Malicious Content Detection Rule

The Malicious Content detection rule is a feature within Box Shield. It seeks to identify malicious files that are uploaded into Box and protects users from downloading dangerous content.

The Malicious Content detection rule scans files uploaded from managed, external, and anonymous users.

Malware scan types

Box Shield applies a metadata template on every file that is flagged as malicious. An alert is generated in the Box UI, with an additional alert event generated if the admin enabled the Publish alert to Box Event Stream toggle when they enabled the detection rule. We do not give updates for files that were scanned and identified as safe.

Create, edit, and delete the Malicious Content detection rule

To enable this detection rule, you need admin rights (or co-admin rights with the Create, edit, and delete Shield configuration for your company permission enabled) in an account with the Box Shield add-on enabled.

See our dedicated page for creating, editing, and deleting threat detection rules for a step-by-step guide. Check below for Malicious Content specific settings:

Malicious Content specific settings

• Microsoft Office files filter for deep scan
• Restrict downloads

Microsoft Office files filter for deep scan

Enable this to allow Box Shield to run Deep Scan on Microsoft Office file types such as .docx., .xlsx, and .pptx files, to detect malicious payloads. The default state is disabled.

Restrict downloads

Enable this to restrict the download of any files identified as containing malicious content. Preview and online editing will still be available. The default state is disabled.

• You can choose if you want the download restriction to be applied based on Deep Scan and/or Reputation Scan results.
• Once enabled, if a file is flagged as malicious by the chosen scan type(s), Box Shield automatically applies a download restriction on the file. This prevents an end user from downloading the file to their device.

Malicious Content alerts

An alert will display in the Shield Dashboard when malicious content is detected. 

Alerts include the Alert ID, date, the name and email address of the account holder whose activity triggered the alert, the risk score, and the IP address whose access triggered the alert. 

To view an alert's details:

1. Go to Admin Console > Shield.
2. Click the Dashboard tab.
3. (Optional) Filter the alerts for Malicious Content.
4. In the alert list table, click an alert.
5. Box displays the alert detail page.

The alert detail page displays the following:

• Alert Summary: overview of the alert including alert name, alert ID, alert type, risk score, alert created date, any download restrictions imposed, uploader of the malicious file and upload location.
• File Details: information regarding file name, file version, file hash, file size, version uploaded date, file created date and last modified date.
• Threat Details: Deep Scan and Reputation Scan results, when they were scanned, and malware family and description.
• Geographic Activities: location of the account's activity at the time of the alert.
• Uploader Activity: summarizes the account's activities, by activity type, at the time of the alert.
• File Activity: insights on the file after it was uploaded.
• Marking file as safe: allows the admin to mark the flagged file “as safe”; see mark files as safe for more information.
• Revert to malicious: becomes available if the admin has previously marked the file as safe.
• Modifying Files: if the file is marked as safe or reverted to malicious, 2 additional rows are added in file details for commenting and showing last override.

A feedback box is displayed on the dashboard after an alert. This enables you to provide suggestions and comments to Box which helps to improve functionality.

End user implications

• If a malicious payload is detected when uploading content, a red banner appears above the preview page to warn the end user. 
• Shield malware Deep Scan metadata is added to the content flagging it as malicious.
• When download restrictions are active, end users are blocked from downloading and opening files with a desktop application. They can still preview, share, and edit (using online editors like Microsoft Office Online and Google Workspace): 
  • If a file is marked safe, file restrictions are removed; enabling downloads and opening the file with a desktop application.
  • If a file is reverted to malicious, file restrictions are reinstated; disabling downloads and opening the file with a desktop application.

Alert actions and remediation

This detection rule can perform the following actions once a malicious file has been identified:

Restrict download

An automatic download restriction can be applied via the detection rule configuration page.

This restriction allows the end user to preview, share, and edit (using online editors like Microsoft Office Online and Google Workspace), but prevents the file from being downloaded where it can harm the user/organization.

Handling false positive verdicts

Any malware scan solution can have false positives and Shield’s Malicious Content detection rule is no exception. The Shield team is constantly evaluating the detection’s performance across our customer base, making updates and improving efficacy when possible. When reviewing a Malicious Content alert, it’s helpful to review the following questions:

• Is the threat reported from Reputation Scan, Deep Scan, or both?
• What is the reported priority?
• What type of file?
• Where did the file come from?
• Was the user expecting the file?
• Do you know the file sender?

Verdicts from each type of detection should be considered differently: 

• Any malicious verdict from our Reputation Scan should be investigated, as false positives are very uncommon. Reputation scan is comparing the file’s hash from those within known malware libraries. If it finds a match, the likelihood of the verdict being a false positive is low. These verdicts should be treated as a higher priority.
• A malicious verdict from our Deep Scan should still be investigated, but there is a higher potential for false positives compared to the Reputation Scan. Deep Scan will unpack files and analyze a host of different elements within the file - a combination of certain indicators could indicate malicious intent; however, only the file’s creator/owner can fully validate the intent of the file.

If deeper analysis is needed for a particular file, you can click the Preview button on the alert page to open the file in Content Manager. Here you can download the file into a sandbox environment for further analysis.

Mark files as safe

If a file is flagged as malicious but is believed to be clean, a Shield admin can mark the file as safe within the Malicious Content alert page. 

This action will lift any active download restrictions on the file and remove the malware banner that appears in the file preview page for end users.

Before marking a file as malicious, a comment is required to document a decision for the verdict override. An option is available to revert a file back to its original malicious verdict if required. 

File types supported by Malware Deep Scan

Malware Deep Scan analyzes several different file types automatically that can be riskier than everyday file types, and can optionally analyze Microsoft Office files. This section lists some of the file types that can be deep scanned: