### YamlMime:FAQ
metadata:
ms.date: 1/17/2024
title: Anti-malware protection FAQ
f1.keywords:
- NOCSH
author: chrisda
ms.author: chrisda
manager: bagol
audience: ITPro
ms.topic: faq
ms.localizationpriority: medium
search.appverid:
- MET150
ms.assetid: 013c8a5f-8990-40e4-bfa8-f92ff1042623
ms.collection:
- m365-security
- tier2
ms.custom:
- seo-marvel-apr2020
description: Admins can view frequently asked questions and answers about anti-malware protection for email in Microsoft 365.
ms.service: defender-office-365
title: Frequently asked questions - Anti-malware protection
summary: |
[!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)]
**Applies to**
- [Built-in security features for all cloud mailboxes](eop-about.md)
- [Microsoft Defender for Office 365 Plan 1 and Plan 2](mdo-about.md#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet)
- [Microsoft Defender XDR](/defender-xdr/microsoft-365-defender)
This article provides frequently asked questions and answers about anti-malware protection for email in Microsoft 365 organizations with cloud mailboxes.
For questions and answers about the quarantine, see [Quarantine FAQ](quarantine-faq.yml).
For questions and answers about anti-spam protection, see [Frequently asked questions: Anti-spam protection](anti-spam-protection-faq.yml).
For questions and answers about anti-spoofing protection, see [Anti-spoofing protection FAQ](anti-phishing-protection-spoofing-faq.yml).
sections:
- name: Ignored
questions:
- question: |
What are best practice recommendations for configuring and using the service to combat malware?
answer: |
See [Anti-malware policy settings](recommended-settings-for-eop-and-office365.md#anti-malware-policy-settings).
- question: |
How often are the malware definitions updated?
answer: |
Each server checks for new malware definitions every hour.
- question: |
How many anti-malware partners do you have? Can I choose which malware engines we use?
answer: |
As of July 2024, messages are scanned with the Microsoft anti-malware engine only.
- question: |
Where does malware scanning occur?
answer: |
We scan for malware in messages that are sent to or sent from a mailbox (messages in transit). For Exchange Online mailboxes, we also have [zero-hour auto purge (ZAP) for malware](zero-hour-auto-purge.md#zero-hour-auto-purge-zap-for-malware) to scan messages that have already been delivered. If you resend a message from a mailbox, then it's scanned again (because it's in transit).
- question: |
If I make a change to an anti-malware policy, how long does it take after I save my changes for them to take effect?
answer: |
It might take up to 1 hour for the changes to take effect.
- question: |
Does the service scan internal messages for malware?
answer: |
For Microsoft 365 organizations with cloud mailboxes, the service scans for malware in all inbound and outbound messages, including messages sent between internal recipients.
- question: |
Is heuristic scanning enabled?
answer: |
Yes. Messages are scanned for both known malware (signature matches) and unknown malware (heuristic detection of suspicious content that doesn't match an existing signature).
- question: |
Can the service scan compressed files (such as .zip files)?
answer: |
Yes. Anti-malware can drill into compressed (archive) files.
- question: |
Is the compressed attachment scanning support recursive (.zip within a .zip within a .zip) and if so, how deep does it go?
answer: |
Yes, recursive scanning of compressed files scans many layers deep.
- question: |
Does the service work with legacy Exchange versions and non-Exchange environments?
answer: |
Yes. The service is server agnostic: it scans messages in transit, so it doesn't depend on the version or type of mail server on either end.
- question: |
What's a zero-day virus and how is it handled by the service?
answer: |
A zero-day virus is a first generation, previously unknown variant of malware that's never been captured or analyzed.
After a zero-day virus sample is captured and analyzed by our anti-malware engine, a definition and a unique signature are created to detect the malware.
When a definition or signature exists for the malware, it's no longer considered zero-day.
- question: |
How can I configure the service to block specific executable files (such as \*.exe) that I fear may contain malware?
answer: |
You can configure the *common attachments filter* (also known as *common attachment blocking*) as described in [Common attachments filter in anti-malware policies](anti-malware-protection-about.md#common-attachments-filter-in-anti-malware-policies).
You can also create an Exchange mail flow rule (also known as transport rule) that blocks any email attachment that has executable content. For instructions, see [Use mail flow rules to block messages with executable attachments in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-block-executable-attachments).
For increased protection, we also recommend using the **Any attachment file extension includes these words** condition in mail flow rules to block some or all of the following extensions: `ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh`.
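As an added example (not part of this FAQ or Microsoft's own samples), the following Exchange Online PowerShell applies both recommendations above in one pass: it turns on the common attachments filter in the default anti-malware policy with the extension list from this answer, then creates the two mail flow rules (one for executable content, one for the extension list). It assumes you've already run `Connect-ExchangeOnline` with an account that can manage anti-malware policies and mail flow rules; the rule names and reject text are placeholders chosen for the example.

```powershell
# Added example, not code from the FAQ. Assumes Connect-ExchangeOnline has already
# been run. Rule names and reject text below are placeholders.

# The extension list from the answer above.
$blockedExtensions = @(
  'ade','adp','ani','bas','bat','chm','cmd','com','cpl','crt','hlp','ht','hta',
  'inf','ins','isp','job','js','jse','lnk','mda','mdb','mde','mdz','msc','msi',
  'msp','mst','pcd','reg','scr','sct','shs','url','vb','vbe','vbs','wsc','wsf','wsh'
)

# 1. Common attachments filter in the default anti-malware policy.
#    -FileTypes REPLACES the policy's current list (it doesn't append).
#    Reject returns an NDR to the sender; use -FileTypeAction Quarantine instead
#    if you'd rather keep the message for review.
Set-MalwareFilterPolicy -Identity Default `
  -EnableFileFilter $true `
  -FileTypes $blockedExtensions `
  -FileTypeAction Reject

# 2a. Mail flow rule: block attachments whose content is executable. This
#     inspects the file itself, so renaming payload.exe to payload.txt doesn't help.
New-TransportRule -Name 'Block executable attachments (content inspection)' `
  -AttachmentHasExecutableContent $true `
  -RejectMessageReasonText 'Executable attachments are not accepted by this organization.' `
  -Priority 0

# 2b. Mail flow rule: block the extension list, regardless of what content
#     inspection concludes (covers script and shortcut types that aren't PE files).
New-TransportRule -Name 'Block risky attachment extensions' `
  -AttachmentExtensionMatchesWords $blockedExtensions `
  -RejectMessageReasonText 'Attachments of this file type are not accepted by this organization.' `
  -Priority 1

# Verify what's actually in effect after the change.
Get-MalwareFilterPolicy -Identity Default |
  Format-List EnableFileFilter, FileTypeAction, FileTypes, ZapEnabled
Get-TransportRule |
  Where-Object { $_.Name -like 'Block *' } |
  Format-Table Name, State, Priority
```

If the default policy already carries a file-type list you want to keep, read it first with `(Get-MalwareFilterPolicy -Identity Default).FileTypes` and merge before calling `Set-MalwareFilterPolicy`. Both controls act on the attachment's type or extension, independently of malware scanning, which still runs on every message.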
- question: |
Why did a specific malware get past the filters?
answer: |
The malware that you received is a new variant (see [What's a zero-day virus and how is it handled by the service?](#what-s-a-zero-day-virus-and-how-is-it-handled-by-the-service-)). The time it takes to produce a definition update depends on when a sample of the new variant is captured and analyzed.
Remember, no user or admin-configurable setting can exempt email attachments from being scanned by anti-malware protection. The one exception is a mailbox identified as a SecOps mailbox in the advanced delivery policy, which is intended for security teams and is described later in this article.
- question: |
How can I submit malware that made it past the filters to Microsoft? Also, how can I submit a file that I believe was incorrectly detected as malware?
answer: |
See [Report messages and files to Microsoft](submissions-report-messages-files-to-microsoft.md).
- question: |
I received an email message with an unfamiliar attachment. Is this malware or can I disregard this attachment?
answer: |
We strongly advise that you don't open any attachments you don't recognize. If you would like us to investigate the attachment, [report the file to Microsoft](submissions-report-messages-files-to-microsoft.md).
- question: |
Where can I get messages that were deleted by the malware filters?
answer: |
The messages contain active malicious code and therefore we don't allow access to these messages. They're unceremoniously deleted.
- question: |
I'm not able to receive a specific attachment because it's being falsely identified as malware. Can I allow this attachment through via mail flow rules?
answer: |
No. You can't use Exchange mail flow rules to skip malware filtering. The only way to skip malware filtering for a recipient is to identify the mailbox as a SecOps mailbox. SecOps mailboxes are intended for security teams that need to receive unfiltered messages for analysis; don't use them to exempt ordinary users' mailboxes. Instead, report the false positive to Microsoft (see the submission question earlier in this article). For more information, see [Use the Microsoft Defender portal to configure SecOps mailboxes in the advanced delivery policy](advanced-delivery-policy-configure.md#use-the-microsoft-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy).
- question: |
Can I get reporting data about malware detections?
answer: |
Yes, you can access reports in the Microsoft Defender portal. For more information, see [View email security reports in the Microsoft Defender portal](reports-email-security.md).
- question: |
Is there a tool that I can use to follow a malware-detected message through the service?
answer: |
Yes, the message trace tool enables you to follow email messages as they pass through the service. For more information about how to use the message trace tool to find out why a message was detected as containing malware, see [Message trace in the modern Exchange admin center](/exchange/monitoring/trace-an-email-message/message-trace-modern-eac).
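As an added example (not from the original FAQ), this Exchange Online PowerShell uses the message trace cmdlets to list recent messages to one recipient whose trace detail records a malware event, which is the same information the Exchange admin center's message trace shows. It assumes `Connect-ExchangeOnline` has already been run; the recipient address and the seven-day window are made-up inputs, and the `-match 'malware'` filter on the event and detail text is an assumption about the wording of the trace detail, not a documented field value, so adjust it against what your tenant actually returns.

```powershell
# Added example, not code from the FAQ. Assumes Connect-ExchangeOnline has already
# been run. Recipient and window are made-up inputs.

$recipient = 'user@contoso.com'   # made-up example recipient
$end       = Get-Date
$start     = $end.AddDays(-7)     # Get-MessageTrace only covers the most recent days

# Summary records: one per message/recipient pair.
$trace = Get-MessageTrace -RecipientAddress $recipient -StartDate $start -EndDate $end

foreach ($msg in $trace) {
  # Detail records: one event per processing step (receive, filtering, delivery, ...).
  # MessageTraceId plus RecipientAddress identifies a single trace.
  $detail = Get-MessageTraceDetail -MessageTraceId $msg.MessageTraceId `
                                   -RecipientAddress $msg.RecipientAddress

  # ASSUMPTION: the filtering step that catches malware mentions "malware" in its
  # Event or Detail text. Loosen or tighten this after inspecting real output.
  $malwareEvents = $detail | Where-Object { ($_.Event + ' ' + $_.Detail) -match 'malware' }

  if ($malwareEvents) {
    [pscustomobject]@{
      Received = $msg.Received
      Sender   = $msg.SenderAddress
      Subject  = $msg.Subject
      Status   = $msg.Status
      Events   = ($malwareEvents | ForEach-Object { $_.Event })  -join ', '
      Detail   = ($malwareEvents | ForEach-Object { $_.Detail }) -join ' | '
    }
  }
}
```

Run it without the `Where-Object` filter once to see every event the trace detail records for a known malware-detected message, then narrow the match to the exact event text your tenant produces.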
- question: |
Can I use a non-Microsoft anti-spam and anti-malware provider with Exchange Online?
answer: |
Yes. Generally, we recommend that you point your MX records to (that is, deliver email directly to) Microsoft 365. If you need to route your email somewhere else first, you need to enable [Enhanced Filtering for Connectors](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors) so Microsoft 365 can use the true message source in filtering decisions.
- question: |
Are spam and malware messages being investigated as to who sent them, or being transferred to law enforcement entities?
answer: |
The service focuses on spam and malware detection and removal, though we may occasionally investigate especially dangerous or damaging spam or attack campaigns and pursue the perpetrators.
We often work with our legal and digital crime units to take the following actions:
- Take down a spam botnet.
- Block an attacker from using the service.
- Pass the information on to law enforcement for criminal prosecution.
- question: |
For more information
answer: |
[Configure anti-malware policies](anti-malware-policies-configure.md)
[Anti-malware protection](anti-malware-protection-about.md)