Setup Anti-Malware and Anti-Spam in Exchange Server 2016/2019

Read time 4 minutes

Exchange Server receives a vast number of emails in business organizations, in addition to sending many emails outside the organization. An Exchange Administrator must secure its mail recipients from external threats like spamming, phishing, virus attacks, and hacking attempts. Microsoft has some inbuilt protection like anti-malware and anti-spam features, which you can configure to safeguard the data.

• Anti-spam protection is a feature available in several transport agents like Content Filter Agent, Sender Filter Agent, Sender ID Agent, and Protocol Analysis agent. You need to manually enable them at the mailbox server to activate anti-spam protection.

  Note: These agents are by default ‘Enabled’ on Edge Transport Servers.

• Anti-malware protection was introduced with the Malware Agent since Exchange Server 2013 and is in ‘Enabled’ state by default on the Exchange Mailbox Servers. So, there is no need to enable it manually.

Let’s dig deep and learn how we can enable anti-spam and anti-malware protection using various transport agents. But first, we must understand how they work and protect the data.

Anti-spam agent for Mailbox Servers

In the typical condition, the Exchange Administrator must enable the anti-spam agents on Mailbox Servers when there is no Edge Transport server or a robust anti-spam protection application in the organization. These agents have a priority value, and a lower value indicates a higher priority. Based on the default priority value, here is the order of agents in which they are applied to the messages of the mailbox –

• Sender Filter Agent: It compares the sender server to a list of server domains that are blocked by your organization.
• Sender ID Agent: It checks the IP address of the sending Server and the Purported Responsible Address (PRA) to determine whether the sending message is clean or not.
• Content Filter Agent: It provides a particular spam confidence level (SCL) to every message to check its legitimacy. It also prevents a legitimate message from being recognized as spam messages.
• Protocol Analysis Agent: It checks and provides a sender reputation level to each sender who is sending the message. The sender’s reputation tells the Administrator about the type of incoming message and whether it is spam or not.

Note: It’s crucial to remember that the mailbox servers already have a Recipient Filter Agent. However, you must refrain from configuring it. If the recipient filter agent identifies any blocked or invalid receiver in the list of other receivers within a message, the entire message will be rejected. You only need to enable the Recipient Filter Agent with antispam agents enabled on the mailbox server without configuring it to block any recipients.

Installing anti-spam agents on mailbox servers

You can install all these agents using an Exchange Management Shell script only and here is its whole procedure in a stepwise manner.

1. Start the Exchange Management Shell on Exchange Server and run the following script.

   & $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1

   When the script runs successfully, it will ask you to restart the Exchange Server.

2. Restart the Microsoft Exchange Transport services with the command.

   Restart-Service MSExchangeTransport

3. Now, mention the incoming SMTP servers which you want to ignore by the sender ID agent. You can specify multiple numbers of SMTP servers, but you need to specify at least one server necessarily.

   Set-TransportConfig -InternalSMTPServers @{Add=”IP address1″,”IP address2”,}

   Example

   Set-TransportConfig -InternalSMTPServers @{Add=”10.0.21.21″,”10.0.21.22″, “10.0.21.23” }

   To verify the presence of SMTP server in the configuration list, run the command –

   Get-TransportConfig | Format-List InternalSMTPServers

4. Install all the agent with this command.

   Get-TransportAgent

   And

   Get-ContentFilterConfig | Format-Table Name,Enabled; Get-SenderFilterConfig | Format-Table Name,Enabled; Get-SenderIDConfig | Format-Table Name,Enabled; Get-SenderReputationConfig | Format-Table Name,Enabled

   Check the status of each agent by running following commands one by one.

   Get-ContentFilterConfig | Format-List *Enabled,RejectionResponse,*Postmark*,Bypassed*,Quarantine*;
   Get-SenderFilterConfig | Format-List *Enabled,*Block*
   Get-SenderIDConfig | Format-List *Enabled*,*Action,Bypassed*
   Get-SenderReputationConfig | Format-List *Enabled*,*Proxy*,*Block*,*Ports*

All these agents work on the mailbox server, and you need to install and configure them manually. However, many administrators overlook the importance of anti-spam protection and face severe corruption issues in the Exchange. There is an in-built utility called ESEUTIL to repair the Exchange Server database using multiple switches, but it can further delete the corrupt data rather than recover it.

Installing anti-malware agents on mailbox servers

Run the following commands in the Exchange Management Shell on the Mailbox server to setup the anti-malware agents:

Step1: Create a malware filter policy

Use the following command to create a malware filter policy:

New-MalwareFilterPolicy -Name “” [-Action ] [-AdminDisplayName ““] [-BypassInboundMessages <$true | $false>] [-BypassOutboundMessages <$true | $false>] [-CustomNotifications <$true | $false>] [] []

This will create a new malware filter policy with the following settings:

• Block malware containing email messages.
• Do not send notifications to senders if malware is diagnosed in a message.
• Alert the administrator about malware that’s detected in the sent message by a sender within the organization.

Step2: Create malware filter rule

Execute the following command to create a malware filter rule:

New-MalwareFilterRule -Name “” -MalwareFilterPolicy “” [] [-Comments ““]

A new malware filter rule is created with the given settings:

• The filter rule is applied to all recipients within a domain.
• The malware filter policy created above is related to this rule.

Step3: Verify the policy

Run the given command to verify that policies are successfully created:

Get-MalwareFilterPolicy -Identity “” | Format-List

Conclusion

With these basic steps and commands, one can set up anti malware and anti spam in Exchange Server. However, there can also be instances when data loss or breaches occur even after enabling them. Here comes the Kernel for Exchange Server software at your rescue. The software is a specialized data recovery software which can handle corruption, recover accidentally deleted messages from the Exchange database, and bring all the data back to you.