How to Configure anti-malware policies in Office 365
In this post I will go through the options of creating a new anti-malware policy and only apply it to a specific domain in Office 365.
Malware filtering is automatically enabled for all users in the company through the default anti-malware policy.
The default policy can be viewed and edited, but it cannot be deleted by administrators. To achieve greater granularity, custom policies can be created and applied to specified users, groups or domains in the Exchange Online organization. A note to remember is that a custom policy always takes priority over the default policy, and the priority order among custom policies can be changed.
To get started we need to login to the Office 365 Exchange Online admin center and then navigate to the protection section.
For this custom policy I will do the following:
- Send the Malware Detection Response using custom text
- Apply the policy to a specific domain only
- Add additional file extensions to be blocked
- Send a notification to internal staff about the undelivered message
To get started I will click on the + tab to create a new anti-malware policy. On the new custom policy page, give the policy a name and a description.
Also select “Yes and use custom notification text” under Malware Detection Response. By enabling the custom response text we can give the end user more detail about what they need to do when they receive this alert message.
Going further down on the page I will continue and add more known file types which will be blocked by this custom policy.
From the Common Attachment Type Filter section click on the + tab and select the extra file extensions which you would like to block with this policy. Once the file extensions have been selected, click on OK to go back to the previous screen.
The next part of the policy is to create the customized notifications for the sender and for the administrator.
Once the details for the custom notifications are in place, I will continue and select which part of the organization I want this policy to apply to.
For the purpose of this post I will only apply this policy to one domain in the Exchange Online organization.
To continue I will click on “The recipient domain is” and then select “ThatLazyAdmin.com” from the list of available domains.
Once completed, click on Save and you are done.
How do we know that this policy is working, and that it does what it needs to do?
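The same custom policy can be built without the admin center by using Exchange Online PowerShell, which is also the easiest way to confirm afterwards exactly what was saved. The block below is an added example and is not code from the original post: the policy and rule names, the extension list and the notification address are placeholders to replace with your own values, and only the recipient domain comes from the post. The custom detection-response text is left to the admin center steps above, because its PowerShell parameters have changed across Exchange Online versions. It assumes the ExchangeOnlineManagement module and an account that holds the Organization Management role.

```powershell
# Added example: create the custom anti-malware policy and scope it to one
# recipient domain with Exchange Online PowerShell (not the original post's code).
# Names, extension list and the admin address below are assumptions for this example.

Connect-ExchangeOnline

$policyName = 'Custom Malware Policy - ThatLazyAdmin'   # assumed policy name
$ruleName   = "$policyName rule"                        # assumed rule name
$domain     = 'ThatLazyAdmin.com'                       # domain used in the post
$adminAddr  = 'secops@thatlazyadmin.com'                # placeholder notification address

# 1. The policy holds the settings: the Common Attachment Types Filter list and
#    the administrator notification for undelivered internal messages.
#    -FileTypes sets the full list for this policy (extensions without the dot).
New-MalwareFilterPolicy -Name $policyName `
    -AdminDisplayName 'Blocks extra attachment types for one domain' `
    -EnableFileFilter $true `
    -FileTypes @('ace', 'ani', 'app', 'exe', 'jar', 'scr', 'vbs', 'ws') `
    -EnableInternalSenderAdminNotifications $true `
    -InternalSenderAdminAddress $adminAddr

# 2. The rule decides who the policy applies to. Scoping by recipient domain
#    matches the "The recipient domain is" condition in the admin center.
#    Priority 0 places it ahead of other custom rules; the default policy is
#    always evaluated last regardless of this value.
New-MalwareFilterRule -Name $ruleName `
    -MalwareFilterPolicy $policyName `
    -RecipientDomainIs $domain `
    -Priority 0

# 3. Read back the result and check scope, priority and blocked types before
#    relying on the policy.
Get-MalwareFilterRule -Identity $ruleName |
    Format-List Name, State, Priority, RecipientDomainIs, MalwareFilterPolicy

Get-MalwareFilterPolicy -Identity $policyName |
    Format-List Name, EnableFileFilter, FileTypes,
                EnableInternalSenderAdminNotifications, InternalSenderAdminAddress

Disconnect-ExchangeOnline -Confirm:$false
```

If you later want to add extensions to an existing policy rather than replace the list, read the current `FileTypes` value first and pass the combined array to `Set-MalwareFilterPolicy`, since `-FileTypes` overwrites the list.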
To verify that the malware filtering policy is working, we need to create a test file called EICAR.TXT.
Use the EICAR.TXT file to verify malware filtering functionality
- Create a new text file, and then name the file EICAR.TXT.
- Copy the following line into the text file:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Make sure that this is the only string in the file. When done, you will have a 68-byte file.
Note that if you are using a desktop antivirus program, make sure to exclude the directory where this file is stored from scanning.
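The test only proves something if the file really is the 68-byte string: a text editor or the `Set-Content`/`Out-File` cmdlets can silently add a byte-order mark or a trailing newline, and the result is then not the EICAR string at all. The block below is an added example, not code from the original post; it writes the file as plain ASCII and checks the byte count and content before you attach it. The output path is an assumption.

```powershell
# Added example: create EICAR.TXT byte-exactly and verify it (not the post's own code).
# The path is an assumption; the directory should be excluded from desktop AV scanning,
# otherwise the file may be quarantined the moment it is written.

$path  = Join-Path $env:TEMP 'EICAR.TXT'   # assumed location for the test file
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# Single quotes keep $EICAR and $H literal. Writing through .NET with ASCII
# encoding avoids the BOM and the newline that Set-Content/Out-File would add.
[System.IO.File]::WriteAllText($path, $eicar, [System.Text.Encoding]::ASCII)

# Verify length and content; a 69- or 70-byte file means a BOM or line ending crept in.
$bytes = [System.IO.File]::ReadAllBytes($path)
if ($bytes.Length -ne 68) {
    throw "Expected 68 bytes but got $($bytes.Length); check for a BOM or trailing newline."
}
if ([System.Text.Encoding]::ASCII.GetString($bytes) -ne $eicar) {
    throw 'File content does not match the EICAR test string.'
}
Write-Host "EICAR.TXT written to $path ($($bytes.Length) bytes), ready to attach."

# After the mail test is complete, remove the file so it does not keep
# triggering desktop scanners or alarming other users:
# Remove-Item -Path $path
```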
Attach this file to an email message that will be filtered by the service.
Check the recipient mailbox of the test message. Depending on the malware detection response you have configured, the entire message will be deleted, or the attachment will be deleted and replaced with the alert text file. Any configured notifications will also be distributed.
The recipient may receive a notification message, as in the image above, showing that the original email was removed.
Delete the EICAR.TXT file after testing is completed so that other users are not unnecessarily alarmed.