learn.microsoft.com Open in urlscan Pro
2a02:26f0:3100:1a4::3544  Public Scan

Submitted URL: http://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide
Effective URL: https://learn.microsoft.com/en-us/defender-office-365/anti-malware-protection-for-spo-odfb-teams-about?view=o365-worldwide
Submission: On July 25 via api from DE — Scanned from DE

Form analysis 3 forms found in the DOM

Name: site-header-search-form-mobileGET /en-us/search/

<form class="flex-grow-1" method="GET" role="search" id="ms--site-header-search-form-mobile" data-bi-name="site-header-search-form-mobile" name="site-header-search-form-mobile" aria-label="Search" action="/en-us/search/">
  <div class="autocomplete display-block" data-bi-name="autocomplete"><!---->
    <div class="field-body control ">
      <input role="combobox" maxlength="100" aria-autocomplete="list" autocapitalize="off" autocomplete="off" autocorrect="off" spellcheck="false" id="site-header-search-autocomplete-input-mobile"
        data-test-id="site-header-search-autocomplete-input-mobile" class="autocomplete-input input 
						
						width-full" type="search" name="terms" aria-expanded="false" aria-owns="ax-1-listbox" aria-controls="ax-1-listbox" aria-activedescendant="" aria-label="Search" aria-describedby="ms--site-header-search-autocomplete-input-mobile-description"
        placeholder="Search" data-bi-name="site-header-search-autocomplete-input-mobile" pattern=".*">
      <span aria-hidden="true" class="autocomplete-loader loader has-text-primary " hidden=""></span>
      <span hidden="" id="ms--site-header-search-autocomplete-input-mobile-description"> Suggestions will filter as you type </span>
    </div>
    <ul role="listbox" id="ax-1-listbox" data-test-id="site-header-search-autocomplete-input-mobile-listbox" class="autocomplete-suggestions is-vertically-scrollable padding-xxs " aria-label="Suggestions" hidden="">
    </ul>
    <!---->
  </div>
  <!-- mobile safari will not dispatch submit event unless there's a submit button that is not display:none -->
  <button type="submit" class="visually-hidden" tabindex="-1" aria-hidden="true"></button>
  <input name="category" hidden="" value="">
</form>

Name: site-header-search-formGET /en-us/search/

<form class="flex-grow-1" method="GET" role="search" id="ms--site-header-search-form" data-bi-name="site-header-search-form" name="site-header-search-form" aria-label="Search" action="/en-us/search/">
  <div class="autocomplete display-block" data-bi-name="autocomplete"><!---->
    <div class="field-body control ">
      <input role="combobox" maxlength="100" aria-autocomplete="list" autocapitalize="off" autocomplete="off" autocorrect="off" spellcheck="false" id="site-header-search-autocomplete-input" data-test-id="site-header-search-autocomplete-input" class="autocomplete-input input input-sm
						
						width-full" type="search" name="terms" aria-expanded="false" aria-owns="ax-0-listbox" aria-controls="ax-0-listbox" aria-activedescendant="" aria-label="Search" aria-describedby="ms--site-header-search-autocomplete-input-description"
        placeholder="Search" data-bi-name="site-header-search-autocomplete-input" pattern=".*">
      <span aria-hidden="true" class="autocomplete-loader loader has-text-primary " hidden=""></span>
      <span hidden="" id="ms--site-header-search-autocomplete-input-description"> Suggestions will filter as you type </span>
    </div>
    <ul role="listbox" id="ax-0-listbox" data-test-id="site-header-search-autocomplete-input-listbox" class="autocomplete-suggestions is-vertically-scrollable padding-xxs " aria-label="Suggestions" hidden="">
    </ul>
    <!---->
  </div>
  <!-- mobile safari will not dispatch submit event unless there's a submit button that is not display:none -->
  <button type="submit" class="visually-hidden" tabindex="-1" aria-hidden="true"></button>
  <input name="category" hidden="" value="">
</form>

javascript:

<form action="javascript:" role="search" aria-label="Search" class="margin-bottom-xxs"><label class="visually-hidden" for="ax-2">Search</label>
  <div class="autocomplete display-block" data-bi-name="autocomplete"><!---->
    <div class="field-body control has-icons-left">
      <input role="combobox" maxlength="100" aria-autocomplete="list" autocapitalize="off" autocomplete="off" autocorrect="off" spellcheck="false" id="ax-2" data-test-id="ax-2" class="autocomplete-input input input-sm
						control has-icons-left
						width-full" type="text" aria-expanded="false" aria-owns="ax-3-listbox" aria-controls="ax-3-listbox" aria-activedescendant="" aria-describedby="ms--ax-2-description" placeholder="Filter by title" pattern=".*">
      <span aria-hidden="true" class="icon is-small is-left">
        <span class="has-text-primary docon docon-filter-settings"></span>
      </span>
      <span aria-hidden="true" class="autocomplete-loader loader has-text-primary " hidden=""></span>
      <span hidden="" id="ms--ax-2-description"> Suggestions will filter as you type </span>
    </div>
    <ul role="listbox" id="ax-3-listbox" data-test-id="ax-2-listbox" class="autocomplete-suggestions is-vertically-scrollable padding-xxs " aria-label="Suggestions" hidden="">
    </ul>
    <!---->
  </div>
</form>

Text Content

Skip to main content

We use optional cookies to improve your experience on our websites, such as
through social media connections, and to display personalized advertising based
on your online activity. If you reject optional cookies, only cookies necessary
to provide you the services will be used. You may change your selection by
clicking “Manage Cookies” at the bottom of the page. Privacy Statement
Third-Party Cookies

Accept Reject Manage cookies

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security
updates, and technical support.

Download Microsoft Edge More info about Internet Explorer and Microsoft Edge

Learn
Suggestions will filter as you type
Sign in


 * Profile
 * Settings

Sign out

Learn
   
 * Discover
      
    * Documentation
      
      In-depth articles on Microsoft developer tools and technologies
   
      
    * Training
      
      Personalized learning paths and courses
   
      
    * Credentials
      
      Globally recognized, industry-endorsed credentials
   
      
    * Q&A
      
      Technical questions and answers moderated by Microsoft
   
      
    * Code Samples
      
      Code sample library for Microsoft developer tools and technologies
   
      
    * Assessments
      
      Interactive, curated guidance and recommendations
   
      
    * Shows
      
      Thousands of hours of original programming from Microsoft experts
   
      
   
   Microsoft Learn for Organizations
   
   Boost your team's technical skills
   
   Access curated resources to upskill your team and close skills gaps.

   
 * Product documentation
      
    * ASP.NET
      
    * Azure
      
    * Dynamics 365
      
    * Microsoft 365
      
    * Microsoft Edge
      
    * Microsoft Entra
      
    * Microsoft Graph
      
    * Microsoft Intune
      
    * Microsoft Purview
      
    * Microsoft Teams
      
    * .NET
      
    * Power Apps
      
    * Power Automate
      
    * Power BI
      
    * Power Platform
      
    * PowerShell
      
    * SQL
      
    * Sysinternals
      
    * Visual Studio
      
    * Windows
      
    * Windows Server
      
   
   View all products
   
   Microsoft Learn for Organizations
   
   Boost your team's technical skills
   
   Access curated resources to upskill your team and close skills gaps.

   
 * Development languages
      
    * C++
      
    * C#
      
    * DAX
      
    * Java
      
    * OData
      
    * OpenAPI
      
    * Power Query M
      
    * VBA
      
   
   Microsoft Learn for Organizations
   
   Boost your team's technical skills
   
   Access curated resources to upskill your team and close skills gaps.

   
 * Topics
      
    * Artificial intelligence
      
    * Compliance
      
    * DevOps
      
    * Platform engineering
      
    * Security
      
   
   Microsoft Learn for Organizations
   
   Boost your team's technical skills
   
   Access curated resources to upskill your team and close skills gaps.

   

Suggestions will filter as you type
Sign in


 * Profile
 * Settings

Sign out
Microsoft Defender
   
 * Microsoft Defender products & services
     
   * Microsoft Defender XDR
     
   * Microsoft Defender for Endpoint
     
   * Microsoft Defender for Office 365
     
   * Microsoft Defender for Identity
     
   * Microsoft Defender Vulnerability Management
     
   * Microsoft Defender for Cloud Apps
     
   * Microsoft Defender for Business
     
   * Microsoft Defender for Cloud
     
   * Microsoft External Attack Surface Management
     
   * Microsoft Defender for IoT
     
   
 * Security resources
     
   * Microsoft security documentation
     
   * Microsoft Zero Trust guidance center
     
   * Microsoft Copilot for Security
     
   * Microsoft Defender training and certification
     
   
 * More
     
   * Microsoft Defender products & services
       
     * Microsoft Defender XDR
       
     * Microsoft Defender for Endpoint
       
     * Microsoft Defender for Office 365
       
     * Microsoft Defender for Identity
       
     * Microsoft Defender Vulnerability Management
       
     * Microsoft Defender for Cloud Apps
       
     * Microsoft Defender for Business
       
     * Microsoft Defender for Cloud
       
     * Microsoft External Attack Surface Management
       
     * Microsoft Defender for IoT
       
     
   * Security resources
       
     * Microsoft security documentation
       
     * Microsoft Zero Trust guidance center
       
     * Microsoft Copilot for Security
       
     * Microsoft Defender training and certification
       
     
   

Table of contents Exit focus mode

Search
Suggestions will filter as you type
 * Office 365 security
 * Overview
 * Get started
 * Evaluate
 * Deploy
 * Migrate
 * Protect and Detect
   * Defender for Office 365 SecOps Guide
   * Defender for Office 365 in Microsoft Teams
   * Security recommendations for priority accounts
   * Usage card in Defender for Office 365
   * Protection policies
     * Preset security policies
     * Recommended settings for configuring EOP and Defender for Office 365
       Security
     * Configuration analyzer for protection policies
     * Anti-malware in EOP
       * Anti-malware protection
       * Configure anti-malware policies
       * Anti-malware protection FAQ
       * Zero-hour auto purge (ZAP)
       * Virus detection in SharePoint Online
     * Anti-spam in EOP
     * Anti-phishing in EOP and Defender for Office 365
     * Safe Attachments in Defender for Office 365
     * Safe Links in Defender for Office 365
     * Outbound spam protection in EOP
     * Connection filtering in EOP
   * Audit log search
   * Advanced delivery policy
   * Alert policies
   * Allow and block
   * Attack simulation training in Defender for Office 365
   * Connectors for mail flow
   * Delegated administration
   * Exchange mail flow rules (transport rules)
   * Message trace
   * Quarantine
   * Reports
   * Safe Documents in Microsoft 365 A5 or E5 Security
 * Investigate and Respond
 * Reference
 * Microsoft Defender XDR docs
 * Step-by-step guides

Download PDF
    
 1. Learn
    
    
 2. Microsoft Defender
    
    
 3. Microsoft Defender for Office 365
    

    
 1. Learn
    
    
 2. Microsoft Defender
    
    
 3. Microsoft Defender for Office 365
    

Read in English Save
 * Add to Collections
 * Add to Plan
 * Add to Challenges

Table of contents Read in English Add to Collections Add to Plan Edit


--------------------------------------------------------------------------------

SHARE VIA

Facebook x.com LinkedIn Email

--------------------------------------------------------------------------------

Print
Table of contents


BUILT-IN VIRUS PROTECTION IN SHAREPOINT ONLINE, ONEDRIVE, AND MICROSOFT TEAMS

 * Article
 * 06/24/2024
 * 5 contributors
 * Applies to: ✅ Exchange Online Protection, ✅ Microsoft Defender for Office 365
   Plan 1 and Plan 2

Feedback


IN THIS ARTICLE

    
 1. What happens if an infected file is uploaded to SharePoint Online?
    
 2. What happens when a user tries to download an infected file by using the
    browser?
    
 3. Can admins bypass DisallowInfectedFileDownload and extract infected files?
    
 4. What happens when the OneDrive sync client tries to sync an infected file?
    
 5. Extended capabilities with Microsoft Defender for Office 365
    
 6. Related articles
    

Show 2 more

Tip

Did you know you can try the features in Microsoft Defender XDR for Office 365
Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft
Defender portal trials hub. Learn about who can sign up and trial terms here.

Microsoft 365 uses a common virus detection engine for scanning files that users
upload to SharePoint Online, OneDrive, and Microsoft Teams. This protection is
included with all subscriptions that include SharePoint Online, OneDrive, and
Microsoft Teams.

Important

The built-in anti-virus capabilities are a way to help contain viruses. They
aren't intended as a single point of defense against malware for your
environment. We encourage all customers to investigate and implement
anti-malware protection at various layers and apply best practices for securing
their enterprise infrastructure.


WHAT HAPPENS IF AN INFECTED FILE IS UPLOADED TO SHAREPOINT ONLINE?

The Microsoft 365 virus detection engine scans files asynchronously (at some
time after upload). If a user tries to download a file in a web browser or from
Teams that hasn't been scanned, a scan is triggered before the download is
allowed. All file types are not automatically scanned. Heuristics determine the
files to scan. When a file is found to contain a virus, the file is flagged.

Here's what happens:

 1. A user uploads a file to SharePoint Online.
 2. SharePoint Online, as part of its virus scanning processes, later determines
    if the file meets the criteria for a scan.
 3. If the file meets the criteria for a scan, the virus detection engine scans
    the file.
 4. If a virus is found within the scanned file, the virus engine sets a
    property on the file that indicates the file is infected.


WHAT HAPPENS WHEN A USER TRIES TO DOWNLOAD AN INFECTED FILE BY USING THE
BROWSER?

By default, users can download infected files from SharePoint Online. Here's
what happens:

 1. In a web browser, a user tries to download a file from SharePoint Online
    that happens to be infected.
 2. The user is shown a warning that a virus was detected in the file. The user
    is given the option to proceed with the download and attempt to clean it
    using anti-virus software on their device.

To change this behavior so users can't download infected files, even from the
anti-virus warning window, admins can use the DisallowInfectedFileDownload
parameter on the Set-SPOTenant cmdlet in SharePoint Online PowerShell. The value
$true for the DisallowInfectedFileDownload parameter completely blocks access to
detected/blocked files for users.

For instructions, see Use SharePoint Online PowerShell to prevent users from
downloading malicious files.


CAN ADMINS BYPASS DISALLOWINFECTEDFILEDOWNLOAD AND EXTRACT INFECTED FILES?

SharePoint admins and global admins* are allowed to do forensic file extractions
of malware-infected files in SharePoint Online PowerShell with the
Get-SPOMalwareFileContent cmdlet. Admins don't need access to the site that
hosts the infected content. As long as the file is marked as malware, admins can
use Get-SPOMalwareFileContent to extract the file.

For more information about the infected file, admins can use the
Get-SPOMalwareFile cmdlet to see the type of malware that was detected and the
status of the infection.

Important

* Microsoft recommends that you use roles with the fewest permissions. Using
lower permissioned accounts helps improve security for your organization. Global
Administrator is a highly privileged role that should be limited to emergency
scenarios when you can't use an existing role.


WHAT HAPPENS WHEN THE ONEDRIVE SYNC CLIENT TRIES TO SYNC AN INFECTED FILE?

When a malicious file is uploaded to OneDrive, the file is synced to the local
machine before being marked as malware. After the file is marked as malware, the
user can't open the synced file from their local machine.


EXTENDED CAPABILITIES WITH MICROSOFT DEFENDER FOR OFFICE 365

Microsoft 365 organizations that have Microsoft Defender for Office 365 included
in their subscription or purchased as an add-on can enable Safe Attachments for
SharePoint, OneDrive, and Microsoft Teams for enhanced reporting and protection.
For more information, see Safe Attachments for SharePoint, OneDrive, and
Microsoft Teams.


RELATED ARTICLES

Malware and ransomware protection in Microsoft 365

Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.





--------------------------------------------------------------------------------


FEEDBACK

Was this page helpful?

Yes No
Provide product feedback


FEEDBACK

Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the
feedback mechanism for content and replacing it with a new feedback system. For
more information see: https://aka.ms/ContentUserFeedback.

Submit and view feedback for

This product This page
View all page feedback

--------------------------------------------------------------------------------


ADDITIONAL RESOURCES





English (United States)
California Consumer Privacy Act (CCPA) Opt-Out Icon Your Privacy Choices
Theme
 * Light
 * Dark
 * High contrast

 * Manage cookies
 * Previous Versions
 * Blog
 * Contribute
 * Privacy
 * Terms of Use
 * Trademarks
 * © Microsoft 2024


ADDITIONAL RESOURCES






IN THIS ARTICLE



English (United States)
California Consumer Privacy Act (CCPA) Opt-Out Icon Your Privacy Choices
Theme
 * Light
 * Dark
 * High contrast

 * Manage cookies
 * Previous Versions
 * Blog
 * Contribute
 * Privacy
 * Terms of Use
 * Trademarks
 * © Microsoft 2024