XYZ files are marked as potential ransomware

Michael_Perrin · ‎Jul 15 2021

We get a steady stream of alerts from users uploading files with .xyz extensions to M365. The majority of these we see are used by a software called matlab.

Is there a way to not mark these files as potential ransomware? I understand there is a ransomware variant that uses the same file extension but we've never seen an instance where this alert is a true positive and we've has many false positives related to this specific extension and alert.

Thanks

JaredPoeppelman · ‎Dec 06 2021

There is no way to do this in the portal, so I would recommend contacting support about this issue.

carpa4 · ‎Jan 12 2022

If you look into the template for the Ransomware policy you will see that .xyz is going to trigger the alert. If you remove this element from your ransomware policy, you'll get rid of the false positive alerts. The 'issue' is that real ransomware sometimes uses this extension so you lose a bit of functionality (though I can see why you would want to in this case)

XYZ files are marked as potential ransomware

XYZ files are marked as potential ransomware

Re: XYZ files are marked as potential ransomware

Re: XYZ files are marked as potential ransomware

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

XYZ files are marked as potential ransomware

XYZ files are marked as potential ransomware

Re: XYZ files are marked as potential ransomware

Re: XYZ files are marked as potential ransomware