2.6 Ensure Office 365 SharePoint infected files are disallowed for download

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.



By default, SharePoint Online allows files that Defender for Office 365 has detected as infected to be downloaded.


Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. When an infected file is detected, that file is blocked so that no one can open, copy, move, or share it until further actions are taken by the organization's security team.


The only potential impact of implementing this setting is the inconvenience caused by the small percentage of false positive detections that may occur.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


To set O365 SharePoint to disallow download of infected files using PowerShell:

Connect to SharePoint Online using Connect-SPOService. You will need to enter the URL for your SharePoint Online admin page, https://*-admin.sharepoint.com

Run the following PowerShell command to set the value to True.

Set-SPOTenant -DisallowInfectedFileDownload $true

After several minutes, run the following to verify that the value for DisallowInfectedFileDownload has been set to True.

Get-SPOTenant | Select-Object DisallowInfectedFileDownload

NOTE: The Global Reader role cannot access SharePoint using PowerShell according to Microsoft. See the reference section for more information.
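
The steps above combined into one audit-and-remediate script, added here as an example and not part of the benchmark text. It assumes the Microsoft.Online.SharePoint.PowerShell module is installed; the admin URL is a placeholder, and the timeout and poll interval are assumed values standing in for "several minutes".

```powershell
# Added example: audit, remediate and verify DisallowInfectedFileDownload.
param(
    # Placeholder: replace <tenant> with your own tenant name.
    [string]$AdminUrl = 'https://<tenant>-admin.sharepoint.com',
    [int]$TimeoutMinutes = 10,   # assumed upper bound for propagation
    [int]$PollSeconds = 30,      # assumed poll interval
    [switch]$AuditOnly           # report only, change nothing
)

$ErrorActionPreference = 'Stop'
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url $AdminUrl    # prompts for an account with SharePoint admin rights

# Returns $true when infected files are blocked from download.
function Test-InfectedDownloadBlocked {
    [bool](Get-SPOTenant).DisallowInfectedFileDownload
}

if (Test-InfectedDownloadBlocked) {
    Write-Output 'PASS: DisallowInfectedFileDownload is already True.'
    return
}

if ($AuditOnly) {
    Write-Output 'FAIL: DisallowInfectedFileDownload is False; infected files can be downloaded.'
    exit 1
}

Set-SPOTenant -DisallowInfectedFileDownload $true

# The new value is not visible immediately, so poll instead of reading once.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
while (-not (Test-InfectedDownloadBlocked)) {
    if ((Get-Date) -gt $deadline) {
        throw "DisallowInfectedFileDownload still reads False after $TimeoutMinutes minutes."
    }
    Start-Sleep -Seconds $PollSeconds
}
Write-Output 'PASS: DisallowInfectedFileDownload is now True.'
```

Run it with -AuditOnly to record the current state without changing the tenant.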
