Virus detection in SharePoint Online

  • 7/2/2020

Microsoft 365 can help protect your environment from malware by detecting viruses in files that users upload to SharePoint Online. Files may be scanned for viruses after they are uploaded. If a file is found to be infected, a property is set so that users can’t download or sync the file.


These antivirus capabilities in SharePoint Online are a way to contain viruses. They aren’t intended as a single point of defense against malware for your environment. We encourage all customers to assess and implement antimalware protection at various layers and apply best practices for securing your enterprise infrastructure. For more information about strategies and best practices, see Security roadmap.

Microsoft 365 uses a common virus detection engine. The engine runs asynchronously within SharePoint Online, and scans some files after they’re uploaded. Heuristics are used to determine which files are scanned. When a file is found to contain a virus, it’s flagged so that it can’t be downloaded again. In April 2018, we removed the 25 MB limit for scanned files.

Here’s what happens:

  1. A user uploads a file to SharePoint Online.

  2. SharePoint Online determines whether the file meets the criteria for a scan.

  3. The virus detection engine scans the file.

  4. If a virus is found, the virus engine sets a property on the file indicating that it’s infected.

If a file is infected, users can’t download the file from SharePoint Online by using the browser.

Here’s what happens:

  1. A user opens a web browser and tries to download an infected file from SharePoint Online.

  2. The user is given a warning that a virus has been detected. The user is given the option to download the file and attempt to clean it using their own antivirus software.


You can use the DisallowInfectedFileDownload parameter on the Set-SPOTenant cmdlet in SharePoint Online PowerShell to prevent users from downloading an infected file, even from the antivirus warning window.
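The following SharePoint Online PowerShell session is an added example, not part of the original article. It reads the current tenant setting, enables the block only if it is not already on, and confirms the result. The admin URL is a placeholder, and the script assumes the Microsoft.Online.SharePoint.PowerShell module is installed and that you sign in with an account that has SharePoint admin rights.

```powershell
# Placeholder (assumption): replace with your tenant's SharePoint admin center URL.
$AdminUrl = 'https://contoso-admin.sharepoint.com'

Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
Connect-SPOService -Url $AdminUrl

try {
    # Record the current state so the change can be noted in your change log.
    $before = (Get-SPOTenant).DisallowInfectedFileDownload
    Write-Host "DisallowInfectedFileDownload before change: $before"

    if (-not $before) {
        # Remove the "download anyway" option from the antivirus warning window.
        Set-SPOTenant -DisallowInfectedFileDownload $true
    }

    # Read the setting back rather than assuming the change was applied.
    $after = (Get-SPOTenant).DisallowInfectedFileDownload
    if (-not $after) {
        throw 'DisallowInfectedFileDownload is still disabled; infected files can be downloaded from the warning window.'
    }
    Write-Host "DisallowInfectedFileDownload after change: $after"
}
finally {
    Disconnect-SPOService
}
```

With the setting enabled, only files that the engine has already flagged are blocked; files that were not selected for scanning are unaffected.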

What happens when the OneDrive sync client tries to sync an infected file?

Whether users sync files with the new OneDrive sync client (OneDrive.exe) or the previous OneDrive for Business sync client (Groove.exe), if a file contains a virus, the sync client won’t download it. The sync client will display a notification that the file can’t be synced.

See Protect against threats and Turn on ATP for SharePoint, OneDrive, and Microsoft Teams for more information on how to configure SharePoint Online antivirus.

