the Malware agent. Instead, send the attachment in a password-protected .zip file (password-protected .zip files are bypassed by malware filtering).