Exchange Online Protection Common Attachment Filter Update

Hello everyone,

Microsoft has reworked the GUI for the anti-malware file types in the M365 Defender portal.
Until now, only the following 13 file extensions were available in the Common Attachment Filter.
  • ace
  • ani
  • app
  • cab
  • docm
  • exe
  • iso
  • jar
  • jnlp
  • reg
  • scr
  • vbe
  • vbs



Now up to 96 extensions can be selected from a list.


Get-MalwareFilterPolicy -Identity <Identity> | select -ExpandProperty FileTypes | measure


Get-MalwareFilterPolicy -Identity <Identity> | select -ExpandProperty FileTypes


The following 96 extensions are now selectable:

  • ace
  • ani
  • app
  • docm
  • exe
  • jar
  • reg
  • scr
  • vbe
  • vbs
  • ade
  • adp
  • asp
  • bas
  • bat
  • cer
  • chm
  • cmd
  • com
  • cpl
  • crt
  • csh
  • der
  • dll
  • dos
  • fxp
  • gadget
  • hlp
  • Hta
  • Inf
  • Ins
  • Isp
  • Its
  • js
  • Jse
  • Ksh
  • Lnk
  • mad
  • maf
  • mag
  • mam
  • maq
  • mar
  • mas
  • mat
  • mau
  • mav
  • maw
  • mda
  • mdb
  • mde
  • mdt
  • mdw
  • mdz
  • msc
  • msh
  • msh1
  • msh1xml
  • msh2
  • msh2xml
  • mshxml
  • msi
  • msp
  • mst
  • obj
  • ops
  • os2
  • pcd
  • pif
  • plg
  • prf
  • prg
  • ps1
  • ps1xml
  • ps2
  • ps2xml
  • psc1
  • psc2
  • pst
  • rar
  • scf
  • sct
  • shb
  • shs
  • tmp
  • url
  • vb
  • vsmacros
  • vsw
  • vxd
  • w16
  • ws
  • wsc
  • wsf
  • wsh
  • xnk

Or the list can be extended to 159. I gathered the extensions from the following sources:

URL (sources)

Description

File extensions blocked by the Office fat client

Additional Office files with macros

Further file extensions that are blocked in OWA


Set-MalwareFilterPolicy -Identity Default -FileTypes @("ace","ani","app","docm","exe","jar","reg","scr","vbe","vbs","ade","adp","asp","bas","bat","cer","chm","cmd","com","cpl","crt","csh","der","dll","dos","fxp","gadget","hlp","Hta","Inf","Ins","Isp","Its","js","Jse","Ksh","Lnk","mad","maf","mag","mam","maq","mar","mas","mat","mau","mav","maw","mda","mdb","mde","mdt","mdw","mdz","msc","msh","msh1","msh1xml","msh2","msh2xml","mshxml","msi","msp","mst","obj","ops","os2","pcd","pif","plg","prf","prg","ps1","ps1xml","ps2","ps2xml","psc1","psc2","pst","rar","scf","sct","shb","shs","tmp","url","vb","vsmacros","vsw","vxd","w16","ws","wsc","wsf","wsh","xnk","appcontent-ms","appref-ms","aspx","arj","asx","cdxml","cnt","diagcab","dotm","grp","hpj","hta","htc","img","inf","ins","iso","isp","its","jnlp","jse","ksh","lnk","lzh","mcf","msu","osd","pl","potm","ppsm","pptm","printerexport","psd1","psdm1","pssc","py","pyc","pyo","pyw","pyz","pyzw","r25","r18","r14","r01","settingcontent-ms","tar","theme","udl","vbp","vhd","vhdx","webpnp","website","wsb","xbap","xlam","xll","xlm","xlsm","xltm","xlw","xps") -EnableFileFilter $true -ZapEnabled $true



Where possible, block file types according to this list from the National Cyber Security Centre (NCSC):
https://www.govcert.admin.ch/downloads/blocked-filetypes.txt

But take a close look at the list beforehand.
Here is the command to apply this filter:

Set-MalwareFilterPolicy -Identity ICEWOLFMalwarefilterPolicy-01 -FileTypes @("001","7z","ace","arj","bin","bz","bz2","bzip","bzip2","cab","cpio","deb","dmg","fat","gz","gzip","hfs","img","iso","lha","lzma","lz","lzh","mht","mime","ntfs","r00","r01","r02","r03","r04","r05","r06","r07","r08","r09","r10","r11","r12","r13","r14","r15","r16","r17","r18","r19","r20","r21","r22","r23","r24","r25","r26","r27","r28","r29","rev","rpm","smi","squashfs","swm","tar","taz","tbz","tbz2","tgz","tpz","txz","uu","uue","uuencode","vhd","webarchive","wim","xar","xxe","xz","z","asax","ashx","asp","bas","btm","cla","class","csh","ksh","mhtm","mhtml","pl","plg","ps1","ps1xml","ps2","ps2xml","psc1","psc2","sh","vb","wml","xbap","xdp","app","bat","cmd","com","dll","exe","jar","jnlp","js","jse","lnk","msi","msp","mst","ocx","pif","scr","tlb","url","vbe","vbs","ws","wsc","wsf","wsh","accde","ade","adp","cnv","dochtml","docm","docxml","dot","dothtml","dotm","dotx","dqy","fxp","iqy","mad","maf","mag","mam","maq","mar","mas","mat","mau","mav","maw","mda","mdb","mde","mdt","mdw","mdz","mpd","one","ops","osd","pot","potm","ppa","ppam","pps","ppsm","ppsx","pptm","pst","pub","pwz","sldm","slk","vbp","vsmacros","vss","vst","vsto","vsw","wbk","wiz","xla","xlam","xld","xlk","xll","xlm","xlsb","xlsm","xlt","xltm","xlw","xmls","xmlx","xnk","386","3gr","ani","application","appref-ms","appx","appxbundle","appxmanifest","blg","camp","cdmp","cer","chm","cnt","compositefont","cpl","crl","crt","der","drv","fon","gadget","grp","hlp","hpj","ht","hta","htt","hxs","igp","inf","ini","ins","isp","job","key","msc","msh","msh1","msh1xml","msh2","msh2xml","mshxml","pnf","prf","prg","reg","scf","sct","settingcontent-ms","shb","shs","sys","tmp","ttf","vxd","wbt") -EnableFileFilter $true -ZapEnabled $true

Get-MalwareFilterPolicy -Identity ICEWOLFMalwarefilterPolicy-01 | select -ExpandProperty FileTypes | Measure
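
One way to do the review step before running Set-MalwareFilterPolicy, as an added example that is not part of the original post: the helper normalizes a candidate list, reports entries that differ only by case or a leading dot, and shows which extensions would be added to or dropped from the current policy. The function name Compare-FileTypeList and the candidate excerpt are assumptions made for illustration; the "current" sample is the list of 13 former defaults from this page.

```powershell
# Added example (hypothetical helper): review a candidate list before applying it.
function Compare-FileTypeList {
    param(
        [string[]]$Current,    # extensions in the policy today
        [string[]]$Candidate   # extensions you intend to set
    )
    # Normalize: trim whitespace, drop a leading dot, lower-case.
    $norm = { param($x) $x.Trim().TrimStart('.').ToLowerInvariant() }
    $cur  = @($Current   | ForEach-Object { & $norm $_ } | Sort-Object -Unique)
    $all  = @($Candidate | ForEach-Object { & $norm $_ })
    $new  = @($all | Sort-Object -Unique)

    [pscustomobject]@{
        # Entries that occur more than once after normalization (e.g. "Hta" and "hta")
        Duplicates = @($all | Group-Object | Where-Object Count -gt 1 | ForEach-Object Name)
        # Extensions that would be newly blocked
        Added      = @($new | Where-Object { $_ -notin $cur })
        # Extensions blocked today that the candidate list would no longer block
        Removed    = @($cur | Where-Object { $_ -notin $new })
        # Cleaned list, ready to pass to -FileTypes
        FileTypes  = $new
    }
}

# Current state: the 13 former defaults listed on this page.
$current   = 'ace','ani','app','cab','docm','exe','iso','jar','jnlp','reg','scr','vbe','vbs'
# Constructed sample: a short excerpt of a candidate list, not a full list.
$candidate = 'ace','ani','app','docm','exe','jar','reg','scr','vbe','vbs',
             'Hta','hta','Lnk','lnk','.ps1'

$r = Compare-FileTypeList -Current $current -Candidate $candidate
"Duplicates: $($r.Duplicates -join ', ')"
"Added:      $($r.Added -join ', ')"
"Removed:    $($r.Removed -join ', ')"
"Total:      $($r.FileTypes.Count)"

# Against a real tenant (requires an Exchange Online PowerShell session):
# $current = (Get-MalwareFilterPolicy -Identity Default).FileTypes
# $r = Compare-FileTypeList -Current $current -Candidate $candidate
# Set-MalwareFilterPolicy -Identity Default -FileTypes $r.FileTypes -EnableFileFilter $true
```

A non-empty Removed line is the one to check first, because -FileTypes replaces the whole list rather than appending to it.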





Kind regards
Andres Bohren