Onenote false positives in Google Drive File Stream files stored locally on machines being detected

Question

I have been having an issue with Onenote files being detected as false positives and to prevent half of the detections from happening, I excluded all onenote files with the file extensions *.onepkg and *.one.backupconsctruction globally regardless of the path. What is happening now is that these files are still getting removed in Google Drive File Stream paths in Windows, these haven't been excluded because these Google backup files don't have file extensions so it is not recognized in my whitelist/exclusion. Here is an example: Manual malware cleanup required: 'Mal/OneBad-A' at 'C:\Users\Jerome_Powell\AppData\Local\Google\DriveFS\118151419556526923308\content_cache\d14\d23\35055' 
 
 How can I solve this issue?

Qoosh · Answer

Hi Marvin , 
 Thanks for reaching out to the Sophos Community Forum. 
 Do you know if the same file is being detected again and again? If so, I'd suggest trying to send in a sample of the file so that Sophos Labs can reclassify it. - Submit a Sample 
 If the detections continue to change, you may want to consider adding a path exclusion for Google Drive File Stream. I'd suggest creating such an exclusion only for the specific devices that require it. 
 Cached items from google drive may be compressed and in different formats than the original content downloaded, opening up the possibility of false positives due to the malformed data. Sending a sample submission would be the best way to verify if files are malicious or FPs.

Onenote false positives in Google Drive File Stream files stored locally on machines being detected

Top Replies