|Category||Microsoft Docs article||Related commit history on GitHub||Change details|
|security||Detect And Remediate Illicit Consent Grants||https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants.md|| Title: Detect and Remediate Illicit Consent Grants f1.keywords:
- - NOCSH
Last updatedaudience: ITPro
- - o365_security_incident_response
- - M365-security-compliance-
+- M365-security-complianceLast updated : 07/28/2022 ms.localizationpriority: medium search.appverid: - MET150
You need to search the **audit log** to find signs, also called Indicators of Co3. Click the **Activity** column to sort the results and look for **Consent to application**.
-4. Select an entry from the list to see the details of the activity. Check to see if IsAdminContent is set to True.
+4. Select an entry from the list to see the details of the activity. Check to see if IsAdminConsent is set to True.> [!NOTE] >
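Review bot: In step 4 the corrected property name IsAdminConsent is still set as plain text, and the misspelling being fixed here shows how easily it is misread. Put it in code formatting (`IsAdminConsent`) so readers match it character for character against the field in the audit record details.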
|security||Use Arc Exceptions To Mark Trusted Arc Senders||https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-arc-exceptions-to-mark-trusted-arc-senders.md||
Here, you see the same organization **after leveraging the ability to create a t## Next steps: After you set up ARC for Microsoft 365 Defender for Office
-After setup, check your ARC Headers with [Message Header Analyzer](/connectivity-analyzer/message-header-analyzer).
+After setup, check your ARC Headers with [Message Header Analyzer](https://mha.azurewebsites.net).Review [SPF](set-up-spf-in-office-365-to-help-prevent-spoofing.md), [DKIM](use-dkim-to-validate-outbound-email.md), [DMARC](use-dmarc-to-validate-email.md), configuration steps.
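Review bot: The Message Header Analyzer link on the added line replaces the docs-relative path with a hard-coded absolute URL on azurewebsites.net, a host name that the sentence does not identify as the tool's official location. Confirm this is the canonical address for the tool, and consider naming the host in the link text so readers can verify where they are pasting message headers.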
|security||Virus Detection In Spo||https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/virus-detection-in-spo.md||
Here's what happens:1. A user uploads a file to SharePoint Online. 2. SharePoint Online, as part of its virus scanning processes, later determines if the file meets the criteria for a scan. 3. If the file meets the criteria for a scan, the virus detection engine scans the file.
-4. If a virus is found within the scanned file, the virus engine sets a property on the file indicating that it's infected.
+4. If a virus is found within the scanned file, the virus engine sets a property on the file that indicates the file is infected.## What happens when a user tries to download an infected file by using the browser?
-If a file is infected, users can't download the file from SharePoint Online by using a browser.
+By default, users can download infected files from SharePoint Online. Here's what happens:
-Here's what happens:
+1. In a web browser, a user tries to download a file from SharePoint Online that happens to be infected.
+2. The user is shown a warning that a virus has been detected in the file. The user is given the option to proceed with the download and attempt to clean it using anti-virus software on their device.+
+To change this behavior so users can't download infected files, even from the anti-virus warning window, admins can use the *DisallowInfectedFileDownload* parameter on the **[Set-SPOTenant](/powershell/module/sharepoint-online/Set-SPOTenant)** cmdlet in SharePoint Online PowerShell. The value $true for the *DisallowInfectedFileDownload* parameter completely blocks access to detected/bocked files for users.+
+For instructions, see [Use SharePoint Online PowerShell to prevent users from downloading malicious files](turn-on-mdo-for-spo-odb-and-teams.md#step-2-recommended-use-sharepoint-online-powershell-to-prevent-users-from-downloading-malicious-files).+
+## Can admins bypass *DisallowInfectedFileDownload* and extract infected files?
-1. A user opens a web browser and tries to download an infected file from SharePoint Online.
-2. The user is given a warning that a virus has been detected. By default, the user is given the option to download the file and attempt to clean it using the anti-virus software on their own device.
+SharePoint admins and global admins are allowed to do forensic file extractions of malware-infected files in SharePoint Online PowerShell with the [Get-SPOMalwareFileContent](/powershell/module/sharepoint-online/get-spomalwarefilecontent) cmdlet. Admins don't need access to the site that hosts the infected content. As long as the file has been marked as malware, admins can use **Get-SPOMalwareFileContent** to extract the file.
-> Admins can use the *DisallowInfectedFileDownload* parameter on the [Set-SPOTenant](/powershell/module/sharepoint-online/Set-SPOTenant) cmdlet in SharePoint Online PowerShell to prevent users from downloading infected files, even in the anti-virus warning window. For instructions, see [Use SharePoint Online PowerShell to prevent users from downloading malicious files](turn-on-mdo-for-spo-odb-and-teams.md#step-2-recommended-use-sharepoint-online-powershell-to-prevent-users-from-downloading-malicious-files).
-> As soon as you enable the *DisallowInfectedFileDownload* parameter, access to the detected/blocked files is completely blocked for users and admins.
+For more information about the infected file, admins can use the **[Get-SPOMalwareFile](/powershell/module/sharepoint-online/get-spomalwarefile)** cmdlet to see the type of malware that was detected and the status of the infection.## What happens when the OneDrive sync client tries to sync an infected file?
When a malicious file is uploaded to OneDrive, it will be synced to the local maMicrosoft 365 organizations that have [Microsoft Defender for Office 365](defender-for-office-365.md) included in their subscription or purchased as an add-on can enable Safe Attachments for SharePoint, OneDrive, and Microsoft Teams for enhanced reporting and protection. For more information, see [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md).
-## Related Articles
+## Related articles[Malware and ransomware protection in Microsoft 365](/compliance/assurance/assurance-malware-and-ransomware-protection)
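Review bot: The added paragraph on *DisallowInfectedFileDownload* contains a typo, "detected/bocked files"; the removed note read "detected/blocked". The same sentence narrows the removed wording "completely blocked for users and admins" to "for users", and the new section lets SharePoint admins and global admins extract flagged files with Get-SPOMalwareFileContent without access to the hosting site. Consider stating in that section whether these extractions are audited, since it describes a read path to malware-marked content that bypasses site permissions.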