MicrosoftDocs
diff --git a/‎SharePoint/SharePointOnline/security/media/sharepoint-malware-false-positives-blocked-file-sharepoint.png‎
67.3 KB b/‎SharePoint/SharePointOnline/security/media/sharepoint-malware-false-positives-blocked-file-sharepoint.png‎
67.3 KB
diff --git a/‎SharePoint/SharePointOnline/security/media/sharepoint-malware-false-positives-copy-path.png‎
71.7 KB b/‎SharePoint/SharePointOnline/security/media/sharepoint-malware-false-positives-copy-path.png‎
71.7 KB
diff --git a/‎SharePoint/SharePointOnline/security/sharepoint-malware-false-positive-guide.md‎
Lines changed: 159 additions & 0 deletions b/‎SharePoint/SharePointOnline/security/sharepoint-malware-false-positive-guide.md‎
Lines changed: 159 additions & 0 deletions
@@ -0,0 +1,159 @@
+---
+title: SharePoint malware false-positive guide
+ms.author: chrisda
+author: chrisda
+manager: orspodek
+ms.date: 08/01/2025
+audience: ITPro
+ms.topic: troubleshooting
+search.appverid: 
+  - SPO160
+  - MET150
+appliesto: 
+  - SharePoint Online
+ms.custom: 
+  - CSSTroubleshoot
+ms.reviewer: mithr
+description: Identify and resolve false positive malware detections in SharePoint.
+---
+
+# SharePoint malware false positive guide
+
+Malware false positive detections in SharePoint occur when a safe file is mistakenly identified as malware by Microsoft scanning engines. This guide explains how to identify which feature flagged the file, report it for analysis, and unblock the file if necessary. This article talks about SharePoint, but the information also applies to files stored in OneDrive and Microsoft Teams.
+
+> [!TIP]
+>
+> - Admins or security operations (SecOps) personnel with [Security Administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator) permissions in organizations with cloud mailboxes have access files on the following pages in the Microsoft Defender portal:
+>   - The **Files** tab of the **Quarantine** page at <https://security.microsoft.com/quarantine?viewid=Files>.
+>   - The **Email Attachments** tab of the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=emailAttachment>.
+>   - The **Files** tab of the **Tenant Allow/Block Lists** page at <https://security.microsoft.com/reportsubmission?viewid=emailAttachment>.
+>
+>   However, the **Files** tab on the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=fileSubmissions> is available only to organizations with **Microsoft Defender XDR** or **Microsoft Defender for Endpoint Plan 2**.
+> - For permissions and the most current information about the SharePoint Online Management Shell, see [Intro to SharePoint Online Management Shell](/powershell/sharepoint/sharepoint-online/introduction-sharepoint-online-management-shell).
+
+## Malware detections in SharePoint
+
+SharePoint uses two main malware scanning engines:
+
+- **Microsoft Defender for Office 365**: Files are tested in a cloud virtual environment (also known as a **sandbox**). For more information, see [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](/defender-office-365/safe-attachments-for-spo-odfb-teams-about).
+- **Microsoft Defender for Endpoint**: Built-in virus protection using frequently updated **signature-based** detections.
+
+File scanning isn't always immediate. Scanning happens **asynchronously** based on factors like file type and sharing status. If a file is detected as malware, access to the file is blocked, and a warning appears.
+
+:::image type="content" source="media/sharepoint-malware-false-positives-blocked-file-sharepoint.png" alt-text="Screenshot of a blocked file in SharePoint." lightbox="media/sharepoint-malware-false-positives-blocked-file-sharepoint.png":::
+
+## Step-by-step: Handle and prevent false positives
+
+Use the steps in these sections to deal with false positives in SharePoint.
+
+### Step 1: Identify th engine that flagged the file
+
+Use any of the following methods:
+
+- **Simple**: Use either of the following methods in the Defender portal:
+  - **Quarantine**: On the **Files** tab of **Quarantine** page at <https://security.microsoft.com/quarantine?viewid=Files>, the **Detected by** property contains one of the following values in Defender for Office 365:
+    - **AV** for the signature detections.
+    - **MDO** for Safe Attachments detections.
+
+    For more information, see [Use the Microsoft Defender portal to manage quarantined files in Defender for Office 365](/defender-office-365/quarantine-admin-manage-messages-files#use-the-microsoft-defender-portal-to-manage-quarantined-files-in-defender-for-office-365).
+
+  - **Threat Explorer (Explorer) or Real-time detections**: The **Content malware** view on one of the following pages:
+    - **Explorer** (Defender for Office 365 Plan 2): <https://security.microsoft.com/threatexplorerv3>.
+    - **Real-time Detections** (Defender for Office 365 Plan 1): <https://security.microsoft.com/realtimereportsv3>.
+
+    The **Detection technology** field in the filterable properties contains one of the following values:
+    - **Antimalware protection** for signature detections.
+    - **File detonation** or **File reputation** for Safe Attachments detections.
+
+    For more information, see [Content malware view in Threat Explorer and Real-time detections](/defender-office-365/threat-explorer-real-time-detections-about#content-malware-view-in-threat-explorer-and-real-time-detections).
+
+- **Advanced**: Use either of the following methods:
+  - **Microsoft Purview Audit**: Review the audit log for **FileMalwareDetected** operations. By default, the log holds information for 180 days.
+    - The **AuditData** column contains the **VirusVendor** field:
+      - **Default** for signature-based detections.
+      - **Advanced Threat Protection** for Safe Attachments detections.
+    - The **VirusInfo** field contains the full malware variant/name.
+
+    For more information, see [Search the audit log](/purview/audit-search).
+
+- **SharePoint Online PowerShell**: Use the [Get-SPOMalwareFile](/en-us/powershell/module/sharepoint-online/get-spomalwarefile?view=sharepoint-ps) for details about the detection. The **MalwareInfo** field indicates the detection type. For example, `Win32/CryptInject!MSR` or `Trojan_PDF_LinkedUrlCookie_A`.
+  - Signature detection malware variants include forward slashes ('/').
+  - Safe Attachments detection malware variants include underscores ('\_') or the text _Malicious Payload_.
+
+  For example:
+  
+  ```powershell
+  PS C:\WINDOWS\system32\> Get-SPOMalwareFile -FileUri 'https://contoso.sharepoint.com/sites/Everyone/Shared Documents/eic_order.log'
+  
+  File :               Microsoft.SharePoint.Client.File
+  FilePath :           Microsoft.SharePoint.Client.ResourcePath
+  MalwareInfo :        DOS/EICAR_Test_File
+  MalwareStatus :      Infected
+  SiteURL :            <https://contoso.sharepoint.com/sites/Everyone>
+  Context :            Microsoft.Online.SharePoint.PowerShell.CmdLetContext
+  Tag :
+  Path :               Microsoft.SharePoint.Client.ObjectPathMethod
+  ObjectVersion :
+  ServerObjectIsNull : False
+  TypedObject :        Microsoft.Online.SharePoint.TenantAdministration.SPOMalwareFile
+  ```
+
+### Step 2: Submit files to Microsoft for analysis
+
+If multiple files are flagged, submit all affected files by using the following steps.
+
+1. Download the files using one of the following methods:
+
+   > [!CAUTION]
+   > Downloading files with malware poses risks. Always adhere to your organization's security guidelines before proceeding.
+
+   - **Defender portal**: On the **Files** tab of **Quarantine** page at <https://security.microsoft.com/quarantine?viewid=Files>, select the file, and then select **Download**. For more information, see [Download quarantined files from quarantine](/defender-office-365/quarantine-admin-manage-messages-files#download-quarantined-files-from-quarantine).
+
+   - **SharePoint Online PowerShell**: Use the [Get-SPOMalwareFileContent](/powershell/module/microsoft.online.sharepoint.powershell/get-spomalwarefilecontent) cmdlet.
+
+2. Submit the files using one of the following methods based on how the file was detected:
+   - **Safe Attachments detections**: Use the **Email attachments** tab on the **Submissions** page in the Defender portal at <https://security.microsoft.com/reportsubmission?viewid=emailAttachment>. For instructions, see [Report good email attachments to Microsoft](/defender-office-365/submissions-admin#report-good-email-attachments-to-microsoft).
+
+   - **Defender for Endpoint signature detections** (Microsoft Defender XDR or Microsoft Defender for Endpoint Plan 2): Submit a file for malware analysis using the **Files** tab on the **Submissions** page in the Defender portal at <https://security.microsoft.com/reportsubmission?viewid=fileSubmissions>. For instructions, see [Submit files in Microsoft Defender for Endpoint](/defender-endpoint/admin-submissions-mde).
+
+   - Submit the file from the [Microsoft Security Intelligence](https://www.microsoft.com/wdsi/filesubmission) portal at <https://www.microsoft.com/wdsi/filesubmission>.
+
+### Step 3: Verify the outcome
+
+If Microsoft identifies a false positive and updates the definitions, the file shouldn't be flagged again. If the file continues to be flagged, contact Microsoft Support and specify whether the issue involves a single file or multiple files.
+
+## Unblock files
+
+> [!IMPORTANT]
+> Only unblock files you're confident are safe.
+
+Use any of the following methods:
+
+- Admins can release files from [quarantine](https://security.microsoft.com/quarantine) **within 30 days**. For more information, see [Release quarantined files from quarantine](/defender-office-365/quarantine-admin-manage-messages-files#release-quarantined-files-from-quarantine).
+
+- For Safe Attachments malware detections, admins can use the **Email attachments** tab (which also applies to Sharepoint files) on the **Submissions** page in the Defender portal at <https://security.microsoft.com/reportsubmission?viewid=emailAttachment> to submit a blocked file. When the admin selects, **I've confirmed it's clean**, they can then choose **Allow this file** to create an allow entry for the file on the **Files** tab of the **Tenant Allow/Block List**. For instructions, see [Submit good email attachments to Microsoft](/defender-office-365/submissions-admin#report-good-email-attachments-to-microsoft).
+
+> [!TIP]
+>
+> - Reuploading a file might restore access, but the file might be flagged again unless the definitions are updated.
+> - For files blocked **longer than 30 days**, contact Microsoft Support with the following information:
+>   - Evidence that the file is safe.
+>   - The detection type.
+>   - The file path from the relevant source:
+>     - The SharePoint library details.
+>     - Quarantine.
+>     - Output from the [Get-SPOMalwareFile](/powershell/module/microsoft.online.sharepoint.powershell/get-spomalwarefile) cmdlet.
+>
+>   Here's an example path from the SharePoint library details: <https://contoso.sharepoint.com/sites/Everyone/Shared%20Documents/General/MyDoc1.docx>
+>
+>   :::image type="content" source="media/sharepoint-malware-false-positives-copy-path.png" alt-text="Screenshot of how to copy the path of a file in SharePoint" lightbox="media/sharepoint-malware-false-positives-copy-path.png":::
+
+## More resources
+
+[Manage quarantined messages and files as an admin](/defender-office-365/quarantine-admin-manage-messages-files)
+
+[Built-in virus protection in SharePoint, OneDrive, and Microsoft Teams](/defender-office-365/anti-malware-protection-for-spo-odfb-teams-about)
+
+[Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](/defender-office-365/safe-attachments-for-spo-odfb-teams-about)
+
+[Submit good email attachments to Microsoft](/defender-office-365/submissions-admin#report-good-email-attachments-to-microsoft)