Practical 365

Restoring the Default Malware Filter Policy in Exchange Online Protection

January 22, 2018 by Paul Cunningham

I stumbled across this little quirk while I was preparing some content for my upcoming Office 365 security course. In my demo tenant I wanted to reset the default malware filter policy in Exchange Online Protection to its original settings. However, I found that even though I can turn off settings such as the administrator notifications, the Exchange admin center won’t let me remove the email addresses.

The same goes for other options such as custom notification texts. You can change the text, but not remove it entirely. I even tried just a blank space, but that didn’t work. For whatever reason, the web admin portals just won’t let you clear out certain settings.

I considered just ignoring the problem, but then I thought about when it might actually be useful to clear those settings. Perhaps an evaluation of EOP has been completed, and you want to reset the policy to its original settings… a bit of a stretch I guess. Still, it’s nice to know that it can be done, especially when I happen to need it for this course content. The solution, as with many things, is to use PowerShell.

For reference, here are the default malware filter policy settings for a new Exchange Online organization. This assumes that the default policy in the tenant is named “Default”, which is the default name for the default policy. I’ve removed a few lines from this output that are not relevant.

PS C:\> Get-MalwareFilterPolicy -Identity Default | fl
 
 
CustomAlertText                        :
CustomInternalSubject                  :
CustomInternalBody                     :
CustomExternalSubject                  :
CustomExternalBody                     :
CustomFromName                         :
CustomFromAddress                      :
InternalSenderAdminAddress             :
ExternalSenderAdminAddress             :
BypassInboundMessages                  : False
BypassOutboundMessages                 : False
Action                                 : DeleteMessage
IsDefault                              : True
CustomNotifications                    : False
EnableInternalSenderNotifications      : False
EnableExternalSenderNotifications      : False
EnableInternalSenderAdminNotifications : False
EnableExternalSenderAdminNotifications : False
EnableFileFilter                       : False
FileTypes                              :
ZapEnabled                             : True

Note that the BypassInboundMessages and BypassOutboundMessages options can’t be changed in EOP (they are for Exchange on-premises only).

So to revert the default policy to the default settings, the following command is run in an Exchange Online PowerShell session.

PS C:\> Set-MalwareFilterPolicy -Identity Default `
-CustomAlertText $null `
-CustomInternalSubject $null `
-CustomInternalBody $null `
-CustomExternalSubject $null `
-CustomExternalBody $null `
-CustomFromName $null `
-Action DeleteMessage `
-CustomNotifications $False `
-EnableInternalSenderNotifications $False `
-EnableExternalSenderNotifications $False `
-EnableInternalSenderAdminNotifications $False `
-EnableExternalSenderAdminNotifications $False `
-ZapEnabled $True

Excluded from that command are the CustomFromAddress, InternalSenderAdminAddress, and ExternalSenderAdminAddress. Those settings can’t be nulled. If you try, you’ll receive an error along these lines:

PS C:\> Set-MalwareFilterPolicy -Identity Default -CustomFromAddress $null
 
Cannot process argument transformation on parameter 'CustomFromAddress'. Cannot convert null to type
"Microsoft.Exchange.Data.SmtpAddress".

I did some testing to see if there was another way to clear those settings. One approach I tried was to create a brand new malware filter policy in PowerShell, then make that new policy the default. In doing so I caused both the EAC and the Security & Compliance Center web interfaces to break. After waiting to see if the errors would clear on their own, I gave up on that approach and rolled the change back.

In my command above I also excluded the list of file types for attachment blocking. The FileTypes option is blank until you enable the file filter, when it is automatically populated with the following file types:

PS C:\>
 
ace
ani
app
docm
exe
jar
reg
scr
vbe
vbs

If you later disable the file filter, the list of file types remains in the policy but has no effect on mail flow. If you modify or remove the list of file types, EOP won’t put them back for you if you re-enable the file filter later on. You can null the file types list with the following command.

PS C:\> Set-MalwareFilterPolicy -Identity "Default" -FileTypes @()

If you want to restore the default set of file types for attachment filtering, the following commands are used.

PS C:\> $filetypes = @("ace",
"ani",
"app",
"docm",
"exe",
"jar",
"reg",
"scr",
"vbe",
"vbs")
 
PS C:\> Set-MalwareFilterPolicy -Identity Default -FileTypes $filetypes
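
To confirm that a reset actually took effect, or to spot a policy that has drifted from the defaults listed earlier, the policy can be compared against that baseline. The script below is an added example, not part of the original article: the function name `Compare-MalwarePolicyToBaseline` is hypothetical, the sample policy object and its address are constructed so the script runs without a tenant connection, and the FileTypes list is left out of the comparison.

```powershell
# Baseline values copied from the default policy output in this article.
$Baseline = [ordered]@{
    CustomAlertText                        = $null
    CustomInternalSubject                  = $null
    CustomInternalBody                     = $null
    CustomExternalSubject                  = $null
    CustomExternalBody                     = $null
    CustomFromName                         = $null
    CustomFromAddress                      = $null
    InternalSenderAdminAddress             = $null
    ExternalSenderAdminAddress             = $null
    Action                                 = 'DeleteMessage'
    CustomNotifications                    = $false
    EnableInternalSenderNotifications      = $false
    EnableExternalSenderNotifications      = $false
    EnableInternalSenderAdminNotifications = $false
    EnableExternalSenderAdminNotifications = $false
    EnableFileFilter                       = $false
    ZapEnabled                             = $true
}
# Address settings the article found cannot be set to $null.
$NotNullable = 'CustomFromAddress', 'InternalSenderAdminAddress', 'ExternalSenderAdminAddress'

function Compare-MalwarePolicyToBaseline {   # hypothetical helper name
    param([Parameter(Mandatory)] $Policy)
    foreach ($name in $Baseline.Keys) {
        # Normalise $null, empty and whitespace-only values to '' before comparing.
        $actual   = ([string]$Policy.$name).Trim()
        $expected = [string]$Baseline[$name]
        if ($actual -ne $expected) {
            [pscustomobject]@{
                Setting     = $name
                Expected    = $expected
                Actual      = $actual
                CanBeNulled = $name -notin $NotNullable
            }
        }
    }
}

# Constructed sample standing in for: Get-MalwareFilterPolicy -Identity Default
$sample = New-Object psobject -Property $Baseline
$sample.CustomAlertText            = 'Constructed sample alert text'
$sample.InternalSenderAdminAddress = 'admin@example.com'

Compare-MalwarePolicyToBaseline -Policy $sample | Format-Table -AutoSize
```

Against a live tenant, pass the output of `Get-MalwareFilterPolicy -Identity Default` in place of `$sample`; rows with `CanBeNulled` set to False are the leftover address settings described above.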
