Managing Exchange 2013 Anti Malware Scanning – Part 2

In the last article, Managing Exchange 2013 Anti Malware Scanning – Part 1, we looked at the traditional way to configure Anti Malware Protection in Exchange 2013. In Part 2, I am going to write a little more about how to configure a policy using powershell. By the end of this part you will notice a few differences between what the EAC lets you configure for Anti Malware Protection and the additional tasks powershell can perform.

Powerful Way

I have no clue why Microsoft named that black and white CLI powershell, but it truly is powerful in many ways, and it proves it with configuration work as well. There are several tasks in Exchange that cannot be performed from the GUI; powershell is the only option unless someone writes custom code for a whole new interface. With all that said, anti malware protection is no exception: the EAC does not expose every malware policy setting, but powershell does.

Let us take a look at how we use powershell to configure a new malware policy. To create one we use the cmdlet New-MalwareFilterPolicy. This cmdlet accepts 22 usable named parameters and 2 reserved for internal use by Microsoft.

I am going to translate the policy that I configured in Part 1 to powershell in this example. The powershell translation of the configured policy looks like this:

New-MalwareFilterPolicy -Name "Custom Policy" -AdminDisplayName "Custom Policy Configured for AMP testing" -CustomNotifications $true -CustomFromName "Anti Malware Protection" -Action DeleteAttachmentAndUseCustomAlertText -CustomFromAddress "amp@egi.local" -CustomInternalSubject "A message from internal sender was deleted but generated NDR" -CustomInternalBody "A message from internal sender was found harmful and deleted. A notification was sent but generated a NDR. Please check logs"

The newly created policy can then be edited using the EAC. Note that a custom policy is only applied to recipients once a malware filter rule (New-MalwareFilterRule) points at it; without a rule, only the Default policy is in effect.
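As an added example (not code from the original post), the following script creates the same policy, binds it to recipients with a malware filter rule, and verifies the result. The domain egi.local, the admin mailbox address, the rule name and the replacement attachment text are assumptions; run it in the Exchange Management Shell on an Exchange 2013 Mailbox server.

```powershell
# Added example, not from the original post. The domain, addresses, rule name
# and alert text below are placeholders; adjust them for your organization.

$policyName = "Custom Policy"
$domain     = "egi.local"   # assumed recipient domain

# 1. Create the policy. Same settings as the command above, plus the text that
#    replaces a deleted attachment and an admin notification for internal senders.
New-MalwareFilterPolicy -Name $policyName `
    -AdminDisplayName "Custom Policy Configured for AMP testing" `
    -Action DeleteAttachmentAndUseCustomAlertText `
    -CustomAlertText "An attachment was removed because it contained malware." `
    -CustomNotifications $true `
    -CustomFromName "Anti Malware Protection" `
    -CustomFromAddress "amp@$domain" `
    -CustomInternalSubject "A message from internal sender was deleted but generated NDR" `
    -CustomInternalBody "A message from internal sender was found harmful and deleted. A notification was sent but generated a NDR. Please check logs" `
    -EnableInternalSenderAdminNotifications $true `
    -InternalSenderAdminAddress "secops@$domain"

# 2. A custom policy only takes effect once a malware filter rule points at it;
#    without a rule only the Default policy applies. Scope this one to the domain.
New-MalwareFilterRule -Name "$policyName rule" `
    -MalwareFilterPolicy $policyName `
    -RecipientDomainIs $domain `
    -Comments "Custom AMP policy for $domain"

# 3. Verify the policy settings and the rule binding. When several rules match
#    a recipient, the rule with the lower Priority value wins.
Get-MalwareFilterPolicy -Identity $policyName |
    Format-List Name, Action, CustomNotifications, CustomFromAddress, InternalSenderAdminAddress
Get-MalwareFilterRule | Sort-Object Priority |
    Format-Table Name, Priority, State, MalwareFilterPolicy, RecipientDomainIs -AutoSize
```

The rule is what the EAC hides from you when it edits a policy in place: if you later see the custom notifications never fire for a domain, check Get-MalwareFilterRule before you re-check the policy.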


What’s Next?

Okay smarty, you showed off your knowledge of powershell and now I know how to create the policy. What's next? It certainly does not stop here.

Management

Anti malware protection uses the Microsoft AV scanning engine to provide protection. Like other filtering solutions, it needs at least some human intervention to configure and maintain it.

Updates

It uses an antivirus scanning engine to ensure your messages are clean, which means it needs updates to keep its definitions current. You can view the update settings (update path, frequency and timeout) with Get-EngineUpdateCommonSettings; the per-server values behind them are changed with Set-MalwareFilteringServer.


When troubleshooting, you may also need to find out which definition updates are installed on a server. Get-EngineUpdateInformation reports the current engine and signature versions and the status of the last update attempt.


Get-MalwareFilteringServer returns settings similar to Get-EngineUpdateCommonSettings, with some additional ones. For example:

BypassFiltering – configures the engine not to scan messages. If you set it to $true you will notice that the Malware agent is still enabled: it does not disable the agent, it only stops scanning until you set the value back to $false. While it is on, mail flows through the server unscanned, so keep that window short. I would use this to troubleshoot a related problem.

ForceRescan – tells the agent whether to rescan a message even if it was already scanned by Exchange Online Protection. Enabling it gives you a second, on-premises layer of scanning at the cost of extra processing on the server; whether that double check is worth it depends on the deployment, so there is no generic recommendation.

DeferWaitTime, DeferAttempts and the related parameters tell the engine how to handle a message that cannot be scanned: how long to wait before retrying and how many times to retry. I do not want to duplicate what already exists on TechNet; the best reference for all these settings is the Set-MalwareFilteringServer topic.
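As an added example (not code from the original post), this script ties the update checks and the server settings above together: it reads the per-server settings and the definition status, forces a definition update, and wraps a troubleshooting step in a bypass that is always restored. The server name is a placeholder, and the property names passed to Format-List are assumed from the cmdlets' default output; run it in the Exchange Management Shell against an Exchange 2013 Mailbox server.

```powershell
# Added example, not from the original post. $server is a placeholder.

$server = "EX2013-MBX01"

# Per-server engine settings, including the ones discussed above.
Get-MalwareFilteringServer -Identity $server |
    Format-List Name, BypassFiltering, ForceRescan, DeferWaitTime, DeferAttempts, UpdateFrequency, PrimaryUpdatePath, SecondaryUpdatePath

# Definition status: engine/signature versions and the result of the last update
# attempt (property names assumed from the cmdlet's default output).
Get-EngineUpdateInformation |
    Format-List Engine, EngineVersion, SignatureVersion, LastChecked, LastUpdated, UpdateStatus

# Pull definitions now instead of waiting for the next scheduled check.
Update-MalwareFilteringServer -Identity $server

function Invoke-WithMalwareBypass {
    # Runs $Action with scanning bypassed on $Server and restores the previous
    # BypassFiltering value afterwards, even if $Action throws. The Malware agent
    # stays enabled throughout; mail flows unscanned while bypass is on, so keep
    # $Action short.
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [scriptblock] $Action
    )
    $before = (Get-MalwareFilteringServer -Identity $Server).BypassFiltering
    Set-MalwareFilteringServer -Identity $Server -BypassFiltering $true
    try {
        & $Action
    } finally {
        Set-MalwareFilteringServer -Identity $Server -BypassFiltering $before
    }
}

Invoke-WithMalwareBypass -Server $server -Action {
    # Confirms the point made above: the agent is still registered and enabled
    # while bypass is on, only the scanning is skipped.
    Get-TransportAgent -Identity "Malware Agent" | Format-List Identity, Enabled, Priority
    # Reproduce the delivery problem here, then let the finally block restore scanning.
}

# Retry behaviour for messages the engine cannot scan (wait 10 minutes between
# attempts, retry twice) and rescan mail that EOP has already scanned.
Set-MalwareFilteringServer -Identity $server -DeferWaitTime 10 -DeferAttempts 2 -ForceRescan $true
```

The try/finally is the part worth copying: a bypass left on after a troubleshooting session is indistinguishable from a working server in the EAC, because the agent still shows as enabled.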


When we add the powershell snap-in Microsoft.Forefront.Filtering.Management.PowerShell we get two more cmdlets to work with: Get-AntivirusScanPreferenceGroup and Get-AntivirusScanSettings (actually four cmdlets, as each has a Set- counterpart). There is not much you can configure with Set-AntivirusScanPreferenceGroup or Set-AntivirusScanSettings beyond enabling or disabling scanning.

Although nothing looks very configurable, I guess at some point you will be able to use additional or third-party scanning engines to make anti malware protection much better. The reason I think so is the way Microsoft's AV worked in its early days; I remember someone telling me about eight different scanning engines that this AV used.


Finally,

Anti malware protection is an in-the-box feature that can help you reduce your attack surface significantly. Indeed, there is no 100% safe solution against viruses or spammers, but you can always pair the built-in solution with another equally intelligent one to get the best protection available.