In Exchange 2013 Malware Protection - Part 1, we configured Malware Protection from the Administrative Centre. We saw the main options that determine how malware is handled and the notification emails that are generated. Nevertheless this interface doesn't provide access to everything. Filter update management and more settings are waiting for us at the shell.
Under the hood, malware filtering plugs into Exchange as a transport agent. We can see it listed as the second agent when running:
Get-TransportAgent
Malware filtering can be enabled immediately at installation time.
Otherwise it can be enabled/disabled using the shell scripts:
Enable-AntimalwareScanning.ps1
Disable-AntimalwareScanning.ps1
You will find these under the directory:
<Program Files>\Microsoft\Exchange Server\V15\Scripts
There is a lot to learn from these scripts. I suggest opening the files and seeing which cmdlets are being used. The first thing I noticed was that the scripts load the Forefront PowerShell snap-in to do their work:
Add-PSSnapin Microsoft.Forefront.Filtering.Management.Powershell
As discussed in part 1, the on-premises Forefront Protection 2010 for Exchange product is being discontinued and Microsoft is shipping some of its technology out-of-the-box in Exchange 2013. A Malware Filter that has Forefront quality in its DNA is surely a good thing.
The downside is that you sometimes need to load this extra snap-in, which can be a bit annoying.
Enabling/Disabling Malware Filtering
Peeking into Enable-AntimalwareScanning.ps1 we learn that the malware functionality is enabled at various levels. The transport agent itself is enabled using the Exchange cmdlet:
Enable-TransportAgent -Identity:"Malware Agent"
Malware filtering is also enabled within the configuration in two places:
Set-AntivirusScanSettings -Enabled $true
Set-ConfigurationValue -XPath "/fs-conf:Configuration/fs-sys:System/fs-sys:AntiMalwareSettings/fs-sys:Enabled" -Value "true"
I know these details may sound redundant once we have the script. However, in practice these nuggets become very handy when troubleshooting: the filter can be "enabled" at one level and still switched off at another.
The script also enables malware engine updates using the Forefront cmdlet:
Set-EngineUpdateCommonSettings -EnableUpdates $true
...and kicks off updates using:
Start-EngineUpdate
Updates & Filter Administration
You will work at the shell whenever dealing with filter updates. We already mentioned Start-EngineUpdate, which starts an immediate update. Let's take a closer look at:
Get-EngineUpdateCommonSettings
Set-EngineUpdateCommonSettings
Here we find many interesting properties that are common to all engines. Don't forget that Forefront used to provide multiple filtering engines. Exchange 2013 inherits this architecture even though only one engine is provided, so effectively these settings only apply to the Malware Filter. Some properties worth highlighting include:
PrimaryUpdatePath/SecondaryUpdatePath
- The URLs from which updates are downloaded
EnableUpdates
- Turns downloading of updates on or off
UpdateFrequency
- Time interval between updates, defaulting to 1 hour
More interesting than EngineUpdateCommonSettings is MalwareFilteringServer. This is an Exchange cmdlet, so loading the Forefront snap-in is not necessary:
Get-MalwareFilteringServer | Format-List
MalwareFilteringServer wraps some of the properties available from EngineUpdateCommonSettings. For example, both expose the update URL and update frequency. However, the MalwareFilteringServer UpdateFrequency is expressed in minutes. So if I wanted to download updates every 2 hours I would run:
Set-MalwareFilteringServer -Identity WIN12-TEST -UpdateFrequency 120
Other interesting properties include:
ForceRescan
- If running Forefront Online Protection in the cloud in front of Exchange 2013, we end up with two malware scanning layers. By default the Exchange 2013 malware agent does not rescan emails already scanned in the cloud. Setting this to true forces email rescanning.
BypassFiltering
- If set to true, the malware filter stops scanning emails. The agent is still enabled but all emails go through unfiltered. Use this to temporarily pause the filter without going through a complete disablement (which would also disable updates and cause the Microsoft Exchange Transport service to be restarted).
DeferWaitTime, DeferAttempts, ScanTimeout, ScanErrorAction
- All deal with how the filter handles scanning failures, i.e., cases where it cannot tell whether an email is infected.
UpdateFrequency, UpdateTimeout
- Control the updating process. Update frequency specifies how often updates are downloaded in minutes. The update timeout determines the amount of time (in seconds) the update service waits for a response from the update servers at the configured URLs.
For more details on each of these check the documentation for Get-MalwareFilteringServer.
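As an added example (not code from the original post), the following function pulls together the layers covered above, the transport agent, the MalwareFilteringServer settings and the Forefront engine update settings, into one read-only troubleshooting check. It assumes an elevated Exchange Management Shell on an Exchange 2013 Mailbox server; Get-EngineUpdateInformation (a Forefront snap-in cmdlet not mentioned in the post) and the 240-minute and 24-hour thresholds are my own assumptions, and WIN12-TEST is the server name used earlier.

```powershell
# Added example: report the malware filter state at every layer the
# Enable/Disable-AntimalwareScanning.ps1 scripts touch, with findings.
# Assumes an Exchange 2013 Mailbox server and the Exchange Management Shell.
function Test-MalwareFilterState {
    param(
        [string]$Server = $env:COMPUTERNAME,   # Mailbox server identity to inspect
        [int]$MaxUpdateAgeHours = 24           # assumed threshold for stale signatures
    )
    $findings = @()

    # Layer 1: the transport agent itself. If disabled, nothing is scanned.
    $agent = Get-TransportAgent -Identity "Malware Agent"
    if (-not $agent.Enabled) { $findings += "Malware Agent transport agent is disabled" }

    # Layer 2: per-server settings from the Exchange cmdlet (no snap-in needed).
    $mfs = Get-MalwareFilteringServer -Identity $Server
    if ($mfs.BypassFiltering) {
        $findings += "BypassFiltering is on: agent enabled but mail passes unscanned"
    }
    if ($mfs.UpdateFrequency -gt 240) {   # UpdateFrequency is in minutes here
        $findings += "UpdateFrequency is $($mfs.UpdateFrequency) minutes; signatures may lag"
    }

    # Layer 3: engine update settings, which live behind the Forefront snap-in.
    if (-not (Get-PSSnapin Microsoft.Forefront.Filtering.Management.Powershell -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.Forefront.Filtering.Management.Powershell
    }
    $common = Get-EngineUpdateCommonSettings
    if (-not $common.EnableUpdates) { $findings += "Engine updates disabled (EnableUpdates = false)" }

    # Assumed cmdlet: reports last update time and status for the (single) engine.
    $info = Get-EngineUpdateInformation
    $age  = (Get-Date) - [datetime]$info.LastUpdated
    if ($age.TotalHours -gt $MaxUpdateAgeHours) {
        $findings += ("Engine last updated {0:N1} hours ago (status: {1})" -f $age.TotalHours, $info.UpdateStatus)
    }

    [pscustomobject]@{
        Server          = $Server
        AgentEnabled    = $agent.Enabled
        BypassFiltering = $mfs.BypassFiltering
        ForceRescan     = $mfs.ForceRescan
        UpdateFrequency = $mfs.UpdateFrequency
        UpdatesEnabled  = $common.EnableUpdates
        LastUpdated     = $info.LastUpdated
        Findings        = $findings
    }
}
Test-MalwareFilterState -Server WIN12-TEST | Format-List
```

An empty Findings list means the agent is enabled, filtering is not bypassed, and engine updates are both enabled and recent; anything else points at the layer to fix.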