Microsoft Tech Community

Antimalware Filter Causing NDRs


I have an antimalware policy set up which uses the common attachment filter. The issue I am having is that if this policy is set, no further analysis appears to be done. An NDR will be generated with the original email as an attachment. Going outbound, the email attachment gets scanned and detected as malware, and our postmaster outbound message gets quarantined. What can be done to fix this? Obviously, it is correct that if people are sending malware to us, we should not be sending it right back as an attachment to an NDR.

2 Replies

@jmn05 Hey there! - thanks for your question and hope you're well.

The common attachment filter simply checks for file types; it does not check for malware. Essentially, the list of files specified in the common attachment filter's settings will always be blocked, so it's how you can set a policy like "regardless of content, I don't want .vbs files being emailed to my users", etc.

So what you are seeing, that an NDR is generated and no further analysis is done, is expected in this instance. (I hope I've got your question right thus far!)

With regards to NDRs: I'm not seeing them get blocked when I replicate this in my tenant. I get an NDR from M365 with the detail, and I'm also seeing it correctly processed on its outbound route. I can only guess there's an additional hop or some other complexity catching it and stopping the NDR?

Error: 550 5.0.350 One or more of the attachments in your email is of a file type that is NOT allowed by the recipient's organization.

@jmn05 

The common attachment types filter gives you one filter criterion and one action to apply to all mail addressed to all recipients covered by the policy. That can be awkward if you are also concerned about generating backscatter, or if you need to divide the list of attachments into two categories: those types that people might legitimately or innocently send that you don't want in your organisation, and those types that are probably attempts to smuggle malware onto your workstations. There are of course a lot of types that fit both categories, and there is no easy answer to that question.

 

Mail flow rules offer you more flexibility. You can exempt specific senders and sender domains, and you have a wider range of actions to take.

 

The CAF is preferable for your serious anti-malware defence because (a) the antimalware filter does recursion, so it can detect an EXE in a ZIP in a ZIP, and (b) if memory serves, it has a degree of magic-bit detection, so it can spot files that have been renamed with a different suffix.

 

For my antimalware policies I quarantine rather than reject with NDR. Picture attached.
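The two-tier layout described in the replies above (keep the always-malicious types in the common attachments filter but quarantine instead of rejecting with an NDR, and move the innocent-but-unwanted types into a mail flow rule that can carve out exemptions) can be applied from Exchange Online PowerShell. The following is an added example written for this page, not code posted by anyone in the thread or shipped by Microsoft. It assumes the ExchangeOnlineManagement module, an admin account in a tenant named contoso.com, a malware filter policy called "Default", and illustrative extension lists and partner domain; adjust all of those to your own environment.

```powershell
# Added example (not from the original thread): put the common attachments filter
# (CAF) into quarantine mode so no NDR carries the original message back out of the
# tenant, and handle the "innocent but unwanted" types with a mail flow rule that
# allows sender exemptions. Requires the ExchangeOnlineManagement module.
# Assumptions: tenant domain contoso.com, policy name 'Default', the extension lists,
# and the partner domain trusted-partner.example are all placeholders.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# 1. Inspect the current state of the CAF on every malware filter policy.
Get-MalwareFilterPolicy |
    Format-List Name, EnableFileFilter, FileTypeAction, FileTypes, QuarantineTag

# 2. Types that are almost always an attempt to smuggle executable content stay in the
#    CAF (it recurses into archives) but are quarantined rather than rejected, so the
#    sender gets no NDR with the original attached and your postmaster never relays it.
$cafTypes = @('exe','scr','pif','com','cpl','hta','jse','vbe','vbs','wsf','wsh','bat','cmd','ps1')

Set-MalwareFilterPolicy -Identity 'Default' `
    -EnableFileFilter $true `
    -FileTypes $cafTypes `
    -FileTypeAction Quarantine `
    -QuarantineTag 'AdminOnlyAccessPolicy'

# 3. Types people may send innocently (here: macro-enabled Office files) go in a mail
#    flow rule instead. A rule can exempt a partner domain and reject with a plain DSN
#    text, which does not include the original message as an attachment.
New-TransportRule -Name 'Block macro-enabled Office attachments' `
    -AttachmentExtensionMatchesWords @('docm','xlsm','pptm') `
    -ExceptIfSenderDomainIs @('trusted-partner.example') `
    -RejectMessageReasonText 'Macro-enabled Office attachments are not accepted here. Please send a PDF or a non-macro file.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Comments 'Companion to the CAF: innocent-but-unwanted types, with a partner exemption'

# 4. Verify: the policy now quarantines and the rule is enabled.
Get-MalwareFilterPolicy -Identity 'Default' |
    Select-Object Name, EnableFileFilter, FileTypeAction, QuarantineTag
Get-TransportRule -Identity 'Block macro-enabled Office attachments' |
    Select-Object Name, State, Priority

# 5. Check for postmaster NDRs that the outbound malware scan has already quarantined;
#    these should stop appearing once the CAF action is Quarantine.
Get-QuarantineMessage -Type Malware -SenderAddress 'postmaster@contoso.com' |
    Select-Object ReceivedTime, Subject, RecipientAddress, QuarantineTypes
```

Run step 1 before changing anything and note the existing FileTypes list, since `-FileTypes` replaces the whole list rather than appending to it. Mail flow rules are evaluated after the malware filter, so a type that appears in both the CAF list and the rule will always be handled by the CAF; keep the two lists disjoint so the exemption in the rule actually takes effect.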