Malware detection fails to identify virus from external sender

    Question

  • Recently one of my users received a virus from an external sender. The virus was a VBScript macro in a Word Document. Usually the anti-malware filter would remove any suspicious attachments, but in this case it left the attachment. However, when the user forwarded the email to an internal recipient the attachment was removed by the malware filtering policy.

    I cannot see a reason why this would happen. I had assumed it must have been a setting in the Malware filter policy, but I cannot see anything which would cause this.

    Does anyone know why this might have happened and how I can stop it happening again?

    Tuesday, December 8, 2015 11:01 AM

Answers

  • Hi,

    Do you deploy other third-party anti-malware protection?

    If you use built-in anti-malware protection and experience this issue, it might be because the attachment received does not contain any active malicious code, or it's a new variant and our anti-malware engine has not yet released a pattern file.

    For your question, how about resending those problematic messages from the external sender?

    If it still passes, please save a copy of the email message with its attached virus, go to the Malware Protection Center and submit a sample using the detailed instructions on that page. When submitting the file, in the Product drop-down list select Other, select the I believe this file contains malware option, and in the Comments field specify Exchange Server 2013. After we receive the sample, we'll investigate and if it's determined that the sample contains malware, we'll take corrective action to prevent the virus from going undetected.


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Allen Wang
    TechNet Community Support

    • Marked as answer by EXP-S2 Monday, December 14, 2015 2:14 PM
    Wednesday, December 9, 2015 3:27 AM
    Moderator

All replies

  • Thanks for your help Allen, I think you have identified the cause of the problem. We do use a third-party SMTP gateway which also provides malware protection. Thinking about it now, I seem to recall that in this scenario Exchange does not rescan the items already marked as safe by the third-party anti-malware device.

    I had a look and found the below article which indicates that it is possible to force a rescan, but this article only references Forefront Online Protection. Do you think I can use this for an internally hosted SMTP gateway also?

    https://technet.microsoft.com/en-us/library/jj150548(v=exchg.150).aspx 



    Wednesday, December 9, 2015 12:43 PM
  • Hi,

    According to the TechNet document, it indicates that it only applies to Microsoft Exchange Server 2013 customers who are using cloud-hosted email filtering.

    By default, if we implement FPE on the Edge servers, scanned messages don't need to be scanned again on the Hub servers; however, we can set the Exchange server to rescan messages as in the link you provided above.

    For your question, you can contact the program vendor to collect and report this variant. Sorry for any inconvenience.


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Allen Wang
    TechNet Community Support

    Friday, December 11, 2015 3:15 AM
    Moderator
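The rescan setting discussed in the two replies above, as an added example that is not part of the thread: an Exchange Management Shell script that audits the built-in malware agent on each Mailbox server and, only when asked, turns on the rescan. It assumes the setting is the ForceRescan parameter of Set-MalwareFilteringServer as documented in the linked TechNet article; whether that also covers an on-premises SMTP gateway is the open question in the thread, so verify it against that article before relying on it.

```powershell
# Added example (not from the thread): report the state of the built-in
# Exchange 2013 malware agent on every Mailbox server and optionally enable
# ForceRescan, so messages that arrive already stamped as scanned upstream
# are scanned again by the built-in engine.
# Assumes an Exchange Management Shell session with permission to read and
# change transport settings; server identities come from the organization.
param(
    [switch]$Enable   # without -Enable the script only reports, it changes nothing
)

$servers = Get-MalwareFilteringServer

foreach ($s in $servers) {
    # If the Malware Agent itself is disabled on a server, ForceRescan has
    # no effect there, so record that alongside the filtering settings.
    $agent = Get-TransportAgent -Identity "Malware Agent" -Server $s.Identity `
             -ErrorAction SilentlyContinue
    $agentEnabled = if ($agent) { $agent.Enabled } else { $false }

    # BypassFiltering $true skips the engine entirely; ForceRescan $false
    # means messages already marked as scanned upstream are not rescanned.
    [pscustomobject]@{
        Server          = $s.Identity
        AgentEnabled    = $agentEnabled
        BypassFiltering = $s.BypassFiltering
        ForceRescan     = $s.ForceRescan
        UpdateFrequency = $s.UpdateFrequency
    }

    if ($Enable -and $agentEnabled -and -not $s.BypassFiltering -and -not $s.ForceRescan) {
        Set-MalwareFilteringServer -Identity $s.Identity -ForceRescan $true
        Write-Host "Enabled ForceRescan on $($s.Identity)"
    }
    elseif ($Enable -and (-not $agentEnabled -or $s.BypassFiltering)) {
        Write-Warning "Skipping $($s.Identity): malware agent disabled or bypassed, rescan would not run."
    }
}
```

Run it once without -Enable to see the current state; rescanning every message already scanned by the gateway adds load on the Mailbox servers, so enable it deliberately rather than by default.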