Configure Anti-Malware Policies in Microsoft 365
Overview
Anti-Malware policies in Microsoft 365 provide baseline protection against known malware threats delivered through email attachments.
This protection is included in Exchange Online Protection (EOP) and Microsoft Defender for Office 365. Anti-malware scanning inspects inbound and outbound email attachments to detect viruses, trojans, ransomware, and other known malicious payloads.
This guide (which also covers what is commonly searched for as "Office 365 anti malware policy configuration" or "configure anti-malware policy Microsoft 365") explains how to configure anti-malware policies properly and what administrators should verify.
Why Anti-Malware Policies Are Important
Anti-malware policies serve as the first layer of defense against:
- Known ransomware strains
- Trojan executables
- Malicious scripts
- Weaponized documents
- Infected compressed files
They rely on signature-based detection, heuristic analysis, and Microsoft threat intelligence feeds.
While advanced features like Safe Attachments provide sandbox detonation, anti-malware policies ensure immediate baseline filtering of known threats.
Licensing Requirements
Anti-Malware protection is included in:
- Exchange Online Protection (EOP)
- Microsoft Defender for Office 365 Plan 1
- Microsoft Defender for Office 365 Plan 2
- Microsoft 365 Business Premium
- Microsoft 365 E3 and E5
No additional Defender licensing is required for baseline anti-malware filtering.
How to Configure Anti-Malware Policies
Step 1: Navigate to Anti-Malware Settings
- Go to the Microsoft 365 Defender Portal: https://security.microsoft.com
- Navigate to: Email & Collaboration → Policies & Rules → Threat Policies → Anti-malware
You will see:
- Default anti-malware policy
- Option to create custom policies
Key Configuration Areas
File Type Filtering
File type filtering allows administrators to block specific attachment extensions.
Common high-risk file types include:
- .exe
- .js
- .vbs
- .scr
- .bat
- .cmd
- .ps1
- .iso
- .img
To configure:
- Edit policy
- Enable file type filtering
- Add extensions to block list
- Save policy
Best practice: Block executable and script-based file types unless business-required.
Common Attachment Types to Monitor
Beyond executables, monitor:
- Macro-enabled Office documents (.docm, .xlsm)
- Password-protected ZIP files
- HTML attachments
- Embedded script files
Anti-malware scanning may not inspect encrypted attachments. Consider policy restrictions if these are frequently abused.
Custom Malware Filter Policy
Creating a custom policy allows more granular control.
To create:
- Click Create policy
- Name the policy clearly (e.g., "Strict Malware Policy")
- Define recipients (users, groups, domains)
- Configure actions
Policy scope best practice:
- Apply stricter controls to high-risk users
- Ensure all users are covered by at least one policy
Policy priority matters. When a recipient matches several custom policies, only the highest-priority one is applied (priority 0 is the highest, so a lower number wins); the default policy applies to anyone no custom policy matches.
Malware Detection Actions
When malware is detected, you can configure:
- Delete the entire message
- Delete attachment and deliver message
- Quarantine message
- Redirect message
Recommended production setting:
- Quarantine or remove attachment
- Notify administrators
Avoid delivering malware attachments under any circumstance.
Notification Settings
You can configure:
- Sender notification
- Recipient notification
- Admin notification
Options include:
- Internal sender notification
- External sender notification
- Custom alert message
Best practice:
- Notify administrators
- Avoid detailed information in user notifications that may aid attackers
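The custom policy, file type filtering, detection action and admin notifications described above can also be set from Exchange Online PowerShell. This is an added example, not code from the original article; the policy name, group address and admin mailbox are placeholders, and it assumes the ExchangeOnlineManagement module and an account with rights to manage threat policies.

```powershell
# Added example (not from the original article): creates the "Strict Malware Policy" with
# file type filtering, quarantine on a blocked file type, ZAP, and admin notifications,
# then binds it to a high-risk group with a rule. Names and addresses are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$PolicyName    = 'Strict Malware Policy'
$AdminMailbox  = 'secops@contoso.example'         # placeholder admin notification address
$HighRiskGroup = 'HighRiskUsers@contoso.example'  # placeholder mail-enabled security group

# High-risk extensions listed in the article (no leading dot); review the list regularly.
$BlockedTypes = 'exe','js','vbs','scr','bat','cmd','ps1','iso','img'

$policy = Get-MalwareFilterPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
if (-not $policy) {
    $policy = New-MalwareFilterPolicy -Name $PolicyName `
        -EnableFileFilter $true `
        -FileTypes $BlockedTypes `
        -FileTypeAction Quarantine `
        -ZapEnabled $true `
        -EnableInternalSenderAdminNotifications $true `
        -InternalSenderAdminAddress $AdminMailbox `
        -EnableExternalSenderAdminNotifications $true `
        -ExternalSenderAdminAddress $AdminMailbox
}

# The rule decides who the policy applies to; priority 0 is evaluated first.
if (-not (Get-MalwareFilterRule -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-MalwareFilterRule -Name $PolicyName `
        -MalwareFilterPolicy $PolicyName `
        -SentToMemberOf $HighRiskGroup `
        -Priority 0
}

# Read back what was actually applied instead of trusting that the calls succeeded.
Get-MalwareFilterPolicy -Identity $PolicyName |
    Select-Object Name, EnableFileFilter, FileTypeAction, ZapEnabled,
                  @{ n = 'FileTypes'; e = { $_.FileTypes -join ',' } }
Get-MalwareFilterRule -Identity $PolicyName |
    Select-Object Name, Priority, State, SentToMemberOf

Disconnect-ExchangeOnline -Confirm:$false
```

Re-running the script is safe: it only creates the policy and rule when they do not already exist, so it can double as a drift check in a scheduled job.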
Monitoring and Reporting
Administrators and analysts can monitor:
- Quarantine reports
- Malware detections
- Message trace
- Defender portal alerts
Use Threat Explorer (Plan 2) for advanced investigation.
Search by:
- File name
- File hash
- Sender
- Detection verdict
Common Misconfigurations
- Relying only on default policy without review
- Not enabling file type filtering
- Allowing high-risk attachment types
- Not applying policy to all users
- Ignoring encrypted attachment risks
Regular review of file type lists is recommended.
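The misconfigurations listed above, and the quarantine monitoring described in the previous section, can be checked with a short audit script. This is an added example, not code from the original article; the list of expected high-risk extensions is taken from this guide and is an assumption about your own baseline.

```powershell
# Added example (not from the original article): reports policies with file type filtering
# disabled, high-risk extensions missing, or no enabled rule assigning them to recipients,
# then summarises malware quarantines from the last 7 days by sender.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Baseline taken from this guide's file type list (assumption: adjust to your own policy).
$Expected = 'exe','js','vbs','scr','bat','cmd','ps1','iso','img'
$rules = Get-MalwareFilterRule

foreach ($p in Get-MalwareFilterPolicy) {
    $findings = @()
    if (-not $p.EnableFileFilter) { $findings += 'file type filtering disabled' }
    $missing = $Expected | Where-Object { $_ -notin $p.FileTypes }
    if ($missing) { $findings += "missing high-risk types: $($missing -join ',')" }
    if (-not $p.IsDefault) {
        # The default policy needs no rule; a custom policy is inert without an enabled one.
        $rule = $rules | Where-Object { $_.MalwareFilterPolicy -eq $p.Name }
        if (-not $rule) { $findings += 'no rule assigns this policy to any recipients' }
        elseif ($rule.State -ne 'Enabled') { $findings += 'assignment rule is disabled' }
    }
    [pscustomobject]@{
        Policy    = $p.Name
        IsDefault = $p.IsDefault
        Findings  = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}

# Malware quarantines in the last 7 days, grouped by sender, for the monitoring step.
Get-QuarantineMessage -QuarantineTypes Malware -StartReceivedDate (Get-Date).AddDays(-7) |
    Group-Object SenderAddress | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Sender'; e = { $_.Name } }

Disconnect-ExchangeOnline -Confirm:$false
```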
Limitations to Understand
Anti-Malware policies focus on known malware patterns and signature-based detection.
Limitations include:
- Encrypted attachments may not be fully inspected
- Newly emerging threats may evade signature detection
- Embedded malicious links inside otherwise benign files may not be detected
- Social engineering-based threats are outside scope
For advanced file analysis and sandbox detonation, Safe Attachments should be enabled.
For scenarios where attachments contain embedded links that may later become malicious, browser isolation solutions such as CyberCheck360 Safe Browsing can provide additional containment by opening links in an isolated environment instead of directly on the user’s device.
A layered protection model improves resilience against evolving threats.
Frequently Asked Questions (FAQ)
Is Anti-Malware included in Office 365 by default?
Yes. Anti-Malware protection is included in Exchange Online Protection (EOP).
What is the difference between Anti-Malware and Safe Attachments?
Anti-Malware uses signature and heuristic detection for known threats.
Safe Attachments detonates files in a sandbox to analyze behavior.
Should executable attachments be blocked?
Yes, unless there is a documented business requirement. Executables are a common malware vector.
Can Anti-Malware scan encrypted attachments?
Inspection may be limited if attachments are password-protected. Consider restricting encrypted attachments if frequently abused.
Does Anti-Malware protect against phishing links?
No. Anti-Malware focuses on malicious files. Phishing links are addressed by Safe Links and Anti-Phishing policies.
Do I need Defender Plan 1 or Plan 2 for Anti-Malware?
No. Baseline Anti-Malware is included in Exchange Online Protection.
Summary
Anti-Malware policies provide essential baseline protection against known malware threats in Microsoft 365.
To ensure effective configuration:
- Enable file type filtering
- Block high-risk extensions
- Create custom policies where needed
- Configure appropriate notification settings
- Monitor quarantine and detection reports
While Anti-Malware provides foundational protection, combining it with Safe Attachments, Safe Links, and additional containment controls strengthens overall email security posture.