Category | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
security | Detect And Remediate Illicit Consent Grants | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants.md | Title: Detect and Remediate Illicit Consent Grants f1.keywords: - - NOCSH +- NOCSH Last updated audience: ITPro - - o365_security_incident_response - - M365-security-compliance -+- o365_security_incident_response +- M365-security-compliance Last updated : 07/28/2022 ms.localizationpriority: medium search.appverid: - MET150 You need to search the **audit log** to find signs, also called Indicators of Co 3. Click the **Activity** column to sort the results and look for **Consent to application**. -4. Select an entry from the list to see the details of the activity. Check to see if IsAdminContent is set to True. +4. Select an entry from the list to see the details of the activity. Check to see if IsAdminConsent is set to True. > [!NOTE] > |
security | Use Arc Exceptions To Mark Trusted Arc Senders | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-arc-exceptions-to-mark-trusted-arc-senders.md | Here, you see the same organization **after leveraging the ability to create a t ## Next steps: After you set up ARC for Microsoft 365 Defender for Office -After setup, check your ARC Headers with [Message Header Analyzer](/connectivity-analyzer/message-header-analyzer). +After setup, check your ARC Headers with [Message Header Analyzer](https://mha.azurewebsites.net). Review [SPF](set-up-spf-in-office-365-to-help-prevent-spoofing.md), [DKIM](use-dkim-to-validate-outbound-email.md), [DMARC](use-dmarc-to-validate-email.md), configuration steps. |
security | Virus Detection In Spo | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/virus-detection-in-spo.md | Here's what happens: 1. A user uploads a file to SharePoint Online. 2. SharePoint Online, as part of its virus scanning processes, later determines if the file meets the criteria for a scan. 3. If the file meets the criteria for a scan, the virus detection engine scans the file.-4. If a virus is found within the scanned file, the virus engine sets a property on the file indicating that it's infected. +4. If a virus is found within the scanned file, the virus engine sets a property on the file that indicates the file is infected. ## What happens when a user tries to download an infected file by using the browser? -If a file is infected, users can't download the file from SharePoint Online by using a browser. +By default, users can download infected files from SharePoint Online. Here's what happens: -Here's what happens: +1. In a web browser, a user tries to download a file from SharePoint Online that happens to be infected. +2. The user is shown a warning that a virus has been detected in the file. The user is given the option to proceed with the download and attempt to clean it using anti-virus software on their device. ++To change this behavior so users can't download infected files, even from the anti-virus warning window, admins can use the *DisallowInfectedFileDownload* parameter on the **[Set-SPOTenant](/powershell/module/sharepoint-online/Set-SPOTenant)** cmdlet in SharePoint Online PowerShell. The value $true for the *DisallowInfectedFileDownload* parameter completely blocks access to detected/bocked files for users. ++For instructions, see [Use SharePoint Online PowerShell to prevent users from downloading malicious files](turn-on-mdo-for-spo-odb-and-teams.md#step-2-recommended-use-sharepoint-online-powershell-to-prevent-users-from-downloading-malicious-files). 
++## Can admins bypass *DisallowInfectedFileDownload* and extract infected files? -1. A user opens a web browser and tries to download an infected file from SharePoint Online. -2. The user is given a warning that a virus has been detected. By default, the user is given the option to download the file and attempt to clean it using the anti-virus software on their own device. +SharePoint admins and global admins are allowed to do forensic file extractions of malware-infected files in SharePoint Online PowerShell with the [Get-SPOMalwareFileContent](/powershell/module/sharepoint-online/get-spomalwarefilecontent) cmdlet. Admins don't need access to the site that hosts the infected content. As long as the file has been marked as malware, admins can use **Get-SPOMalwareFileContent** to extract the file. -> [!NOTE] -> -> Admins can use the *DisallowInfectedFileDownload* parameter on the [Set-SPOTenant](/powershell/module/sharepoint-online/Set-SPOTenant) cmdlet in SharePoint Online PowerShell to prevent users from downloading infected files, even in the anti-virus warning window. For instructions, see [Use SharePoint Online PowerShell to prevent users from downloading malicious files](turn-on-mdo-for-spo-odb-and-teams.md#step-2-recommended-use-sharepoint-online-powershell-to-prevent-users-from-downloading-malicious-files). -> -> As soon as you enable the *DisallowInfectedFileDownload* parameter, access to the detected/blocked files is completely blocked for users and admins. +For more information about the infected file, admins can use the **[Get-SPOMalwareFile](/powershell/module/sharepoint-online/get-spomalwarefile)** cmdlet to see the type of malware that was detected and the status of the infection. ## What happens when the OneDrive sync client tries to sync an infected file? 
When a malicious file is uploaded to OneDrive, it will be synced to the local ma Microsoft 365 organizations that have [Microsoft Defender for Office 365](defender-for-office-365.md) included in their subscription or purchased as an add-on can enable Safe Attachments for SharePoint, OneDrive, and Microsoft Teams for enhanced reporting and protection. For more information, see [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md). -## Related Articles +## Related articles [Malware and ransomware protection in Microsoft 365](/compliance/assurance/assurance-malware-and-ransomware-protection) |
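
Review bot: In the virus-detection-in-spo.md change, the added sentence about the *DisallowInfectedFileDownload* parameter contains the typo "detected/bocked files"; it should read "detected/blocked files", as the removed note did. That sentence also narrows the block from "users and admins" to "users". The new "Can admins bypass *DisallowInfectedFileDownload*" section implies the answer in its heading but never says in the body that **Get-SPOMalwareFileContent** still works when the parameter is $true, so one explicit sentence there would remove the ambiguity.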
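
Review bot: In the use-arc-exceptions-to-mark-trusted-arc-senders.md change, the Message Header Analyzer link under "Next steps" moves from the docs-relative path /connectivity-analyzer/message-header-analyzer to the absolute host https://mha.azurewebsites.net, while the SPF, DKIM and DMARC links in the same paragraph stay relative. Readers paste full message headers into this tool, so please confirm that this host is the intended, owned destination and say in the commit message why the relative link was dropped.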