Anti-malware
The purpose of this policy is to filter out attachment extensions you don't want your users receiving such as executables and scripts. It also allows you to configure how malware in a message is treated.
Quickconfig
Quick configs provide a list of settings, Microsoft's recommendation, my typical recommendation, links to Microsoft's documentation, and my documentation. These are provided for convenience and educational purposes, consider your scenario and testing before using these in your environment.
| Setting | Msft Standard Rec | Typical Recomendation | MSDoc |
|---|---|---|---|
| Common attachments filter | Enabled | Enabled | Docs |
| File types | Add PowerShell | Docs | |
| Common filter action | Reject | Quarantine | Docs |
| ZAP malware | Enabled | Enabled | Docs |
| Notify admin internal senders | No recommendation | Disabled | Docs |
| Notify admin external senders | No recommendation | Disabled | Docs |
| Customize notifications | No recommendation | Disabled | Docs |
| Quarantine Policy | AdminOnlyAccessPolicy | AdminOnlyAccessPolicy | Docs |
Considerations before deployment
Nothing in particular comes to mind. While you can make it so users can see these quarantined messages that generally wouldn't be advised.
Policy Configuration
This policy is pretty basic and straightforward, a pilot policy is perfectly fine but usually changes you are making are chances to protect your users and not up for much debate.
Scoping users, groups, and domains
Pay attention to the conditions on custom policies, they are evaluated together because of the AND statements. If you put a user and a group, the user must be a member of the group and anyone else who is a member of that group will not be included in this policy unless they are listed on the user list.
Enable the common attachments filter
This is a great feature to protect your users from files that could be malicious in nature.
Customize file types
Here is where you will pick the file extensions you want to block. Whenever you want to add a new extension just type the extension without the period, for example type ps1 not .ps1.
There is a default list of extensions included in here which is pretty comprehensive but does not include blocks for PowerShell files, usually that is worth adding:
- ps1
- psm
- ps1xml
Default extensions
- ace
- ani
- apk
- app
- appx
- arj
- bat
- cab
- cmd
- com
- deb
- dex
- dll
- docm
- elf
- exe
- hta
- img
- iso
- jar
- jnlp
- kext
- lha
- lib
- library
- lnk
- lzh
- macho
- msc
- msi
- msix
- msp
- mst
- pif
- ppa
- ppam
- reg
- rev
- scf
- scr
- sct
- sys
- uif
- vb
- vbe
- vbs
- vxd
- wsc
- wsf
- wsh
- xll
- xz
- z
Microsoft also states some of these extensions support "true type", meaning if you have a file such as a .docx and you attempt to rename the extension to .txt they will try to determine its original file type by looking at the bytes of the file. Also note that along with true type, .zip files are also scanned, so simply zipping a blocked extension will not allow a message through the common attachments filter.
The below expandable section contains a full list of currently supported extensions for the common attachments filter along with if they support "true type" as of December 6th, 2024.
All supported extensions
| Extensions | Supports True Type |
|---|---|
| 7z | False |
| 7zip | True |
| a | False |
| accdb | False |
| accde | False |
| ace | True |
| action | False |
| ade | False |
| adp | False |
| ani | True |
| apk | False |
| app | False |
| appx | False |
| appxbundle | False |
| arj | True |
| asf | True |
| asp | False |
| aspx | False |
| avi | True |
| bas | False |
| bat | False |
| bin | False |
| bundle | False |
| bz | True |
| bz2 | True |
| bzip2 | False |
| cab | True |
| caction | False |
| cer | False |
| chm | True |
| cmd | False |
| com | False |
| command | False |
| cpl | False |
| crt | False |
| csh | False |
| css | False |
| deb | True |
| der | False |
| dex | True |
| dgz | False |
| dll | True |
| dmg | True |
| doc | True |
| docm | True |
| docx | True |
| dos | False |
| dot | True |
| dotm | True |
| dtox [sic] | False |
| dylib | False |
| elf | False |
| exe | True |
| font | False |
| fxp | False |
| gadget | False |
| gz | False |
| gzip | True |
| hlp | False |
| Hta | False |
| hta | False |
| htm | False |
| html | True |
| img | False |
| imp | False |
| inf | False |
| ins | False |
| ipa | False |
| iso | False |
| isp | False |
| its | False |
| jar | True |
| jnlp | True |
| js | False |
| jse | False |
| kext | False |
| ksh | False |
| lha | False |
| lib | True |
| library | False |
| Lnk | True |
| lnk | True |
| lqy | False |
| lzh | True |
| macho | True |
| mad | False |
| maf | False |
| mag | False |
| mam | False |
| maq | False |
| mar | False |
| mas | False |
| mat | False |
| mau | False |
| mav | False |
| maw | False |
| mda | False |
| mdb | False |
| mde | False |
| mdt | False |
| mdw | False |
| mdz | False |
| mht | False |
| mhtml | True |
| msc | False |
| mscompress | True |
| msh | False |
| msh1 | False |
| msh1xml | False |
| msh2 | False |
| msh2xml | False |
| mshxml | False |
| msi | False |
| msix | False |
| msixbundle | False |
| msp | True |
| mst | False |
| o | False |
| obj | True |
| odp | True |
| ods | True |
| odt | True |
| one | True |
| onenote | False |
| ops | False |
| os2 | False |
| package | False |
| pages | False |
| pbix | False |
| pcd | False |
| pdb | False |
| True | |
| php | False |
| pif | True |
| pkg | False |
| plg | False |
| plugin | False |
| ppa | False |
| ppam | True |
| pps | True |
| ppsm | True |
| ppsx | True |
| ppt | True |
| pptm | True |
| pptx | True |
| prf | False |
| prg | False |
| ps1 | False |
| ps1xml | False |
| ps2 | False |
| ps2xml | False |
| psc1 | False |
| psc2 | False |
| pst | False |
| pub | True |
| py | False |
| rar | True |
| reg | False |
| rev | False |
| rpm | True |
| rtf | True |
| scf | False |
| scpt | False |
| scr | False |
| sct | False |
| service | False |
| sh | False |
| shb | False |
| shs | False |
| shtm | False |
| shx | False |
| so | False |
| sys | False |
| tar | True |
| tarz | False |
| terminal | False |
| tgz | False |
| tmp | False |
| tool | False |
| uif | False |
| url | False |
| vb | False |
| vbe | False |
| vbs | False |
| vhd | False |
| vsd | True |
| vsdm | True |
| vsdx | True |
| vsmacros | False |
| vss | True |
| vssx | True |
| vst | True |
| vstm | True |
| vstx | True |
| vsw | False |
| vxd | False |
| w16 | False |
| workflow | False |
| ws | False |
| wsc | False |
| wsf | False |
| wsh | False |
| xhtml | False |
| xla | False |
| xlam | True |
| xll | False |
| xls | True |
| xlsb | True |
| xlsm | True |
| xlsx | True |
| xlt | True |
| xltm | True |
| xltx | True |
| xnk | False |
| xz | True |
| z | True |
| zi | False |
| zip | True |
| zipx | False |
When these file types are found
Specify if you would like to quarantine these emails allowing them to be released by an admin or if these emails should be rejected sending a non-delivery report (NDR) to the original sender. The reject setting can be good to allow the sender to know that attachment isn't accepted, however it could also allow an attacker to know that file type won't be accepted as well.
Enable zero-hour auto purge for malware (Recommended)
This setting is highly recommended. Zero-hour auto purge (ZAP) means if an attachment was originally delivered to a user's mailbox, Microsoft can go and remove that message from the mailbox later if they determine the attachment was malware at a later date.
Notify admin about undelivered messages from internal senders
This setting will email the admin mailbox you specify if a message containing malware was sent to a mailbox from an internal sender.
Notify admin about undelivered messages from external senders
This setting will email the admin mailbox you specify if a message containing malware was sent to a mailbox from an external sender.
Customize notifications
Enabling this allows you to customize the sender name and email address for the admin notifications configured in the last section.
Quarantine policy
Here you can specify the quarantine policy to apply to messages detected as malware. Regardless of the quarantine policy selected here a user can not release the message on their own. An admin will have to approve the release of the message. By default, the AdminOnlyAccessPolicy is specified, depending on the policy you specify users will be able to see these quarantined messages but again the Allow recipients to release a message from quarantine option is never honored for malware.
What about common attachments filter?
It would make more sense if they allowed you to specify a quarantine policy for common attachments vs malware. Microsoft makes it seem like messages in the common attachments filter aren't scanned for malware at all though so maybe that has something to do with the decision here.