Intelligent Message Filter, Content Filter, can do more...

WinDeveloper IMF Tune
WinDeveloper IMF Tune

Exchange 2013 Malware Protection - Part 1

Alexander Zammit

Alexander Zammit Photo

Alexander Zammit has been developing server applications for over 15 years. Most of his works involve Exchange integrated applications, including a FAX server, a mail security product and anti-spam products.

Cast your Vote
Poor Excellent

Since Exchange 2003 we grew to expect basic email hygiene to be include out-of-the-box in every new Exchange release. Today we look at the way Exchange 2013 is evolving in this area starting from the new malware protection.

Earlier this year Microsoft announced that the on-premises Forefront Protection 2010 for Exchange (FPE) was being discontinued (see Important Changes to Forefront Product Roadmaps). This created a void in Microsoft's email hygiene offering to on-premises installations. To make up for this, Microsoft beefed up the built-in email hygiene with malware protection.

Another key fact shaping the current Exchange 2013 email hygiene landscape is the lack of an Exchange 2013 Edge server role. Rumour has it that Edge will be include in Service Pack 1, but at the moment the best option is that of running the Exchange 2010 Edge together with Exchange 2013.

Malware Protection

With this background in mind we start exploring the Exchange 2013 malware protection from the Administration Centre. Here under the Protection category we find the new configuration interface for anti-malware.

Exchange 2013 Administrative Centre

Anti-Malware Default Settings

Anti-Malware scans emails at the transport. This includes internal, incoming and outgoing email flow. The filter only plugs to the transport, not the Mailbox database. So unlike Forefront the scanner won't catch malware sitting idle at a mailbox.

The anti-malware options at the Administrative Centre allow us to choose how malware is to be deleted and the type of notifications to be sent. When the filter deletes an attachment/email the deletion is permanent and there is no way to recover it.

Testing the Anti-Malware Filter

The easiest way to test and demonstrate malware filtering is by sending the harmless EICAR test virus. We create this ourselves by pasting the following character sequence to a text file:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

The file should be 68 bytes long.

Before doing this, you will most likely need to create an exception at your anti-virus so as to exclude the directory where EICAR is going to be saved. Otherwise chances are that the file gets deleted as soon as it hits the disk.

Now that we have our test malware, we edit the Exchange settings under:
Exchange Administration Centre | Protection | Default

To begin with I will configure the filter to only delete the malware attachment by selecting:
Malware Detection Response | Delete all attachments and use custom alert text

Following that I specify the custom alert text to be inserted whenever malware is deleted:
Attachment Removed by Exchange 2013 Anti-Malware

Here I also enable the notification settings:

  • Sends a message to the sender of the undelivered message | Notify Internal Email
  • Notify administrator about undelivered messages from internal senders
  • Notify administrator about undelivered messages from external senders

These last three settings won't really matter in the first test. For the moment the filter will only remove the attachment without blocking email delivery.

Here is what the configuration looks like now:

Anti-Malware | Delete Attachment

Test 1 - Removing Infected Attachments

We now submit a malware infected email between internal mailboxes (from user1 to user2). Using OWA I create the test email attaching the EICAR virus:

EICAR

Test Malware Email

Next we move to the recipient mailbox (user2) and see what the received email looks like:

Received Email with Stripped Attachment

Note how the attachment was replaced with:

Anti-Malware Attachment

The original attachment is gone for good. The filter doesn't save this anywhere.

Test 2 - Notification Emails

Let's take a look at the Notifications the filter generates. We go back to the Administrative Centre and set:
Malware Detection Response | Delete the entire message

Anti-Malware | Delete Email

Sending EICAR from user1 to user2 the email never makes it to user2 this time. Instead the sender immediately receives a non-delivery response saying:
"Your email message was not delivered to the intended recipients because malware was detected."

Sender NDR

The sender (user1) gets this response because we earlier enabled the notification setting:
Sends a message to the sender of the undelivered message | Notify Internal Email

Since at the Administration Centre we also enabled sending of notifications to the administrator, let's check the administrator mailbox. Here we see that the same non-delivery response was sent:

Administrator Notification

Final Tips

Built-in Malware protection is a very welcome addition to Exchange 2013. Today we started exploring this functionality limiting ourselves to the configurability available at the Exchange Administration Centre. In the second part we will dig deeper and with the help of the Shell we look at Updates and other options we can use to manage this functionality.

References

Exchange 2013 Malware Protection - Part 2

User Comments - Page 1 of 1

Add New Comment...

sajid 3 Aug 2013 21:47
great man..
mohammed 18 Dec 2012 06:31
nice article and feature in Exchange 2013
We expecte the second part. Thanks
Copyright © 2005 - 2014 All rights reserved. ExchangeInbox.com is not affiliated with Microsoft Corporation