browse
Issue
The content of the eicar test file is an industry-recognized text string that can be used to confirm antivirus software is functioning across many vendors.
If you are using this file to confirm that the Cisco Umbrella Cloud Malware feature is functioning on your Microsoft 365 platform, you may notice that the eicar test files are not shown in your Cloud Malware reports or the Scanned Files section.
Resolution
Cisco provides an Advanced Malware Protection (AMP) test file, which is a file that is detected by the Cloud Malware feature but not by the malware protection built into Microsoft 365. This file can be used to verify the correct functionality of Cloud Malware on the Microsoft platform
You can find the AMP test files (and eicar files) in the Cisco Umbrella documentation.
Alternatively, saving a password-protected file to Microsoft will be detected as "Suspicious" within the Cloud Malware reporting. Display of suspicious files can be toggled via the "Suspect Files" option on the bottom left of the Cloud Malware reporting.
Cause
Microsoft includes a layer of anti-malware protection in their Microsoft subscriptions. You can find more information on this and its configuration in the following Microsoft documentation:
Built-in virus protection in SharePoint Online, OneDrive, and Microsoft Teams
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
Microsoft's anti-malware layer will detect eicar and as a result, set the malware flag against the file. This, among other things, prevents the file from being shared and also prevents access to it via the API that Cloud Malware uses to integrate with the Microsoft 365 platform.
Note: By default, even though the file is flagged by Microsoft 365 as malware, it will still allow the owner to download the file. If this download takes place via Cisco Umbrella Secure Web Gateway (SWG) (with HTTPS inspection enabled), this download will be blocked during transfer and appear in the Activity Search report.