Exchange 2013 Malware Protection - Part 2

Alexander Zammit


Software Development Consultant. Involved in the development of various Enterprise software solutions. Today focused on Blockchain and DLT technologies.


The Exchange 2013 Management Shell provides a number of scripts and cmdlets for administering Malware Protection. When it comes to managing filter updates or enabling/disabling the filter the shell is our only administrative interface.

In Exchange 2013 Malware Protection - Part 1, we configured Malware Protection from the Administrative Centre. We saw the main options that determine how malware is handled and the notification emails that are generated. Nevertheless this interface doesn't provide access to everything. Filter update management and more settings are waiting for us at the shell.

Under the hood, malware filtering plugs into Exchange as a transport agent. We can see it listed as the second agent on running:
Get-TransportAgent

[Screenshot: Get-TransportAgent output listing the Malware Agent]

Malware filtering can be enabled immediately at installation time.

[Screenshot: Exchange 2013 Setup - Enable Malware Protection option]

Otherwise it can be enabled/disabled using the shell scripts:
Enable-AntimalwareScanning.ps1
Disable-AntimalwareScanning.ps1

You will find these under the directory:
<Program Files>\Microsoft\Exchange Server\V15\Scripts

There is a lot to learn from these scripts. I suggest opening these files and seeing which cmdlets are being used. The first thing I noticed was that the scripts load the Forefront PowerShell snap-in to do their work:
Add-PSSnapin Microsoft.Forefront.Filtering.Management.Powershell

As discussed in part 1, on-premises Forefront Protection 2010 for Exchange is being discontinued and Microsoft is making available some of this technology out-of-the-box. A Malware Filter that has the quality of Forefront in its DNA is surely a good thing.

The downside is that sometimes you might need to load this extra snap-in yourself, which can be a bit annoying. The Exchange Management Shell does not load it for you, so until you run the Add-PSSnapin line above the Forefront cmdlets discussed below are simply not recognised.

Enabling/Disabling Malware Filtering

Peeking into Enable-AntimalwareScanning.ps1 we learn that the malware functionality is enabled at various levels. The transport agent itself is enabled using the Exchange cmdlet:
Enable-TransportAgent -Identity:"Malware Agent"

Malware filtering is also enabled within the configuration in two places:
Set-AntivirusScanSettings -Enabled $true
Set-ConfigurationValue -XPath "/fs-conf:Configuration/fs-sys:System/fs-sys:AntiMalwareSettings/fs-sys:Enabled" -Value "true"

I know these details may sound redundant once we have the script. However in practice these nuggets become very handy when troubleshooting.

The script also enables malware engine updates using the Forefront cmdlet:
Set-EngineUpdateCommonSettings -EnableUpdates $true

...and kicks off updates using:
Start-EngineUpdate
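Since the script flips switches at several independent layers, the useful troubleshooting question is "do all of them currently agree?". As an added example (not from the article and not one of Microsoft's scripts), here is a check that reads each layer back and reports the first one that is off. It assumes the snap-in name quoted above and the property names Enabled (Get-AntivirusScanSettings), EnableUpdates (Get-EngineUpdateCommonSettings) and BypassFiltering (Get-MalwareFilteringServer, an Exchange cmdlet covered further down); adjust if your build reports them differently.

```powershell
# Added example, not part of the article or the Exchange scripts.
# Run from the Exchange Management Shell on the server being checked.
# Assumptions: the Forefront snap-in name used by Enable-AntimalwareScanning.ps1,
# and the property names Enabled / EnableUpdates / BypassFiltering.

$SnapIn = 'Microsoft.Forefront.Filtering.Management.Powershell'
if (-not (Get-PSSnapin -Name $SnapIn -ErrorAction SilentlyContinue)) {
    Add-PSSnapin $SnapIn
}

function Get-MalwareFilterState {
    [CmdletBinding()]
    param(
        # Defaults to the local server, which is what the scripts act on.
        [string]$Server = $env:COMPUTERNAME
    )

    # Layer 1: the transport agent. Disabled here means nothing is scanned.
    $agent = Get-TransportAgent -Identity 'Malware Agent' -ErrorAction Stop

    # Layer 2: the Forefront scan settings toggled by Set-AntivirusScanSettings.
    $av = Get-AntivirusScanSettings

    # Layer 3: the per-server Exchange object. BypassFiltering $true means the
    # agent stays loaded but every message passes through unscanned.
    $srv = Get-MalwareFilteringServer -Identity $Server

    # Layer 4: engine updates, toggled by Set-EngineUpdateCommonSettings.
    $upd = Get-EngineUpdateCommonSettings

    [pscustomobject]@{
        Server            = $Server
        AgentEnabled      = [bool]$agent.Enabled
        ScanEnabled       = [bool]$av.Enabled
        BypassFiltering   = [bool]$srv.BypassFiltering
        UpdatesEnabled    = [bool]$upd.EnableUpdates
        PrimaryUpdatePath = $upd.PrimaryUpdatePath
    }
}

function Test-MalwareFilterState {
    param([string]$Server = $env:COMPUTERNAME)

    $state    = Get-MalwareFilterState -Server $Server
    $problems = @()
    if (-not $state.AgentEnabled)   { $problems += 'Malware Agent is disabled (Enable-TransportAgent)' }
    if (-not $state.ScanEnabled)    { $problems += 'AntivirusScanSettings.Enabled is false (Set-AntivirusScanSettings)' }
    if ($state.BypassFiltering)     { $problems += 'BypassFiltering is true; mail passes unscanned (Set-MalwareFilteringServer)' }
    if (-not $state.UpdatesEnabled) { $problems += 'Engine updates are off (Set-EngineUpdateCommonSettings)' }

    foreach ($p in $problems) { Write-Warning "$($state.Server): $p" }

    # A server is only really filtering when every layer agrees.
    $state | Add-Member -NotePropertyName Filtering -NotePropertyValue ($problems.Count -eq 0) -PassThru
}

Test-MalwareFilterState | Format-List
```

The point of returning an object rather than printing is that the same function can be run against each server from a scheduled task and the Filtering flag tested, which is what you want after an Enable-AntimalwareScanning.ps1 run that appeared to succeed but left mail unscanned.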

Updates & Filter Administration

You will work at the shell whenever dealing with filter updates. We already mentioned Start-EngineUpdate that starts an immediate update. Let's take a closer look at:
Get-EngineUpdateCommonSettings
Set-EngineUpdateCommonSettings

[Screenshot: Get-EngineUpdateCommonSettings output]

Here we find many interesting properties that are common to all engines. Don't forget that Forefront used to provide multiple filtering engines. Exchange 2013 is inheriting this architecture even though only one engine is provided. So effectively these settings only apply to the Malware Filter. Some properties worth highlighting include:

PrimaryUpdatePath/SecondaryUpdatePath - The URLs from where updates are downloaded

EnableUpdates - Turns on/off downloading of updates

UpdateFrequency - Time interval between updates, initialised to 1 hour

More interesting than EngineUpdateCommonSettings are the MalwareFilteringServer cmdlets. These are Exchange cmdlets, so loading the Forefront snap-in is not necessary:
Get-MalwareFilteringServer | Format-List

[Screenshot: Get-MalwareFilteringServer output]

MalwareFilteringServer wraps some of the properties available from EngineUpdateCommonSettings. For example both expose the update URL and update frequency. However the UpdateFrequency is expressed in minutes. So if I wanted to download updates every 2 hours I would run:
Set-MalwareFilteringServer -Identity WIN12-TEST -UpdateFrequency 120

Other interesting properties include:

ForceRescan - If running Forefront Online Protection in the cloud in front of Exchange 2013, we end up with two malware scanning layers. By default the Exchange 2013 malware agent does not rescan emails already scanned in the cloud. Setting this to true forces them to be rescanned.

BypassFiltering - If set to true, the malware filter stops scanning emails. The agent is still enabled but all emails go through unfiltered. Use this to temporarily pause the filter without going through a complete disablement (that would also disable updates and requires a restart of the Microsoft Exchange Transport service). Remember that while it is true nothing at the shell or the EAC will look wrong, so set it back as soon as the reason for pausing is gone.

DeferWaitTime, DeferAttempts, ScanTimeout, ScanErrorAction - All deal with how the filter is to handle scanning failures, i.e. cases when it cannot tell whether an email is infected. ScanErrorAction (Block or Allow) is the one that decides whether such mail is held back or delivered unscanned.

UpdateFrequency, UpdateTimeout - Control the updating process. Update frequency specifies how often updates are downloaded in minutes. The update timeout determines the amount of time (in seconds) the update service waits for a response from the update servers at the configured URLs.

For more details on each of these check the documentation for Get-MalwareFilteringServer.
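The BypassFiltering property is handy precisely because it is cheap to flip, and that is also why it gets forgotten. As an added example (not from the article or from Microsoft), the following wraps a maintenance task so that filtering is paused for exactly the duration of the task and restored even if the task throws, then restates the failure-handling properties explicitly. WIN12-TEST is the test server name used above; substitute your own. The numbers in the final Set-MalwareFilteringServer call are what I recall as the documented defaults, so compare them against your own Get-MalwareFilteringServer output before treating them as a baseline.

```powershell
# Added example, not from the article or Microsoft's scripts.
# Pauses scanning on one server with BypassFiltering for the duration of a
# script block and always restores the previous value, so a failing task
# cannot leave mail flowing unscanned.

function Invoke-WithMalwareFilterPaused {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][string]$Identity,
        [Parameter(Mandatory=$true)][scriptblock]$ScriptBlock
    )

    $before = Get-MalwareFilteringServer -Identity $Identity
    if ($before.BypassFiltering) {
        Write-Warning "$Identity is already bypassing filtering; find out who set that before continuing."
    }

    $paused = Get-Date
    Set-MalwareFilteringServer -Identity $Identity -BypassFiltering $true
    try {
        & $ScriptBlock
    }
    finally {
        # Restore the previous value rather than blindly $false, so a server
        # that was deliberately bypassed stays as its admin left it.
        Set-MalwareFilteringServer -Identity $Identity -BypassFiltering $before.BypassFiltering
        $after = Get-MalwareFilteringServer -Identity $Identity
        $span  = (Get-Date) - $paused
        Write-Host ('{0}: filtering bypassed for {1:N0} s, BypassFiltering is now {2}' -f `
            $Identity, $span.TotalSeconds, $after.BypassFiltering)
    }
}

# Usage: replace the script block with the real maintenance task.
Invoke-WithMalwareFilterPaused -Identity 'WIN12-TEST' -ScriptBlock {
    Start-Sleep -Seconds 5
}

# Separately, keep the failure path fail-closed: if the engine cannot reach a
# verdict within ScanTimeout (seconds) after DeferAttempts retries spaced
# DeferWaitTime (minutes) apart, Block the message rather than Allow it.
# Values are my recollection of the documented defaults (assumption); verify.
Set-MalwareFilteringServer -Identity 'WIN12-TEST' `
    -ScanErrorAction Block -ScanTimeout 300 -DeferAttempts 3 -DeferWaitTime 5 `
    -UpdateFrequency 60 -UpdateTimeout 150
```

The try/finally is the whole point: the one time you forget to re-enable scanning is the time the task fails half way, and a finally block is the only place that runs on both paths.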

To force a filter update we have a dedicated script:
Update-MalwareFilteringServer.ps1

This wraps the Forefront cmdlet Start-EngineUpdate that we already met when discussing Enable-AntimalwareScanning.ps1.

Sometimes we may need to check if the automatic updating service is working. This is when we need the Forefront cmdlet:
Get-EngineUpdateInformation

[Screenshot: Get-EngineUpdateInformation output]

Most importantly it provides us with the last update date/time and the current update version.
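Checking one server interactively is fine; what you actually want is the same information from every server every day, with anything stale flagged. As an added example (not from the article and not a Microsoft script), here is a report that does that over PowerShell remoting. It assumes WinRM remoting is enabled to each Mailbox server, that the Forefront snap-in name is the one the Exchange scripts load, and that Get-EngineUpdateInformation exposes the properties seen in the screenshot above (SignatureDateTime, UpdateVersion, UpdateStatus). The 24-hour threshold, the success status string and the SMTP details are my own choices, not Exchange defaults.

```powershell
# Added example, not part of the article. Collects Get-EngineUpdateInformation
# from every Mailbox server and flags stale or failed updates.
# Assumptions: WinRM remoting to each server, the Forefront snap-in name below,
# the property names SignatureDateTime / UpdateVersion / UpdateStatus, and
# 'UpdateAttemptSuccessful' as the status string for a good update.

$SnapIn = 'Microsoft.Forefront.Filtering.Management.Powershell'

function Get-MalwareSignatureReport {
    [CmdletBinding()]
    param(
        [string[]]$Server = (Get-ExchangeServer | Where-Object { $_.IsMailboxServer } |
                             Select-Object -ExpandProperty Name),
        # Updates are hourly by default, so anything older than a day is worth a look.
        [int]$MaxAgeHours = 24
    )

    $now = Get-Date
    foreach ($s in $Server) {
        try {
            $info = Invoke-Command -ComputerName $s -ErrorAction Stop -ArgumentList $SnapIn -ScriptBlock {
                param($snap)
                if (-not (Get-PSSnapin -Name $snap -ErrorAction SilentlyContinue)) { Add-PSSnapin $snap }
                Get-EngineUpdateInformation
            }
            $age = $now - [datetime]$info.SignatureDateTime
            [pscustomobject]@{
                Server            = $s
                SignatureDateTime = $info.SignatureDateTime
                AgeHours          = [math]::Round($age.TotalHours, 1)
                UpdateVersion     = $info.UpdateVersion
                UpdateStatus      = $info.UpdateStatus
                Stale             = ($age.TotalHours -gt $MaxAgeHours) -or
                                    ($info.UpdateStatus -ne 'UpdateAttemptSuccessful')
            }
        }
        catch {
            # A server we cannot query is reported as stale, never silently skipped.
            [pscustomobject]@{
                Server            = $s
                SignatureDateTime = $null
                AgeHours          = $null
                UpdateVersion     = $null
                UpdateStatus      = "Error: $($_.Exception.Message)"
                Stale             = $true
            }
        }
    }
}

$report = Get-MalwareSignatureReport
$report | Format-Table -AutoSize

# Daily mail to the admins (placeholder SMTP server and addresses).
# Run from a scheduled task that starts the Exchange Management Shell.
if ($report | Where-Object { $_.Stale }) {
    Send-MailMessage -SmtpServer 'smtp.example.local' `
        -From 'exchange-monitor@example.local' -To 'exchange-admins@example.local' `
        -Subject 'Malware engine signatures stale on one or more servers' `
        -Body ($report | Format-Table -AutoSize | Out-String)
}
```

Treating an unreachable server as stale is deliberate: a report that only lists the servers it could talk to will happily say "all green" while the one that matters is down.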

Another pair of cmdlets encountered on enabling/disabling the filter was:
Get-AntiVirusScanSettings
Set-AntiVirusScanSettings

[Screenshot: Get-AntiVirusScanSettings output]

You may find the Enabled property useful when verifying the enablement status of the filter.

Malware Filtering Policy

The Malware Filtering Policy discussed in Exchange 2013 Malware Protection - Part 1 is configurable using the MalwareFilterPolicy Exchange cmdlets:
Get-MalwareFilterPolicy
Set-MalwareFilterPolicy

[Screenshot: Get-MalwareFilterPolicy output]

Again this is an Exchange cmdlet so loading the Forefront snap-in is not necessary. Looking closely at the returned properties we can see that almost all of them are configurable at: Exchange Administrative Centre | Protection | Malware | Default Policy, with the exception of:
BypassInboundMessages
BypassOutboundMessages

These allow us to disable filtering for inbound and outbound messages respectively. Because neither is shown in the Administrative Centre, a policy with one of them set looks perfectly healthy in the GUI while mail in that direction goes through unscanned; the shell is the only place you will notice.
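Given that the two bypass flags are invisible from the EAC, they deserve their own periodic check. As an added example (mine, not from the article), the following lists every policy with either flag set and offers a pipeline-friendly way to clear them, with -WhatIf support so you can review before changing anything. It assumes the property names BypassInboundMessages, BypassOutboundMessages, Name and Action as returned by Get-MalwareFilterPolicy.

```powershell
# Added example, not part of the article. Audits malware filter policies for
# the two bypass flags the EAC does not display, and optionally clears them.
# Assumes the property names Name, Action, BypassInboundMessages and
# BypassOutboundMessages on the objects returned by Get-MalwareFilterPolicy.

function Get-MalwareFilterBypassPolicy {
    # Returns only the policies that are currently bypassing one direction or both.
    Get-MalwareFilterPolicy |
        Where-Object { $_.BypassInboundMessages -or $_.BypassOutboundMessages } |
        Select-Object Name, Action, BypassInboundMessages, BypassOutboundMessages
}

function Clear-MalwareFilterBypass {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true, ValueFromPipelineByPropertyName=$true)]
        [string]$Name
    )
    process {
        # ShouldProcess makes -WhatIf and -Confirm work for free.
        if ($PSCmdlet.ShouldProcess($Name, 'Clear BypassInboundMessages and BypassOutboundMessages')) {
            Set-MalwareFilterPolicy -Identity $Name -BypassInboundMessages $false -BypassOutboundMessages $false
        }
    }
}

# Review first, then apply. Drop -WhatIf once the list is what you expect.
Get-MalwareFilterBypassPolicy | Format-Table -AutoSize
Get-MalwareFilterBypassPolicy | Clear-MalwareFilterBypass -WhatIf
```

Clearing the flags is a one-liner per policy; the audit function is the part worth scheduling, since someone setting BypassInboundMessages during an incident is exactly the sort of change that never gets reverted.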

Final Tips

Although many would have preferred Microsoft to continue providing on-premises Forefront, others will be happy to get an important piece of this product out-of-the-box in Exchange 2013.

Today we used the shell to manage the Malware Filter. This is the administrative interface of choice whenever managing updates. Amongst others we saw how to enable/disable the filter, start an immediate filter update, configure the updating frequency and verify the current update version.

References

Exchange 2013 Malware Protection - Part 1

User Comments

Adwait 5 Jun 2016 00:04
What is the pattern by which the Malware agent considers a message as spam and deletes it?

Is there any configuration of the malware agent, or any algorithm for the same, like we had in the Forefront Security Agent?
VISWANATHAN 15 Jun 2015 03:00
Hi all, I want to schedule the Get-EngineUpdateInformation reports for all our Exchange servers updated with the latest anti-malware definitions. Is there any PS1 file available to fetch this information in mail format every day and send it to our Exchange admins?
Thom 3 Oct 2013 06:03
How can I set Proxy-Settings for the updates?
Stephan 28 Jun 2013 01:41
But how do I obtain a report of the number of blocked mails?
amit shinde 23 Apr 2013 21:59
Good one
Charles Derber 17 Feb 2013 16:58
Thanks & It is informative.
Copyright © 2005 - 2024 All rights reserved. ExchangeInbox.com is not affiliated with Microsoft Corporation