forked from MicrosoftDocs/defender-docs
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathanti-malware-protection-faq.yml
174 lines (137 loc) · 10.5 KB
/
anti-malware-protection-faq.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
### YamlMime:FAQ
metadata:
ms.date: 1/17/2024
title: Anti-malware protection FAQ
f1.keywords:
- NOCSH
ms.author: chrisda
author: chrisda
manager: deniseb
audience: ITPro
ms.topic: faq
ms.localizationpriority: medium
search.appverid:
- MET150
ms.assetid: 013c8a5f-8990-40e4-bfa8-f92ff1042623
ms.collection:
- m365-security
- tier2
ms.custom:
- seo-marvel-apr2020
description: Admins can view frequently asked questions and answers about anti-malware protection in Exchange Online Protection (EOP).
ms.subservice: mdo
ms.service: defender-office-365
title: Anti-malware protection FAQ
summary: |
[!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)]
**Applies to**
- [Exchange Online Protection](eop-about.md)
- [Microsoft Defender for Office 365 Plan 1 and Plan 2](mdo-about.md#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet)
- [Microsoft Defender XDR](/defender-xdr/microsoft-365-defender)
This article provides frequently asked questions and answers about anti-malware protection for Microsoft 365 organizations with mailboxes in Exchange Online, or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes.
For questions and answers about the quarantine, see [Quarantine FAQ](quarantine-faq.yml).
For questions and answers about anti-spam protection, see [Anti-spam protection FAQ](anti-spam-protection-faq.yml).
For questions and answers about anti-spoofing protection, see [Anti-spoofing protection FAQ](anti-phishing-protection-spoofing-faq.yml).
sections:
- name: Ignored
questions:
- question: |
What are best practice recommendations for configuring and using the service to combat malware?
answer: |
See [EOP anti-malware policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-malware-policy-settings).
- question: |
How often are the malware definitions updated?
answer: |
Each server checks for new malware definitions from our anti-malware partners every hour.
- question: |
How many anti-malware partners do you have? Can I choose which malware engines we use?
answer: |
As of July 2024, messages are scanned with the Microsoft anti-malware engine only.
- question: |
Where does malware scanning occur?
answer: |
We scan for malware in messages that are sent to or sent from a mailbox (messages in transit). For Exchange Online mailboxes, we also have [zero-hour auto purge (ZAP) for malware](zero-hour-auto-purge.md#zero-hour-auto-purge-zap-for-malware) to scan messages that have already been delivered. If you resend a message from a mailbox, then it's scanned again (because it's in transit).
- question: |
If I make a change to an anti-malware policy, how long does it take after I save my changes for them to take effect?
answer: |
It might take up to 1 hour for the changes to take effect.
- question: |
Does the service scan internal messages for malware?
answer: |
For organizations with Exchange Online mailboxes, the service scans for malware in all inbound and outbound messages, including messages sent between internal recipients.
A standalone EOP subscription scans messages as they enter or leave the on-premises email organization. Messages sent between internal on-premises recipients aren't scanned for malware. However, you can use the built-in anti-malware scanning features of Exchange Server. For more information, see [Anti-malware protection in Exchange Server](/Exchange/antispam-and-antimalware/antimalware-protection/antimalware-protection).
- question: |
Is heuristic scanning enabled?
answer: |
Yes. Heuristic scanning scans for both known (signature match) and unknown (suspicious) malware.
- question: |
Can the service scan compressed files (such as .zip files)?
answer: |
Yes. Anti-malware can drill into compressed (archive) files.
- question: |
Is the compressed attachment scanning support recursive (.zip within a .zip within a .zip) and if so, how deep does it go?
answer: |
Yes, recursive scanning of compressed files scans many layers deep.
- question: |
Does the service work with legacy Exchange versions and non-Exchange environments?
answer: |
Yes, the service is server agnostic.
- question: |
What's a zero-day virus and how is it handled by the service?
answer: |
A zero-day virus is a first generation, previously unknown variant of malware that's never been captured or analyzed.
After a zero-day virus sample is captured and analyzed by our anti-malware engine, a definition and unique signature is created to detect the malware.
When a definition or signature exists for the malware, it's no longer considered zero-day.
- question: |
How can I configure the service to block specific executable files (such as \*.exe) that I fear may contain malware?
answer: |
You can enable and configure the *common attachments filter* (also known as *common attachment blocking*) as described in [Common attachments filter in anti-malware policies](anti-malware-protection-about.md#common-attachments-filter-in-anti-malware-policies).
You can also create an Exchange mail flow rule (also known as transport rule) that blocks any email attachment that has executable content.
Follow the steps in [How to reduce malware threats through file attachment blocking in Exchange Online Protection](https://support.microsoft.com/help/2959596) to block the file types listed in [Supported file types for mail flow rule content inspection in Exchange Online](/exchange/security-and-compliance/mail-flow-rules/inspect-message-attachments#supported-file-types-for-mail-flow-rule-content-inspection).
For increased protection, we also recommend using the **Any attachment file extension includes these words** condition in mail flow rules to block some or all of the following extensions: `ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh`.
- question: |
Why did a specific malware get past the filters?
answer: |
The malware that you received is a new variant (see [What's a zero-day virus and how is it handled by the service?](#what-s-a-zero-day-virus-and-how-is-it-handled-by-the-service-)). The time it takes for a malware definition update is dependent on our anti-malware partners.
Remember, no user or admin-configurable setting can exempt email attachments from being scanned by anti-malware protection.
- question: |
How can I submit malware that made it past the filters to Microsoft? Also, how can I submit a file that I believe was incorrectly detected as malware?
answer: |
See [Report messages and files to Microsoft](submissions-report-messages-files-to-microsoft.md).
- question: |
I received an email message with an unfamiliar attachment. Is this malware or can I disregard this attachment?
answer: |
We strongly advise that you don't open any attachments you don't recognize. If you would like us to investigate the attachment, [report the file to Microsoft](submissions-report-messages-files-to-microsoft.md).
- question: |
Where can I get messages that were deleted by the malware filters?
answer: |
The messages contain active malicious code and therefore we don't allow access to these messages. They're unceremoniously deleted.
- question: |
I'm not able to receive a specific attachment because it's being falsely identified as malware. Can I allow this attachment through via mail flow rules?
answer: |
No. You can't use Exchange mail flow rules to skip malware filtering. The only way to skip malware filtering for a recipient is to identify the mailbox as a SecOps mailbox. For more information, see [Use the Microsoft Defender portal to configure SecOps mailboxes in the advanced delivery policy](advanced-delivery-policy-configure.md#use-the-microsoft-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy).
- question: |
Can I get reporting data about malware detections?
answer: |
Yes, you can access reports in the Microsoft Defender portal. For more information, see [View email security reports in the Microsoft Defender portal](reports-email-security.md).
- question: |
Is there a tool that I can use to follow a malware-detected message through the service?
answer: |
Yes, the message trace tool enables you to follow email messages as they pass through the service. For more information about how to use the message trace tool to find out why a message was detected to contain malware, see [Message trace in the modern Exchange admin center](/exchange/monitoring/trace-an-email-message/message-trace-modern-eac).
- question: |
Can I use a third-party anti-spam and anti-malware provider with Exchange Online?
answer: |
Yes. In most cases, we recommend that you point your MX records to (that is, deliver email directly to) EOP. If you need to route your email somewhere else first, you need to enable [Enhanced Filtering for Connectors](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors) so EOP can use the true message source in filtering decisions.
- question: |
Are spam and malware messages being investigated as to who sent them, or being transferred to law enforcement entities?
answer: |
The service focuses on spam and malware detection and removal, though we may occasionally investigate especially dangerous or damaging spam or attack campaigns and pursue the perpetrators.
We often work with our legal and digital crime units to take the following actions:
- Take down a spam botnet.
- Block an attacker from using the service.
- Pass the information on to law enforcement for criminal prosecution.
- question: |
For more information
answer: |
[Configure anti-malware policies](anti-malware-policies-configure.md)
[Anti-malware protection](anti-malware-protection-about.md)