Veeam for Microsoft 365 “Item may have a virus reported by the virus scanner plug-in” warning
If your Microsoft 365 backup job report or job log shows a warning like this: a file in your OneDrive, SharePoint Online, or Microsoft Teams data has been flagged by Microsoft’s malware scanning. When our backup service attempts to read the file through Microsoft 365 APIs, that download is blocked by SharePoint Online’s malware protection. The file cannot be backed up until the Microsoft-side malware status is resolved. Every other item in that location processes normally.

The supported workflow comes directly from Microsoft. The full Microsoft article is here: Resolve false positive malware detections. The summary below covers the practical steps.

Step 1: Investigate before assuming it’s a false positive

Look at the file path in the warning before doing anything else. Many of these detections are accurate.

Categories that are commonly legitimate detections:

If the file looks suspicious based on path, owner, or filename, the right action is to delete it from the tenant. If you want to verify, scan a copy with your endpoint antivirus or submit it to VirusTotal for a multi-engine check before deciding. Only proceed to submission if you are confident the file is clean.

Step 2: Identify the engine that flagged the file

Microsoft documents four methods. Pick the one that fits your access and what you need to find.

Step 3: Submit the file to Microsoft

Download the file from the Quarantine Files tab if available, or use Get-SPOMalwareFileContent from SharePoint Online PowerShell. Treat the file as malicious until you have confirmed otherwise.

Both submission paths below live under Email & collaboration > Submissions in the Defender portal, but use different tabs depending on which engine flagged the file:

Note that both the Quarantine page (Step 2) and the Submissions page (Step 3) have a tab named “Files.” They are different pages with different purposes: Quarantine shows files already flagged in your tenant; Submissions is where you send files to Microsoft for review.
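The PowerShell route mentioned in Step 3, as an added example (not taken from Microsoft's article or from our backup service): it records the malware details for the blocked item, saves a copy under a neutral extension, and computes its SHA-256. The tenant name `contoso`, the file URL and the local folder are constructed placeholders, and the script assumes Get-SPOMalwareFileContent returns the content as a stream.

```powershell
# Added example: inspect and retrieve a file blocked by SharePoint Online malware scanning.
# Constructed placeholders: tenant "contoso", the file URL, and the local folder.
$AdminUrl = 'https://contoso-admin.sharepoint.com'
$FileUrl  = 'https://contoso.sharepoint.com/sites/Finance/Shared Documents/report.xlsm'
$WorkDir  = 'C:\MalwareReview'   # isolated folder, ideally on an analysis VM

Connect-SPOService -Url $AdminUrl

# Malware record for the blocked item; keep this output for a Microsoft Support case.
$infected = Get-SPOMalwareFile -FileUri $FileUrl
$infected | Format-List *

# Retrieve the content (assumed to be returned as a stream) and write it with a
# neutral extension so a double-click does not open it in its native application.
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$target = Join-Path $WorkDir ([System.IO.Path]::GetFileName($FileUrl) + '.blocked')
$source = Get-SPOMalwareFileContent -MalwareInfectedFile $infected
$output = [System.IO.File]::Create($target)
try {
    $source.CopyTo($output)
}
finally {
    $output.Dispose()
    $source.Dispose()
}

# SHA-256 of the copy: allows a lookup by hash and documents exactly which file was submitted.
Get-FileHash -Path $target -Algorithm SHA256 | Format-List Algorithm, Hash, Path
```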
Step 4: Wait for Microsoft to verify

Submission is the realistic path for most cases. Once Microsoft processes the submission and either updates their definitions or adds an allow entry on the Tenant Allow/Block List, the file becomes accessible again. The next backup run picks it up automatically and the warning clears. Turnaround time is at Microsoft’s discretion.

If the file appears in the Defender Quarantine Files tab, an admin may also be able to release it from quarantine within 30 days using the Release file action. Note that the Defender Quarantine for files primarily holds files quarantined by Safe Attachments in tenants with Defender for Office 365 Plan 1 or Plan 2. Files flagged by Microsoft 365’s built-in signature scanning are typically blocked in place rather than placed in the Defender Quarantine, so the Release action often does not apply. Where it does apply, releasing is a separate action from submitting; releasing unblocks the current file but does not by itself correct the detection for future scans. Submit the file as in Step 3 if you want the detection reviewed and corrected.

For files that remain blocked longer than 30 days, contact Microsoft Support with the file path, the Get-SPOMalwareFile output, and your evidence that the file is safe.

What is not possible

The base Microsoft 365 virus scanning that flags files in SharePoint, OneDrive, and Teams is not something a backup service can bypass. Defender for Office 365 Safe Attachments is an additional layer that may be configurable by the tenant, but disabling or changing that setting is a tenant security decision and does not give a backup application permission to ignore a Microsoft malware block. The base engine cannot be disabled at the tenant level, cannot be excluded by file, library, site, user, or extension, and cannot be bypassed by any application permission. We confirmed this directly with Microsoft Support.

Per-file submission and review through the Defender portal is the only supported path.