Malware Filter Policy Updates in Office 365


Updated October 2024

In March 2017 I wrote a blog post that showed how to take the attachment filter list from Edge Server and add those attachment block types to EOP, as EOP had a very small list of attachments.

In June 2017 in one of my client tenants I noticed this precanned list of attachment extension types is now at 96 items, which is a considerable change from the list back in March 2017. The list in March 2017 was ace, ani, app, docm, exe, jar, reg, scr, vbe, vbs.

And in 2023 I wrote an article on updating the malware filter file types to a very long list, and including modifying the preset filters.

But while Microsoft has added new attachment types to the picker UI, there was no notification in 2017 to the administrators that they might want to update their MalwareFilterPolicy to take account of these new attachment types that Microsoft have considered worthy of being blocked. This was changed after the original writing of this blog post and now it is possible to add additional extensions, extensions of your choice and to enable blocking of attachments based on these extensions.

Therefore, now is the time to check your existing MalwareFilterPolicy to include the new extension types (listed below).

For reference, the new attachment filter types that have been added in March 2017 are

asp,cer,der,dll,dos,gadget,hta,inf,ins,isp,its,jse,ksh,lnk,mad,maf,mag,mam,maq,mar,mas,mat,mau,mav,maw,msh,msh1,msh1xml,msh2,msh2xml,mshxml,obj,os2,plg,pst,rar,tmp,vsmacros,vsw,vxd,w16,ws

Since 2017 and up to current time, Microsoft are adding more suggested file types for blocking, but not blocking them by default – for example .7z and .zip are now both in the list to select from and you can type into the Malware Filter Policy file type control your own extensions as well.

I am assuming attachment blocking is not case sensitive and so the following extensions are if added from the attachment list picker will be duplicates – Hta, Inf, Ins, Jse, Ksh if you imported a matching, but lower case, list from your Edge servers.

To turn on the attachment blocking (block attachments with the named file type extensions) as part of the malware filter policy (so block them even if they are not malware) you need to run the following:

$filetypes = (Get-MalwareFilterPolicy Default).FileTypes
$filetypes = $filetypes + "shtml" + "shtm"
# and to add many other file types
$filetypes = $filetypes + "ade" + "adp" + "cpl" + "app" + "bas" + "asx" + "bat" + "chm" + "cmd" + "com" + "crt" + "csh" + "exe" + "fxp" + "hlp" + "hta" + "inf" + "ins" + "isp" + "js" + "jse" + "ksh" + "lnk" + "mda" + "mdb" + "mde" + "mdt" + "mdw" + "mdz" + "msc" + "msi" + "msp" + "mst" + "ops" + "pcd" + "pif" + "prf" + "prg" + "ps1" + "ps11" + "ps11xml" + "ps1xml" + "ps2" + "ps2xml" + "psc1" + "psc2" + "reg" + "scf" + "scr" + "sct" + "shb" + "shs" + "url" + "vb" + "vbe" + "vbs" + "wsc" + "wsf" + "wsh" + "xnk" + "ace" + "ani" + "docm" + "jar" + "asp" + "cer" + "der" + "dll" + "dos" + "gadget" + "Hta" + "Inf" + "Ins" + "Isp" + "Its" + "Jse" + "Ksh" + "Lnk" + "mad" + "maf" + "mag" + "mam" + "maq" + "mar" + "mas" + "mat" + "mau" + "mav" + "maw" + "msh" + "msh1" + "msh1xml" + "msh2" + "msh2xml" + "mshxml" + "obj" + "os2" + "plg" + "pst" + "rar" + "tmp" + "vsmacros" + "vsw" + "vxd" + "w16" + "ws" + "apk" + "appx" + "cab" + "iso" + "library" + "lib" + "msix" + "mhtml" + "msixbundle" + "terminal" + "plugin" + "font" + "command" + "bundle"

# And then to apply the $filetypes list to the Default policy (sorted and duplicates removed)
$filetypes = $filetypes | Sort -Unique
Set-MalwareFilterPolicy Default -FileTypes $filetypes -EnableFileFilter $true

by

Tags:

Comments

3 responses to “Malware Filter Policy Updates in Office 365”

  1. Rick avatar
    Rick

    The formatting of the site pushed some of those off the page, but I got the list from source.

    So you’re saying that the last list is going to appear in O365 by default at some point? Only the shorter list is showing here still, but the longer list includes some very strange choices, like w16, vsw, plg, obj, and some others that are also a bit of a stretch. It’s almost like someone used a list of possible extensions rather than a list of extensions that could possibly be dangerous. One of them is a log file (by a different name)! And it’s hard to believe that MS is going to block rar files, since they don’t block zip files.

    1. Brian Reid avatar

      Thanks for the note on the formatting – made the long list work with WordPress today.

      As for if this list is coming to everyone, it is appearing in some of my tenants, so yes – but never as the default list – just the list that you can easily pick from. You can, via PowerShell add any extension that you want and I covered this in the March post on the subject – http://c7solutions.com/2017/03/exchange-edge-server-and-common-attachment-blocking-in-exchange-online-protection – where I added the default list from the Edge Server, but you could add anything to this list that you wanted to.

  2. […] Malware Filter Policy Updates in Office 365 […]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.