Malware in Cloud Drives

Coro searches for and removes files containing malware code to prevent the spread of malware via cloud drives. The cloud applications that Coro currently monitors are:

  • Microsoft 365
  • Google Workspace
  • Dropbox
  • Box
  • Salesforce
  • Slack

Some of these services include partial malware detection and remediation. Coro complements this to provide comprehensive malware detection and remediation.

When a user accidentally uploads a file containing ransomware or another type of malware, or shares it with other users within an organization, the file itself is not harmful. The danger lies in the processes that such a file starts, and these processes can only be created on the customer's endpoint devices or servers. The risk therefore increases when the file is synced with an endpoint or any other device owned by the organization. Furthermore, these devices may not be protected by Coro.

All malicious files that Coro detects are automatically moved to a quarantine folder (Suspected) located offsite from the organization to prevent further damage. All Malware in Cloud Drive tickets are classified as suggested for review, meaning the admin user must review the ticket and take action accordingly.

Coro provides two actions for dealing directly with files infected by suspected malware:

  • Approve file: For a false-positive identification, or where you know for certain that the affected file is safe, you can approve the affected file and return it from quarantine to its original location.

  • Delete file: The affected file is permanently removed.

Approve or delete malware actions

Malware identified by the cloud application

In some cases, the cloud application might identify the malware before Coro does and block the file from being sent to the quarantine folder. When that happens, Coro still identifies the malware event and raises a ticket in the Ticket Log, but no remediation action on the file is necessary.

An admin user can still review the tickets that Coro raises to report the malware identification, and can still perform actions such as suspending the user or closing the ticket. However, because the cloud application has already dealt with the threat, the Approve file and Delete file actions are not presented.