18.9.77.10.2 (L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled'

Information

This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac).
The recommended state for this setting is: Enabled.

Rationale:
Incoming e-mails should be scanned by an antivirus solution such as Windows Defender Antivirus, as email attachments are a commonly used attack vector to infiltrate computers with malicious software.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender Antivirus\Scan\Turn on e-mail scanning
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).

Impact:
E-mail scanning by Windows Defender Antivirus will be enabled.

Default Value:
Disabled. (E-mail scanning by Windows Defender Antivirus will be disabled.)

References:
1. CCE-33906-9

See Also

https://workbench.cisecurity.org/files/2754

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-3, CSCv6|13, CSCv7|8.1, CSCv7|8.2

Plugin: Windows

Control ID: 410b4fc22c19b5bfa6a1168f5dafa7df88cf0fd9ea20142e9c02c97ccfaa3708