Forum Discussion
Antimalware Filter Causing NDRs
The common attachment types filter gives you one filter criterion and one action to apply to all mail addressed to all recipients covered by the policy. That can be awkward if you are also concerned about generating backscatter or need to divide the list of attachments into two categories: those types that people might legitimately / innocently send that you don't want in your organisation and those types that are probably attempts to smuggle malware onto your workstations. There are of course a lot of types that fit both categories and there is no easy answer to that question.
Mail flow rules offer you more flexibility. You can exempt specific senders and sender domains, and you have a wider range of actions to take.
The CAF is preferable for your serious anti-malware defence because (a) the antimalware filter does recursion so it can detect an EXE in a ZIP in a ZIP, and (b) if memory serves it has a degree of magic bit detection so it can spot files that have been renamed with a different suffix.
For my antimalware policies I quarantine rather than reject with NDR. Picture attached.
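
The two behaviours the post credits to the common attachment filter, recursing into nested archives and typing files by content rather than suffix, shown as an added sketch that is not part of the original post and is not Microsoft's implementation. The type table, limits, function names and sample data are assumptions constructed for illustration.

```python
import io
import zipfile

# Leading bytes for two formats (assumed table; a real filter knows many more).
MAGIC = {b"MZ": "exe", b"PK\x03\x04": "zip"}
MAX_DEPTH = 5  # assumed nesting limit so crafted archives cannot recurse forever
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # assumed cap on what is decompressed per member


def true_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "other"


def find_executables(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Return the archive path of every member whose content is an executable."""
    kind = true_type(data)
    if kind == "exe":
        return [name]
    if kind != "zip" or depth >= MAX_DEPTH:
        return []  # a production filter would treat "too deep" as unscannable
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue
                path = f"{name}!{info.filename}"
                hits += find_executables(path, zf.read(info), depth + 1)
    except zipfile.BadZipFile:
        pass  # ZIP signature but unparseable body: nothing to descend into
    return hits


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP for the constructed sample below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed sample: an MZ-headed stub renamed to .txt, inside a ZIP inside a ZIP.
FAKE_EXE = b"MZ" + b"\x00" * 62
INNER = make_zip({"invoice.txt": FAKE_EXE, "readme.txt": b"hello"})
OUTER = make_zip({"docs.zip": INNER})
```

Calling `find_executables("attachment.zip", OUTER)` reports `attachment.zip!docs.zip!invoice.txt`, a member that a rule matching only on the `.exe` suffix of the top-level attachment would not flag.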