[KB6102] Configure ESET Mail Security for Microsoft Exchange Server to protect against ransomware

Issue

Details



Using the default Antispam rules, incoming emails are already filtered on the mail server. This ensures that the attachment containing the malicious dropper will not be delivered to the end user's mailbox, and the ransomware cannot execute.

To further help prevent ransomware on your Microsoft Exchange server, create the following rules in the latest version of ESET Mail Security for Microsoft Exchange Server, or create and apply an ESET PROTECT or ESET PROTECT On-Prem policy.


Solution

Do not adjust settings on production systems

The following settings are additional configurations; the specific settings required for your security environment may vary. We recommend that you test the settings for each implementation in a test environment before using them in a production environment.

Configure additional antispam settings in ESET Mail Security for Microsoft Exchange Server to protect against ransomware malware (file coder)

  1. Open the main program window of your ESET Windows application.

  2. Press the F5 key to access Advanced setup.

  3. Click Mail Transport Protection and click Edit next to Mail transport protection rules.

  4. Click Add.

  5. Type Ransomware droppers into the Name field and click Add condition.

  6. Select Attachment name from the Type drop-down menu and click Add.

  7. Click Enter multiple values.

  8. Copy/paste the following list of extensions into the empty field and click OK.

    *.js
    *.hta
    *.doc
    *.docm
    *.xls
    *.xlsm
    *.ppt
    *.pptm
    *.vbs
    *.bat
    *.wsf
    *.7z
    *.zip
    *.rar

  9. Click Add in the Action type section and select your preferred option from the Type drop-down menu. In this example, Quarantine message is selected. Click OK.

    Add multiple actions

    You can add multiple actions for the rule.

  10. In the Mail transport protection rules window, select the check box next to Dangerous executable file attachments and click Edit.

  11. Select the Attachment type entry in the Condition type list and click Edit.

  12. Click the expand icon next to Executable files, select the check box next to each file type you want to delete from messages (the file will be deleted by the Action type pre-configured in the rule), and click OK.

    Executable files

    If your environment requires using any of the listed executable file formats, you can modify which file formats are blocked. In most cases, users deselect the .exe and .msi file formats.

  13. Click OK to save the changes and exit Advanced setup.


Create a policy in ESET PROTECT or ESET PROTECT On-Prem with additional antispam settings for ESET Mail Security for Microsoft Exchange Server to protect against ransomware malware (file coder)

  1. Open the ESET PROTECT Web Console.

  2. Create a policy in ESET PROTECT or ESET PROTECT On-Prem.

  3. In the Settings section, select ESET Mail Security for Microsoft Exchange Server (V6+) from the drop-down menu, click Mail Transport Protection, and click Edit next to Mail transport protection rules.

  4. Click Add.

  5. Type Ransomware droppers into the Name field and click Add condition.

  6. Select Attachment name from the Type drop-down menu and click Add.

  7. Click Enter multiple values.

  8. Copy/paste the following list of extensions into the empty field and click OK.

    *.js
    *.hta
    *.doc
    *.docm
    *.xls
    *.xlsm
    *.ppt
    *.pptm
    *.vbs
    *.bat
    *.wsf
    *.7z
    *.zip
    *.rar

  9. Click OK.

  10. Click Add in the Action type section and select your preferred option from the Type drop-down menu. In this example, Quarantine message is selected. Click OK.

    Add multiple actions

    You can add multiple actions for the rule.

  11. In the Mail transport protection rules window, select the check box next to Dangerous executable file attachments and click Edit.

  12. Select the Attachment type entry in the Condition type list and click Edit.

  13. Click the expand icon next to Executable files, select the check box next to each file type you want to delete from messages (the file will be deleted by the Action type pre-configured in the rule), and click OK.

    Executable files

    If your environment requires using any of the listed executable file formats, you can modify which file formats are blocked. In most cases, users deselect the .exe and .msi file formats.

  14. Click OK.

  15. Click Save.

  16. Assign the policy to a client or assign the policy to a group. The policy will be applied when the assigned devices check in to ESET PROTECT or ESET PROTECT On-Prem.
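
To gauge which messages the Ransomware droppers rule from both procedures above would catch before it is enabled, the following added example checks attachment names in a raw message against the extension list from step 8. It is not ESET code and does not describe how ESET Mail Security evaluates the Attachment name condition; the case-insensitive wildcard match, the function names and the sample message are assumptions made for the illustration.

```python
import fnmatch
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extension list copied from step 8 of the rule above.
RULE_PATTERNS = ["*.js", "*.hta", "*.doc", "*.docm", "*.xls", "*.xlsm", "*.ppt",
                 "*.pptm", "*.vbs", "*.bat", "*.wsf", "*.7z", "*.zip", "*.rar"]

def attachment_names(raw: bytes) -> list:
    """Return every attachment file name found in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    names = []
    for part in msg.walk():
        # get_filename() reads the Content-Disposition filename and falls
        # back to the Content-Type name parameter.
        name = part.get_filename()
        if name:
            names.append(name.strip())
    return names

def matched_patterns(name: str) -> list:
    """Patterns the file name matches (assumption: matching ignores case)."""
    lowered = name.lower()
    return [p for p in RULE_PATTERNS if fnmatch.fnmatchcase(lowered, p)]

def rule_hits(raw: bytes) -> dict:
    """Map each attachment name that matches the list to the patterns it hit."""
    hits = {}
    for name in attachment_names(raw):
        patterns = matched_patterns(name)
        if patterns:
            hits[name] = patterns
    return hits

def build_sample(filenames) -> bytes:
    """Constructed test message; addresses and payload are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("body")
    for fn in filenames:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=fn)
    return msg.as_bytes()

if __name__ == "__main__":
    sample = build_sample(["Invoice.PDF.JS", "report.pdf", "budget.xlsx", "scan.zip"])
    print(rule_hits(sample))
```

Running it over an export of legitimate mail from the test environment shows how often everyday attachments such as *.doc or *.zip would be quarantined, and which names (for example .xlsx) the list does not cover.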


Download and import the ESET PROTECT or ESET PROTECT On-Prem policy

The ESET PROTECT or ESET PROTECT On-Prem policy for ESET Mail Security for Microsoft Exchange Server, with additional Antispam settings to protect against ransomware malware (file coder), can be downloaded and imported from the link below.

The ESET PROTECT policy is available only for the latest version of ESET applications. Compatibility with earlier versions cannot be guaranteed.

  1. Download the Additional Ransomware Protection ESET PROTECT or ESET PROTECT On-Prem policy.

  2. Open the ESET PROTECT Web Console.

  3. Import the policy.


    ESET PROTECT

    Click Configuration > Advanced setup > Actions > Import.


    ESET PROTECT On-Prem

    Click Policies > Actions > Import.


  4. Click Choose file to upload, select the downloaded policy, and click Import.

  5. Assign the policy to a client or assign the policy to a group. The policy will be applied when the assigned devices check in to ESET PROTECT or ESET PROTECT On-Prem.


Ransomware dropper filtering example

The following is an example of the Ransomware dropper policy filtering a ransomware dropper, along with a corresponding mail quarantine report.