Malware scan types
Box Shield applies a metadata template on every file that is flagged as malicious. An alert is generated in the Box UI, with an additional alert event generated if the admin enabled the Publish alert to Box Event Stream toggle when they enabled the detection rule. We do not give updates for files that were scanned and identified as safe.

| | Reputation Scan | Deep Scan |
| --- | --- | --- |
| Type of Scan | Compares the file hash with hashes within known malware libraries from 30+ leading malware scan vendors. If the hash is identified within one of the malware libraries, it will trigger a malicious verdict. | Recursively unpacks files to recognize suspicious indicators and identify more sophisticated malware (a form of static analysis scanning). The scan is extended to all active content, which means the malware scan is triggered for any of the enterprise's previously unscanned files on the next preview, share, download, or edit. Scans external files that are accessed by managed users to reduce third party risk. |
| When is a Scan Triggered? | | |
| What file sizes are supported? | Supports all file sizes | Files up to 200MB |
| What file types are supported? | Supports all file types | See: File types supported by Malware Deep Scan |
File types supported by Malware Deep Scan
Malware Deep Scan automatically analyzes several file types that can be riskier than everyday file types, and can optionally analyze Microsoft Office files. This section lists some of the file types that can be deep scanned:

| File Category | File Type |
| --- | --- |
| Compressed/Archive File Types | .7z, .bz2, .gzip, .jar, .rar, .tar, .tar.bz2, .tar.gz, .tar.z, .xar, .zip |
| Executable File Types | .bundle, .dll, .dylib, .elf (ELF 32 & ELF 64 compiled for Intel 80386 & 80360 and AMD x86-64), .exe, Mach-O 32, Mach-O 64, Mach-O ARM, Mach-O FAT, .o, .ocx, PE 32, PE 64, .scr, .so, .sys |
| Document File Types | .doc, .docm, .docx, .hwp, .jdt, .mht, .pdf, .ppt, .pptm, .pptx, .rtf, .sylk, .xls, .xlsm, .xlsx |
| Graphic File Types | .tiff |
| Disk Image File Types | .dmg (AppleDisk, KolyDMG, GPTDisk, HFSPlu), ISO9960 |
| Other File Types | EICAR, .lnk, .msg, .otf, .ttf |
Create, edit, and delete the Malicious Content detection rule
To enable this detection rule, you need admin rights (or co-admin rights with the Create, edit, and delete Shield configuration for your company permission enabled) in an account with the Box Shield add-on enabled.

Malicious Content specific settings
Deep Scan file exclusions
Enable this setting to exclude specific file extensions from Deep Scan. Excluded file types are still scanned by Reputation Scan, so your environment maintains baseline malware protection. The default state is disabled.

- You can exclude any file extension, including custom or proprietary extensions.
- Up to 10,000 file extensions can be added to the exclusion list.

.doc, .docm, .docx, .dotm, .dotx, .mpp, .mpt, .msg, .ost, .potm, .potx, .ppa, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .pst, .sldm, .swf, .vsdm, .vsdx, .vssm, .vssx, .vstm, .vstx, .xlam, .xls, .xlsb, .xlsm, .xlsx, .xltm, .xltx, .xlw

- If your enterprise had the Microsoft 365 Deep Scan toggle turned on prior to the update, meaning Microsoft Office files were being deep scanned, they will continue to be deep scanned.
Restrict downloads
Enable this to restrict the download of any files identified as containing malicious content. Preview and online editing will still be available. The default state is disabled.

- You can choose whether the download restriction is applied based on Deep Scan and/or Reputation Scan results.
- Once enabled, if a file is flagged as malicious by the chosen scan type(s), Box Shield automatically applies a download restriction on the file. This prevents an end user from downloading the file to their device.
Severity filter
Select the minimum severity level required for Deep Scan to flag a file as malicious. Raising the severity threshold reduces alert volume by filtering out lower-confidence detections. The available severity levels are:

- Low and above: Detections at all severities (Low, Medium, High, Critical) trigger alerts. This option generates the highest alert volume, as it includes low-severity detections.
- Medium and above (Default, Recommended): Detections at Medium, High, and Critical trigger alerts. This option provides a balanced approach, maintaining strong detection coverage while keeping alert volume manageable.
- High and above: Detections at High and Critical trigger alerts. This option reduces alert volume by excluding medium-severity detections. Recommended if you are experiencing a high number of false positives.
- Critical only: Only Critical detections trigger alerts. This generates alerts only for the highest-severity detections and minimizes alert volume.
Malicious Content alerts
An alert will display in the Shield Dashboard when malicious content is detected. Alerts include the Alert ID, date, the name and email address of the account holder whose activity triggered the alert, the risk score, and the IP address whose access triggered the alert. To view an alert's details:

- Go to Admin Console > Shield.
- Click the Dashboard tab.
- (Optional) Filter the alerts for Malicious Content.
- In the alert list table, click an alert.
- Box displays the alert detail page, which contains the following sections:
  - Alert Summary: overview of the alert including alert name, alert ID, alert type, risk score, alert created date, any download restrictions imposed, uploader of the malicious file and upload location.
  - File Details: information regarding file name, file version, file hash, file size, version uploaded date, file created date and last modified date.
  - Threat Details: Deep Scan and Reputation Scan results, when they were scanned, and malware family and description.
  - Geographic Activities: location of the account's activity at the time of the alert.
  - Uploader Activity: summarizes the account's activities, by activity type, at the time of the alert.
  - File Activity: insights on the file after it was uploaded.
  - Marking file as safe: allows the admin to mark the flagged file "as safe"; see mark files as safe for more information.
  - Revert to malicious: becomes available if the admin has previously marked the file as safe.
  - Modifying Files: if the file is marked as safe or reverted to malicious, 2 additional rows are added in file details for commenting and showing the last override.
End user implications
When download restrictions are active, end users are blocked from downloading and opening files with a desktop application. They can still preview, share, and edit (using online editors like Microsoft Office Online and Google Workspace):

- If a file is marked safe, file restrictions are removed, enabling downloads and opening the file with a desktop application.
- If a file is reverted to malicious, file restrictions are reinstated, disabling downloads and opening the file with a desktop application.
Alert actions and remediation
This detection rule can perform the following actions once a malicious file has been identified:

Restrict download

An automatic download restriction can be applied via the detection rule configuration page. This restriction allows the end user to preview, share, and edit (using online editors like Microsoft Office Online and Google Workspace), but prevents the file from being downloaded to a device where it could harm the user or organization.

Handling false positive verdicts

Any malware scan solution can have false positives, and Shield's Malicious Content detection rule is no exception. The Shield team is constantly evaluating the detection's performance across our customer base, making updates and improving efficacy when possible. When reviewing a Malicious Content alert, it's helpful to consider the following questions:

- Is the threat reported from Reputation Scan, Deep Scan, or both?
- What is the reported priority?
- What type of file?
- Where did the file come from?
- Was the user expecting the file?
- Do you know the file sender?

How much weight to give each verdict:

- Any malicious verdict from our Reputation Scan should be investigated, as false positives are very uncommon. Reputation Scan compares the file's hash against those in known malware libraries. If it finds a match, the likelihood of the verdict being a false positive is low. These verdicts should be treated as a higher priority.
- A malicious verdict from our Deep Scan should still be investigated, but there is a higher potential for false positives compared to the Reputation Scan. Deep Scan will unpack files and analyze a host of different elements within the file - a combination of certain indicators could indicate malicious intent; however, only the file's creator/owner can fully validate the intent of the file.

Two rule settings help reduce repeated false positives:

- Deep Scan file exclusions: Exclude specific file extensions from Deep Scan to prevent repeated false positives from known safe file types.
- Severity filter: Increase the minimum severity threshold required to trigger alerts.
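The following is an added illustration, not Box code, of how the settings described above (Deep Scan exclusions, the 200MB Deep Scan limit, the severity filter and the per-scan-type download restriction) combine with the triage guidance for Reputation Scan versus Deep Scan verdicts. The `RuleConfig` and `ScanResult` shapes and the sample files are constructed for the example and do not correspond to any Box API object.

```python
# Added illustration of how the Malicious Content rule settings combine; not Box code.
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

SEVERITIES = ("Low", "Medium", "High", "Critical")  # order used by the severity filter
DEEP_SCAN_MAX_MB = 200                                # Deep Scan size limit from the page

@dataclass
class RuleConfig:
    min_severity: str = "Medium"                      # "Medium and above" is the default
    deep_scan_exclusions: Set[str] = field(default_factory=set)  # extensions Deep Scan skips
    restrict_on: Set[str] = field(default_factory=lambda: {"reputation", "deep"})

@dataclass
class ScanResult:
    """Constructed verdicts for one file (hypothetical shape, not a Box API object)."""
    name: str
    size_mb: float
    reputation_match: bool                 # hash matched a known-malware library
    deep_scan_severity: Optional[str]      # None when Deep Scan found nothing

def deep_scan_applies(name: str, size_mb: float, cfg: RuleConfig) -> bool:
    """Deep Scan only covers files within the size limit and not on the exclusion list."""
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""  # last extension only
    return size_mb <= DEEP_SCAN_MAX_MB and ext not in cfg.deep_scan_exclusions

def evaluate(r: ScanResult, cfg: RuleConfig) -> Tuple[bool, bool, str]:
    """Return (alert raised, download restricted, triage priority) for one file."""
    reasons = []
    if r.reputation_match:                 # Reputation Scan covers all sizes and types
        reasons.append("reputation")
    if r.deep_scan_severity and deep_scan_applies(r.name, r.size_mb, cfg) \
            and SEVERITIES.index(r.deep_scan_severity) >= SEVERITIES.index(cfg.min_severity):
        reasons.append("deep")
    alert = bool(reasons)
    restrict = bool(set(reasons) & cfg.restrict_on)
    # Hash matches are rarely false positives; Deep Scan-only hits need a closer look.
    priority = "high" if "reputation" in reasons else ("investigate" if alert else "none")
    return alert, restrict, priority

if __name__ == "__main__":
    cfg = RuleConfig(deep_scan_exclusions={".docx"}, restrict_on={"reputation"})
    samples = [ScanResult("tool.exe", 1, True, None),
               ScanResult("report.docx", 5, False, "Critical"),
               ScanResult("archive.zip", 250, False, "High"),
               ScanResult("invoice.pdf", 5, False, "Low")]
    for s in samples:
        print(s.name, evaluate(s, cfg))
```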