7.3.1 Ensure Office 365 SharePoint infected files are disallowed for download

Information

By default, SharePoint online allows files that Defender for Office 365 has detected as infected to be downloaded.

Rationale:

Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team.

Impact:

The only potential impact associated with implementation of this setting is potential inconvenience associated with the small percentage of false positive detections that may occur.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To remediate using PowerShell:

Connect to SharePoint Online using Connect-SPOService -Url https://tenant-admin.sharepoint.com, replacing 'tenant' with the appropriate value.

Run the following PowerShell command to set the recommended value:

Set-SPOTenant -DisallowInfectedFileDownload $true

Note: The Global Reader role cannot access SharePoint using PowerShell according to Microsoft. See the reference section for more information.

Default Value:

False

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-3, CSCv7|7.10, CSCv7|8.1

Plugin: microsoft_azure

Control ID: 865f0230f54232538fb7ee8f03928ea9af398ceb5b5ce65de766a7421c6338ef