How to Scan a SharePoint Online Site Drive for Hidden Threats using Node.js
Team file storage locations like a SharePoint Online Site Drive see a lot of file traffic, and that makes them a worthwhile target for threat actors. Because carefully obfuscated malware can slip past signature-based antivirus, a single scan at upload time is not enough: files already sitting in storage should be scanned actively, and repeatedly, for hidden threats.
Rather than simply performing redundant virus and malware scans, we should also aim to weed out file types that are inherently threatening and unnecessary for our team's purposes. If, for example, we notice an executable or a script file sitting in our Site Drive, we should certainly flag it and (at minimum) quarantine it so one of our team members doesn't accidentally execute its contents. It may be harmless, but it almost certainly doesn't belong there, even if an earlier virus scan failed to identify malicious code.
Using the ready-to-run code examples provided below, we can take advantage of a free API that scans files in Site Drive storage for viruses & malware (using a combination of zero-day threat detection and signature-based scanning methods) AND identifies threatening file types through in-depth content verification. The latter looks past the file extension and identifies content types at the file encoding level.
We can use this scan to set custom rules against threatening file types in storage, blocking executables, invalid file types (content that does not match the declared format), password-protected files, scripts, and more. In addition, we can submit a comma-separated file extension whitelist in our request to block all file types outside of a select few. We could, for example, submit '.pdf,.docx,.xlsx' if we know we don't need any file types outside of those three common formats. We can authorize our requests with a free-tier API key, which allows up to 800 scans per month (with no additional commitments upon reaching our limit).
To structure our API call, we can start by installing the SDK. We can either do so by running this command:
npm install cloudmersive-virus-api-client --save
Or by adding this snippet to our package.json:
"dependencies": {
"cloudmersive-virus-api-client": "^1.1.9"
}
Next, we’ll need to retrieve some information to target specific files in our SharePoint Site Drive location:
- Client ID — our Client ID access credentials (from the Azure Active Directory app registration)
- Client Secret — our Client Secret access credentials (treat this like a password: load it from the environment or a secret store, never from source)
- SharePoint Domain Name — our SharePoint Online domain name, such as mydomain.sharepoint.com
- Site ID — the Site ID (GUID) of the SharePoint site we want to retrieve our file from
- (Optional) Tenant ID — the Tenant ID of our Azure Active Directory
- File Path — the path to the file we want to scan within our Site Drive, such as 'hello.pdf' or '/folder/subfolder/world.pdf' (if the path contains Unicode characters, we'll need to base64 encode the path itself, not the file, and prepend it with 'base64:')
- Item ID — our SharePoint item ID, such as a DriveItem ID
When we have all that information ready, we can copy the code below into our file and configure our request parameters. Each allow* boolean controls one threat rule: false blocks that category (the API default and the recommended setting), true lets it through. We can submit our comma-separated whitelist in the restrictFileTypes parameter:
var CloudmersiveVirusApiClient = require('cloudmersive-virus-api-client');
var defaultClient = CloudmersiveVirusApiClient.ApiClient.instance;
// Configure API key authorization: Apikey (read from the environment so the key is never committed to source)
var Apikey = defaultClient.authentications['Apikey'];
Apikey.apiKey = process.env.CLOUDMERSIVE_API_KEY;
var apiInstance = new CloudmersiveVirusApiClient.ScanCloudStorageApi();
// Azure Active Directory application credentials for the SharePoint tenant; the secret is loaded from the environment, not hard-coded
var clientID = process.env.AZURE_CLIENT_ID; // String | Client ID access credentials
var clientSecret = process.env.AZURE_CLIENT_SECRET; // String | Client Secret access credentials
var sharepointDomainName = "mydomain.sharepoint.com"; // String | SharePoint Online domain name
var siteID = "siteID_example"; // String | Site ID (GUID) of the SharePoint site you wish to retrieve the file from
var opts = {
  'tenantID': "tenantID_example", // String | Optional; Tenant ID of your Azure Active Directory
  // Identify the target file by its path and/or its DriveItem ID
  'filePath': "/folder/subfolder/world.pdf", // String | Path to the file within the drive, such as 'hello.pdf' or '/folder/subfolder/world.pdf'. If the path contains Unicode characters, base64 encode the path and prepend 'base64:', such as 'base64:6ZWV6ZWV6ZWV6ZWV6ZWV6ZWV'.
  'itemID': "itemID_example", // String | SharePoint itemID, such as a DriveItem Id
  // Threat rules: false blocks the category (API default, recommended); true would allow it through
  'allowExecutables': false, // Boolean | block executable files (program code)
  'allowInvalidFiles': false, // Boolean | block files whose content does not match their declared type, e.g. a "PDF" that is not a valid PDF or a Word document that is not a valid Word document
  'allowScripts': false, // Boolean | block script files such as PHP or Python scripts
  'allowPasswordProtectedFiles': false, // Boolean | block password-protected and encrypted files (e.g. encrypted zip and rar), which are opaque to scanning
  'allowMacros': false, // Boolean | block Word, Excel and PowerPoint documents with embedded macros
  'allowXmlExternalEntities': false, // Boolean | block XML files that declare external entities (XXE)
  'restrictFileTypes': ".pdf,.docx,.xlsx" // String | Comma-separated whitelist of file formats; every file must pass content verification against this list or the result is CleanResult=false. Set to null or an empty string to disable (the default).
};
var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    // data is a result object; stringify it so the individual result fields are readable rather than "[object Object]"
    console.log('API called successfully. Returned data: ' + JSON.stringify(data, null, 2));
  }
};
apiInstance.scanCloudStorageScanSharePointOnlineFileAdvanced(clientID, clientSecret, sharepointDomainName, siteID, opts, callback);
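The SDK call above only returns a result object; deciding what to do with it is still our job. The following is an added example, not code from the original page or from the Cloudmersive SDK, showing the glue a practitioner would put around that call: encoding a Unicode file path with the 'base64:' prefix the filePath parameter requires, building the opts object with every allow* rule off and a normalized extension whitelist, and turning a scan result into an allow / quarantine / retry decision. The result field names it reads (Successful, CleanResult, ContainsViruses, ContainsExecutable, ContainsScript, ContainsInvalidFile, ContainsPasswordProtectedFile, ContainsMacros, ContainsXmlExternalEntities, ContainsRestrictedFileFormat, FoundViruses, ErrorDetailedDescription) are an assumption about the SDK's result object, so the policy treats any missing field as false and falls back to CleanResult; the two sample results at the bottom are constructed for illustration, not real API output.

```javascript
// Added example (not from the original page or the Cloudmersive SDK).
// Result field names below are assumed; unknown fields count as false.

// The filePath parameter must be base64-encoded and prefixed with 'base64:'
// when it contains non-ASCII characters; plain ASCII paths are passed as-is.
function encodeFilePath(filePath) {
  if (/^[\x00-\x7F]*$/.test(filePath)) return filePath;
  return 'base64:' + Buffer.from(filePath, 'utf8').toString('base64');
}

// Reverse of encodeFilePath, used to verify the round trip.
function decodeFilePath(encoded) {
  if (!encoded.startsWith('base64:')) return encoded;
  return Buffer.from(encoded.slice('base64:'.length), 'base64').toString('utf8');
}

// Build the opts object for scanCloudStorageScanSharePointOnlineFileAdvanced:
// every allow* rule off (the API's recommended default) plus an extension
// whitelist normalized to lower case with a leading dot, so "DOCX" and
// " xlsx " become ".docx" and ".xlsx". tenantID is optional.
function buildScanOptions(filePath, allowedExtensions, tenantID) {
  const restrict = allowedExtensions
    .map((e) => e.trim().toLowerCase())
    .filter((e) => e.length > 0)
    .map((e) => (e.startsWith('.') ? e : '.' + e))
    .join(',');
  const opts = {
    filePath: encodeFilePath(filePath),
    allowExecutables: false,
    allowInvalidFiles: false,
    allowScripts: false,
    allowPasswordProtectedFiles: false,
    allowMacros: false,
    allowXmlExternalEntities: false,
    restrictFileTypes: restrict,
  };
  if (tenantID) opts.tenantID = tenantID;
  return opts;
}

// Map a scan result onto an action: { action: 'allow'|'quarantine'|'retry', reasons }.
// A scan that did not complete is retried rather than treated as clean.
function classifyScanResult(result) {
  if (!result || result.Successful === false) {
    const why = (result && result.ErrorDetailedDescription) || 'scan did not complete';
    return { action: 'retry', reasons: [why] };
  }
  const flags = [
    ['ContainsViruses', 'virus signature or zero-day detection'],
    ['ContainsExecutable', 'executable content'],
    ['ContainsScript', 'script content'],
    ['ContainsInvalidFile', 'content does not match declared type'],
    ['ContainsPasswordProtectedFile', 'password protected or encrypted'],
    ['ContainsMacros', 'embedded macros'],
    ['ContainsXmlExternalEntities', 'XML external entities'],
    ['ContainsRestrictedFileFormat', 'format outside whitelist'],
  ];
  const reasons = flags.filter(([k]) => result[k] === true).map(([, why]) => why);
  if (Array.isArray(result.FoundViruses)) {
    for (const v of result.FoundViruses) reasons.push('signature: ' + (v.VirusName || 'unknown'));
  }
  // Fail closed: CleanResult=false with no recognised flag is still a quarantine.
  if (result.CleanResult === false && reasons.length === 0) reasons.push('CleanResult=false');
  return { action: reasons.length > 0 ? 'quarantine' : 'allow', reasons };
}

// Constructed sample results (illustrative, not real API output).
const SAMPLE_CLEAN = { Successful: true, CleanResult: true, VerifiedFileFormat: '.pdf', FileSize: 12345 };
// An executable renamed to .pdf: content verification flags both the executable and the type mismatch.
const SAMPLE_EXE_RENAMED = { Successful: true, CleanResult: false, ContainsExecutable: true, ContainsInvalidFile: true, VerifiedFileFormat: '.exe' };

console.log(buildScanOptions('/Shared Documents/報告.pdf', ['.pdf', 'DOCX', ' xlsx ']));
console.log(classifyScanResult(SAMPLE_EXE_RENAMED));
```

In the real call this replaces the literal opts object and the console.log in the callback: pass buildScanOptions(filePath, ['.pdf', '.docx', '.xlsx'], tenantID) as the opts argument, and in the callback hand data to classifyScanResult and act on the returned action (move the item to a quarantine folder, notify, or retry).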
Just like that, we can develop a process to quickly check our Site Drive storage locations for hidden threats and incorporate some helpful redundancy into our security architecture. One caveat: the API reports on a file, it does not remove or quarantine it, so the scan result needs to feed an action in our own code for the process to actually protect the drive.