Anti-Spam and Anti-Malware Protection in Exchange 2013 (Part 3)

In the first two parts of this article series, we had a look at anti-spam in Exchange 2013 and how it is practically unchanged from Exchange 2007 and 2010, as well as some of the new features surrounding anti-malware protection in Exchange 2013.

Anti-Malware Policies

When malware filtering is first enabled in Exchange 2013, the default anti-malware policy controls the company-wide malware filtering settings. Administrators can view and edit, but not delete, this default anti-malware policy so that it is configured to best meet the organization’s requirements.

Custom malware filtering policies can also be created for greater granularity, and these can be applied to specified users, groups or even domains in the organization. Custom policies always take precedence over the default policy, but their priority (running order) can be changed.

  1. In the EAC, navigate to Protection > Malware filter;
  2. Do one of the following:
    • Double-click the default policy in order to edit it;
    • Click the New icon to create a new policy (you can also edit existing custom policies by double-clicking them).

Figure 3.1

In this case I will be creating a new policy:

  3. Specify a name for this policy;
  4. Click the Settings menu option. In the Malware Detection Response section, use the option buttons to select the action to take when malware is detected in a message:
    • Delete the entire message – this option (default) prevents the entire message, including attachments, from being delivered to the intended recipients;

    • Delete all attachments and use default alert text – this option deletes all message attachments, not just the infected one, and inserts the following default alert text into a text file that replaces the attachments: “Malware was detected in one or more attachments included with this e-mail. All attachments have been deleted.”;

    • Delete all attachments and use custom alert text – this option deletes all message attachments, not just the infected one, and inserts a custom message into a text file that replaces the attachments. Selecting this option enables the Custom alert text field where you must type a custom message.

Note that in case malware is detected in the message body, the entire message, including all attachments, will be deleted regardless of which option you select. This action is applied to both inbound and outbound messages;

Figure 3.2

  5. In the Notifications section, you have the option to send a notification e-mail to senders or administrators when a message is detected as malware and is not delivered. These notifications are only sent when the entire message is deleted.
    • In the Sender Notifications section, select the check boxes to Notify internal senders (those within the organization) or to Notify external senders (those outside the organization) when a detected message is not delivered;
    • Similarly, in the Administrator Notifications section, select the check boxes to Notify administrator about undelivered messages from internal senders or to Notify administrator about undelivered messages from external senders. Specify the e-mail address(es) of the administrator in their respective Administrator e-mail address fields after selecting one or both of these check boxes. Use a semicolon to separate multiple addresses.

      The default notification text is “This message was created automatically by mail delivery software. Your e-mail message was not delivered to the intended recipients because malware was detected.” The language in which the default notification text is sent is dependent on the locale of the message being processed;

    • In the Customize Notifications section, you can create customized notification text to be used in place of the default notification text for sender and administrator notifications. Select the Use customized notification text check box, and then specify values in the following required fields:
      • From name – the name to be used as the sender of the customized notification;
      • From address – the e-mail address to be used as the sender of the customized notification;
      • Messages from internal senders – the Subject and Message of the notification if the detected message originated from an internal sender;
      • Messages from external senders – the Subject and Message of the notification if the detected message originated from an external sender.
  6. Under Apply to you can create a condition-based rule to specify the users, groups, and/or domains for whom to apply this policy (you can create multiple conditions provided that they are unique):
    • To select users, select The recipient is. In the subsequent dialog box, select one or more senders from the user picker list and then click add. To add senders who are not on the list, type their e-mail addresses and click Check names. In this box, you can also use wildcards for multiple e-mail addresses (such as *@domain.com). When you are done with your selections, click ok to return to the main screen;
    • To select groups, select The recipient is a member of and then, in the subsequent dialog box, select or specify the groups. Click ok to return to the main screen;
    • To select domains, select The recipient domain is and then, in the subsequent dialog box, add the domains. Click ok to return to the main screen.
  7. You can create exceptions within the rule; for example, you can filter messages from all domains except for a certain domain. Click add exception and then create your exception conditions similar to the way you created the other conditions;

Figure 3.3

  8. Click Save. A summary of your default policy settings appears in the right pane.

You can select or clear the check boxes in the ENABLED column to enable or disable custom policies. All policies are enabled by default, and the default policy cannot be disabled.

Figure 3.4: Malware Policy Summary

Custom policies always take precedence over the default policy. Custom policies run in the reverse order that they were created (from oldest to newest), but you can change the priority (running order) of custom policies by clicking the up arrow and down arrow. The policy with a PRIORITY of 0 will run first, followed by 1, then 2, and so on.

You can also use the following cmdlets to manage policies and rules:

  • New/Get/Remove/Set-MalwareFilterPolicy
  • Disable/Enable/Get/New/Remove/Set-MalwareFilterRule
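
As an added example (not part of the original article), the custom policy built in the steps above can be created from the Exchange Management Shell with these cmdlets. The policy and rule names, the Sales group, the excepted mailbox and the contoso.com addresses are placeholders assumed for illustration.

```powershell
# Added example: all names, groups and addresses are placeholders (assumptions).

# Policy: delete all attachments and replace them with a text file
# containing custom alert text (the third response option in step 4).
New-MalwareFilterPolicy -Name 'Sales Malware Policy' `
    -Action DeleteAttachmentAndUseCustomAlert `
    -CustomAlertText 'Attachments removed: malware was detected in this message.'

# Rule: ties the policy to recipients (step 6) with one exception (step 7).
# Conditions are recipient-based: SentTo, SentToMemberOf, RecipientDomainIs.
New-MalwareFilterRule -Name 'Sales Malware Rule' `
    -MalwareFilterPolicy 'Sales Malware Policy' `
    -SentToMemberOf 'Sales' `
    -ExceptIfSentTo 'lab.mailbox@contoso.com' `
    -Priority 0

# Review the running order: priority 0 is evaluated first.
Get-MalwareFilterRule | Sort-Object Priority |
    Format-Table Name, Priority, State, MalwareFilterPolicy -AutoSize

# Confirm the response configured on each policy, including the default one.
Get-MalwareFilterPolicy | Format-List Name, Action, CustomAlertText

# Move an existing rule in the running order, or switch it off temporarily.
Set-MalwareFilterRule -Identity 'Sales Malware Rule' -Priority 1
Disable-MalwareFilterRule -Identity 'Sales Malware Rule' -Confirm:$false
```

A recipient listed in an exception is only excluded from that custom policy; messages to that recipient are still scanned under the default policy.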

To verify that malware filtering is working correctly, we can use the EICAR.TXT antivirus test file. This is a computer file that was developed by the European Institute for Computer Antivirus Research (EICAR) and the Computer Antivirus Research Organization (CARO) to test the response of computer antivirus programs. Instead of using real malware, which could do real damage, this test file allows administrators and developers to test antivirus software without having to use a real computer virus. Antivirus programmers set the EICAR string as a verified virus, similar to other identified signatures. A compliant virus scanner, when detecting the file, will respond in exactly the same manner as if it found a harmful virus. However, not all virus scanners are compliant, and may not detect the file even when they are correctly configured.

  1. Create a new text file, and then name the file EICAR.TXT;
  2. Copy the following line into the text file:
    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
    Make sure that this is the only string in the file and that the folder you are saving the file to is excluded from scanning;
  3. Attach this file to an e-mail message that will be filtered by Exchange 2013. Check the recipient mailbox of the test message. Depending on the malware detection response you have configured, the entire message will be deleted, or the attachment will be deleted and replaced with the alert text file. Any configured notifications will also be distributed.
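
The test procedure above can also be scripted, as in this added example (not part of the original article). The excluded folder, SMTP server name and mailbox addresses are placeholders, and it assumes the Exchange server accepts SMTP submission from the test host.

```powershell
# Added example: folder, server and addresses are placeholders (assumptions).
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$path  = 'C:\AVExcluded\EICAR.TXT'   # folder must be excluded from local AV scanning

# Write the string as plain ASCII with no BOM and no trailing newline,
# so that it is the only content in the file.
[System.IO.File]::WriteAllText($path, $eicar, [System.Text.Encoding]::ASCII)

# The test string is 68 bytes long; any other size means an editor or
# a local scanner has altered the file and the test would be invalid.
$size = (Get-Item $path).Length
if ($size -ne 68) { throw "Unexpected EICAR.TXT size: $size bytes" }

# Send the file to a mailbox covered by the policy under test.
Send-MailMessage -SmtpServer 'mail.contoso.com' `
    -From 'tester@contoso.com' -To 'salesuser@contoso.com' `
    -Subject 'Malware filter test (EICAR)' `
    -Body 'Harmless EICAR test attachment.' `
    -Attachments $path
```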

If we now send an e-mail to a user in the Sales department with attached malware, the recipient will receive attachments replaced by a TXT file with the text we entered in step 4 previously:

Figure 3.5: Malware Detection Response

Questions and Answers

This section provides a few common Q&A around the anti-malware protection feature of Exchange 2013.

Q. Where does malware scanning occur?

A. Malware scanning is performed on messages sent to or received from a mailbox server. Malware scanning is not performed on a message accessed from a mailbox because it should have already been scanned. If a message is re-sent from a mailbox, it’s rescanned. This means that e-mails imported from a PST file, for example, will not be scanned unless they are forwarded.

Q. How can I submit malware that made it past the filter to Microsoft?

A. If you have received malware such as a virus that made it past the filter, please save a copy of the e-mail message with its attached virus, go to the Malware Protection Center and submit a sample using the instructions on that page. When submitting the file, in the Product drop-down list select Other, select the I suspect this file contains malware option, and in the Comments field specify Exchange Server 2013.

Figure 3.6: Submitting Malware

Q. How can I submit a file that I believe was incorrectly detected as malware?

A. Similar to submitting malware, go to the Malware Protection Center and submit a sample using the instructions on that page. When submitting the file, in the Product drop-down list select Other, select the I believe this file should not be detected as malware option, and in the Comments field specify Exchange Server 2013.

Q. Where can I get the messages that have been deleted by the malware filter?

A. If a message contains active malicious code, it is simply deleted and, therefore, there is no way of accessing it.

Q. So what are the Get/Remove/Resume-MalwareFilterRecoveryItem cmdlets for?

A. This feature was not intended to be a quarantine for e-mails containing malware, but a way to archive e-mails that have errors during scanning (there is no quarantine feature for anti-malware). These cmdlets were specifically geared towards Exchange Online, not on-premises deployments, and they should no longer appear in on-premises deployments with CU1 or above.

Q. I am not able to receive a specific attachment because it is being filtered by Exchange’s anti-malware. Can I allow this attachment through via Exchange transport rules?

A. No. Transport rules cannot be used to bypass the malware filter. If you would like this attachment to bypass the malware filter, send the attachment to the intended recipient within a password-protected .zip file. Any password-protected file bypasses malware filtering because the filter is not able to open the file for scanning.

Conclusion

In this article series, we discussed the anti-spam and anti-malware capabilities of Exchange 2013. We saw that Exchange 2013’s built-in malware scanning capabilities provide basic protection, which means they are not suitable for every organization in the way the old Forefront Protection for Exchange was. It is possible to purchase a commercial product and disable the built-in protection. However, Microsoft recommends leaving it enabled when planning to use EOP, as doing so provides a stronger, more in-depth defense with multiple scanning mechanisms being used.

2 thoughts on “Anti-Spam and Anti-Malware Protection in Exchange 2013 (Part 3)”

  1. How do I bypass a single sender from scanning? As per point 6, “select one or more senders”, there is no way to select a sender in ECP -> malware filter rule. It says recipient-based rules.

    1. Hi Raxit,

      When creating the policy, click on “add exception” and then select “the recipient is”.

      regards,
      Nuno
