none
How to configure Attachment Filter agent on Exchange 2013 ?

    Question

  • Hi all,

    I have installed Exchange 2013 (Mailbox + Client Access role) without Edge . I tried but

    Enable-TransportAgent -Identity "Attachment Filter agent"

    isn't work , as I google The Connection Filter agent and the Attachment Filter agent are only available on an Edge Transport server .
    The default anti-malware policy doesn't let me configure what file type should be block , recipient / sender should be excluded . How can I manage it ?

    Hope somebody can help. Thanks in advance.

    Jack

    Monday, April 15, 2013 10:28 PM

Answers

  • The Malware Filter runs on every 2013 Mailbox server to protect against malware and viruses. For more info, see Anti-Malware Protection.

    Outlook and OWA are configured by default to block 'evil' attachment types like .com, .bat, .exe, .vbs, etc., so you users will never see them. The blocked Outlook 2010 types are listed here, and you can see the blocked OWA types by running the command: Get-OwaMailboxPolicy Default | select -ExpandProperty BlockedFileTypes.

    Since you definitely can't run the Attachment Filter agent on a Mailbox server, you have a couple of choices:

    • Install a down-level 2010 or 2007 Edge Transport server. That gives you Attachment Filtering and Connection Filtering. For more info, see Use an Edge Transport Server in Exchange 2013.
    • Use transport rules to search for messages with evil attachments, and then drop or redirect the messages that contain them.
    • Marked as answer by Jack Chuong Saturday, April 20, 2013 1:40 AM
    Friday, April 19, 2013 11:59 PM

All replies

  • Hello,

     

    In Exchange 2010, when you enabled the anti-spam agents on a Hub Transport server, the Attachment Filter agent was the only anti-spam agent that wasn't available. In Exchange 2013, when you enable the anti-spam agents in the Transport service on a Mailbox server, the Attachment Filter agent and the Connection Filtering agent aren't available. The Connection Filtering agent provides IP Allow List and IP Block List capabilities. For information about how to enable the anti-spam agents on a Mailbox server, see Enable Anti-Spam Functionality on a Mailbox Server.

    Thanks,


    Simon Wu
    TechNet Community Support

    Tuesday, April 16, 2013 6:57 AM
  • Thank for reply Simon,
    I enabled anti-spam agents in the Transport service on a Mailbox server , I know that Attachment Filter agent and the Connection Filtering agent aren't available .
    What if people attach exe , cmd , bat , php , vbs , ... to message and send it to my user ?
    I don't have any antivirus or security software on my Exchange server to protect it.
    I attempt to use Kaspersky Koss 3 but they haven't release version for Exchange 2013 yet.

    Thanks.

    Wednesday, April 17, 2013 2:26 AM
  • The Malware Filter runs on every 2013 Mailbox server to protect against malware and viruses. For more info, see Anti-Malware Protection.

    Outlook and OWA are configured by default to block 'evil' attachment types like .com, .bat, .exe, .vbs, etc., so you users will never see them. The blocked Outlook 2010 types are listed here, and you can see the blocked OWA types by running the command: Get-OwaMailboxPolicy Default | select -ExpandProperty BlockedFileTypes.

    Since you definitely can't run the Attachment Filter agent on a Mailbox server, you have a couple of choices:

    • Install a down-level 2010 or 2007 Edge Transport server. That gives you Attachment Filtering and Connection Filtering. For more info, see Use an Edge Transport Server in Exchange 2013.
    • Use transport rules to search for messages with evil attachments, and then drop or redirect the messages that contain them.
    • Marked as answer by Jack Chuong Saturday, April 20, 2013 1:40 AM
    Friday, April 19, 2013 11:59 PM
  • Thank you Chris,

    Cause I haven't condition to install an Edge Server , I will choose transport rules.

    What if I want to trust email from a sender whatever attached file in it's message , Add-IPAllowListEntry or Get-ContentFilterConfig -BypassedSenderDomains  -BypassedSender is enough ?

    Saturday, April 20, 2013 1:54 AM
  • The Connection Filtering agent doesn't work on Exchange 2013 Mailbox servers or Client Access servers, so it would do you no good to use Add-IPAllowListEntry. You can get Connection Filtering if you install an Exchange 2010/2007 Edge Transport server.

    You can use a combination of BypassedRecipients, BypassedSenders, or BypassedSenderDomains on Set-ContentFilterConfig to exempt specific senders or recipients from scanning by the Content Filter agent. For more information, see Manage Content Filtering.

    Monday, April 22, 2013 8:17 PM