Ensure Office 365 SharePoint infected files are disallowed for download.

Background

By default, SharePoint Online allows files that Defender for Office 365 has detected as infected to be downloaded.

What is the rationale for implementing CIS Control 7.3.1 (L2) of the Microsoft 365 Foundations Benchmark?

Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected, that file is blocked so that no one can open, copy, move, or share it until the organization’s security team takes further action.

What is the impact of deploying this security control?

This control is part of the CIS Level 2 Security profile, which is considered to be a “defence in depth” where security is parament. Implementing this control can potentially inconvenience users when a small percentage of false positive detection occurs.

What happens when a user tries to download an infected file by using the browser?

By default, users can download infected files from SharePoint Online. Here’s what happens:

• In a web browser, a user tries to download a file from SharePoint Online that happens to be infected.
• The user is shown a warning that a virus was detected in the file. The user is given the option to proceed with the download and attempt to clean it using anti-virus software on their device.

After this security control is applied, users can’t download infected files, even from the anti-virus warning window.

Is there a cost to enabling this capability?

It is included at no charge in M365 Security and Compliance Plan 1 and 2 customers.

What do I need to do to implement this security control?

Because this is a Level 2 security control, we require your approval to enable it. In our testing, we have had very few false positives.

We recommend that all customers enable this security control.

Please send a support request to support@globalmicro.co.za.