Office 365 Exchange Online Protection (EOP) – Malware Filtering

EOP is a cloud-based email filtering service that simplifies the management of your messaging environment and includes features to protect your organization from messaging-policy violations.

Microsoft Exchange Online Protection (EOP) offers built-in malware and spam filtering that helps protect inbound as well as outbound messages from malicious software, and it protects your network from spam delivered by email. As an admin, you do not need to set up or maintain the filtering technologies; they are enabled by default in EOP. However, you can customize the filtering in the Exchange admin center (EAC) according to your organizational requirements.

 

Anti-malware scanning is performed after connection filtering. A lot of malware comes from compromised home computers and other low-reputation IP ranges, and mail from those sources will already have been blocked by the connection filters. This saves resources, because there is no need to malware-filter every mail that arrives with an attachment.

 

EOP uses several antivirus engines to check email attachments for known viruses and malware.

 

The antivirus engines are updated constantly throughout the day. Malware scanning also handles file type restrictions, so you can block attachment types that are commonly used as carriers for malware, such as executable files and scripts, as well as any other file type you simply do not want to run the risk of accepting.

 

If malware is detected, the message is removed from delivery and held so that an administrator can review it and decide whether to release it. Obviously you do not want to release actual malware, but if you are doing attachment-type filtering, suppose a software vendor sends you an executable file to install as a fix for a bug in their software. You can review that quarantined attachment and then decide to release it if you need to. Most of your control over malware filtering, other than blocking attachment types, is in notifications.

 

You can send no notification at all, or you can notify the designated recipient that the email was withheld. You can also choose whether to notify internal or external senders that their email was quarantined, and you can customize those notifications with tailored messages to help your users understand what is happening.

 

You can configure malware filtering in the Exchange admin center. The Security and Compliance Center also has an anti-malware configuration interface.

Exchange Admin Center:

 

 

Security and Compliance:

 

 

Let's stay in the Security and Compliance Center this time. When you click on anti-malware, you can see that there is already a default malware filter policy, and you can also create additional anti-malware policies. Click + to create a new policy.

 



 

Let's go through the settings. First you need to give it a name.

Malware Detection Response:

 

No -> Do you want to notify the recipient if their message is quarantined? Note that this is quarantining malware, not spam, which is different. Should you inform users that an email sent to them was quarantined by the malware filter? If you choose No, no notification is sent.

 

Yes and use the default notification text -> A notification is sent to the recipient using the default notification text (system-generated notifications are usually not very good).

 

Yes and use custom notification text -> By enabling custom response text you can give more detail about what the end user has to do when they receive this warning message. Wherever possible, use custom notifications that do a better job of explaining to your users what happened.

 



Common Attachment Type Filters:

 

When you first turn it on, a predefined set of file types is already in this list.

 

You can see that this list makes good sense: it includes executable files, registry files, macro-enabled documents and other items that are much higher risk these days.

 

You can add file types to the list if you need to, and you can remove an extension from the list if you need to, although I do not recommend it. If you find that the list is completely empty, it may be that someone has been here before you and removed everything from the list. EOP will not automatically bring anything back into this list for you; you must rebuild it by adding file types and choosing the ones you want to block.

 

When this is turned on, a blocked attachment triggers the Malware Detection Response, which is the first setting you looked at. It is a good idea to inform your users so that they know what to do.

 

Notifications:

 

Do you want to notify the sender of an undelivered message? That is, if a message is blocked or quarantined by the malware filter, do you want to tell the sender that it happened? Say yes for internal senders; it is a good idea to let them know that their outbound email was quarantined by the malware filter. For external senders there is a risk that the sender address is spoofed, so you would be sending a notification to an address that may not be the actual sender of the email. Therefore exclude external senders and notify internal senders only.



Administrator Notifications:

You can also notify administrators when the malware filter blocks or quarantines an email. You do want to notify your IT folks, or at least a specific group of them, that this has happened, because it could be a sign of a compromised user or computer in the organization. But do not notify them every time an external sender is blocked. If you really want to turn that on, by all means do, but in my experience it generates a lot of notifications.

 

Customize Notifications:

 

One more notification to configure. If you are notifying internal senders that their email was blocked by the malware filter, you want it to be a clear, friendly email that your users understand.

 

 

Applied To:

 

You can limit a policy so that it applies only to specific recipients, to recipients in a particular domain of your organization, or to members of a group.

 

There may be some recipients for whom the policy needs to be applied differently.

 

The rest of your organization should not be allowed to receive executable files, so there is a case for configuring two different malware filter policies and scoping them to those two different groups of users.

 

Once done, click Save.
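The same policy can be built from PowerShell with the ExchangeOnlineManagement module, which is handy when you need the "two policies, two groups" setup described above. This is an added example, not from the original post; the policy and rule names, the group address, the admin mailbox, the contoso.example addresses and the file-type list are all constructed placeholders.

```powershell
# Added example: build the anti-malware policy walked through above via
# New-MalwareFilterPolicy / New-MalwareFilterRule instead of the portal.
# All names and addresses below are constructed placeholders.
Connect-ExchangeOnline   # interactive sign-in; needs the ExchangeOnlineManagement module

# Malware Detection Response: "Yes and use custom notification text".
# Common Attachment Type Filter: an explicit list, so it can never be silently empty.
# Notifications: internal senders and admins yes, external senders/admins no (spoofing risk).
$policy = New-MalwareFilterPolicy -Name "Strict Attachment Policy" `
    -Action DeleteAttachmentAndUseCustomAlert `
    -CustomAlertText "An attachment was removed by the malware filter. Contact the service desk if you expected this file." `
    -EnableFileFilter $true `
    -FileTypes @("exe","scr","vbs","js","bat","cmd","reg","docm","xlsm") `
    -EnableInternalSenderNotifications $true `
    -EnableExternalSenderNotifications $false `
    -EnableInternalSenderAdminNotifications $true `
    -InternalSenderAdminAddress "secops@contoso.example" `
    -EnableExternalSenderAdminNotifications $false `
    -CustomNotifications $true `
    -CustomFromName "IT Security" `
    -CustomFromAddress "it-security@contoso.example" `
    -CustomInternalSubject "Your message was quarantined by the malware filter" `
    -CustomInternalBody "Your outbound message was quarantined because an attachment was blocked. Do not resend it; contact the service desk."

# Applied To: scope the policy to members of one group. Recipients outside the
# group keep falling through to the default (or another) policy.
New-MalwareFilterRule -Name "Strict Attachment Policy - Restricted Users" `
    -MalwareFilterPolicy $policy.Name `
    -SentToMemberOf "Restricted-Users@contoso.example"

# Check: the post notes the attachment list can be emptied and EOP will not
# refill it. Warn about any policy with file filtering on but no file types.
Get-MalwareFilterPolicy |
    Where-Object { $_.EnableFileFilter -and $_.FileTypes.Count -eq 0 } |
    ForEach-Object { Write-Warning "Policy '$($_.Name)' has file filtering enabled but an empty file-type list" }
```

Some of the sender-notification parameters have been deprecated in newer EOP builds and are accepted but ignored, so confirm the effective settings with Get-MalwareFilterPolicy after running this in your tenant.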
