CIS.M365.7.3.1 - Ensure Office 365 SharePoint infected files are disallowed for download
Overview
7.3.1 (L2) Ensure Office 365 SharePoint infected files are disallowed for download
By default, SharePoint Online allows files that Defender for Office 365 has detected as infected to be downloaded.
Rationale
Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected, that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team.
Impact
The only potential impact of implementing this setting is the inconvenience caused by the small percentage of false positive detections that may occur.
Remediation
PowerShell
- Connect to SharePoint Online using Connect-SPOService -Url https://tenant-admin.sharepoint.com, replacing "tenant" with the appropriate value.
- Run the following PowerShell command to set the recommended value:
Set-SPOTenant -DisallowInfectedFileDownload $true
Note: The Global Reader role cannot access SharePoint using PowerShell according to Microsoft. See the reference section for more information.
Default Value: False
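The remediation above can be wrapped in an audit, change and verify sequence so the setting is read back after it is written. This is an added example, not code from the benchmark or from the test sources listed on this page; it assumes the Microsoft.Online.SharePoint.PowerShell module is installed, and the script parameters $AdminUrl and -Remediate are hypothetical names.

```powershell
# Added example: audit, optionally remediate, then verify CIS.M365.7.3.1.
# Assumption: the signed-in account holds a role that can manage SharePoint
# Online (the Global Reader role cannot, per the note above).
[CmdletBinding(SupportsShouldProcess)]
param(
    # Admin URL, e.g. https://tenant-admin.sharepoint.com ("tenant" is a placeholder).
    [Parameter(Mandatory)]
    [string]$AdminUrl,

    # Hypothetical switch: without it the script only reports the current state.
    [switch]$Remediate
)

$ErrorActionPreference = 'Stop'
Connect-SPOService -Url $AdminUrl

try {
    # Audit: read the current tenant-wide value (default is False).
    $before = (Get-SPOTenant).DisallowInfectedFileDownload

    # Change only when non-compliant, requested, and not suppressed by -WhatIf.
    if (-not $before -and $Remediate -and
        $PSCmdlet.ShouldProcess($AdminUrl, 'Set DisallowInfectedFileDownload to $true')) {
        Set-SPOTenant -DisallowInfectedFileDownload $true
    }

    # Verify: re-read the tenant so the result reflects what is actually configured.
    $after = (Get-SPOTenant).DisallowInfectedFileDownload

    # Emit one object that can be logged or piped into a compliance report.
    [pscustomobject]@{
        Control   = 'CIS.M365.7.3.1'
        Before    = $before
        After     = $after
        Compliant = ($after -eq $true)
    }
}
finally {
    # Always drop the admin session, even if a cmdlet above failed.
    Disconnect-SPOService
}
```

Running it with -Remediate -WhatIf shows whether a change would be made without writing to the tenant.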
Related Links
- Manage sharing settings for SharePoint and OneDrive in Microsoft 365
- Overview of external sharing in SharePoint and OneDrive in Microsoft 365
- CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 394
Test Metadata
| Field | Value |
|---|---|
| Test ID | CIS.M365.7.3.1 |
| Severity | Unknown |
| Suite | CIS |
| Category | SharePoint Online |
| PowerShell test | Test-MtCisSpoPreventDownloadMaliciousFile |
| Tags | CIS, CIS E5, CIS E5 Level 2, CIS M365 v6.0.1, CIS.M365.7.3.1, L2, SharePoint Online |
Source
- Pester test: tests/cis/Test-MtCisSpoPreventDownloadMaliciousFile.Tests.ps1
- PowerShell source: powershell/public/cis/Test-MtCisSpoPreventDownloadMaliciousFile.ps1