Exchange 2013 anti-malware protection: Will you need anything else?

Trusting native Exchange 2013 anti-malware protection to protect your environment is an option, but that doesn't necessarily mean it's the best one.

While Microsoft includes native anti-malware protection in Exchange 2013, it raises an important question for potential adopters: Is it enough to replace the anti-malware software they already have in place?

Malware has long been a security problem for messaging systems like Exchange Server. Administrators with on-premises deployments prior to Exchange 2013 were forced to invest in anti-malware software to protect mailboxes against viruses. In Exchange Server 2013, however, Microsoft has integrated anti-malware capabilities into the product, providing admins with a "free" option for protecting Exchange.

Microsoft’s decision to include anti-malware protection in Exchange Server 2013 is similar to its decision to include self-signed certificates in Exchange 2010. When Microsoft built Exchange Server 2010, it included self-signed certificates as a way for customers to perform encryption without investing in a certificate from a commercial certificate authority. Self-signed certificates aren't ideal because messaging clients such as Outlook do not trust self-signed certificates; nor should they. That said, a self-signed certificate is better than no certificate at all.

This basic philosophy also applies to Microsoft's built-in anti-malware protection for Exchange Server 2013. The integrated anti-malware features provide basic protection against email viruses, but the software does not deliver the comprehensive protection that commercial anti-malware products do.


Before I explain how native protection does and does not protect Exchange Server 2013, it's important to understand that the built-in Exchange 2013 anti-malware protection is different from Forefront Online Protection for Exchange (FOPE) and Exchange Online Protection (EOP). EOP is an add-on solution for Exchange anti-malware protection, while FOPE is Microsoft's cloud-based antivirus solution.

Both products are fee-based and use multiple scanning engines. Both EOP and FOPE also offer full reporting capabilities as well as a message-trace feature. As you can see, the capabilities are similar to what you'd find in some of the more well-known commercial antivirus products.

Exchange 2013 anti-malware protection capabilities

Exchange Server 2013's built-in anti-malware protection is much more modest in scope. The first distinction between the built-in software and Microsoft's commercial products is that the Exchange 2013 anti-malware protection only uses a single scanning engine, not multiple scanning engines.

This fact might not be an automatic deal breaker -- especially when you consider that Exchange checks for virus definition updates on an hourly basis -- but it's definitely worth calling out.

A major limitation has to do with how the scanning is performed. Exchange 2013 anti-malware protection performs transport-level scanning. In other words, messages are scanned for malicious content as they pass through the transport pipeline.

Now, there's no denying that transport-level scanning is important, but Exchange 2013 anti-malware protection doesn't scan the mailbox store. In theory, this shouldn't be a problem because anything that makes it into the mailbox database has already been scanned at the transport level, right? Well, imagine that a new type of malware is received before the built-in scanning engine has acquired a definition for it. In this situation, the infected message would pass into the mailbox store.

Let's suppose that immediately after the infected message is delivered, Exchange 2013 is updated with a signature for the virus. The built-in Exchange 2013 protection would actually prevent users from forwarding the infected message to others, because the act of doing so would require the message to re-enter the transport pipeline, where it would be rescanned.

Unfortunately, there is nothing stopping a user from opening the infected attachment, because opening a message that has already been delivered to the user's mailbox doesn't require the message to pass through the transport pipeline.

Final thoughts

Exchange 2013's built-in malware scanning capabilities provide basic protection but are anything but foolproof. Commercial anti-malware products provide much more comprehensive protection.

If you do opt to purchase a commercial product, it's possible to disable the built-in anti-malware protection. However, Microsoft recommends leaving it enabled if you plan on using EOP or FOPE. Doing so provides a stronger and more in-depth defense because multiple scanning mechanisms are being used.
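Whichever way you go, it is worth confirming what state the built-in scanner is actually in. The following audit is an added example, not part of the original article; it is meant to be run in the Exchange Management Shell on an Exchange 2013 Mailbox server, and the function name `Get-MalwareFilteringAudit` and the 60-minute threshold are assumptions chosen for illustration.

```powershell
# Added example: run in the Exchange Management Shell on an Exchange 2013
# Mailbox server. Function name and threshold are assumptions for illustration.
function Get-MalwareFilteringAudit {
    [CmdletBinding()]
    param(
        # Assumed policy: definitions should be checked at least hourly.
        [int]$MaxUpdateMinutes = 60
    )

    $findings = New-Object 'System.Collections.Generic.List[string]'

    # The built-in scanner runs as the "Malware Agent" transport agent.
    $agent = Get-TransportAgent -Identity 'Malware Agent' -ErrorAction SilentlyContinue
    if (-not $agent) {
        $findings.Add('Malware Agent not found in the transport pipeline')
    } elseif (-not $agent.Enabled) {
        $findings.Add('Malware Agent is disabled')
    }

    $mfs = Get-MalwareFilteringServer -Identity $env:COMPUTERNAME

    # BypassFiltering leaves the agent loaded but skips scanning.
    if ($mfs.BypassFiltering) {
        $findings.Add('BypassFiltering is on: messages are not scanned')
    }
    # ScanErrorAction Allow delivers messages the engine could not scan.
    if ("$($mfs.ScanErrorAction)" -eq 'Allow') {
        $findings.Add('ScanErrorAction is Allow: unscannable mail is delivered')
    }
    # UpdateFrequency is expressed in minutes.
    if ($mfs.UpdateFrequency -gt $MaxUpdateMinutes) {
        $findings.Add("Definition check interval is $($mfs.UpdateFrequency) minutes")
    }

    [pscustomobject]@{
        Server          = $env:COMPUTERNAME
        AgentEnabled    = [bool]($agent -and $agent.Enabled)
        BypassFiltering = $mfs.BypassFiltering
        ScanErrorAction = "$($mfs.ScanErrorAction)"
        UpdateFrequency = $mfs.UpdateFrequency
        Findings        = $findings -join '; '
    }
}

Get-MalwareFilteringAudit | Format-List
```

An empty `Findings` value means the agent is loaded, scanning is not bypassed, unscannable messages are blocked, and definition checks run at least hourly.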

About the author:
Brien Posey is a ten-time Microsoft MVP with two decades of IT experience. Before becoming a freelance technical writer, Brien worked as a chief information officer at a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the nation's largest insurance companies and for the Department of Defense at Fort Knox.

Join the conversation


Great Article for Exchange 2013 On-Premises customers :-)
Exchange anti-spam solution is in its bud; it is just Microsoft's market gimmick to promote its Exchange Online Protection.

Excellent article! I have a question: I have an Exchange 2013 environment and I have installed Trend Micro on the Windows Server 2012 that hosts the Exchange software. This anti-virus is a file-level protection. Now the question: Can I use both (Trend and Exchange anti-malware) together or should I disable one of them?