Malware Detections Report

One of the challenges faced by an Exchange Online administrator is to isolate vulnerable mailboxes that may get infected by malware. Administrators also need to analyse the trend of the mailboxes that were infected by malware and identify the senders sending the malware and the receivers who are receiving the malware. Analyzing the pattern of malware detection helps administrators in assessing the severity of malware infection and review the configuration of malware protection policies of Exchange Online from time to time. The Malware Detections report offered by eG Enterprise helps administrators in this regard. Using this report, administrators can strengthen the security of their Exchange Online environment and proactively protect the environment.

To generate the report, do the following:

  1. Follow the menu sequence: REPORTS BY FUNCTION -> Domain-specific Reports -> Microsoft Exchange Online -> Malware Detections.
  2. Figure 1 then appears. In Figure 1, select a criteria for analysis from the Analyze By list box.

    Figure 1 : Specifying the criteria for generating the Malware Detections report

  3. Using this report, you can analyze the license usage of one/more managed components, or those that are part of a zone, service or segment. The options provided by the Analyze By list box are discussed hereunder:

    • Component: Select this option to choose the component(s) from across all the managed components in the environment.
    • Zone: To generate a report for one/more components that are included in a zone, pick the Zone option. A Zone drop-down list will then appear, from which you would have to select the zone to which the components of interest to you belong. A Sub zone flag also appears. Indicate whether the components present within the sub-zones of the chosen zone are also to be to be considered for report generation, by setting the Sub zone flag to Yes.
    • Segment: If you want to generate a report for one/more chosen components that belong to a segment, select the Segment option from Analyze By list box, and then pick the Segment from the drop-down list that appears.
    • Service: If you want to generate a report for one/more components involved in the delivery of a service, select the Service option from Analyze By, and then pick the required Service from the drop-down list that appears.
  4. Choose a Component Type for which the report is to be generated.
  5. The Components list will now be populated with all the components that are managed in your environment for the chosen component type. If the Components list consists of too many components, then viewing all the components and selecting the ones you need for report generation could require endless scrolling. To avoid this, you can click the button next to the Components list. A Components pop up window will then appear using which you can view almost all the components in a single interface and Select the ones to be included in this report.
  6. Then, specify the Timeline for generating this report. You can either provide a fixed time line such as 1 hour, 2 days, etc., or select the Any option from the list to provide a From and To date/time for report generation.


    For every user registered with the eG Enterprise system, the administrator can indicate the maximum timeline for which that user can generate a report. Once the maximum timeline is set for a user, then, whenever that user logs into eG Reporter and attempts to generate a report, the Timeline list box in the report page will display options according to the maximum timeline setting of that user. For instance, if a user can generate a report for a maximum period of 3 days only, then 3 days will be the highest option displayed in the Timeline list - i.e., 3 days will be the last option in the fixed Timeline list. Similarly, if the user chooses the Any option from the Timeline list and proceeds to provide a start date and end date for report generation using the From and To specifications, eG Enterprise will first check if the user's Timeline specification conforms to his/her maximum timeline setting. If not, report generation will fail. For instance, for a user who is allowed to generate reports spanning over a maximum period of 3 days only, the difference between the From and To dates should never be over 3 days. If it is, then, upon clicking the Run Report button a message box will appear, prompting the user to change the From and To specification.

  7. In addition to the settings discussed above, this report comes with a set of default specifications. These settings are hidden by default. If you do not want to disturb these default settings, then you can proceed to generate the report by clicking the Run Report button soon after you pick one/more components for report generation. However, if you want to view and then alter these settings (if required), click on the icon. The default settings will then appear in the MORE OPTIONS drop down window (See Figure 2). The steps below discuss each of these settings and how they can be customized.

    Figure 2 : The default settings for generating the report

  8. If the timeline specified for the report needs to exclude the data collected during the Weekends, then set Exclude weekends to Yes. If not, select No.


    By default, the weekend constitutes Saturday and Sunday. To override this default setting, do the following:

    • Edit the eg_report.ini file in the <EG_INSTALL_DIR>\manager\config directory.
    • In the [EXCLUDE_WEEKEND] section of the file, the Days parameter is set to Saturday,Sunday by default. You can modify this by setting the Days parameter to a comma-separated list of other days of the week - say Friday,Saturday.
    • Save the file after making the required changes.
  9. Next, indicate the report Time period.


    By default, the Time period is set to 24 hours. Accordingly, the From and To parameters in the [timeframe] section of the eg_report.ini file (in the <eg_install_dir>\manager\config directory) are set to 00:00 and 24:00 respectively. If need be, you can override this default setting by configuring a different timeframe against the From and/or To parameters. 

  10. In large environments, reports generated using months of data can take a long time to complete. Administrators now have the option of generating reports on-line or in the background. When a report is scheduled for background generation, administrators can proceed with their other monitoring, diagnosis, and reporting tasks, while the eG manager is processing the report. This saves the administrator valuable time. To schedule background processing of a report, you can either select the Background Save - PDF option from the Report Generation list. To process reports in the foreground, select the Foreground Generation - HTML option from this list.


    • The Report Generation list will appear only if the EnableBackgroundReport flag in the [BACKGROUND_PROCESS] section of the eg_report.ini file (in the <EG_INSTALL_DIR>\manager\config directory) is set to Yes.
    • The default selection in the Report Generation list will change according to the Timeline specified for the report. If the Timeline set is greater than or equal to the number of days specified against the MinDurationForReport parameter in the [BACKGROUND_PROCESS] section of the eg_report.ini file, then the default selection in the Report Generation list will be Background Save - PDF. On the other hand, if the Timeline set for the report is lesser than the value of the MinDurationForReport parameter, then the default selection in the Report Generation list will be Foreground. This is because, the MinDurationForReport setting governs when reports are to be processed in the background. By default, this parameter is set to 2 weeks - this indicates that by default, reports with a timeline of 2 weeks and above will be processed in the background.
  11. Click the Done button if any changes were made to the More Options drop down window.
  12. Finally, click the Run Report button to generate the report.
  13. If the Report type is Foreground Generation - HTML, then Figure 3 will appear as soon as you click the Run Report button.

    Figure 3 : The generated Malware Detections Report

    The generated report (see Figure 3) contains the following sections:

    • The Summary section provides an at-a-glance view of the count of emails carrying malwares in the Microsoft Exchange Online environment. The total size of inbound and outbound emails carrying malwares are also provided in this section for a chosen time period. Using this section, administrators can figure out which type of mail traffic is severely infected by malware - whether incoming mail traffic? or outgoing mail traffic?.
    • The next section is a series of bar graphs that helps administrators figure out the top 10 receivers and senders in terms of number of malware-infected mails they received/sent. Using this information, administrators can tell over which email communication - i.e., communication between which sender and receiver - the maximum number of malware items were trafficked; such email communication may be pulled up for closer monitoring. The top 10 receivers and senders in terms of malware-infected mails can also be identified in the chosen time period.
    • The next section reveals a series of area graphs using which administrators can perform time based analysis on the number of malware-infected mails sent/received in the target environment. Using this analysis, administrators can figure out the time/date on which the maximum number of malware-infected mails were detected in the organization. Administrators can also figure out the unique senders and receivers who were most affected by malware-infected mails.