XYZ files are marked as potential ransomware


We get a steady stream of alerts from users uploading files with .xyz extensions to M365. The majority of these we see are used by a software called MATLAB.

Is there a way to not mark these files as potential ransomware? I understand there is a ransomware variant that uses the same file extension, but we've never seen an instance where this alert is a true positive, and we've had many false positives related to this specific extension and alert.

Thanks

2 Replies
There is no way to do this in the portal, so I would recommend contacting support about this issue.
If you look into the template for the Ransomware policy you will see that .xyz is going to trigger the alert. If you remove this element from your ransomware policy, you'll get rid of the false positive alerts. The 'issue' is that real ransomware sometimes uses this extension, so you lose a bit of functionality (though I can see why you would want to in this case).
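As an added illustration (not code from the thread or from Microsoft), the Python below models the trade-off the second reply describes: dropping .xyz from the per-file extension list removes the MATLAB false positives, and a compensating burst check (my assumption, not a portal feature) still raises an alert when one account uploads many .xyz files in a short window, which is the pattern a real encryption run would produce. The extension lists and upload events are constructed samples.

```python
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed subset of extensions; the real template list lives in the portal.
TEMPLATE_EXTENSIONS = {".locky", ".cerber", ".xyz"}
# Tuned policy after removing .xyz, as the reply suggests.
TUNED_EXTENSIONS = TEMPLATE_EXTENSIONS - {".xyz"}
# Extensions demoted from per-file alerts but still watched for bursts (assumed control).
DEMOTED_EXTENSIONS = {".xyz"}


def extension_of(filename):
    return os.path.splitext(filename)[1].lower()


def triage(events, per_file, demoted, burst_threshold=5, window=timedelta(minutes=10)):
    """Return (user, reason, detail) alerts for a list of file-upload events."""
    alerts = []
    recent = defaultdict(list)  # (user, ext) -> upload times inside the window
    for ev in sorted(events, key=lambda e: e["time"]):
        ext = extension_of(ev["file"])
        if ext in per_file:
            # Classic template behaviour: one alert per matching file.
            alerts.append((ev["user"], "extension", ev["file"]))
        elif ext in demoted:
            times = recent[(ev["user"], ext)]
            times.append(ev["time"])
            while times and ev["time"] - times[0] > window:
                times.pop(0)  # slide the window forward
            if len(times) == burst_threshold:
                alerts.append((ev["user"], "burst", f"{len(times)} {ext} files in {window}"))
    return alerts


# Constructed sample: one MATLAB export, one obvious ransomware file, one burst.
T0 = datetime(2021, 7, 1, 9, 0)
SAMPLE_EVENTS = [
    {"user": "alice", "file": "sim_results.xyz", "time": T0},
    {"user": "bob", "file": "report.docx.locky", "time": T0 + timedelta(minutes=1)},
] + [
    {"user": "mallory", "file": f"doc{i}.xyz", "time": T0 + timedelta(seconds=30 * i)}
    for i in range(6)
]

if __name__ == "__main__":
    print("template policy:", triage(SAMPLE_EVENTS, TEMPLATE_EXTENSIONS, set()))
    print("tuned policy:   ", triage(SAMPLE_EVENTS, TUNED_EXTENSIONS, DEMOTED_EXTENSIONS))
```

With the template list every .xyz upload alerts (eight alerts here, including alice's single export); with the tuned list only bob's .locky file and mallory's burst remain.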