Built-in virus protection in SharePoint Online, OneDrive, and Microsoft Teams
Microsoft 365 uses a common virus detection engine for scanning files that users upload to SharePoint Online, OneDrive, and Microsoft Teams. This protection is included with all subscriptions that include SharePoint Online, OneDrive, and Microsoft Teams.
The built-in anti-virus capabilities are a way to help contain viruses. They aren't intended as a single point of defense against malware for your environment. We encourage all customers to investigate and implement anti-malware protection at various layers and apply best practices for securing their enterprise infrastructure. For more information about strategies and best practices, see Security roadmap.
What happens if an infected file is uploaded to SharePoint Online?
The Microsoft 365 virus detection engine runs asynchronously (independent from file uploads) within SharePoint Online. Not all files are automatically scanned; heuristics determine which files to scan. When a file is found to contain a virus, the file is flagged. In April 2018, we removed the 25 MB limit for scanned files.
Here's what happens:
- A user uploads a file to SharePoint Online.
- SharePoint Online, as part of its virus scanning processes, later determines if the file meets the criteria for a scan.
- If the file meets the criteria for a scan, the virus detection engine scans the file.
- If a virus is found within the scanned file, the virus engine sets a property on the file indicating that it's infected.
What happens when a user tries to download an infected file by using the browser?
If a file is infected, users can't download the file from SharePoint Online by using a browser.
Here's what happens:
- A user opens a web browser and tries to download an infected file from SharePoint Online.
- The user is given a warning that a virus has been detected. By default, the user is given the option to download the file and attempt to clean it using the anti-virus software on their own device.
Admins can use the DisallowInfectedFileDownload parameter on the Set-SPOTenant cmdlet in SharePoint Online PowerShell to prevent users from downloading infected files, even in the anti-virus warning window. For instructions, see Use SharePoint Online PowerShell to prevent users from downloading malicious files.
As soon as you enable the DisallowInfectedFileDownload parameter, access to the detected/blocked files is completely blocked for users and admins.
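The following script is an added example, not part of the original page: it reads the current tenant setting, enables DisallowInfectedFileDownload only if it is off, and then confirms the result. It assumes the Microsoft.Online.SharePoint.PowerShell module is installed and that `$AdminUrl` (a placeholder parameter) is your tenant's SharePoint admin center URL.

```powershell
#Requires -Modules Microsoft.Online.SharePoint.PowerShell
[CmdletBinding(SupportsShouldProcess)]
param(
    # Placeholder: your tenant's SharePoint admin center URL,
    # for example https://<tenant>-admin.sharepoint.com
    [Parameter(Mandatory)]
    [string]$AdminUrl
)

# Sign in with an account that holds the SharePoint administrator role.
Connect-SPOService -Url $AdminUrl

try {
    # Record the current value so the change is auditable.
    $before = (Get-SPOTenant).DisallowInfectedFileDownload
    Write-Output "DisallowInfectedFileDownload before: $before"

    if ($before) {
        Write-Output 'Already enabled; nothing to change.'
    }
    elseif ($PSCmdlet.ShouldProcess($AdminUrl, 'Block download of infected files')) {
        # After this call, flagged files are inaccessible to users AND admins.
        Set-SPOTenant -DisallowInfectedFileDownload $true
    }

    # Read the setting back rather than assuming the change applied.
    $after = (Get-SPOTenant).DisallowInfectedFileDownload
    Write-Output "DisallowInfectedFileDownload after:  $after"

    if (-not $after -and -not $WhatIfPreference) {
        Write-Warning 'Setting is still disabled; check permissions and retry.'
    }
}
finally {
    Disconnect-SPOService
}
```

Run it with `-WhatIf` first to see the current value without changing the tenant.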
What happens when the OneDrive sync client tries to sync an infected file?
When a malicious file is uploaded to OneDrive, it will be synced to the local machine before it's marked as malware. After it's marked as malware, the user can't open the synced file anymore from their local machine.
Extended capabilities with Microsoft Defender for Office 365
Microsoft 365 organizations that have Microsoft Defender for Office 365 included in their subscription or purchased as an add-on can enable Safe Attachments for SharePoint, OneDrive, and Microsoft Teams for enhanced reporting and protection. For more information, see Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
For more information about anti-virus in SharePoint Online, OneDrive, and Microsoft Teams, see Protect against threats and Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.