Microsoft Exchange 2019 Transport Filtering Agent

Overview

Detects potential malware with libyara.NET (we use our own build with different fixes).
Extracts archives with SevenZipSharp.
Disarms potentially malicious PDFs with based on xdpdf algorithm.
Parses subject/body/headers with regex, aho-corasik.
Checks MessageId and source subnet of messages.
Can send user email notifications about potentially malicious messages.
Marks potentially malicious message with special header, which helps you archive and reject malicious messages on your Exchange server.
Uses metrics to decide whether a message is malicious.
Bruteforces archive attachments with the dictionary generated on message text (bad guys like that way to hide malicious files from antiviruses).

Using third party libraries:

Linyaranet requires .Net version 4.6 and higher. You can check if your server support it:

Stop-Service msexchangetransport
ls "c:\Path\To\FilterBinaries" -Recurse | Unblock-File
Install-TransportAgent -Name "ExchangeFilter" -TransportAgentFactory "ExchangeFilterAgentFactory " -AssemblyPath "c:\Path\To\FilterBinaries\ExchangeFilter.dll"
Set-TransportAgent "ExchangeFilter" -Priority 10
Enable-TransportAgent -identity ExchangeFilter
Start-Service msexchangetransport

Config.cs - Class contains necessary configurations, without which agents work is impossible.
default_config.xml - once configured, will be backup fuse, and if you change config.xml with mistake, agent will use default configuration
config.xml - main configuration file.

Information about messages processing is stored as JSON on filesystem via log4net.Ext.Json. Its useful to process these logs via ELK stack.

MIT License

Language:C# 86.2%Language:YARA 13.1%Language:Batchfile 0.7%