It looks like Microsoft SharePoint can now scan password-protected ZIP files according to Andrew Brandt L, a Principal Security Researcher at Sophos. Brandt discovered the new change recently when their malware-containing password-encrypted files were scanned by Microsoft 365 virus detection engine.
On their Mastodon profile, Brandt wrote:
Well, apparently #microsoft #Sharepoint now has the ability to scan inside of password-protected zip archives.
How do I know? Because I have a lot of Zips (encrypted with a password) that contain malware, and my typical method of sharing those is to upload those passworded Zips into a Sharepoint directory.
This morning, I discovered that a couple of password-protected Zips are flagged as “Malware detected” which limits what I can do with those files – they are basically dead space now.
While Brandt acknowledges that this move is not at all a bad thing as it is targeted at threat actors who are looking to get away using this bypass, they appear to be a bit annoyed at the change as sharing malware samples with other threat researchers can be, at least, somewhat slightly hampered by this.
While I totally understand doing this for anyone other than a malware analyst, this kind of nosy, get-inside-your-business way of handling this is going to become a big problem for people like me who need to send their colleagues malware samples. The available space to do this just keeps shrinking and it will impact the ability of malware researchers to do their jobs.
The official Microsoft documentation for Built-in virus protection in SharePoint Online explains:
The Microsoft 365 virus detection engine scans files asynchronously (at some time after upload). If a file has not yet been scanned by the asynchronous virus detection process, and a user tries to download the file from the browser or from Teams, a scan on download is triggered by SharePoint before the download is allowed. All file types are not automatically scanned. Heuristics determine the files to scan.
Meanwhile, Microsoft also has the option to enable Safe Attachments in SharePoint. The support article says:
When Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is enabled and identifies a file as malicious, the file is locked using direct integration with the file stores.
Although the blocked file is still listed in the document library and in web, mobile, or desktop applications, people can’t open, copy, move, or share the file. But, they can delete the blocked file.
However, neither of the articles seem to mention anything related to scanning encrypted or password-protected files. This means it could be something Microsoft quietly rolled out recently.