18.9.45.11.2 Ensure 'Turn on e-mail scanning' is set to 'Enabled'

Information

This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac).

The recommended state for this setting is: Enabled.

Rationale:

Incoming e-mails should be scanned by an antivirus solution such as Microsoft Defender Antivirus, as email attachments are a commonly used attack vector to infiltrate computers with malicious software.

Impact:

E-mail scanning by Microsoft Defender Antivirus will be enabled.

Solution

To establish the recommended configuration, set the following Device Configuration Policy to Enabled:

To access the Device Configuration Policy from the Intune Home page:

Click Devices

Click Configuration profiles

Click Create profile

Select the platform (Windows 10 and later)

Select the profile (Custom)

Click Create

Enter a Name

Click Next

Configure the following Setting

Name: <Enter name>
Description: <Enter Description>
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Defender/AllowEmailScanning
Data type: Integer
Value: 0

Select OK

Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)

Note: More than one configuration setting from each of the Configuration profiles (ex: Administrative Templates, Custom etc.) can be added to each Device Configuration Policy.

Default Value:

Disabled. (E-mail scanning by Microsoft Defender Antivirus will be disabled.)

See Also

https://workbench.cisecurity.org/files/3358

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-3, 800-53|SI-16, CSCv7|8.1

Plugin: Windows

Control ID: f98571377f00c4dd895af5be9b21e046651039f462a0c68b995f4fe52c47b3a3