2.5 Ensure Office 365 SharePoint infected files are disallowed for download

Information

By default SharePoint online allows files that Defender for Office 365 has detected as infected to be downloaded.

Rationale:

Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected, that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team.

Impact:

The only potential impact associated with implementation of this setting is potential inconvenience associated with the small percentage of false positive detections that may occur.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To set O365 SharePoint to disallow download of infected files, use Powershell:

Connect using Connect-SPOService, you will need to enter the URL for your Sharepoint Online admin page https://*-admin.sharepoint.com as well as a Global Admin account.

Run the following Powershell command to set the value to True.

Set-SPOTenant -DisallowInfectedFileDownload $true

After several minutes run the following to verify the value for DisallowInfectedFileDownload has been set to True.

Get-SPOTenant | Select-Object DisallowInfectedFileDownload

See Also

https://workbench.cisecurity.org/files/3729