Exchange 2016 already has a built-in "malware filter". I took the liberty of carrying out a small test: I simply redirected the first 6 emails from a quarantine in which a virus or Trojan had previously been found:
Sophos UTM E-Mail Protection had dutifully rejected all of the virus mails. It was actually an easy task, since every mail contained a ZIP archive with the Trojan or virus. After I adjusted the UTM a little, the virus-infected mails were delivered to Exchange.
The result:
All 6 virus-infected mails passed the Exchange malware filter without any problems. At least the EICAR test string was detected by the built-in Exchange malware filter. However, as soon as the EICAR string is hidden in an archive, for example a RAR file, things look bad again and the mail ends up directly in the mailbox.
I deliberately left the malware filter in the default configuration and only adjusted the notification:
TechNet says the following:
Antimalware protection is provided by the Malware agent that was introduced in Exchange Server 2013. The Malware agent is available and enabled by default on Exchange 2016 Mailbox servers.
Source: https://technet.microsoft.com/de-de/library/jj150481(v=exchg.160).aspx
So the Exchange malware filter is activated by default. It's just a pity that in the default configuration the malware filter seems to work only poorly.
Incidentally, the patterns were up to date. After my test, I manually updated the patterns again, which was also successful:
However, the result remains the same: as before, not a single mail containing a virus is detected. To be on the safe side, I uploaded the attachment of one of the mails to VirusTotal again; here is the result:
I am now installing a new dedicated test environment and trying it out again. So far I have only been able to test two independent Exchange 2016 installations. Both deliver this bad picture. I'm curious to see if a fresh Exchange 2016 installation behaves the same way... I'll report back...
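For anyone who wants to reproduce the checks behind this test on their own server, here is an added Exchange Management Shell snippet (my own example, not code from the original post or from Microsoft). It reads the settings the test depends on, namely whether the Malware agent is enabled, what the policy does, whether scanning is bypassed, and how old the signatures are, then forces the same manual pattern update described above. The server name EX01 is a placeholder.

```powershell
# Added example, not from the original post: audit the Exchange 2016 built-in
# malware filter with standard Exchange Management Shell cmdlets.
# Assumes it runs in the Exchange Management Shell on a Mailbox server;
# "EX01" is a placeholder server name.
$server = "EX01"

# 1. Is the Malware agent actually enabled on this server?
$agent = Get-TransportAgent -Identity "Malware Agent"
"Malware Agent enabled: $($agent.Enabled) (priority $($agent.Priority))"

# 2. Which policy applies, what does it do, and is scanning bypassed?
foreach ($p in Get-MalwareFilterPolicy) {
    "{0} default={1} action={2} bypassInbound={3} bypassOutbound={4} adminNotify={5}" -f `
        $p.Name, $p.IsDefault, $p.Action, $p.BypassInboundMessages, `
        $p.BypassOutboundMessages, $p.EnableInternalSenderAdminNotifications
}

# 3. Server-level filtering settings (BypassFiltering = $true silently disables scanning)
$fs = Get-MalwareFilteringServer -Identity $server
"BypassFiltering={0} ForceRescan={1} UpdateFrequency={2}min PrimaryUpdatePath={3}" -f `
    $fs.BypassFiltering, $fs.ForceRescan, $fs.UpdateFrequency, $fs.PrimaryUpdatePath

# 4. Engine/signature age: an old SignatureDateTime or a failed UpdateStatus
#    is the first thing to rule out before blaming the filter itself
foreach ($e in Get-EngineUpdateInformation) {
    $age = (Get-Date) - $e.SignatureDateTime
    "{0}: signature {1} ({2:N1} days old), status {3}" -f `
        $e.Engine, $e.SignatureVersion, $age.TotalDays, $e.UpdateStatus
}

# 5. Force a signature update, as done in the post, then re-read the status
Update-MalwareFilteringServer -Identity $server
Get-EngineUpdateInformation | Format-Table Engine, LastUpdated, SignatureVersion, UpdateStatus
```

If step 1 shows the agent disabled or step 3 shows BypassFiltering set, the filter never sees the message at all, which looks identical from the mailbox side to the missed detections described above.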
Perhaps this cross-reference should also be mentioned: https://blogs.technet.microsoft.com/exchange/2016/09/01/deprecating-support-for-smartscreen-in-outlook-and-exchange/
Hi all, that doesn't surprise me... I find the Sophos virus scanner much worse. It regularly failed to detect ransomware!!
Well, at least it finds the EICAR for you; when I tested it via telnet 2 months ago, even that went through.... ;-)
I wouldn't run Exchange without a proper anti-spam solution either; anyone at Microsoft will tell you that too.
I can confirm this: only EICAR is found, I have never received a virus mail. You could actually switch the scanner off as well; at least that saves a bit of power ;)
Frank, you didn't really expect the Exchange virus filter to be better than Defender or Microsoft Security Essentials, did you?