
Submitted URL: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide
Effective URL: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-for-spo-odfb-teams-abou...
Submission: On March 09 via api from DE — Scanned from DE

BUILT-IN VIRUS PROTECTION IN SHAREPOINT ONLINE, ONEDRIVE, AND MICROSOFT TEAMS

 * Article
 * 03/01/2023
 * 3 minutes to read
 * 5 contributors


Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365
Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft
365 Defender portal trials hub. Learn about who can sign up and trial terms
here.

Applies to

 * Exchange Online Protection
 * Microsoft Defender for Office 365 plan 1 and plan 2

Microsoft 365 uses a common virus detection engine for scanning files that users
upload to SharePoint Online, OneDrive, and Microsoft Teams. This protection is
included with all subscriptions that include SharePoint Online, OneDrive, and
Microsoft Teams.

Important

The built-in anti-virus capabilities are a way to help contain viruses. They
aren't intended as a single point of defense against malware for your
environment. We encourage all customers to investigate and implement
anti-malware protection at various layers and apply best practices for securing
their enterprise infrastructure.


WHAT HAPPENS IF AN INFECTED FILE IS UPLOADED TO SHAREPOINT ONLINE?

The Microsoft 365 virus detection engine scans files asynchronously (at some
time after upload). If a file has not yet been scanned by the asynchronous virus
detection process, and a user tries to download the file from the browser or
from Teams, a scan on download is triggered by SharePoint before the download is
allowed. Not all file types are automatically scanned. Heuristics determine the
files to scan. When a file is found to contain a virus, the file is flagged.

Here's what happens:

 1. A user uploads a file to SharePoint Online.
 2. SharePoint Online, as part of its virus scanning processes, later determines
    if the file meets the criteria for a scan.
 3. If the file meets the criteria for a scan, the virus detection engine scans
    the file.
 4. If a virus is found within the scanned file, the virus engine sets a
    property on the file that indicates the file is infected.


WHAT HAPPENS WHEN A USER TRIES TO DOWNLOAD AN INFECTED FILE BY USING THE
BROWSER?

By default, users can download infected files from SharePoint Online. Here's
what happens:

 1. In a web browser, a user tries to download a file from SharePoint Online
    that happens to be infected.
 2. The user is shown a warning that a virus has been detected in the file. The
    user is given the option to proceed with the download and attempt to clean
    it using anti-virus software on their device.

To change this behavior so users can't download infected files, even from the
anti-virus warning window, admins can use the DisallowInfectedFileDownload
parameter on the Set-SPOTenant cmdlet in SharePoint Online PowerShell. The value
$true for the DisallowInfectedFileDownload parameter completely blocks access to
detected/blocked files for users.

For instructions, see Use SharePoint Online PowerShell to prevent users from
downloading malicious files.
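
An added example (not part of the original article) of auditing and then enforcing this setting from SharePoint Online PowerShell. The admin URL is a placeholder, and the session is assumed to run as a SharePoint admin with the Microsoft.Online.SharePoint.PowerShell module installed.

```powershell
# Placeholder admin URL; replace with your tenant's SharePoint admin center URL.
$AdminUrl = 'https://contoso-admin.sharepoint.com'

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url $AdminUrl

# Read the current state first so the change is recorded and the script is idempotent.
$before = (Get-SPOTenant).DisallowInfectedFileDownload
Write-Output "DisallowInfectedFileDownload before change: $before"

if (-not $before) {
    # $true removes the option to proceed with the download from the anti-virus warning.
    Set-SPOTenant -DisallowInfectedFileDownload $true
}

# Confirm the tenant now reports the hardened value.
$after = (Get-SPOTenant).DisallowInfectedFileDownload
if (-not $after) {
    throw 'DisallowInfectedFileDownload is still not enabled; check the admin role and retry.'
}
Write-Output "DisallowInfectedFileDownload after change: $after"
```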


CAN ADMINS BYPASS DISALLOWINFECTEDFILEDOWNLOAD AND EXTRACT INFECTED FILES?

SharePoint admins and global admins are allowed to do forensic file extractions
of malware-infected files in SharePoint Online PowerShell with the
Get-SPOMalwareFileContent cmdlet. Admins don't need access to the site that
hosts the infected content. As long as the file has been marked as malware,
admins can use Get-SPOMalwareFileContent to extract the file.

For more information about the infected file, admins can use the
Get-SPOMalwareFile cmdlet to see the type of malware that was detected and the
status of the infection.
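
An added example (not part of the original article) of a forensic extraction with the two cmdlets named above. The file URL and evidence folder are placeholders, and the code assumes that Get-SPOMalwareFileContent returns the file content as a stream and that Connect-SPOService has already been run by a SharePoint admin.

```powershell
# Placeholder values: a file already flagged as malware, and an isolated evidence folder.
$FileUri     = 'https://contoso.sharepoint.com/sites/Marketing/Shared Documents/Doc1.docx'
$EvidenceDir = 'D:\quarantine-evidence'
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# Extra .bin suffix so the sample is not opened by its default handler.
$OutPath = Join-Path $EvidenceDir 'Doc1.docx.bin'

# Record what the engine detected before touching the content.
Get-SPOMalwareFile -FileUri $FileUri | Format-List *

# Assumption: the cmdlet returns a stream that can be copied to a local file.
$source = Get-SPOMalwareFileContent -FileUri $FileUri
$target = [System.IO.File]::Create($OutPath)
try {
    $source.CopyTo($target)
}
finally {
    $target.Dispose()
    $source.Dispose()
}

# Hash the sample for the case record so the hash, not the file, is what gets shared.
Get-FileHash -Path $OutPath -Algorithm SHA256 | Format-List Algorithm, Hash, Path
```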


WHAT HAPPENS WHEN THE ONEDRIVE SYNC CLIENT TRIES TO SYNC AN INFECTED FILE?

When a malicious file is uploaded to OneDrive, it will be synced to the local
machine before it's marked as malware. After it's marked as malware, the user
can't open the synced file anymore from their local machine.


EXTENDED CAPABILITIES WITH MICROSOFT DEFENDER FOR OFFICE 365

Microsoft 365 organizations that have Microsoft Defender for Office 365 included
in their subscription or purchased as an add-on can enable Safe Attachments for
SharePoint, OneDrive, and Microsoft Teams for enhanced reporting and protection.
For more information, see Safe Attachments for SharePoint, OneDrive, and
Microsoft Teams.


RELATED ARTICLES

Malware and ransomware protection in Microsoft 365

For more information about anti-virus in SharePoint Online, OneDrive, and
Microsoft Teams, see Protect against threats and Turn on Safe Attachments for
SharePoint, OneDrive, and Microsoft Teams.





