Recall Emails sent in error from Outlook Web Access (OWA)

WinDeveloper IMF Tune
WinDeveloper IMF Tune

Exchange 2013 Malware Protection - Part 2

Alexander Zammit

Alexander Zammit Photo

Alexander Zammit has been developing server applications for over 15 years. Most of his works involve Exchange integrated applications, including a FAX server, a mail security product and anti-spam products.

Cast your Vote
Poor Excellent

The Exchange 2013 Management Shell provides a number of scripts and cmdlets for administering Malware Protection. When it comes to managing filter updates or enabling/disabling the filter the shell is our only administrative interface.

In Exchange 2013 Malware Protection - Part 1, we configured Malware Protection from the Administrative Centre. We saw the main options that determine how malware is handled and the notification emails that are generated. Nevertheless this interface doesn't provide access to everything. Filter update management and more settings are waiting for us at the shell.

Under the hood, malware filtering plugs to Exchange as a transport agent. We can see this listed as the second agent on running:
Get-TransportAgent

Malware Agent

Malware filtering can be enabled immediately at installation time.

Exchange 2013 Setup - Enable Malware Protection

Otherwise it can be enabled/disabled using the shell scripts:
Enable-AntimalwareScanning.ps1
Disable-AntimalwareScanning.ps1

You will find these under the directory:
<Program Files>\Microsoft\Exchange Server\V15\Scripts

There is a lot to learn from these scripts. I suggest opening these files and see which cmdlets are being used. The first thing I noticed was that the scripts are loading the Forefront PowerShell snap-in to do their work:
Add-PSSnapin Microsoft.Forefront.Filtering.Management.Powershell

As discussed in part 1, on-premises Forefront Protection 2010 for Exchange is being discontinued and Microsoft is making available some of this technology out-of-the-box. A Malware Filter that has the quality of Forefront in its DNA is surely a good thing.

The downside is that sometimes you might need to load this extra snap-in which can be a bit annoying.

Enabling/Disabling Malware Filtering

Peeking into Enable-AntimalwareScanning.ps1 we learn that the malware functionality is enabled at various levels. The transport agent itself is enabled using the Exchange cmdlet:
Enable-TransportAgent -Identity:"Malware Agent"

Malware filtering is also enabled within the configuration in two places:
Set-AntivirusScanSettings -Enabled $true
Set-ConfigurationValue -XPath "/fs-conf:Configuration/fs-sys:System/fs-sys:AntiMalwareSettings/fs-sys:Enabled" -Value "true"

I know these details may sound redundant once we have the script. However in practice these nuggets become very handy when troubleshooting.

The script also enables malware engine updates using the Forefront cmdlet:
Set-EngineUpdateCommonSettings -EnableUpdates $true

...and kicks off updates using:
Start-EngineUpdate

Updates & Filter Administration

You will work at the shell whenever dealing with filter updates. We already mentioned Start-EngineUpdate that starts an immediate update. Let's take a closer look at:
Get-EngineUpdateCommonSettings
Set-EngineUpdateCommonSettings

Get-EngineUpdateCommonSettings

Here we find many interesting properties that are common to all engines. Don't forget that Forefront used to provide multiple filtering engines. Exchange 2013 is inheriting this architecture even though only one engine is provided. So effectively these settings only apply to the Malware Filter. Some properties worth highlighting include:

PrimaryUpdatePath/SecondaryUpdatePath - The URLs from where updates are downloaded

EnableUpdates - Turns on/off downloading of updates

UpdateFrequency - Time interval between updates initialized to 1hour

More interesting than EngineUpdateCommonSettings is MalwareFilteringServer. This is an Exchange cmdlet, thus loading the Forefront snap-in is not necessary.
Get-MalwareFilteringServer | List

Get-MalwareFilteringServer

MalwareFilteringServer wraps some of the properties available from EngineUpdateCommonSettings. For example both expose the update URL and update frequency. However the UpdateFrequency is expressed in minutes. So if I wanted to download updates every 2 hours I would run:
Set-MalwareFilteringServer -Identity WIN12-TEST -UpdateFrequency 120

Other interesting properties include:

ForceRescan - If running Online Forefront Protection at the cloud with Exchange 2013, we end up with two malware scanning layers. By default the Exchange 2013 malware agent does not rescan emails already scanned at the cloud. Setting this to true forces email rescanning.

BypassFiltering - If set to true, the malware filter stops scanning emails. The agent is still enabled but all emails go through unfiltered. Use this to temporarily pause the filter without going through a complete disablement (that would also disable updates and cause the Exchange Transport Server to restart).

DeferWaitTime, DeferAttempts, ScanTimeout, ScanErrorAction - All deal with how the filter is to handle scanning failures i.e. cases when it cannot tell whether an email is infected.

UpdateFrequency, UpdateTimeout - Control the updating process. Update frequency specifies how often updates are downloaded in minutes. The update timeout determines the amount of time (in seconds) the update service waits for a response from the update servers at the configured URLs.

For more details on each of these check the documentation for Get-MalwareFilteringServer.

User Comments - Page 1 of 1

Add New Comment...

Thom 3 Oct 2013 06:03
How can I set Proxy-Settings for the updates?
Stephan 28 Jun 2013 01:41
But how to obtain a report of numbers of blocked mail?
amit shinde 23 Apr 2013 21:59
Good one
Charles Derber 17 Feb 2013 16:58
Thanks & It is informative.
Copyright © 2005 - 2014 All rights reserved. ExchangeInbox.com is not affiliated with Microsoft Corporation