False positive detections of malware in Microsoft SharePoint occur when a safe file is mistakenly identified as malware by Microsoft scanning engines. This article explains how to identify which feature flagged the file, how to report it for analysis, and how to unblock the file, if it's necessary. Although the information in this article focuses on files in SharePoint, it applies also to files that are stored on OneDrive and in Microsoft Teams.
Tip
Admins or security operations (SecOps) personnel who have Security Administrator permissions in organizations that use cloud mailboxes have access to files on the following pages in the Microsoft Defender portal:
- The Files tab of the Quarantine page at https://security.microsoft.com/quarantine?viewid=Files
- The Email Attachments tab of the Submissions page at https://security.microsoft.com/reportsubmission?viewid=emailAttachment
- The Files tab of the Tenant Allow/Block Lists page at https://security.microsoft.com/tenantAllowBlockList?viewid=FileHash
However, the Files tab on the Submissions page at https://security.microsoft.com/reportsubmission?viewid=fileSubmissions is available only to organizations that have Microsoft Defender XDR or Microsoft Defender for Endpoint Plan 2.
For permissions and the most current information about the SharePoint Online Management Shell, see Intro to SharePoint Online Management Shell.
Malware detection in SharePoint
SharePoint uses two main malware scanning engines:
- Microsoft Defender for Office 365: Files are tested in a cloud virtual environment (also known as a sandbox). For more information, see Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
- Microsoft Defender for Endpoint: Built-in virus protection that uses frequently updated signature-based detections.
File scanning isn't always immediate. Scanning occurs asynchronously based on such factors as file type and sharing status. If a file is detected as malware, access to the file is blocked, and a warning message appears.
Handle and prevent false positives
Use the steps in this section to resolve false positives in SharePoint.
Step 1: Identify the engine that flagged the file
Use any of the following methods:
Simple: Use either of the following methods in the Defender portal:
Quarantine: On the Files tab of the Quarantine page at https://security.microsoft.com/quarantine?viewid=Files, the Detected by property contains one of the following values in Defender for Office 365:
- AV for the signature detection
- MDO for Safe Attachments detection
For more information, see Use the Microsoft Defender portal to manage quarantined files in Defender for Office 365.
Threat Explorer (Explorer) or Real-time detections: The Content malware view on one of the following pages:
- Explorer (Defender for Office 365 Plan 2): https://security.microsoft.com/threatexplorerv3
- Real-time Detections (Defender for Office 365 Plan 1): https://security.microsoft.com/realtimereportsv3
The Detection technology field in the filterable properties contains one of the following values:
- Antimalware protection for signature detection
- File detonation or File reputation for Safe Attachments detection
For more information, see Content malware view in Threat Explorer and Real-time detections.
Advanced: Use either of the following methods:
Microsoft Purview Audit: Review the audit log for FileMalwareDetected operations. By default, the log holds information for 180 days.
- The AuditData column contains the VirusVendor field:
- Default for signature-based detection
- Advanced Threat Protection for Safe Attachments detection
- The VirusInfo field contains the full name of the malware variant.
For more information, see Search the audit log.
SharePoint Online PowerShell: Use the Get-SPOMalwareFile cmdlet for details about the detection. The MalwareInfo field indicates the detection type. For example, Win32/CryptInject!MSR or Trojan_PDF_LinkedUrlCookie_A.
- Signature detection malware variants include forward slashes ('/').
- Safe Attachments detection malware variants include underscores ('_') or the text Malicious Payload.
For example:
```powershell
PS C:\WINDOWS\system32\> Get-SPOMalwareFile -FileUri 'https://contoso.sharepoint.com/sites/Everyone/Shared Documents/eic_order.log'

File               : Microsoft.SharePoint.Client.File
FilePath           : Microsoft.SharePoint.Client.ResourcePath
MalwareInfo        : DOS/EICAR_Test_File
MalwareStatus      : Infected
SiteURL            : https://contoso.sharepoint.com/sites/Everyone
Context            : Microsoft.Online.SharePoint.PowerShell.CmdLetContext
Tag                :
Path               : Microsoft.SharePoint.Client.ObjectPathMethod
ObjectVersion      :
ServerObjectIsNull : False
TypedObject        : Microsoft.Online.SharePoint.TenantAdministration.SPOMalwareFile
```
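The following added example (not code from the article or from Microsoft) applies the two rule sets above in one triage script: it classifies the engine from the MalwareInfo naming pattern returned by Get-SPOMalwareFile, does the same from the VirusVendor value in FileMalwareDetected audit records, and maps each result to the Step 2 submission route. It assumes Connect-SPOService and Connect-ExchangeOnline have already been run; the check order when a name contains both '/' and '_', and the use of ObjectId for the file URL in audit records, are assumptions.

```powershell
$VendorToEngine = @{   # VirusVendor values named in the Purview Audit section
    'Default'                    = 'Signature (Defender for Endpoint)'
    'Advanced Threat Protection' = 'Safe Attachments (Defender for Office 365)'
}

function Resolve-DetectionEngine {
    # Classifies a MalwareInfo value from Get-SPOMalwareFile by its naming pattern.
    param([string]$MalwareInfo)
    if ([string]::IsNullOrWhiteSpace($MalwareInfo)) { return 'None' }
    # Check order is an assumption: DOS/EICAR_Test_File has both '/' and '_',
    # and the family/variant slash is the stronger signature-name signal.
    if ($MalwareInfo -match '/') { return $VendorToEngine['Default'] }
    if ($MalwareInfo -match '_|Malicious Payload') { return $VendorToEngine['Advanced Threat Protection'] }
    return 'Unknown'
}

function Get-SubmissionRoute {
    # Step 2 route for the engine (tab names on the Defender portal Submissions page).
    param([string]$Engine)
    switch -Wildcard ($Engine) {
        'Safe Attachments*' { 'Submissions > Email attachments tab' }
        'Signature*'        { 'Submissions > Files tab (needs Defender XDR or MDE Plan 2)' }
        default             { 'Review manually before submitting' }
    }
}

function Get-SpoMalwareTriage {
    # One triage record per blocked file URI; requires Connect-SPOService first.
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$FileUri)
    process {
        foreach ($uri in $FileUri) {
            $f = Get-SPOMalwareFile -FileUri $uri
            $engine = Resolve-DetectionEngine -MalwareInfo $f.MalwareInfo
            [pscustomobject]@{ FileUri = $uri; Status = $f.MalwareStatus
                MalwareInfo = $f.MalwareInfo; Engine = $engine; SubmitVia = Get-SubmissionRoute $engine }
        }
    }
}

function Get-AuditMalwareTriage {
    # Same record shape from the Purview audit log; requires Connect-ExchangeOnline first.
    # ObjectId holding the file URL is an assumption about the record layout.
    param([int]$Days = 180)   # the article states the log is kept for 180 days
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
        -Operations FileMalwareDetected -ResultSize 5000 | ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        $engine = $VendorToEngine[[string]$d.VirusVendor]; if (-not $engine) { $engine = 'Unknown' }
        [pscustomobject]@{ FileUri = $d.ObjectId; Status = 'Infected'   # implied by the operation
            MalwareInfo = $d.VirusInfo; Engine = $engine; SubmitVia = Get-SubmissionRoute $engine }
    }
}
```

Pipe blocked file URIs (for example, the path from the SharePoint warning message) into Get-SpoMalwareTriage, or run Get-AuditMalwareTriage to enumerate every detection in the retention window; the SubmitVia column tells you which Submissions tab to use for each file.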
Step 2: Submit files to Microsoft for analysis
If multiple files are flagged, submit all affected files by using the following steps.
Download the files by using one of the following methods:
Caution
Downloading files that contain malware poses risks. Always adhere to your organization's security guidelines before you proceed.
Defender portal: On the Files tab of the Quarantine page at https://security.microsoft.com/quarantine?viewid=Files, select the file, and then select Download. For more information, see Download quarantined files from quarantine.
SharePoint Online PowerShell: Use the Get-SPOMalwareFileContent cmdlet.
Submit the files by using one of the following methods, based on how the file was detected:
Safe Attachments detection: Use the Email attachments tab on the Submissions page in the Defender portal at https://security.microsoft.com/reportsubmission?viewid=emailAttachment. For instructions, see Report good email attachments to Microsoft.
Defender for Endpoint signature detection (Microsoft Defender XDR or Microsoft Defender for Endpoint Plan 2): Submit a file for malware analysis by using the Files tab on the Submissions page in the Defender portal at https://security.microsoft.com/reportsubmission?viewid=fileSubmissions. For instructions, see Submit files in Microsoft Defender for Endpoint. Or, submit the file through the Microsoft Security Intelligence portal at https://www.microsoft.com/wdsi/filesubmission.
Step 3: Verify the outcome
If Microsoft identifies a false positive and updates the definitions, the file shouldn't be flagged again. If the file continues to be flagged, contact Microsoft Support, and specify whether the issue involves a single file or multiple files.
Unblock files
Important
Only unblock files that you're confident are safe.
Use any of the following methods:
Admins can release files from quarantine within 30 days. For more information, see Release quarantined files from quarantine.
To submit a blocked file for Safe Attachments malware detection, admins can use the Email attachments tab (which also applies to SharePoint files) on the Submissions page in the Defender portal at https://security.microsoft.com/reportsubmission?viewid=emailAttachment. After you select I've confirmed it's clean, you can then select Allow this file to create an allow entry for the file on the Files tab of the Tenant Allow/Block List. For instructions, see Report good email attachments to Microsoft.
Tip
Uploading a file again might restore access, but the file might also be flagged again unless the definitions are updated.
For files that are blocked for more than 30 days, contact Microsoft Support and provide the following information:
- Evidence that the file is safe
- The detection type
- The file path from the relevant source:
  - The SharePoint library details
  - Output from the Get-SPOMalwareFile cmdlet
Here's an example path from the SharePoint library details: https://contoso.sharepoint.com/sites/Everyone/Shared%20Documents/General/MyDoc1.docx
More information
Manage quarantined messages and files as an admin
Built-in virus protection in SharePoint, OneDrive, and Microsoft Teams
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams