SOLVED

Malware Filter Rules


Hey guys,

 

I've got a problem: I've created multiple Malware Filter Rules which all have Extension Filter activated. But now only the rule with Priority 0 blocks extensions like ".docm". Is this normal? Is it possible to solve this?

 

Thanks in advance...

5 Replies
Do you perhaps have the "stop processing other rules" option toggled? A message trace would tell you that (the detailed one): https://docs.microsoft.com/en-us/exchange/monitoring/trace-an-email-message/message-trace-modern-eac

Also check the conditions/exceptions, make sure that the message is actually matching them.

@Vasil Michev 

 

Thanks for your tip, but I can't find the option to stop other rules from being processed... Where can I find it? I know where to find it for anti-spam rules but not for malware filter rules.

best response confirmed by cedric_menzi (Occasional Contributor)
Solution
Oh, that's on me, I thought you were talking about mail flow rules... Lost in translation again :)
When it comes to Malware filter policies, processing is always stopped once the first matching policy is triggered, as detailed here: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-anti-malware-p...
So if you have multiple policies, you need to scope them to cover different users/groups/domains, otherwise any "lower" priority policy will be ignored.
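
The first-match behaviour described in the answer above, as an added example that is not part of the original thread or Microsoft's own code. It models rule evaluation offline on constructed data: the rule names, domains and the functions `Get-EffectiveMalwareRule` and `Test-AttachmentBlocked` are hypothetical, and matching is simplified to the recipient-domain condition only (real rules also support user and group conditions and exceptions).

```powershell
# Constructed sample rules. Property names mirror what Get-MalwareFilterRule
# (Priority, RecipientDomainIs) and Get-MalwareFilterPolicy (FileTypes) expose;
# the values are made up for illustration.
$overlapping = @(
    [pscustomobject]@{ Name = 'Block macros'; Priority = 0
                       RecipientDomainIs = @('example.com'); FileTypes = @('docm', 'xlsm') }
    [pscustomobject]@{ Name = 'Block images'; Priority = 1
                       RecipientDomainIs = @('example.com'); FileTypes = @('iso', 'img') }
)

# Same two rules, but rule 0 is now scoped to a different domain than rule 1.
$scoped = @(
    [pscustomobject]@{ Name = 'Block macros'; Priority = 0
                       RecipientDomainIs = @('finance.example.com'); FileTypes = @('docm', 'xlsm') }
    $overlapping[1]
)

function Get-EffectiveMalwareRule {
    param([Parameter(Mandatory)][string]$Recipient,
          [Parameter(Mandatory)][object[]]$Rules)
    $domain = ($Recipient -split '@')[-1]
    # Lowest priority number is evaluated first; the first match ends processing.
    $Rules | Sort-Object Priority |
        Where-Object { $_.RecipientDomainIs -contains $domain } |
        Select-Object -First 1
}

function Test-AttachmentBlocked {
    param([Parameter(Mandatory)][string]$Recipient,
          [Parameter(Mandatory)][string]$FileName,
          [Parameter(Mandatory)][object[]]$Rules)
    $rule = Get-EffectiveMalwareRule -Recipient $Recipient -Rules $Rules
    $ext  = [IO.Path]::GetExtension($FileName).TrimStart('.')
    [pscustomobject]@{
        Recipient   = $Recipient
        File        = $FileName
        AppliedRule = if ($rule) { $rule.Name } else { '(no custom rule matched)' }
        Blocked     = [bool]($rule -and ($rule.FileTypes -contains $ext))
    }
}

# Overlapping scopes: 'Block images' is never reached, so the .iso is not blocked.
Test-AttachmentBlocked -Recipient 'user@example.com' -FileName 'disk.iso' -Rules $overlapping
# Distinct scopes: the same message now falls through to 'Block images'.
Test-AttachmentBlocked -Recipient 'user@example.com' -FileName 'disk.iso' -Rules $scoped
```
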
@Vasil Michev
I guess I'll have to search for another solution. :( Thanks for your help!

Have you considered www.spambrella.com as a bolt on? (I work for Spambrella) Far easier to administer and uses enterprise services stacked on the backend for optimum performance. 85% of the Spambrella customer base are O365/Azure users.