Skip to main content

Antimalware

The Antimalware module protects Exchange mail servers against all kinds of malware threats (viruses, Trojans, spyware, rootkits, adware, etc.), by detecting infected or suspect items and attempting to disinfect them or isolating the infection, according to the specified actions.

Antimalware scanning is performed at two levels:

  • Transport Level

  • Exchange Store

Transport-level scanning

Bitdefender Endpoint Security Tools integrates with the mail transport agents to scan all email traffic.

By default, transport level scanning is enabled. Bitdefender Endpoint Security Tools is filtering the email traffic and, if required, informs the users of the taken actions by adding a text in the email body.

Use the Antimalware filtering check box to disable or re-enable this feature.

To configure the notification text, click the Settings link. The following options are available:

  • Add footer to scanned emails. Select this check box to add a sentence at the bottom of the scanned emails. To change the default text, enter your message in the text box below.

  • Replacement text. For emails whose attachments have been deleted or quarantined, a notification file can be attached. To modify the default notification texts, enter your message in the corresponding text boxes.

The antimalware filtering relies on rules. Each email that reaches the mail server is checked against the antimalware filtering rules, by order of priority, until it matches a rule. The email is then processed according to the options specified by that rule.

Managing filtering rules

You can view all existing rules listed in the table, together with information on their priority, status and scope. The rules are ordered by priority with the first rule having the highest priority.

Any antimalware policy has a default rule that becomes active once the antimalware filtering is enabled. What you need to know about the default rule:

  • You cannot copy, disable or delete the rule.

  • You can modify only the scanning settings and actions.

  • The default rule priority is always the lowest.

Creating rules

You have two alternatives for creating filtering rules:

  • Start from the default settings, by following these steps:

    1. Click add.png Add button at the upper side of the table to open the configuration window.

    2. Configure the rule settings. For details regarding the options, refer to Rule Options.

    3. Click Save. The rule is listed first in the table.

  • Use a clone of a custom rule as a template, by following these steps:

    1. Select the rule that you want from the table.

    2. Click the clone.png Clone button at the upper side of the table to open the configuration window.

    3. Adjust the rule options according to your needs.

    4. Click Save. The rule is listed first in the table.

Editing rules

To edit an existing rule:

  1. Click the rule name to open the configuration window.

  2. Enter the new values for the options you want to modify.

  3. Click Save. The changes take effect after the policy is saved.

Setting rule priority

To change a rule’s priority:

  1. Select the rule to be moved.

  2. Use the up.png Up or down.png Down buttons at the upper side of the table to increase or decrease the rule priority.

Removing rules

You can delete one or several custom rules at once. All you need to do is:

  1. Select the check box of the rules to be deleted.

  2. Click the delete.png Delete button at the upper side of the table. Once a rule is deleted, you cannot recover it.

Rule options

The following options are available:

  • General. In this section you must set a name for the rule, otherwise you cannot save it. Select the Active check box if you want the rule to be effective after the policy is saved.

  • Rule scope. You can restrict the rule to apply only to a subset of emails, by setting the following cumulative scope options:

    • Apply to (direction). Select the email traffic direction to which the rule applies.

    • Senders. You can decide whether the rule applies for any sender or only for specific senders. To narrow the senders range, click the Specific button and select the desired groups from the table on the left. View the selected groups in the table on the right.

    • Recipients. You can decide whether the rule applies for any recipient or only for specific recipients. To narrow the recipients range, click the Specific button and select the desired groups from the table on the left. You can view the selected groups in the table on the right.

      The rule applies if any of the recipients matches your selection. If you want to apply the rule only if all recipients are in the selected groups, select Match all recipients.

      Note

      The addresses in the Cc and Bcc fields also count as recipients.

      Important

      The rules based on user groups apply only to Hub Transport and Mailbox roles.

  • Options. Configure the scan options for emails matching the rule:

    • Scanned file types. Use this option to specify which file types you want to be scanned. You can choose to scan all files (regardless of their file extension), application files only, or specific file extensions you consider to be dangerous. Scanning all files provides the best protection, while scanning only applications is recommended for a quicker scan.

      Note

      Application files are far more vulnerable to malware attacks than other types of files. For more information, refer to appendices.extensions.app.

      If you want to scan only files with specific extensions, you have two alternatives:

      • User defined extensions, where you must provide only the extensions to be scanned.

      • All files, except specific extensions, where you must enter only the extensions to be skipped from scanning.

    • Attachment / email body maximum size (MB). Select this check box and enter a value in the corresponding field to set the maximum accepted size of an attached file or of the email body to be scanned.

    • Archive maximum depth (levels). Select the check box and choose the maximum archive depth from the corresponding field. The lower the depth level is, the higher the performance and the lower the protection grade.

    • Scan for Potentially Unwanted Applications (PUA). Select this check box to scan for possibly malicious or unwanted applications, such as adware, which may install on systems without user’s consent, change the behavior of various software products and lower the system performance.

  • Actions. You can specify different actions for the security agent to automatically take on files, based on the detection type.

    The detection type separates the files into three categories:

    • Infected files. Bitdefender detects files as infected through various advanced mechanisms, which include malware signatures, machine learning and artificial intelligence (AI) based technologies.

    • Suspect files. These files are detected as suspicious by the heuristic analysis and other Bitdefender technologies. These provide a high detection rate, but the users must be aware of certain false positives (clean files detected as suspicious) in some cases.

    • Unscannable files. These files cannot be scanned. Unscannable files include but are not limited to password-protected, encrypted or over-compressed files.

    For each detection type, you have a default or main action and an alternative action in case the main one fails. Though not recommended, you can change these actions from the corresponding menus. Choose the action to be taken:

    • Disinfect. Removes the malware code from infected files and reconstructs the original file. For particular types of malware, disinfection is not possible because the detected file is entirely malicious. It is recommended to always keep this as the first action to be taken on infected files. Suspect files cannot be disinfected, because no disinfection routine is available.

    • Reject / Delete email. On servers with Edge Transport role, the detected email is rejected with a 550 SMTP error code. In all other cases, the email is deleted without any warning. It is advisable to avoid using this action.

    • Delete file. Deletes the attachments with issues without any warning. It is advisable to avoid using this action.

    • Replace file. Deletes the files with issues and inserts a text file that notifies the user of the actions taken.

    • Move file to quarantine. Moves detected files to the quarantine folder and inserts a text file that notifies the user of the actions taken. Quarantined files cannot be executed or opened; therefore, the risk of getting infected disappears. You can manage quarantine files from the Quarantine page.

      Note

      The quarantine for Exchange Servers requires additional hard-disk space on the partition where the security agent is installed. The quarantine size depends on the number of items stored and their size.

    • Take no action. No action will be taken on detected files. These files will only appear in the scan log. Scan tasks are configured by default to ignore suspect files. You may want to change the default action in order to move suspect files to quarantine.

    • By default, when an email matches the rule scope, it is processed exclusively in accordance with the rule, without being checked against any other remaining rule. If you want to continue checking against the other rules, clear the check box If the rule conditions are matched, stop processing more rules.

Exchange store scanning

Exchange Protection uses Exchange Web Services (EWS) from Microsoft to allow scanning the Exchange mailbox and public folder databases. You can configure the antimalware module to run on-demand scan tasks regularly on the target databases, according to the schedule you specify.

Note

  • On-demand scanning is available only for Exchange Servers with the Mailbox role installed.

  • On-demand scanning increases resource consumption and, depending on the scanning options and the number of objects to be scanned, can take considerable time to complete.

On-demand scanning requires an Exchange administrator account (service account) to impersonate Exchange users and to retrieve the target objects to be scanned from the user mailboxes and public folders. It is recommended to create a dedicated account for this purpose.

The Exchange administrator account must meet the following requirements:

  • It is a member of the Organization Management group (Exchange 2016, 2013 and 2010)

  • It is a member of the Exchange Organization Administrators group (Exchange 2007)

  • It has a mailbox attached.

Enabling on-demand scanning

  1. In the Scan tasks section, click the Add credentials link.

  2. Enter the service account username and password.

  3. If the email differ from the username, you need to also provide the email address of the service account.

  4. Enter the Exchange Web Services (EWS) URL, necessary when the Exchange Autodiscovery does not work.

Note

  • The username must include the domain name, as in user@domain or domain\user.

  • Do not forget to update the credentials in Control Center, whenever they have changed.

Managing scan tasks

The scan tasks table shows all scheduled tasks and provides information on their targets and recurrence.

To create tasks for scanning the Exchange Store:

  1. In the Scan tasks section, click the add.png Add button at the upper side of the table to open the configuration window.

  2. Configure the task settings as described in the following section.

  3. Click Save. The task is added in the list and it becomes effective once the policy is saved.

You can edit a task at any time by clicking the task name.

To remove tasks from the list, select them and click the delete.png Delete button at the upper side of the table.

Scan task settings

Tasks have a series of settings which you can find described herein:

  • General. Enter a suggestive name for the task.

    Note

    You can view the task name in Bitdefender Endpoint Security Tools timeline.

  • Scheduler. Use the scheduling options to configure the scan schedule. You can set the scan to run every few hours, days or weeks, starting with a specified date and time. For large databases, the scan task may take a long time and may impact the server performance. In such cases, you can configure the task to stop after a specified time.

  • Target. Select the containers and objects to be scanned. You can choose to scan mailboxes, public folders or both. Beside emails, you can choose to scan other objects such as Contacts, Tasks, Appointments and Post items. You can furthermore set the following restrictions to the content to be scanned:

    • Only unread messages

    • Only items with attachments

    • Only new items, received in a specified time interval

    For example, you can choose to scan only emails from user mailboxes, received in the last seven days.

    Select the Exclusions check box, if you want to define scan exceptions. To create an exception, use the fields from the table header as follows:

    1. Select the repository type from the menu.

    2. Depending on the repository type, specify the object to be excluded:

      Repository type

      Object format

      Mailbox

      Email address

      Public Folder

      Folder path, starting from the root

      Database

      The database identity

      Note

      To obtain the database identity, use the Exchange shell command:

      Get-MailboxDatabase | fl name,identity

      You can enter only one item at a time. If you have several items of the same type, you must define as many rules as the number of items.

    3. Click the add.png Add button at the upper side of the table to save the exception and add it to the list.

    To remove an exception rule from the list, click the corresponding delete.png Delete button.

  • Options. Configure the scan options for emails matching the rule:

    • Scanned file types. Use this option to specify which file types you want to be scanned. You can choose to scan all files (regardless of their file extension), application files only, or specific file extensions you consider to be dangerous. Scanning all files provides the best protection, while scanning only applications is recommended for a quicker scan.

      Note

      Application files are far more vulnerable to malware attacks than other types of files. For more information, refer to Application file types.

      If you want to scan only files with specific extensions, you have two alternatives:

      • User defined extensions, where you must provide only the extensions to be scanned.

      • All files, except specific extensions, where you must enter only the extensions to be skipped from scanning.

    • Attachment / email body maximum size (MB). Select this check box and enter a value in the corresponding field to set the maximum accepted size of an attached file or of the email body to be scanned.

    • Archive maximum depth (levels). Select the check box and choose the maximum archive depth from the corresponding field. The lower the depth level is, the higher the performance and the lower the protection grade.

    • Scan for Potentially Unwanted Applications (PUA). Select this check box to scan for possibly malicious or unwanted applications, such as adware, which may install on systems without user’s consent, change the behavior of various software products and lower the system performance.

  • Actions. You can specify different actions for the security agent to automatically take on files, based on the detection type.

    The detection type separates the files into three categories:

    • Infected files. Bitdefender detects files as infected through various advanced mechanisms, which include malware signatures, machine learning and artificial intelligence (AI) based technologies.

    • Suspect files. These files are detected as suspicious by the heuristic analysis and other Bitdefender technologies. These provide a high detection rate, but the users must be aware of certain false positives (clean files detected as suspicious) in some cases.

    • Unscannable files. These files cannot be scanned. Unscannable files include but are not limited to password-protected, encrypted or over-compressed files.

    For each detection type, you have a default or main action and an alternative action in case the main one fails. Though not recommended, you can change these actions from the corresponding menus. Choose the action to be taken:

    • Remediate. Move the infected files to quarantine, denies access to them, and disinfect them by removing the malware code and reconstructing the original files. For particular types of malware, disinfection is not possible because the detected file is entirely malicious. It is recommended to always keep this as the first action to be taken on infected files. Suspicious files cannot be disinfected, because no disinfection routine is available.

    • Reject / Delete email. The email is deleted without any warning. It is advisable to avoid using this action.

    • Delete file. Deletes the attachments with issues without any warning. It is advisable to avoid using this action.

    • Replace file. Deletes the files with issues and inserts a text file that notifies the user of the actions taken.

    • Move file to quarantine. Moves detected files to the quarantine folder and inserts a text file that notifies the user of the actions taken. Quarantined files cannot be executed or opened; therefore, the risk of getting infected disappears. You can manage quarantine files from the Quarantine page.

      Note

      Please note that the quarantine for Exchange Servers requires additional hard-disk space on the partition where the security agent is installed. The quarantine size depends on the number and size of the emails stored.

    • Report only. No action will be taken on detected files. These files will only appear in the scan log. Scan tasks are configured by default to ignore suspect files. You may want to change the default action in order to move suspect files to quarantine.

    • By default, when an email matches the rule scope, it is processed exclusively in accordance with the rule, without being checked against any other remaining rule. If you want to continue checking against the other rules, clear the check box If the rule conditions are matched, stop processing more rules.