Malware filter isn't blocking anything.

  • Question

  • My organization is being flooded with spam carrying malware attachments, and the malware filter isn't blocking any of them.  The Exchange 2016 server was installed with the mailbox role and is directly handling the mail without any other servers involved.  Here is the agent summary, showing the antispam and malware agents enabled:

    Identity                                           Enabled         Priority       
    --------                                           -------         --------       
    Transport Rule Agent                               True            1              
    DLP Policy Agent                                   True            2              
    Malware Agent                                      True            3              
    Content Filter Agent                               True            4              
    Sender Id Agent                                    True            5              
    Sender Filter Agent                                True            6              
    Recipient Filter Agent                             True            7              
    Protocol Analysis Agent                            True            8              
    Text Messaging Routing Agent                       True            9              
    Text Messaging Delivery Agent                      True            10             
    System Probe Drop Smtp Agent                       True            11             
    System Probe Drop Routing Agent                    True            12  

    Ironically, if a user in OWA clicks the spam button on one of these infected mails and tries to submit it to Microsoft, the OUTBOUND message is caught by the malware agent and blocked.  It's just doing nothing whatsoever to inbound messages.  I've checked and confirmed that the malware definitions are being regularly updated and are current.  Pulling up an infected message with Get-AgentLog shows that the message was assigned an SCL of 0 and accepted.

    Friday, May 6, 2016 6:20 PM

Answers

  • I believe I've solved the issue myself.  Despite the install windows for Exchange saying that the antimalware agent will be installed unless you manually override, and despite the malware agent showing up as being enabled, it actually is not.  Only after manually re-enabling it in Exchange Shell did it actually start blocking anything.  The command I put in is:
    & $env:ExchangeInstallPath\Scripts\Enable-AntimalwareScanning.ps1
    • Marked as answer by GeorgeJack Tuesday, May 17, 2016 10:46 PM
    Tuesday, May 17, 2016 10:45 PM
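    The symptom in the accepted answer (agent listed as Enabled = True but scanning nothing inbound) is what you see when the malware agent is registered with transport but the server's BypassFiltering flag is set, which is the state Disable-AntimalwareScanning.ps1 leaves behind and, as I read it, the flag that Enable-AntimalwareScanning.ps1 clears. The following diagnostic is an added example and not part of the original thread; it assumes the Exchange Management Shell is open on the Exchange 2016 mailbox server that accepts inbound mail, and that no Edge Transport server is in the path. The cmdlets used (Get-TransportAgent, Get-MalwareFilteringServer, Set-MalwareFilteringServer, Get-AgentLog) are standard Exchange cmdlets; the 24-hour log window and the use of $env:COMPUTERNAME as the server identity are my choices.

    ```powershell
    # Added example (not from the thread). Run in the Exchange Management Shell
    # on the Exchange 2016 mailbox server that handles inbound mail.
    # Purpose: separate "Malware Agent is registered" (what Get-TransportAgent
    # reports) from "Malware Agent is actually scanning" (BypassFiltering on the
    # server), then show from the agent log whether it has acted on anything.

    $server = $env:COMPUTERNAME   # assumption: running on the server being checked

    # 1. Registration state: the same view as the Get-TransportAgent summary in the
    #    original post. Enabled = True here says nothing about scanning.
    $agent = Get-TransportAgent -Identity "Malware Agent"
    "Malware Agent registered: {0}; Enabled: {1}" -f ($null -ne $agent), $agent.Enabled

    # 2. Scanning state. When BypassFiltering is True the agent stays enabled but
    #    passes every message through without inspecting attachments.
    $mfs = Get-MalwareFilteringServer -Identity $server
    "BypassFiltering on {0}: {1}" -f $server, $mfs.BypassFiltering

    # 3. Evidence: agent log entries in the last 24 hours attributed to the
    #    Malware Agent, grouped by the action it took. Zero entries while inbound
    #    mail with attachments is flowing is consistent with the bypass state.
    $since = (Get-Date).AddHours(-24)
    $hits  = @(Get-AgentLog -StartDate $since -EndDate (Get-Date) |
               Where-Object { $_.Agent -eq "Malware Agent" })
    "Malware Agent log entries since {0}: {1}" -f $since, $hits.Count
    $hits | Group-Object Action | Select-Object Name, Count | Format-Table -AutoSize

    # 4. Remediation, only if scanning is bypassed. This is the core of what
    #    Enable-AntimalwareScanning.ps1 does (that script additionally installs the
    #    agent when it is missing). The transport service must be restarted for
    #    the change to take effect.
    if ($mfs.BypassFiltering) {
        Set-MalwareFilteringServer -Identity $server -BypassFiltering $false
        Restart-Service MSExchangeTransport
        (Get-MalwareFilteringServer -Identity $server).BypassFiltering
    }
    ```

    After the restart, re-run step 3 against a fresh test message carrying a harmless EICAR test file as an attachment rather than waiting for the next real sample; a Malware Agent entry for that message is the confirmation that inbound scanning is back, and Get-TransportAgent alone would never have told you it was off.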

All replies

  • Have you read this guide to setting up the Antispam and malware protection in Exchange 2016? Maybe it has some answers for you.

    https://technet.microsoft.com/en-us/library/jj218660(v=exchg.160).aspx 

    My organization uses an external spam filtering service to stop spam before it gets to our network. There are many of them and some of them are quite good at stopping spam and malware. If you insist on doing your own filtering on your own network using the filtering in Exchange 2016, I would recommend putting in an Edge Transport server and running your filtering from there and not on the mailbox server.

    Please remember to select Mark as Answer if someone provides the answer or mark as helpful if the response helps to lead you in the right direction.


    Friday, May 6, 2016 6:34 PM
  • Yes, all of those steps were done after the initial install, you can see the antispam agents enabled in the get-transportagent output from my original post.  Additionally, the Technet article only covers the antispam agents, not the antimalware agent, which is installed by default in the Exchange 2016 installer unless you override the setting.
    Friday, May 6, 2016 6:58 PM
  • Thanks for the pointer to the article.  After reading, I realized anti-spam was not enabled, so I took care of that.

    Saturday, September 3, 2016 11:03 AM