Update sharepoint-malware-false-positive-guide.md

przlplx · web-flow · commit d34d0e54eb94 · 2025-08-12T16:10:54.000-07:00
diff --git a/SharePoint/SharePointOnline/security/sharepoint-malware-false-positive-guide.md b/SharePoint/SharePointOnline/security/sharepoint-malware-false-positive-guide.md
@@ -19,66 +19,66 @@ description: Identify and resolve false positive malware detections in SharePoin
 
 # SharePoint malware false positive guide
 
-Malware false positive detections in SharePoint occur when a safe file is mistakenly identified as malware by Microsoft scanning engines. This guide explains how to identify which feature flagged the file, report it for analysis, and unblock the file if necessary. This article talks about SharePoint, but the information also applies to files stored in OneDrive and Microsoft Teams.
+Malware false positive detections in Microsoft SharePoint occur when a safe file is mistakenly identified as malware by Microsoft scanning engines. This guide explains how to identify which feature flagged the file, how to report it for analysis, and how to unblock the file, if it's necessary. This article discusses SharePoint, but the information applies also to files that are stored on OneDrive and in Microsoft Teams.
 
 > [!TIP]
 >
-> - Admins or security operations (SecOps) personnel with [Security Administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator) permissions in organizations with cloud mailboxes have access files on the following pages in the Microsoft Defender portal:
->   - The **Files** tab of the **Quarantine** page at <https://security.microsoft.com/quarantine?viewid=Files>.
->   - The **Email Attachments** tab of the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=emailAttachment>.
->   - The **Files** tab of the **Tenant Allow/Block Lists** page at <https://security.microsoft.com/tenantAllowBlockList?viewid=FileHash>.
+> - Admins or security operations (SecOps) personnel who have [Security Administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator) permissions in organizations that use cloud mailboxes have access files on the following pages in the Microsoft Defender portal:
+>   - The **Files** tab of the **Quarantine** page at <https://security.microsoft.com/quarantine?viewid=Files>
+>   - The **Email Attachments** tab of the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=emailAttachment>
+>   - The **Files** tab of the **Tenant Allow/Block Lists** page at <https://security.microsoft.com/tenantAllowBlockList?viewid=FileHash>
 >
->   However, the **Files** tab on the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=fileSubmissions> is available only to organizations with **Microsoft Defender XDR** or **Microsoft Defender for Endpoint Plan 2**.
+>   However, the **Files** tab on the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=fileSubmissions> is available only to organizations that have **Microsoft Defender XDR** or **Microsoft Defender for Endpoint Plan 2**.
 > - For permissions and the most current information about the SharePoint Online Management Shell, see [Intro to SharePoint Online Management Shell](/powershell/sharepoint/sharepoint-online/introduction-sharepoint-online-management-shell).
 
-## Malware detections in SharePoint
+## Malware detection in SharePoint
 
 SharePoint uses two main malware scanning engines:
 
 - **Microsoft Defender for Office 365**: Files are tested in a cloud virtual environment (also known as a **sandbox**). For more information, see [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](/defender-office-365/safe-attachments-for-spo-odfb-teams-about).
-- **Microsoft Defender for Endpoint**: Built-in virus protection using frequently updated **signature-based** detections.
+- **Microsoft Defender for Endpoint**: Built-in virus protection that uses frequently updated **signature-based** detections.
 
-File scanning isn't always immediate. Scanning happens **asynchronously** based on factors like file type and sharing status. If a file is detected as malware, access to the file is blocked, and a warning appears.
+File scanning isn't always immediate. Scanning occurs **asynchronously** based on such factors as file type and sharing status. If a file is detected as malware, access to the file is blocked, and a warning message appears.
 
 :::image type="content" source="media/sharepoint-malware-false-positives-blocked-file-sharepoint.png" alt-text="Screenshot of a blocked file in SharePoint." lightbox="media/sharepoint-malware-false-positives-blocked-file-sharepoint.png":::
 
-## Step-by-step: Handle and prevent false positives
+## Handle and prevent false positives
 
-Use the steps in these sections to deal with false positives in SharePoint.
+Use the steps in this section to resolve false positives in SharePoint.
 
 ### Step 1: Identify the engine that flagged the file
 
 Use any of the following methods:
 
 - **Simple**: Use either of the following methods in the Defender portal:
-  - **Quarantine**: On the **Files** tab of **Quarantine** page at <https://security.microsoft.com/quarantine?viewid=Files>, the **Detected by** property contains one of the following values in Defender for Office 365:
-    - **AV** for the signature detections.
-    - **MDO** for Safe Attachments detections.
+  - **Quarantine**: On the **Files** tab of the **Quarantine** page at <https://security.microsoft.com/quarantine?viewid=Files>, the **Detected by** property contains one of the following values in Defender for Office 365:
+    - **AV** for the signature detection
+    - **MDO** for Safe Attachments detection
 
     For more information, see [Use the Microsoft Defender portal to manage quarantined files in Defender for Office 365](/defender-office-365/quarantine-admin-manage-messages-files#use-the-microsoft-defender-portal-to-manage-quarantined-files-in-defender-for-office-365).
 
   - **Threat Explorer (Explorer) or Real-time detections**: The **Content malware** view on one of the following pages:
-    - **Explorer** (Defender for Office 365 Plan 2): <https://security.microsoft.com/threatexplorerv3>.
-    - **Real-time Detections** (Defender for Office 365 Plan 1): <https://security.microsoft.com/realtimereportsv3>.
+    - **Explorer** (Defender for Office 365 Plan 2): <https://security.microsoft.com/threatexplorerv3>
+    - **Real-time Detections** (Defender for Office 365 Plan 1): <https://security.microsoft.com/realtimereportsv3>
 
     The **Detection technology** field in the filterable properties contains one of the following values:
-    - **Antimalware protection** for signature detections.
-    - **File detonation** or **File reputation** for Safe Attachments detections.
+    - **Antimalware protection** for signature detection
+    - **File detonation** or **File reputation** for Safe Attachments detection
 
     For more information, see [Content malware view in Threat Explorer and Real-time detections](/defender-office-365/threat-explorer-real-time-detections-about#content-malware-view-in-threat-explorer-and-real-time-detections).
 
 - **Advanced**: Use either of the following methods:
   - **Microsoft Purview Audit**: Review the audit log for **FileMalwareDetected** operations. By default, the log holds information for 180 days.
     - The **AuditData** column contains the **VirusVendor** field:
-      - **Default** for signature-based detections.
-      - **Advanced Threat Protection** for Safe Attachments detections.
-    - The **VirusInfo** field contains the full malware variant/name.
+      - **Default** for signature-based detection
+      - **Advanced Threat Protection** for Safe Attachments detection
+    - The **VirusInfo** field contains the full malware variant or name.
 
     For more information, see [Search the audit log](/purview/audit-search).
 
 - **SharePoint Online PowerShell**: Use the [Get-SPOMalwareFile](/en-us/powershell/module/sharepoint-online/get-spomalwarefile?view=sharepoint-ps) for details about the detection. The **MalwareInfo** field indicates the detection type. For example, `Win32/CryptInject!MSR` or `Trojan_PDF_LinkedUrlCookie_A`.
   - Signature detection malware variants include forward slashes ('/').
-  - Safe Attachments detection malware variants include underscores ('\_') or the text _Malicious Payload_.
+  - Safe Attachments detection malware variants include underscores ('\_') or the text, _Malicious Payload_.
 
   For example:
   
@@ -102,46 +102,47 @@ Use any of the following methods:
 
 If multiple files are flagged, submit all affected files by using the following steps.
 
-1. Download the files using one of the following methods:
+1. Download the files by using one of the following methods:
 
    > [!CAUTION]
-   > Downloading files with malware poses risks. Always adhere to your organization's security guidelines before proceeding.
+   > Downloading files that contain malware poses risks. Always adhere to your organization's security guidelines before you proceed.
 
    - **Defender portal**: On the **Files** tab of **Quarantine** page at <https://security.microsoft.com/quarantine?viewid=Files>, select the file, and then select **Download**. For more information, see [Download quarantined files from quarantine](/defender-office-365/quarantine-admin-manage-messages-files#download-quarantined-files-from-quarantine).
 
    - **SharePoint Online PowerShell**: Use the [Get-SPOMalwareFileContent](/powershell/module/microsoft.online.sharepoint.powershell/get-spomalwarefilecontent) cmdlet.
 
-2. Submit the files using one of the following methods based on how the file was detected:
-   - **Safe Attachments detections**: Use the **Email attachments** tab on the **Submissions** page in the Defender portal at <https://security.microsoft.com/reportsubmission?viewid=emailAttachment>. For instructions, see [Report good email attachments to Microsoft](/defender-office-365/submissions-admin#report-good-email-attachments-to-microsoft).
+2. Submit the files by using one of the following methods, based on how the file was detected:
+   - **Safe Attachments detection**: Use the **Email attachments** tab on the **Submissions** page in the Defender portal at <https://security.microsoft.com/reportsubmission?viewid=emailAttachment>. For instructions, see [Report good email attachments to Microsoft](/defender-office-365/submissions-admin#report-good-email-attachments-to-microsoft).
 
-   - **Defender for Endpoint signature detections** (Microsoft Defender XDR or Microsoft Defender for Endpoint Plan 2): Submit a file for malware analysis using the **Files** tab on the **Submissions** page in the Defender portal at <https://security.microsoft.com/reportsubmission?viewid=fileSubmissions>. For instructions, see [Submit files in Microsoft Defender for Endpoint](/defender-endpoint/admin-submissions-mde). Or, submit the file through the **Microsoft Security Intelligence** portal at <https://www.microsoft.com/wdsi/filesubmission>.
+   - **Defender for Endpoint signature detection** (Microsoft Defender XDR or Microsoft Defender for Endpoint Plan 2): Submit a file for malware analysis by using the **Files** tab on the **Submissions** page in the Defender portal at <https://security.microsoft.com/reportsubmission?viewid=fileSubmissions>. For instructions, see [Submit files in Microsoft Defender for Endpoint](/defender-endpoint/admin-submissions-mde). Or, submit the file through the **Microsoft Security Intelligence** portal at <https://www.microsoft.com/wdsi/filesubmission>.
 
 ### Step 3: Verify the outcome
 
-If Microsoft identifies a false positive and updates the definitions, the file shouldn't be flagged again. If the file continues to be flagged, contact Microsoft Support and specify whether the issue involves a single file or multiple files.
+If Microsoft identifies a false positive and updates the definitions, the file shouldn't be flagged again. If the file continues to be flagged, contact Microsoft Support, and specify whether the issue involves a single file or multiple files.
 
 ## Unblock files
 
 > [!IMPORTANT]
-> Only unblock files you're confident are safe.
+> Only unblock files that you're confident are safe.
 
 Use any of the following methods:
 
-- Admins can release files from [quarantine](https://security.microsoft.com/quarantine) **within 30 days**. For more information, see [Release quarantined files from quarantine](/defender-office-365/quarantine-admin-manage-messages-files#release-quarantined-files-from-quarantine).
+- Admins can release files from [quarantine](https://security.microsoft.com/quarantine) within 30 days. For more information, see [Release quarantined files from quarantine](/defender-office-365/quarantine-admin-manage-messages-files#release-quarantined-files-from-quarantine).
 
-- For Safe Attachments malware detections, admins can use the **Email attachments** tab (which also applies to Sharepoint files) on the **Submissions** page in the Defender portal at <https://security.microsoft.com/reportsubmission?viewid=emailAttachment> to submit a blocked file. When the admin selects, **I've confirmed it's clean**, they can then choose **Allow this file** to create an allow entry for the file on the **Files** tab of the **Tenant Allow/Block List**. For instructions, see [Submit good email attachments to Microsoft](/defender-office-365/submissions-admin#report-good-email-attachments-to-microsoft).
+- To submit a blocked file for Safe Attachments malware detection, admins can use the **Email attachments** tab (that also applies to Sharepoint files) on the **Submissions** page in the Defender portal at <https://security.microsoft.com/reportsubmission?viewid=emailAttachment>. After you select **I've confirmed it's clean**, you can then select **Allow this file** to create an allow entry for the file on the **Files** tab of the **Tenant Allow/Block List**. For instructions, see [Report good email attachments to Microsoft](/defender-office-365/submissions-admin#report-good-email-attachments-to-microsoft).
 
 > [!TIP]
 >
-> - Reuploading a file might restore access, but the file might be flagged again unless the definitions are updated.
-> - For files blocked **longer than 30 days**, contact Microsoft Support with the following information:
->   - Evidence that the file is safe.
->   - The detection type.
+> - Uploading a file again might restore access, but the file might also be flagged again unless the definitions are updated.
+> - For files that are blocked for more than 30 days, contact Microsoft Support and provide the following information:
+>   - Evidence that the file is safe
+>   - The detection type
 >   - The file path from the relevant source:
->     - The SharePoint library details.
->     - Output from the [Get-SPOMalwareFile](/powershell/module/microsoft.online.sharepoint.powershell/get-spomalwarefile) cmdlet.
+>     - The SharePoint library details
+>     - Output from the [Get-SPOMalwareFile](/powershell/module/microsoft.online.sharepoint.powershell/get-spomalwarefile) cmdlet
 >
->   Here's an example path from the SharePoint library details: <https://contoso.sharepoint.com/sites/Everyone/Shared%20Documents/General/MyDoc1.docx>
+>   Here's an example path from the SharePoint library details: 
+>      <https://contoso.sharepoint.com/sites/Everyone/Shared%20Documents/General/MyDoc1.docx>
 >
 >   :::image type="content" source="media/sharepoint-malware-false-positives-copy-path.png" alt-text="Screenshot of how to copy the path of a file in SharePoint" lightbox="media/sharepoint-malware-false-positives-copy-path.png":::
 
@@ -153,4 +154,4 @@ Use any of the following methods:
 
 [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](/defender-office-365/safe-attachments-for-spo-odfb-teams-about)
 
-[Submit good email attachments to Microsoft](/defender-office-365/submissions-admin#report-good-email-attachments-to-microsoft)
+[Report good email attachments to Microsoft](/defender-office-365/submissions-admin#report-good-email-attachments-to-microsoft)
