Michael_Perrin
Copper Contributor
Jul 15, 2021

XYZ files are marked as potential ransomware

We get a steady stream of alerts from users uploading files with .xyz extensions to M365. The majority of these we see are used by software called MATLAB.

Is there a way to not mark these files as potential ransomware? I understand there is a ransomware variant that uses the same file extension, but we've never seen an instance where this alert is a true positive and we've had many false positives related to this specific extension and alert.

Thanks

2 Replies

  • carpa4
    Copper Contributor
    If you look into the template for the Ransomware policy you will see that .xyz is going to trigger the alert. If you remove this element from your ransomware policy, you'll get rid of the false positive alerts. The 'issue' is that real ransomware sometimes uses this extension, so you lose a bit of functionality (though I can see why you would want to in this case).
  • There is no way to do this in the portal, so I would recommend contacting support about this issue.
