Overview
The content of the Eicar test file is an industry-recognised text string that can be used to confirm that antivirus software from many vendors is functioning.
Customers using this file to confirm that the Umbrella Cloud Malware feature is functioning on their O365 platform may notice that the Eicar test files are not shown in their Cloud Malware reports or in the Scanned Files section.
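Because the Eicar file is defined by its exact byte content, it is worth confirming that the file you upload really is a spec-conformant Eicar test file before concluding that Cloud Malware missed it. The following checker is an added example, not code from this article or from Cisco; it applies the published EICAR rules (the 68-byte string, optionally followed by whitespace, total length at most 128 bytes) to constructed sample inputs.

```python
# Added example (not from the Umbrella article): classify a byte string against
# the published EICAR test-file specification. A conformant file is exactly the
# one Microsoft's O365 anti-malware layer flags before Umbrella's API sees it.

# The 68-byte EICAR string as published by eicar.org (raw bytes: the backslash
# before "P" is part of the string).
EICAR_STRING = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# The spec permits only these trailing characters: space, tab, LF, CR, CTRL-Z.
ALLOWED_TRAILING = set(b" \t\n\r\x1a")

# Total file length, including any trailing whitespace, must not exceed this.
MAX_LEN = 128


def eicar_status(data: bytes) -> str:
    """Return 'eicar' for a spec-conformant test file, 'eicar-nonconformant'
    when the string is present but the trailer or length breaks the spec
    (scanners may or may not flag such a file), and 'not-eicar' otherwise."""
    if not data.startswith(EICAR_STRING):
        return "not-eicar"
    trailer = data[len(EICAR_STRING):]
    if len(data) <= MAX_LEN and all(byte in ALLOWED_TRAILING for byte in trailer):
        return "eicar"
    return "eicar-nonconformant"


# Constructed samples that exercise each branch of the checker.
SAMPLES = {
    "plain": EICAR_STRING,
    "crlf_terminated": EICAR_STRING + b"\r\n",
    "padded_to_128": EICAR_STRING + b" " * (MAX_LEN - len(EICAR_STRING)),
    "too_long": EICAR_STRING + b" " * (MAX_LEN - len(EICAR_STRING) + 1),
    "extra_byte": EICAR_STRING + b"x",
    "ordinary_text": b"quarterly report, nothing to see here",
}


def classify_samples() -> dict:
    """Classify every constructed sample; handy for a quick sanity run."""
    return {name: eicar_status(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, status in classify_samples().items():
        print(f"{name:16s} -> {status}")
```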
Explanation
Microsoft include a layer of anti-malware protection in their O365 subscriptions; more information on this and its configuration can be found in the following locations:
Microsoft's anti-malware layer will detect Eicar and, as a result, set the malware flag against the file. This, amongst other things, prevents the file from being shared and also prevents access to it via the API that Cloud Malware uses to integrate with the O365 platform.
Note:
By default, even though the file is flagged by O365 as malware, the owner is still allowed to download it. If this download takes place via Umbrella SWG (with HTTPS inspection enabled), the download is blocked during transfer and appears in the Activity Search report.
How can I confirm Cloud Malware on O365 is working?
Cisco provide an "AMP test file", which is detected by the Cloud Malware feature but not by the malware protection built into O365. This file can be used to verify correct functionality of Cloud Malware on the O365 platform.
The AMP test files (and Eicar files) can be found at the following location:
https://docs.umbrella.com/umbrella-user-guide/docs/test-file-analysis
Alternatively, saving a password-protected file to O365 will be detected as 'Suspicious' within the Cloud Malware reporting. Display of suspicious files can be toggled via the 'Suspect Files' tick box at the bottom left of the Cloud Malware reporting.