If your Microsoft 365 backup job report or job log shows a warning like this:
Failed to backup item: <file path>, Item may have a virus reported by the virus scanner plug-in
a file in your OneDrive, SharePoint Online, or Microsoft Teams data has been flagged by Microsoft’s malware scanning. When our backup service attempts to read the file through Microsoft 365 APIs, that download is blocked by SharePoint Online’s malware protection. The file cannot be backed up until the Microsoft-side malware status is resolved. Every other item in that location processes normally.
The supported workflow comes directly from Microsoft. The full Microsoft article is here: Resolve false positive malware detections. The summary below covers the practical steps.
Step 1: Investigate before assuming it’s a false positive
Look at the file path in the warning before doing anything else. Many of these detections are accurate. Categories that are commonly legitimate detections:
- Software activation tools, keygens, and license cracks
- Installers for pirated or unlicensed software
- Older freeware now classified as PUA or bundled adware
- Macros in legacy Office documents
If the file looks suspicious based on path, owner, or filename, the right action is to delete it from the tenant. If you want to verify, scan a copy with your endpoint antivirus or submit it to VirusTotal for a multi-engine check before deciding. Handle that copy as you would any malware sample: keep it off synced folders and out of the user's profile, and do not open it. Remember that uploading to VirusTotal shares the file with third parties, so skip that route for documents containing confidential data. Only proceed to submission if you are confident the file is clean.
Step 2: Identify the engine that flagged the file
Microsoft documents four methods. Pick the one that fits your access and what you need to find.
- Quarantine Files tab (UI, simple). Best for browsing what is currently flagged in your tenant. Go to Email & collaboration > Review > Quarantine, then click the Files tab (the page opens on the Email tab by default). Direct link: https://security.microsoft.com/quarantine?viewid=Files. The “Detected by” column shows “AV” for signature detection or “MDO” for Safe Attachments. Requires Defender for Office 365 Plan 1 or Plan 2 licensing.
- Threat Explorer or Real-time Detections (UI, broader). Best for investigating detection events tenant-wide, not just currently-quarantined files. Use Threat Explorer (Defender for Office 365 Plan 2) or Real-time Detections (Defender for Office 365 Plan 1). In the Content malware view, the “Detection technology” field shows “Antimalware protection” for signature detection or “File detonation” / “File reputation” for Safe Attachments.
- Microsoft Purview Audit log (advanced). Best for historical detections, including files that are no longer in quarantine or have been deleted. Search the audit log for FileMalwareDetected operations. The VirusVendor field shows Default for signature-based detection or Advanced Threat Protection for Safe Attachments. The VirusInfo field contains the full malware variant name. Default retention is 180 days. See Search the audit log.
- SharePoint Online PowerShell (advanced, no Defender licensing required). Best for looking up a specific file by URI, which is the most direct match for a file referenced in a backup job log. Run:
  Get-SPOMalwareFile -FileUri '<full SharePoint URL to the file>'
  Check the MalwareInfo field. A forward slash in the value (e.g. Win32/CryptInject!MSR) means signature-based detection (Microsoft 365's built-in virus protection). Underscores or the text "Malicious Payload" (e.g. Trojan_PDF_LinkedUrlCookie_A) means Safe Attachments detonation (Defender for Office 365).
Step 3: Submit the file to Microsoft
Download the file from the Quarantine Files tab if available, or use Get-SPOMalwareFileContent from SharePoint Online PowerShell. Treat the file as malicious until you have confirmed otherwise. Both submission paths below live under Email & collaboration > Submissions in the Defender portal, but use different tabs depending on which engine flagged the file:
- Safe Attachments detection (MDO): Click the Email attachments tab. Despite the tab name, this is also where SharePoint, OneDrive, and Teams files are submitted. Select I’ve confirmed it’s clean, then Allow this file to create an allow entry on the Tenant Allow/Block List. Direct link: https://security.microsoft.com/reportsubmission?viewid=emailAttachment.
- Signature detection (AV): Click the Files tab. This tab requires Defender XDR or Defender for Endpoint Plan 2 licensing. If it isn’t available in your tenant, submit through the Microsoft Security Intelligence portal instead. Direct link: https://security.microsoft.com/reportsubmission?viewid=fileSubmissions.
Note that both the Quarantine page (Step 2) and the Submissions page (Step 3) have a tab named “Files.” They are different pages with different purposes: Quarantine shows files already flagged in your tenant; Submissions is where you send files to Microsoft for review.
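The PowerShell route in Step 2 and the download step in Step 3 can be scripted together so that every path from a backup job log is classified and routed to the right Submissions tab in one pass. The script below is an added example for this article, not code from the original page or from Microsoft. It assumes the SharePoint Online Management Shell (and, for the optional audit search, Exchange Online PowerShell) is installed, that the account is a SharePoint admin, and that the admin URL and file URLs are placeholders you replace with your own. The MalwareInfo, VirusVendor and VirusInfo property names and the FileMalwareDetected operation are the ones the steps above cite; treating ObjectId as the audit record's file URL is an assumption, as is the -Path parameter of Get-SPOMalwareFileContent, so check both against your module version.

```powershell
# Added example; not code from the original article or from Microsoft.
# Assumptions (not from the page): SharePoint Online Management Shell and Exchange Online
# modules are installed, the account is a SharePoint admin (plus audit reader for
# -IncludeAuditLog), and the URLs below are placeholders for your tenant's values.
# ObjectId as the audit record's file URL and -Path on Get-SPOMalwareFileContent are assumptions.
param(
    [string]   $AdminUrl        = 'https://contoso-admin.sharepoint.com',
    [string[]] $FileUri         = @('https://contoso.sharepoint.com/sites/Finance/Shared Documents/keygen.exe'),
    [string]   $DownloadDir     = (Join-Path $env:TEMP 'm365-malware-review'),
    [switch]   $Download,
    [switch]   $IncludeAuditLog
)

# Rule of thumb from Step 2: a forward slash in MalwareInfo (Win32/CryptInject!MSR) is the
# signature engine (AV); underscores or "Malicious Payload" (Trojan_PDF_LinkedUrlCookie_A)
# is Safe Attachments (MDO). Anything else needs a second source before submitting.
function Get-DetectionEngine {
    param([string] $MalwareInfo)
    if ([string]::IsNullOrWhiteSpace($MalwareInfo)) { return 'Unknown' }
    if ($MalwareInfo -like '*/*') { return 'AV' }
    if ($MalwareInfo -like '*_*' -or $MalwareInfo -like '*Malicious Payload*') { return 'MDO' }
    return 'Unknown'
}

# Map the engine to the Submissions tab described in Step 3.
function Get-SubmissionPath {
    param([string] $Engine)
    switch ($Engine) {
        'AV'    { 'Submissions > Files tab (or the Microsoft Security Intelligence portal if that tab is unlicensed)' }
        'MDO'   { 'Submissions > Email attachments tab, then "I''ve confirmed it''s clean" > "Allow this file"' }
        default { 'Confirm the engine via the Quarantine "Detected by" column or the audit log before submitting' }
    }
}

Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
Connect-SPOService -Url $AdminUrl

# Optional: historical detections from the Purview audit log (180-day default retention),
# which still answer for files that have since been deleted and no longer resolve by URI.
$auditByUrl = @{}
if ($IncludeAuditLog) {
    Connect-ExchangeOnline -ShowBanner:$false
    $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-180) -EndDate (Get-Date) `
        -Operations FileMalwareDetected -ResultSize 5000
    foreach ($r in $records) {
        $d = $r.AuditData | ConvertFrom-Json
        $auditByUrl[$d.ObjectId] = $d   # assumption: ObjectId carries the full file URL
    }
}

$report = foreach ($uri in $FileUri) {
    $info   = Get-SPOMalwareFile -FileUri $uri -ErrorAction SilentlyContinue
    $engine = Get-DetectionEngine -MalwareInfo $info.MalwareInfo
    $audit  = $auditByUrl[$uri]
    if ($engine -eq 'Unknown' -and $audit) {
        # VirusVendor "Default" = signature engine; "Advanced Threat Protection" = Safe Attachments
        $engine = if ($audit.VirusVendor -eq 'Default') { 'AV' } elseif ($audit.VirusVendor) { 'MDO' } else { 'Unknown' }
    }
    $local = $null
    if ($Download -and $info) {
        # Step 3: pull the blocked file for submission. Treat it as malicious until Microsoft says
        # otherwise; the .blocked suffix keeps it from launching on a double-click.
        New-Item -ItemType Directory -Path $DownloadDir -Force | Out-Null
        $local = Join-Path $DownloadDir ((Split-Path $uri -Leaf) + '.blocked')
        Get-SPOMalwareFileContent -FileUri $uri -Path $local
    }
    [pscustomobject]@{
        FileUri        = $uri
        MalwareInfo    = $info.MalwareInfo
        AuditVirusInfo = $audit.VirusInfo
        Engine         = $engine
        SubmitVia      = Get-SubmissionPath -Engine $engine
        LocalCopy      = $local
    }
}
$report | Format-List
```

Run it with the file URLs copied from the backup job log, for example `.\Resolve-BlockedFile.ps1 -FileUri $urls -Download -IncludeAuditLog`, and keep the resulting report alongside the submission: the MalwareInfo and VirusInfo values are exactly what Microsoft Support asks for in Step 4 if a file stays blocked past 30 days. The classification is only the heuristic from Step 2, so an Unknown result should be confirmed in the Quarantine page rather than guessed.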
Step 4: Wait for Microsoft to verify
Submission is the realistic path for most cases. Once Microsoft processes the submission and either updates their definitions or adds an allow entry on the Tenant Allow/Block List, the file becomes accessible again. The next backup run picks it up automatically and the warning clears. Turnaround time is at Microsoft’s discretion.
If the file appears in the Defender Quarantine Files tab, an admin may also be able to release it from quarantine within 30 days using the Release file action. Note that the Defender Quarantine for files primarily holds files quarantined by Safe Attachments in tenants with Defender for Office 365 Plan 1 or Plan 2. Files flagged by Microsoft 365’s built-in signature scanning are typically blocked in place rather than placed in the Defender Quarantine, so the Release action often does not apply. Where it does apply, releasing is a separate action from submitting; releasing unblocks the current file but does not by itself correct the detection for future scans. Submit the file as in Step 3 if you want the detection reviewed and corrected.
For files that remain blocked longer than 30 days, contact Microsoft Support with the file path, the Get-SPOMalwareFile output, and your evidence that the file is safe.
What is not possible
The base Microsoft 365 virus scanning that flags files in SharePoint, OneDrive, and Teams is not something a backup service can bypass. Defender for Office 365 Safe Attachments is an additional layer that may be configurable by the tenant, but disabling or changing that setting is a tenant security decision and does not give a backup application permission to ignore a Microsoft malware block. The base engine cannot be disabled at the tenant level, cannot be excluded by file, library, site, user, or extension, and cannot be bypassed by any application permission. We confirmed this directly with Microsoft Support. Per-file submission and review through the Defender portal is the only supported path.