Anti-malware protection in EOP

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. Some of the major categories of malware are:

  • Viruses that infect other programs and data, and spread through your computer or network looking for programs to infect.

  • Spyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.

  • Ransomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect and remove the malware payload that's associated with the ransomware.

EOP offers multi-layered malware protection that's designed to catch all known malware traveling into or out of your organization. The following options help provide anti-malware protection:

  • Layered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.

  • Real-time threat response: During some outbreaks, the anti-malware team may have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.

  • Fast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.

In EOP, messages that are found to contain malware in any attachments are quarantined, and can only be released from quarantine by an admin. For more information, see Manage quarantined messages and files as an admin in EOP.

For more information about anti-malware protection, see the Anti-malware protection FAQ.

To configure anti-malware policies, see Configure anti-malware policies.

To submit malware to Microsoft, see Report messages and files to Microsoft.

Anti-malware policies

Anti-malware policies control the settings and notification options for malware detections. The important settings in anti-malware policies are:

  • Recipient notifications: By default, a message recipient isn't told that a message intended for them was quarantined due to malware. But, you can enable recipient notifications in the form of delivering the original message with all attachments removed and replaced by a single file named Malware Alert Text.txt that contains the following text:

    Malware was detected in one or more attachments included with this email message.
    Action: All attachments have been removed.
    <Original malware attachment name> <Malware detection result>

    You can replace the default text in the Malware Alert Text.txt file with your own custom text.

  • Common Attachment Types Filter: There are certain types of files that you really shouldn't send via email (for example, executable files). Why bother scanning these types of files for malware, when you should probably block them all, anyway? That's where the Common Attachment Types Filter comes in. It's disabled by default, but when you enable it, the file types you specify are automatically treated as malware. You can use the default list of file types or customize the list. The default file types are: .ace, .ani, .app, .docm, .exe, .jar, .reg, .scr, .vbe, .vbs.

    The Common Attachment Types Filter uses best effort true-typing to detect the file type regardless of the file name extension. If true-typing fails or isn't supported for the specified file type, then simple extension matching is used.

  • Malware zero-hour auto purge (ZAP): Malware ZAP quarantines messages that are found to contain malware after they've been delivered to Exchange Online mailboxes. By default, malware ZAP is on, and we recommend that you leave it on.

  • Sender notifications: By default, a message sender isn't told that their message was quarantined due to malware. But, you can enable notification messages for senders based on whether the sender is internal or external. The default notification message looks like this:

    From: Postmaster postmaster@<defaultdomain>.com
    Subject: Undeliverable message

    This message was created automatically by mail delivery software. Your email message was not delivered to the intended recipients because malware was detected. All attachments were deleted.

    --- Additional Information ---:

    Subject: <message subject>
    Sender: <message sender>

    Time received: <date/time>
    Message ID: <message id>
    Detections found:
    <attachment name> <malware detection result>

    You can customize the From address, subject, and message text for internal and external notifications.

    You can also specify an additional recipient (an admin) to receive notifications for malware detected in messages from internal or external senders.

  • Recipient filters: For custom anti-malware policies, you can specify recipient conditions and exceptions that determine who the policy applies to. You can use these properties for conditions and exceptions:

    • The recipient is
    • The recipient domain is
    • The recipient is a member of

    You can only use a condition or exception once, but the condition or exception can contain multiple values. Multiple values of the same condition or exception use OR logic (for example, <recipient1> or <recipient2>). Different conditions or exceptions use AND logic (for example, <recipient1> and <member of group 1>).

  • Priority: If you create multiple custom anti-malware policies, you can specify the order that they're applied. No two policies can have the same priority, and policy processing stops after the first policy is applied.

    For more information about the order of precedence and how multiple policies are evaluated and applied, see Order and precedence of email protection.

Anti-malware policies in the Security & Compliance Center vs PowerShell

The basic elements of an anti-malware policy are:

  • The malware filter policy: Specifies the recipient notification, sender and admin notification, ZAP, and the Common Attachment Types Filter settings.
  • The malware filter rule: Specifies the priority and recipient filters (who the policy applies to) for a malware filter policy.

The difference between these two elements isn't obvious when you manage anti-malware policies in the Security & Compliance Center:

  • When you create an anti-malware policy, you're actually creating a malware filter rule and the associated malware filter policy at the same time using the same name for both.

  • When you modify an anti-malware policy, settings related to the name, priority, enabled or disabled, and recipient filters modify the malware filter rule. Other settings (recipient notification, sender and admin notification, ZAP, and the Common Attachment Types Filter) modify the associated malware filter policy.

  • When you remove an anti-malware policy, the malware filter rule and the associated malware filter policy are removed.

In Exchange Online PowerShell or standalone EOP PowerShell, the difference between malware filter policies and malware filter rules is apparent. You manage malware filter policies by using the *-MalwareFilterPolicy cmdlets, and you manage malware filter rules by using the *-MalwareFilterRule cmdlets.

  • In PowerShell, you create the malware filter policy first, then you create the malware filter rule that identifies the policy that the rule applies to.
  • In PowerShell, you modify the settings in the malware filter policy and the malware filter rule separately.
  • When you remove a malware filter policy from PowerShell, the corresponding malware filter rule isn't automatically removed, and vice versa.
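The policy-then-rule sequence described above, as an added example that is not part of the original page: it also exercises the Common Attachment Types Filter, ZAP, admin notifications and the AND/OR recipient-filter logic from the earlier section. It assumes an existing Exchange Online PowerShell session; the policy name, addresses, group and domains are placeholders, and the parameter names are those of the cmdlets as the author of this example knows them, not values taken from this page.

```powershell
# Added example: manage the two objects separately, as Exchange Online PowerShell exposes them.
# Assumes Connect-ExchangeOnline has already been run. All names/addresses below are placeholders.

# 1. The malware filter policy carries the detection and notification settings.
New-MalwareFilterPolicy -Name "Finance Malware Policy" `
    -EnableFileFilter $true `
    -FileTypes ace,ani,app,docm,exe,jar,reg,scr,vbe,vbs `
    -ZapEnabled $true `
    -Action DeleteAttachmentAndUseCustomAlert `
    -CustomAlertText "An attachment was removed because malware was detected." `
    -EnableInternalSenderAdminNotifications $true `
    -InternalSenderAdminAddress "secops@contoso.example"

# 2. The malware filter rule binds recipient filters and a priority to that policy.
#    SentToMemberOf and RecipientDomainIs are different conditions, so both must match (AND);
#    the two domains inside RecipientDomainIs are alternatives (OR).
New-MalwareFilterRule -Name "Finance Malware Policy" `
    -MalwareFilterPolicy "Finance Malware Policy" `
    -SentToMemberOf "finance@contoso.example" `
    -RecipientDomainIs contoso.example,contoso-eu.example `
    -Priority 0

# 3. Verify: custom policies show IsDefault False; the built-in Default policy shows True
#    and has no rule of its own, yet still applies last to every recipient.
Get-MalwareFilterPolicy | Format-Table Name,IsDefault,EnableFileFilter,ZapEnabled
Get-MalwareFilterRule   | Format-Table Name,Priority,MalwareFilterPolicy,State

# 4. The objects are independent: removing the policy does not remove the rule, and vice versa.
#    Remove the rule first so no rule is left pointing at a deleted policy.
Remove-MalwareFilterRule   -Identity "Finance Malware Policy" -Confirm:$false
Remove-MalwareFilterPolicy -Identity "Finance Malware Policy" -Confirm:$false
```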

Default anti-malware policy

Every organization has a built-in anti-malware policy named Default that has these properties:

  • The policy is applied to all recipients in the organization, even though there's no malware filter rule (recipient filters) associated with the policy.

  • The policy has the custom priority value Lowest that you can't modify (the policy is always applied last). Any custom anti-malware policies that you create always have a higher priority than the policy named Default.

  • The policy is the default policy (the IsDefault property has the value True), and you can't delete the default policy.