Earlier this year Microsoft announced that the on-premises Forefront Protection 2010 for Exchange (FPE) was being discontinued (see Important Changes to Forefront Product Roadmaps). This created a void in Microsoft's email hygiene offering to on-premises installations. To make up for this, Microsoft beefed up the built-in email hygiene with malware protection.
Another key fact shaping the current Exchange 2013 email hygiene landscape is the lack of an Exchange 2013 Edge server role. Rumour has it that Edge will be included in Service Pack 1, but at the moment the best option is to run the Exchange 2010 Edge together with Exchange 2013.
Malware Protection
With this background in mind we start exploring the Exchange 2013 malware protection from the Administration Centre. Here under the Protection category we find the new configuration interface for anti-malware.
Anti-Malware scans emails in the transport pipeline. This covers internal, incoming and outgoing mail flow. The filter hooks only into transport, not into the mailbox database, so unlike Forefront the scanner won't catch malware already sitting idle in a mailbox.
The anti-malware options at the Administrative Centre allow us to choose how malware is to be deleted and the type of notifications to be sent. When the filter deletes an attachment/email the deletion is permanent and there is no way to recover it.
Testing the Anti-Malware Filter
The easiest way to test and demonstrate malware filtering is by sending the harmless EICAR test virus. We create this ourselves by pasting the following character sequence to a text file:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
The file should be 68 bytes long.
Before doing this, you will most likely need to create an exception in your desktop anti-virus to exclude the directory where EICAR is going to be saved. Otherwise chances are that the file gets deleted as soon as it hits the disk.
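The usual way this step goes wrong is the text editor adding a byte-order mark or a trailing newline, which makes the file longer than 68 bytes and stops scanners recognising it. The PowerShell below is an added example, not part of the original post: it writes the EICAR string as raw ASCII bytes and checks the result. The output path is an assumption and should point at the directory you excluded from your desktop anti-virus.

```powershell
# Added example: build the EICAR test file byte-exactly and verify it.
# The string is single-quoted so PowerShell does not expand $EICAR or $H.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# Assumed path (not from the post): a folder already excluded from desktop AV.
$path = 'C:\EicarTest\eicar.txt'
New-Item -ItemType Directory -Path (Split-Path $path) -Force | Out-Null

# Write plain ASCII with no BOM and no newline. Out-File / Set-Content would
# add a BOM and/or CRLF by default and produce a 70+ byte file that is not EICAR.
$bytes = [System.Text.Encoding]::ASCII.GetBytes($eicar)
[System.IO.File]::WriteAllBytes($path, $bytes)

# Verify: exactly 68 bytes, every byte printable 7-bit ASCII, first byte 'X'.
$written = [System.IO.File]::ReadAllBytes($path)
if ($written.Length -ne 68) {
    throw "EICAR file is $($written.Length) bytes, expected 68 (check for BOM or newline)"
}
if (($written | Where-Object { $_ -lt 0x21 -or $_ -gt 0x7E }).Count -ne 0) {
    throw 'EICAR file contains a non-printable or non-ASCII byte'
}
if ($written[0] -ne [byte][char]'X') {
    throw 'EICAR file does not start with X: a BOM was probably prepended'
}
Write-Host "EICAR test file written to $path (68 bytes, plain ASCII)"
```

If the file disappears immediately after being written, the desktop anti-virus exclusion is not in effect yet; fix that before attaching the file to a test email.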
Now that we have our test malware, we edit the Exchange settings under:
Exchange Administration Centre | Protection | Default
To begin with I will configure the filter to only delete the malware attachment by selecting:
Malware Detection Response | Delete all attachments and use custom alert text
Following that I specify the custom alert text to be inserted whenever malware is deleted:
Attachment Removed by Exchange 2013 Anti-Malware
Here I also enable the notification settings:
Sends a message to the sender of the undelivered message | Notify Internal Email
Notify administrator about undelivered messages from internal senders
Notify administrator about undelivered messages from external senders
These last three settings won't really matter in the first test. For the moment the filter will only remove the attachment without blocking email delivery.
Here is what the configuration looks like now:
Test 1 - Removing Infected Attachments
We now send a malware-infected email between internal mailboxes (from user1 to user2). Using OWA I create the test email, attaching the EICAR file:
Next we move to the recipient mailbox (user2) and see what the received email looks like:
Note how the attachment was replaced with:
The original attachment is gone for good. The filter doesn't save this anywhere.
Test 2 - Notification Emails
Let's take a look at the Notifications the filter generates. We go back to the Administrative Centre and set:
Malware Detection Response | Delete the entire message
Sending EICAR from user1 to user2, the email never reaches user2 this time. Instead the sender immediately receives a non-delivery response saying:
"Your email message was not delivered to the intended recipients because malware was detected."
The sender (user1) gets this response because we earlier enabled the notification setting:
Sends a message to the sender of the undelivered message | Notify Internal Email
Since we also enabled administrator notifications at the Administration Centre, let's check the administrator mailbox. Here we see that the same non-delivery response was sent:
Final Tips
Built-in malware protection is a very welcome addition to Exchange 2013. Today we started exploring this functionality, limiting ourselves to the configuration available through the Exchange Administration Centre. In the second part we will dig deeper and, with the help of the Shell, look at updates and the other options available for managing this functionality.
References
Exchange 2013 Malware Protection - Part 2