Merge pull request #9472 from chrisda/chrisda

Chrisda to Main

Author: Cloud-Writer

SharePoint/SharePointOnline/onlinetoc/toc.yml

@@ -207,6 +207,8 @@
       href: ../search/search-results-dont-appear-for-group-owners.md
   - name: Security
     items:
+    - name: Resolve false positive malware detections
+      href: ../security/false-positive-malware-detections.md
     - name: Handling ransomware in SharePoint Online
       href: ../security/handling-ransomware-in-sharepoint-online.md
     - name: Migrated accounts aren't resolved

SharePoint/SharePointOnline/security/false-positive-malware-detections.md

@@ -0,0 +1,159 @@
+---
+title: Resolve False Positive Malware Detections
+ms.author: meerak
+author: cloud-writer
+manager: dcscontentpm
+ms.date: 08/13/2025
+audience: ITPro
+ms.topic: troubleshooting
+search.appverid: 
+  - SPO160
+  - MET150
+appliesto: 
+  - SharePoint Online
+ms.custom: 
+  - CSSTroubleshoot
+  - CI 7100
+  - sap: Items and Files
+ms.reviewer: mithr, prbalusu, alehud, chrisda
+description: Provides guidance to identify and resolve false positive malware detections in SharePoint.
+---
+
+# Resolve false positive malware detections
+
+False positive detections of malware in Microsoft SharePoint occur when a safe file is mistakenly identified as malware by Microsoft scanning engines. This article explains how to identify which feature flagged the file, how to report it for analysis, and how to unblock the file, if it's necessary. Although the information in this article focuses on files in SharePoint, it applies also to files that are stored on OneDrive and in Microsoft Teams.
+
+> [!TIP]
+>
+> - Admins or security operations (SecOps) personnel who have [Security Administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator) permissions in organizations that use cloud mailboxes have access files on the following pages in the Microsoft Defender portal:
+>   - The **Files** tab of the **Quarantine** page at <https://security.microsoft.com/quarantine?viewid=Files>
+>   - The **Email Attachments** tab of the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=emailAttachment>
+>   - The **Files** tab of the **Tenant Allow/Block Lists** page at <https://security.microsoft.com/tenantAllowBlockList?viewid=FileHash>
+>
+>   However, the **Files** tab on the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=fileSubmissions> is available only to organizations that have **Microsoft Defender XDR** or **Microsoft Defender for Endpoint Plan 2**.
+> - For permissions and the most current information about the SharePoint Online Management Shell, see [Intro to SharePoint Online Management Shell](/powershell/sharepoint/sharepoint-online/introduction-sharepoint-online-management-shell).
+
+## Malware detection in SharePoint
+
+SharePoint uses two main malware scanning engines:
+
+- **Microsoft Defender for Office 365**: Files are tested in a cloud virtual environment (also known as a **sandbox**). For more information, see [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](/defender-office-365/safe-attachments-for-spo-odfb-teams-about).
+- **Microsoft Defender for Endpoint**: Built-in virus protection that uses frequently updated **signature-based** detections.
+
+File scanning isn't always immediate. Scanning occurs **asynchronously** based on such factors as file type and sharing status. If a file is detected as malware, access to the file is blocked, and a warning message appears.
+
+:::image type="content" source="media/sharepoint-malware-false-positives-blocked-file-sharepoint.png" alt-text="Screenshot of a blocked file in SharePoint." lightbox="media/sharepoint-malware-false-positives-blocked-file-sharepoint.png":::
+
+## Handle and prevent false positives
+
+Use the steps in this section to resolve false positives in SharePoint.
+
+### Step 1: Identify the engine that flagged the file
+
+Use any of the following methods:
+
+- **Simple**: Use either of the following methods in the Defender portal:
+  - **Quarantine**: On the **Files** tab of the **Quarantine** page at <https://security.microsoft.com/quarantine?viewid=Files>, the **Detected by** property contains one of the following values in Defender for Office 365:
+    - **AV** for the signature detection
+    - **MDO** for Safe Attachments detection
+
+    For more information, see [Use the Microsoft Defender portal to manage quarantined files in Defender for Office 365](/defender-office-365/quarantine-admin-manage-messages-files#use-the-microsoft-defender-portal-to-manage-quarantined-files-in-defender-for-office-365).
+
+  - **Threat Explorer (Explorer) or Real-time detections**: The **Content malware** view on one of the following pages:
+    - **Explorer** (Defender for Office 365 Plan 2): <https://security.microsoft.com/threatexplorerv3>
+    - **Real-time Detections** (Defender for Office 365 Plan 1): <https://security.microsoft.com/realtimereportsv3>
+
+    The **Detection technology** field in the filterable properties contains one of the following values:
+    - **Antimalware protection** for signature detection
+    - **File detonation** or **File reputation** for Safe Attachments detection
+
+    For more information, see [Content malware view in Threat Explorer and Real-time detections](/defender-office-365/threat-explorer-real-time-detections-about#content-malware-view-in-threat-explorer-and-real-time-detections).
+
+- **Advanced**: Use either of the following methods:
+  - **Microsoft Purview Audit**: Review the audit log for **FileMalwareDetected** operations. By default, the log holds information for 180 days.
+    - The **AuditData** column contains the **VirusVendor** field:
+      - **Default** for signature-based detection
+      - **Advanced Threat Protection** for Safe Attachments detection
+    - The **VirusInfo** field contains the full name of the malware variant.
+
+    For more information, see [Search the audit log](/purview/audit-search).
+
+- **SharePoint Online PowerShell**: Use the [Get-SPOMalwareFile](/powershell/module/sharepoint-online/get-spomalwarefile) for details about the detection. The **MalwareInfo** field indicates the detection type. For example, `Win32/CryptInject!MSR` or `Trojan_PDF_LinkedUrlCookie_A`.
+  - Signature detection malware variants include forward slashes ('/').
+  - Safe Attachments detection malware variants include underscores ('\_') or the text, _Malicious Payload_.
+
+  For example:
+  
+  ```powershell
+  PS C:\WINDOWS\system32\> Get-SPOMalwareFile -FileUri 'https://contoso.sharepoint.com/sites/Everyone/Shared Documents/eic_order.log'
+  
+  File :               Microsoft.SharePoint.Client.File
+  FilePath :           Microsoft.SharePoint.Client.ResourcePath
+  MalwareInfo :        DOS/EICAR_Test_File
+  MalwareStatus :      Infected
+  SiteURL :            <https://contoso.sharepoint.com/sites/Everyone>
+  Context :            Microsoft.Online.SharePoint.PowerShell.CmdLetContext
+  Tag :
+  Path :               Microsoft.SharePoint.Client.ObjectPathMethod
+  ObjectVersion :
+  ServerObjectIsNull : False
+  TypedObject :        Microsoft.Online.SharePoint.TenantAdministration.SPOMalwareFile
+  ```
+
+### Step 2: Submit files to Microsoft for analysis
+
+If multiple files are flagged, submit all affected files by using the following steps.
+
+1. Download the files by using one of the following methods:
+
+   > [!CAUTION]
+   > Downloading files that contain malware poses risks. Always adhere to your organization's security guidelines before you proceed.
+
+   - **Defender portal**: On the **Files** tab of **Quarantine** page at <https://security.microsoft.com/quarantine?viewid=Files>, select the file, and then select **Download**. For more information, see [Download quarantined files from quarantine](/defender-office-365/quarantine-admin-manage-messages-files#download-quarantined-files-from-quarantine).
+
+   - **SharePoint Online PowerShell**: Use the [Get-SPOMalwareFileContent](/powershell/module/microsoft.online.sharepoint.powershell/get-spomalwarefilecontent) cmdlet.
+
+2. Submit the files by using one of the following methods, based on how the file was detected:
+   - **Safe Attachments detection**: Use the **Email attachments** tab on the **Submissions** page in the Defender portal at <https://security.microsoft.com/reportsubmission?viewid=emailAttachment>. For instructions, see [Report good email attachments to Microsoft](/defender-office-365/submissions-admin#report-good-email-attachments-to-microsoft).
+
+   - **Defender for Endpoint signature detection** (Microsoft Defender XDR or Microsoft Defender for Endpoint Plan 2): Submit a file for malware analysis by using the **Files** tab on the **Submissions** page in the Defender portal at <https://security.microsoft.com/reportsubmission?viewid=fileSubmissions>. For instructions, see [Submit files in Microsoft Defender for Endpoint](/defender-endpoint/admin-submissions-mde). Or, submit the file through the **Microsoft Security Intelligence** portal at <https://www.microsoft.com/wdsi/filesubmission>.
+
+### Step 3: Verify the outcome
+
+If Microsoft identifies a false positive and updates the definitions, the file shouldn't be flagged again. If the file continues to be flagged, contact Microsoft Support, and specify whether the issue involves a single file or multiple files.
+
+## Unblock files
+
+> [!IMPORTANT]
+> Only unblock files that you're confident are safe.
+
+Use any of the following methods:
+
+- Admins can release files from [quarantine](https://security.microsoft.com/quarantine) within 30 days. For more information, see [Release quarantined files from quarantine](/defender-office-365/quarantine-admin-manage-messages-files#release-quarantined-files-from-quarantine).
+
+- To submit a blocked file for Safe Attachments malware detection, admins can use the **Email attachments** tab (that also applies to Sharepoint files) on the **Submissions** page in the Defender portal at <https://security.microsoft.com/reportsubmission?viewid=emailAttachment>. After you select **I've confirmed it's clean**, you can then select **Allow this file** to create an allow entry for the file on the **Files** tab of the **Tenant Allow/Block List**. For instructions, see [Report good email attachments to Microsoft](/defender-office-365/submissions-admin#report-good-email-attachments-to-microsoft).
+
+> [!TIP]
+>
+> - Uploading a file again might restore access, but the file might also be flagged again unless the definitions are updated.
+> - For files that are blocked for more than 30 days, contact Microsoft Support and provide the following information:
+>   - Evidence that the file is safe
+>   - The detection type
+>   - The file path from the relevant source:
+>     - The SharePoint library details
+>     - Output from the [Get-SPOMalwareFile](/powershell/module/microsoft.online.sharepoint.powershell/get-spomalwarefile) cmdlet
+>
+>   Here's an example path from the SharePoint library details: 
+>      <https://contoso.sharepoint.com/sites/Everyone/Shared%20Documents/General/MyDoc1.docx>
+>
+>   :::image type="content" source="media/sharepoint-malware-false-positives-copy-path.png" alt-text="Screenshot of how to copy the path of a file in SharePoint" lightbox="media/sharepoint-malware-false-positives-copy-path.png":::
+
+## More information
+
+[Manage quarantined messages and files as an admin](/defender-office-365/quarantine-admin-manage-messages-files)
+
+[Built-in virus protection in SharePoint, OneDrive, and Microsoft Teams](/defender-office-365/anti-malware-protection-for-spo-odfb-teams-about)
+
+[Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](/defender-office-365/safe-attachments-for-spo-odfb-teams-about)
+
+[Report good email attachments to Microsoft](/defender-office-365/submissions-admin#report-good-email-attachments-to-microsoft)