Information
By default, SharePoint online allows files that Defender for Office 365 has detected as infected to be downloaded.
Rationale:
Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team.
Impact:
The only potential impact associated with implementation of this setting is potential inconvenience associated with the small percentage of false positive detections that may occur.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
To remediate using PowerShell:
Connect to SharePoint Online using Connect-SPOService -Url https://tenant-admin.sharepoint.com, replacing 'tenant' with the appropriate value.
Run the following PowerShell command to set the recommended value:
Set-SPOTenant -DisallowInfectedFileDownload $true
Note: The Global Reader role cannot access SharePoint using PowerShell according to Microsoft. See the reference section for more information.
Default Value:
False