Currently, ScubaGear (via the Defender baseline) only checks the Safe Attachments policy, which prevents users from opening, moving, copying, or sharing files marked as malicious. It does not prevent users from downloading malicious files. The prevention of malicious file downloads is controlled by a separate configuration item from Safe Attachments, and it can be checked via Get-SPOTenant, which is part of the SharePoint cmdlets. In the Teams baseline policy 7.2 we state "Users SHOULD be prevented from opening or downloading files detected as malware", so our current implementation is incomplete.
Screenshots and context
Here is our policy in Teams that mentions downloading files.
Here is where the Teams policy points to Defender.
Here is what the Defender baseline currently checks (this is an incomplete implementation of Teams policy 7.2 which also mentions downloading files)
[ ] Since this policy and check intersect with three baselines, Defender, Teams and SharePoint/OneDrive, you need to determine where the check belongs and also what changes to the baseline documents are necessary. Since the check in Microsoft's documentation points to the SharePoint cmdlets, it probably would make sense to put the check there instead of Defender, but there will probably be changes needed to all three baselines to get them in sync.
I think this is related to (but not the same as) #161. At the very least any policy change to enable SafeAttachments more fully would likely want to include both.
Here is where Microsoft describes the check necessary to determine if the downloading of files is prevented or not. https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-for-spo-odfb-teams-configure#step-2-recommended-use-sharepoint-online-powershell-to-prevent-users-from-downloading-malicious-files
Here is the cmdlet to detect if downloading of malicious files is turned off
Get-SPOTenant | Format-List DisallowInfectedFileDownload
More info on the setting https://learn.microsoft.com/en-us/defender-office-365/anti-malware-protection-for-spo-odfb-teams-about?view=o365-worldwide
Implementation notes
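The gap described in this issue, as an added example that is not ScubaGear code and not part of the original issue: a tenant can pass the Safe Attachments check while still allowing infected files to be downloaded. The function name `Test-MalwareFilePolicy` and its result fields are hypothetical. `Get-AtpPolicyForO365` and its `EnableATPForSPOTeamsODB` property come from Exchange Online PowerShell, not from this page, and are assumed here to be the setting the existing Safe Attachments check reads.

```powershell
# Added example: evaluates both halves of Teams policy 7.2 ("opening or downloading").
# Test-MalwareFilePolicy and the result field names are hypothetical, not ScubaGear code.
function Test-MalwareFilePolicy {
    [CmdletBinding()]
    param(
        # Object shaped like Get-AtpPolicyForO365 output (assumption: Exchange Online module)
        [Parameter(Mandatory)] [psobject] $AtpPolicy,
        # Object shaped like Get-SPOTenant output (SharePoint Online module)
        [Parameter(Mandatory)] [psobject] $SpoTenant
    )

    $checks = @(
        @{ Name = 'OpenBlocked';     Source = $AtpPolicy; Property = 'EnableATPForSPOTeamsODB' }
        @{ Name = 'DownloadBlocked'; Source = $SpoTenant; Property = 'DisallowInfectedFileDownload' }
    )

    $result = [ordered]@{}
    foreach ($check in $checks) {
        $prop = $check.Source.PSObject.Properties[$check.Property]
        # A missing property (older module, partial export) counts as not enforced
        # instead of throwing, so the report shows a failure rather than a silent pass.
        $result[$check.Name] = ($null -ne $prop) -and ($prop.Value -eq $true)
    }

    # The policy text covers both actions, so both settings must be on.
    $result['Compliant'] = $result['OpenBlocked'] -and $result['DownloadBlocked']
    [pscustomobject]$result
}

# Constructed sample input: Safe Attachments is on, download blocking is off.
$atp = [pscustomobject]@{ EnableATPForSPOTeamsODB = $true }
$spo = [pscustomobject]@{ DisallowInfectedFileDownload = $false }
Test-MalwareFilePolicy -AtpPolicy $atp -SpoTenant $spo

# Against a live tenant (after Connect-ExchangeOnline and Connect-SPOService):
# Test-MalwareFilePolicy -AtpPolicy (Get-AtpPolicyForO365) -SpoTenant (Get-SPOTenant)
```

With the constructed input, `OpenBlocked` is true while `DownloadBlocked` and `Compliant` are false, which is the case a check limited to Safe Attachments would report as passing.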