The Malicious Content detection rule is a feature within Box Shield. It seeks to identify malicious files that are uploaded into Box and protects users from downloading dangerous content.
The Malicious Content detection rule scans files uploaded from managed, external, and anonymous users.
Malware scan types
Box Shield applies a metadata template to every file that is flagged as malicious. An alert is generated in the Box UI, with an additional alert event generated if the admin enabled the Publish alert to Box Event Stream toggle when they enabled the detection rule. No alert or event is generated for files that were scanned and identified as safe.
| | Reputation Scan | Deep Scan |
| --- | --- | --- |
| Type of Scan | Compares the file's hash with hashes in known malware libraries from 30+ leading malware scan vendors. If the hash is found in one of the malware libraries, it triggers a malicious verdict. | Recursively unpacks files to recognize suspicious indicators and identify more sophisticated malware (a form of static analysis scanning). The scan is extended to all active content, which means the malware scan is triggered for any of the enterprise's previously unscanned files on the next preview, share, download, or edit. Scans external files that are accessed by managed users to reduce third-party risk. |
| When is a Scan Triggered? | | |
| What file sizes are supported? | Supports all file sizes | Files up to 200MB |
| What file types are supported? | Supports all file types | See: File types supported by Malware Deep Scan |
File types supported by Malware Deep Scan
Malware Deep Scan analyzes several different file types automatically that can be riskier than everyday file types, and can optionally analyze Microsoft Office files. This section lists some of the file types that can be deep scanned:
| File Category | File Type |
| --- | --- |
| Compressed/Archive File Types | .7z, .bz2, .gzip, .jar, .rar, .tar, .tar.bz2, .tar.gz, .tar.z, .xar, .zip |
| Executable File Types | .bundle, .dll, .dylib, .elf (ELF 32 & ELF 64 compiled for Intel 80386 & 80360 and AMD x86-64), .exe, Mach-O 32, Mach-O 64, Mach-O ARM, Mach-O FAT, .o, .ocx, PE 32, PE 64, .scr, .so, .sys |
| Document File Types | .doc, .docm, .docx, .hwp, .jdt, .mht, .pdf, .ppt, .pptm, .pptx, .rtf, .sylk, .xls, .xlsm, .xlsx |
| Graphic File Types | .tiff |
| Disk Image File Types | .dmg (AppleDisk, KolyDMG, GPTDisk, HFSPlus), ISO9660 |
| Other File Types | EICAR, .lnk, .msg, .otf, .ttf |
Create, edit, and delete the Malicious Content detection rule
To enable this detection rule, you need admin rights (or co-admin rights with the Create, edit, and delete Shield configuration for your company permission enabled) in an account with the Box Shield add-on enabled.
Note: Only one Malicious Content detection rule can be created for each Box account.
See our dedicated page for creating, editing, and deleting threat detection rules for a step-by-step guide. The settings specific to the Malicious Content rule are described below:
Malicious Content specific settings
Deep Scan file exclusions
Enable this setting to exclude specific file extensions from Deep Scan. Excluded file types are still scanned by Reputation Scan, so your environment maintains baseline malware protection. The default state is disabled.
- You can exclude any file extension, including custom or proprietary extensions.
- Up to 10,000 file extensions can be added to the exclusion list.
This setting is useful when Deep Scan generates excessive alerts for certain file types in your environment. Rather than disabling Deep Scan entirely, you can exclude the specific extensions that produce false positives while keeping scanning active for all other file types.
Box verifies file types before honoring excluded extensions. If a file does not appear to match its assigned extension (for example, a .exe uploaded as a .pdf), Box will still scan the file with Deep Scan to protect your environment.
Note: The previous Microsoft 365 Deep Scan toggle has been replaced by the Deep Scan file exclusions setting. Your settings from the Microsoft 365 Deep Scan toggle carry over to the new Deep Scan file exclusions toggle:
- If your enterprise had the Microsoft 365 Deep Scan toggle turned on prior to the update, meaning Microsoft Office files were being deep scanned, they will continue to be deep scanned.
- If your enterprise had the Microsoft 365 Deep Scan toggle turned off, meaning Microsoft Office files were not being deep scanned, Deep Scan file exclusions will be automatically enabled. The following Microsoft Office file extensions are included by default: `.doc`, `.docm`, `.docx`, `.dotm`, `.dotx`, `.mpp`, `.mpt`, `.msg`, `.ost`, `.potm`, `.potx`, `.ppa`, `.ppam`, `.pps`, `.ppsm`, `.ppsx`, `.ppt`, `.pptm`, `.pptx`, `.pst`, `.sldm`, `.swf`, `.vsdm`, `.vsdx`, `.vssm`, `.vssx`, `.vstm`, `.vstx`, `.xlam`, `.xls`, `.xlsb`, `.xlsm`, `.xlsx`, `.xltm`, `.xltx`, `.xlw`
After the migration, you can modify this list at any time in the Deep Scan file exclusions setting.
Restrict downloads
Enable this to restrict the download of any files identified as containing malicious content. Preview and online editing will still be available. The default state is disabled.
- You can choose if you want the download restriction to be applied based on Deep Scan and/or Reputation Scan results.
- Once enabled, if a file is flagged as malicious by the chosen scan type(s), Box Shield automatically applies a download restriction on the file. This prevents an end user from downloading the file to their device.
Severity filter
Select a minimum severity level required for Deep Scan to flag a file as malicious. Raising the severity threshold reduces alert volume by filtering out lower-confidence detections.
The available severity levels are:
- Low and above: Detections at all severities (Low, Medium, High, Critical) trigger alerts. This option generates the highest alert volume, as it includes low-severity detections.
- Medium and above (Default, Recommended): Detections at Medium, High, and Critical trigger alerts. This option provides a balanced approach, maintaining strong detection coverage while keeping alert volume manageable.
- High and above: Detections at High and Critical trigger alerts. This option reduces alert volume by excluding medium-severity detections. Recommended if you are experiencing a high number of false positives.
- Critical only: Only Critical detections trigger alerts. This generates alerts only for the highest-severity detections and minimizes alert volume.
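The two settings above, the content-verified Deep Scan exclusion and the severity filter, can be modelled as one small decision function. This is an added illustration, not Box's own code: the magic-byte signatures, the treatment of unknown custom extensions, and the verdict severity strings are constructed for the example and are not documented by Box.

```python
import os

# Leading-byte signatures for some types in the page's Deep Scan table.
# Constructed for this example; a production scanner uses far more signatures.
EXPECTED_MAGIC = {
    ".pdf": (b"%PDF-",),
    ".exe": (b"MZ",), ".dll": (b"MZ",), ".scr": (b"MZ",), ".sys": (b"MZ",),
    ".elf": (b"\x7fELF",), ".so": (b"\x7fELF",),
    ".zip": (b"PK\x03\x04",), ".jar": (b"PK\x03\x04",),
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",), ".pptx": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0",), ".xls": (b"\xd0\xcf\x11\xe0",), ".ppt": (b"\xd0\xcf\x11\xe0",),
    ".rar": (b"Rar!\x1a\x07",),
}
ALL_KNOWN_MAGIC = tuple(m for sigs in EXPECTED_MAGIC.values() for m in sigs)

# Severity ladder used by the severity filter, lowest first (constructed labels).
SEVERITY_ORDER = ("low", "medium", "high", "critical")

def content_matches_extension(filename: str, head: bytes) -> bool:
    """True when the file's leading bytes are consistent with its extension."""
    ext = os.path.splitext(filename)[1].lower()
    expected = EXPECTED_MAGIC.get(ext)
    if expected is not None:
        return any(head.startswith(m) for m in expected)
    # Custom/proprietary extension (assumption): trust it unless the content is
    # recognisably some other known type, e.g. an ELF binary named ".custom".
    return not any(head.startswith(m) for m in ALL_KNOWN_MAGIC)

def deep_scan_applies(filename: str, head: bytes, exclusions: set[str]) -> bool:
    """An exclusion is honoured only when content and extension agree; a .exe
    renamed to .pdf is still deep scanned. Reputation Scan runs regardless."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in exclusions:
        return True
    return not content_matches_extension(filename, head)

def alert_fires(detected_severity: str, minimum_severity: str) -> bool:
    """Severity filter: only detections at or above the threshold alert."""
    return (SEVERITY_ORDER.index(detected_severity.lower())
            >= SEVERITY_ORDER.index(minimum_severity.lower()))

def evaluate_upload(filename, head, exclusions, minimum_severity, detected_severity):
    """Combine both settings. detected_severity is the Deep Scan verdict's
    severity, or None when the scan found nothing (constructed stand-in)."""
    if not deep_scan_applies(filename, head, exclusions):
        return "deep-scan-skipped"
    if detected_severity is None:
        return "clean"
    return "alert" if alert_fires(detected_severity, minimum_severity) else "suppressed"
```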
Malicious Content alerts
An alert will display in the Shield Dashboard when malicious content is detected.
Alerts include the Alert ID, date, the name and email address of the account holder whose activity triggered the alert, the risk score, and the IP address whose access triggered the alert.
To view an alert's details:
- Go to Admin Console > Shield.
- Click the Dashboard tab.
- (Optional) Filter the alerts for Malicious Content.
- In the alert list table, click an alert.
- Box displays the alert detail page.
The alert detail page displays the following:
- Alert Summary: overview of the alert including alert name, alert ID, alert type, risk score, alert created date, any download restrictions imposed, uploader of the malicious file and upload location.
- File Details: information regarding file name, file version, file hash, file size, version uploaded date, file created date and last modified date.
- Threat Details: Deep Scan and Reputation Scan results, when they were scanned, and malware family and description.
- Geographic Activities: location of the account's activity at the time of the alert.
- Uploader Activity: summarizes the account's activities, by activity type, at the time of the alert.
- File Activity: insights on the file after it was uploaded.
- Marking file as safe: allows the admin to mark the flagged file “as safe”; see mark files as safe for more information.
- Revert to malicious: becomes available if the admin has previously marked the file as safe.
- Modifying Files: if the file is marked as safe or reverted to malicious, 2 additional rows are added in file details for commenting and showing last override.
Note: You can view the number of alerts in the past week from the Detection Rules page. For longer timeframes, check the Shield Dashboard.
A feedback box is displayed on the dashboard after an alert. This enables you to provide suggestions and comments to Box, which helps improve the feature.
End user implications
- If a malicious payload is detected when uploading content, a red banner appears above the preview page to warn the end user.
- Shield malware Deep Scan metadata is added to the content flagging it as malicious.
- When download restrictions are active, end users are blocked from downloading and opening files with a desktop application. They can still preview, share, and edit (using online editors like Microsoft Office Online and Google Workspace):
  - If a file is marked safe, file restrictions are removed, enabling downloads and opening the file with a desktop application.
  - If a file is reverted to malicious, file restrictions are reinstated, disabling downloads and opening the file with a desktop application.
Alert actions and remediation
This detection rule can perform the following actions once a malicious file has been identified:
Restrict download
An automatic download restriction can be applied via the detection rule configuration page.
This restriction allows the end user to preview, share, and edit (using online editors like Microsoft Office Online and Google Workspace), but prevents the file from being downloaded to a device, where it could harm the user or organization.
Handling false positive verdicts
Any malware scan solution can have false positives and Shield’s Malicious Content detection rule is no exception. The Shield team is constantly evaluating the detection’s performance across our customer base, making updates and improving efficacy when possible. When reviewing a Malicious Content alert, it’s helpful to review the following questions:
- Is the threat reported from Reputation Scan, Deep Scan, or both?
- What is the reported priority?
- What type of file?
- Where did the file come from?
- Was the user expecting the file?
- Do you know the file sender?
Verdicts from each type of detection should be considered differently:
- Any malicious verdict from our Reputation Scan should be investigated, as false positives are very uncommon. Reputation Scan compares the file's hash against those in known malware libraries. If it finds a match, the likelihood of the verdict being a false positive is low. These verdicts should be treated as a higher priority.
- A malicious verdict from our Deep Scan should still be investigated, but there is a higher potential for false positives compared to the Reputation Scan. Deep Scan unpacks files and analyzes a host of different elements within the file; a combination of certain indicators could indicate malicious intent. However, only the file's creator/owner can fully validate the intent of the file.
If deeper analysis is needed for a particular file, you can click the Preview button on the alert page to open the file in Content Manager. Here you can download the file into a sandbox environment for further analysis.
If you identify patterns in false positive alerts, such as a specific file type consistently triggering Deep Scan, you can take action using detection rule configuration settings.
- Deep Scan file exclusions: Exclude specific file extensions from Deep Scan to prevent repeated false positives from known safe file types.
- Severity filter: Increase the minimum severity threshold required to trigger alerts.
These controls help reduce noise from low-risk detections while ensuring higher-risk threats are still surfaced.
Mark files as safe
If a file is flagged as malicious but is believed to be clean, a Shield admin can mark the file as safe within the Malicious Content alert page.
This action will lift any active download restrictions on the file and remove the malware banner that appears in the file preview page for end users.
Before marking a file as malicious, a comment is required to document the decision for the verdict override. An option is available to revert a file back to its original malicious verdict if required.