In this video Sharon describes malware and why it needs to be blocked, and then demonstrates how to create and configure anti-malware policies in Office 365.
- [Instructor] Malicious software, or, as we also like to call it, malware, is a computer program designed to do damage. These programs can include viruses, ransomware, adware, or worms. The payload can be stealing passwords, encrypting files, or transmitting data to other sources. Exchange Online comes with built-in anti-malware protection policies which are enabled by default. Exchange Online Protection protects both inbound and outbound messages by default, and is deployed to all users. The default policy cannot be deleted, but you can edit it.
The default policy is pretty aggressive, and will just automatically delete an entire message if malware is detected. You can also create your own custom policies, and apply those to specific users. Let's go ahead and create an anti-malware policy to handle messages where malware has been detected. I've logged into the Office 365 Admin center, and I'm going to go ahead and launch the Exchange admin portal. You will find the malware filters under protection, and you will notice we already have that default policy, and it cannot be deleted. Let's take a look at it.
As I mentioned, this policy is a little aggressive. It will delete the entire message. If we scroll down, it will not look for any blocked attachments, and there is no notification that malware has been detected. I'm going to go ahead and Cancel this. Let's create a new policy and explore all the options. I'm going to go ahead and click +. I'm going to go ahead and give it a name, and add a description as necessary. Within this policy, what do we want to happen if malware is detected? We can delete the entire message, we can delete all attachments and then use a default alert text, or we can delete all the attachments and use a custom alert text.
I'm going to go ahead and delete the entire message. Next, I like to turn on Common Attachment Filter Types. You will notice there are several attachment filter types already added for us, but we can go ahead and add an additional one by clicking the +, and I'm going to tick .lts. Click Add, click OK, and now that has been added to our list. As you recall, in the default policy there were no notifications.
I also like to turn on the notifications. I can let both my internal and external senders know that there was a message that triggered the malware policy. I also like to send a message to the administrator of the undelivered message. You can go ahead, turn that on, and then enter in the administrator email address as necessary. If you'd opted to create customized notifications, you would enter that information in as required. And, finally, who do we want this policy to apply to? We can do it to a recipient, a domain, or a member of.
For this demo, I'm going to use the entire domain. It's already listed for me. Click Add, and OK. That's it, click Save. As you can see, I had an error. You cannot have a white space after the policy name. I've just gone back, corrected that, hit Tab, and I'll go back down now and hit Save. That will happen quite often, actually, if you do a copy and paste. We now have our Company Policy. We can go ahead and move that up the priority list, as well. Now, let's do the same procedure in PowerShell.
I'm going to go ahead and launch PowerShell by clicking the Windows key, and then typing power. I'm going to use the PowerShell Integrated Scripting Environment, and I'm going to run as administrator, therefore I'm going to right click, and Run as administrator. I have a script already prepared for us, so I'm going to go ahead and open it. First thing I need to do is authenticate to Office 365. To do so, I'm going to use the Get-Credential command, and save that value in the user credential variable.
I'm going to go ahead and connect to the Microsoft Online Service, passing the credential. Next, I'm going to connect to Exchange. I'm using the PSSession for this. My connection URI has been included. I'm passing my credential information. Our authentication is Basic, and we are allowing for redirection. Finally, I'm going to go ahead and import the PSSession. Now that I'm connected, I'm going to go ahead and clear the screen.
We can now start creating the filter policies. We're going to go ahead and create a new malware filter policy. We're going to name it Company Malware Policy. Our action is to delete the message. I'm turning on EnableInternalSenderAdminNotifications, and because I have turned it on, I need to include the address of the admin, which I have done. I'm going to go ahead and run this line. Our policy has been created. I now want to modify this policy.
To do so, I'm using the set command. I'm specifying the policy that I want to edit. I want to turn on the file filters, and I want to detect files with the extensions of bat, ace, and LOL with the exclamation mark. If you want to add in custom filters, you do so using PowerShell. I'm going to go ahead and run this. LOL! is a custom extension that I am including. I know that this is a common extension for ransomware attachments.
LOL! was not in the list of pre-populated extensions, therefore if you want to add in a custom extension, you need to do so using PowerShell and the set malware filter policy. I'm now going to go ahead and take a look at that policy, and I'm formatting it as a list. If I scroll up a little bit, we're going to notice that our internal sender admin address has been enabled, and our email address is included. We see our action is to DeleteMessage, and we'll see our file types, there, are the bat, the ace, and the LOL!.
I'm going to go ahead and clear my screen. Now, we have a policy. Now, we want to apply that policy to our users. To do so, we use a New-MalwareFilterRule. You'll provide a name; I'm keeping mine very simple: Applied to All users. I'm specifying the filter policy that I want to push out to my users. In this case, it's the one we just created, and I'm going to push this out to all the users in the domain.
I'm going to go ahead and run this selection. That filter rule has been created, and let's look at the details of that filter rule. The command you'll use here is Get-MalwareFilter, and you're going to specify the name of the filter rule you just created. I've just modified mine to match it. I'm going to go ahead and run that selection, and scroll up a little bit. We can now see the filter policy was Company Malware Policy. It is enabled. We can see it's been applied to all recipients in our domain, and the identity is applied to all users.
To recap, you cannot delete the default policy, but you can edit it. Furthermore, you can add your own custom policies, and if you want to filter on specific extensions that are not in the pre-populated list, you will do so using PowerShell.
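The PowerShell procedure the video walks through (create the policy, enable the attachment filter with a custom extension, bind the policy to the domain with a rule, then verify), written out as one added example. This script is not from the video or from Microsoft; the admin UPN, the notification mailbox secops@contoso.com, the domain contoso.com and the policy and rule names are assumed placeholders. It differs from the video in two ways worth knowing: it connects with the ExchangeOnlineManagement module, because Microsoft has retired Basic authentication for Exchange Online Remote PowerShell, so the New-PSSession connection shown in the video no longer works; and it does not pass -Action DeleteMessage, which current cmdlet documentation marks as on-premises only (detected malware is quarantined in Exchange Online). It also reads the existing file-type list before writing, because -FileTypes replaces the whole list rather than appending to it.

```powershell
# Added example, not code from the video. Placeholders: admin UPN, secops@contoso.com,
# contoso.com, and the policy/rule names.
# Requires: Install-Module ExchangeOnlineManagement
# The video's New-PSSession + Basic auth connection no longer works: Microsoft retired
# Basic authentication for Exchange Online Remote PowerShell.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com'

# Trim the name: a trailing space after the policy name is exactly what produced
# the Save error in the video's portal walk-through (common after copy and paste).
$policyName   = 'Company Malware Policy '.Trim()
$adminAddress = 'secops@contoso.com'     # assumed mailbox for admin notifications
$domain       = 'contoso.com'            # assumed tenant domain
$ruleName     = 'Applied to All users'

# 1. Create the policy (idempotent: skip if it already exists).
#    -Action DeleteMessage from the video is documented today as on-premises only;
#    in Exchange Online detected malware is quarantined. Confirm in your tenant with:
#    Get-Help New-MalwareFilterPolicy -Parameter Action
if (-not (Get-MalwareFilterPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-MalwareFilterPolicy -Name $policyName `
        -EnableInternalSenderAdminNotifications $true `
        -InternalSenderAdminAddress $adminAddress | Out-Null
}

# 2. Turn on the common attachment types filter and add extensions.
#    -FileTypes replaces the whole list, so read the current entries and merge;
#    passing only the new ones would silently drop the prepopulated types.
$wanted  = @('bat', 'ace', 'lol!')     # 'lol!' is the custom extension from the video
$current = @((Get-MalwareFilterPolicy -Identity $policyName).FileTypes)
$merged  = @($current + $wanted | ForEach-Object { $_.ToLower() } | Sort-Object -Unique)
Set-MalwareFilterPolicy -Identity $policyName -EnableFileFilter $true -FileTypes $merged

# 3. Bind the policy to recipients. A policy with no rule applies to nobody;
#    priority 0 puts it ahead of other custom rules (the default policy is always last).
if (-not (Get-MalwareFilterRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-MalwareFilterRule -Name $ruleName -MalwareFilterPolicy $policyName `
        -RecipientDomainIs $domain -Priority 0 | Out-Null
}

# 4. Verify both objects. The rule cmdlet is Get-MalwareFilterRule (the video
#    refers to it as Get-MalwareFilter). Check State is Enabled and the file
#    list still contains the prepopulated entries alongside bat, ace and lol!.
Get-MalwareFilterPolicy -Identity $policyName |
    Format-List Name, EnableFileFilter, FileTypes,
                EnableInternalSenderAdminNotifications, InternalSenderAdminAddress
Get-MalwareFilterRule -Identity $ruleName |
    Format-List Name, MalwareFilterPolicy, State, Priority, RecipientDomainIs

Disconnect-ExchangeOnline -Confirm:$false
```

Run it from a PowerShell session with an account holding an Exchange admin role. The Get-before-New checks make the script safe to re-run; if you change the extension list later, re-run step 2 only, and keep the read-merge-write pattern so the list never shrinks unintentionally.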