onedrive download malware AVOverride=1 parameter isn't working. #1863

ncw opened this issue Jul 15, 2024 · 1 comment
ncw commented Jul 15, 2024

Category

  • Question
  • Documentation issue
  • Bug

Expected or Desired Behavior

Supplying the URL parameter AVOverride=1 should allow download of a file detected as malware.

As far as I am aware this behaviour isn't actually documented anywhere, but it has worked since May 2023.

Observed Behavior

The file is still reported as malware.

Initial request with ?AVOverride=1 parameter

2024/07/10 09:23:58 DEBUG : HTTP REQUEST (req 0xc0006e0ea0)
2024/07/10 09:23:58 DEBUG : GET /v1.0/drives/b!zNBKeuB-bkOYScCXzXYAWC-N7Uq4WqyRSc5hmcZN3-NELmnKfitZRI4UWrJpHeeh/items/01TBBT7JR3PUS7DZMMMVG3Q7NODGII3IFH/content?AVOverride=1 HTTP/1.1
Host: graph.microsoft.com
User-Agent: rclone/v1.67.0
Authorization: XXXX
Accept-Encoding: gzip

Response with redirect

2024/07/10 09:23:58 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2024/07/10 09:23:58 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2024/07/10 09:23:58 DEBUG : HTTP RESPONSE (req 0xc0006e0ea0)
2024/07/10 09:23:58 DEBUG : HTTP/2.0 302 Found
Cache-Control: no-store, no-cache
Client-Request-Id: 70c8e553-79bb-4aba-9ff4-73569f3fa8cf
Content-Type: application/octet-stream
Date: Wed, 10 Jul 2024 01:23:58 GMT
Location: https://3zgon9-my.sharepoint.com/personal/bxh7oj7w_3zgon9_onmicrosoft_com/_layouts/15/download.aspx?UniqueId=f1257d3b-8ce5-4d65-b87d-ae19908da0a7&Translate=false&tempauth=v1.eyJzaXRlaWQiOiI3YTRhZDBjYy03ZWUwLTQzNmUtOTg0OS1jMDk3Y2Q3NjAwNTgiLCJhcHBfZGlzcGxheW5hbWUiOiJSY2xvbmUiLCJhcHBpZCI6IjUwNDUxMmE0LWMxZjEtNDU2OS1hZmIxLTVhNzc5Y2MxZTQ2YiIsImF1ZCI6IjAwMDAwMDAzLTAwMDAtMGZmMS1jZTAwLTAwMDAwMDAwMDAwMC82MDhwbXItbXkuc2hhcmVwb2ludC5jb21AYzU1MWE1YjYtZWYyNS00YTkzLTkyZGQtZDM4OTMzMjJiOTJhIiwiZXhwIjoiMTcyMDU3ODIzOCJ9.CgoKBHNuaWQSAjY4EgsI2J3alKCikD0QBRoOMjAuMTkwLjEzMi4xMDYqLHV4YUE1c0FjSXNKL0hMWnRDT2dXTStXRHlTNlc3MFdpK2hIb3ZySTRMVlU9MKIBOAFCEKE6xqUKEABQ4fihYHf-gOdKEGhhc2hlZHByb29mdG9rZW5yKTBoLmZ8bWVtYmVyc2hpcHwxMDAzMjAwMmQ2OGU3YWI3QGxpdmUuY29tegEyggESCbalUcUl75NKEZLd04kzIrkqogEgcnV0aHBvdW5kQDYwOHBtci5vbm1pY3Jvc29mdC5jb22qARAxMDAzMjAwMkQ2OEU3QUI3sgFWbXlmaWxlcy5yZWFkIGFsbGZpbGVzLnJlYWQgbXlmaWxlcy53cml0ZSBhbGxmaWxlcy53cml0ZSBhbGxzaXRlcy5yZWFkIGFsbHByb2ZpbGVzLnJlYWTIAQE.ssYgYRQ6mkiIw9bTNqQ4wd-F_-iTL5RerjUWgOSqcXE&ApiVersion=2.0
Request-Id: 70c8e553-79bb-4aba-9ff4-73569f3fa8cf
Strict-Transport-Security: max-age=31536000
X-Ms-Ags-Diagnostic: {"ServerInfo":{"DataCenter":"West US","Slice":"E","Ring":"4","ScaleUnit":"003","RoleInstance":"SJ1PEPF00001C54"}}
Content-Length: 0

New request of redirect

2024/07/10 09:23:58 DEBUG : HTTP REQUEST (req 0xc00084c240)
2024/07/10 09:23:58 DEBUG : GET /personal/bxh7oj7w_3zgon9_onmicrosoft_com/_layouts/15/download.aspx?UniqueId=f1257d3b-8ce5-4d65-b87d-ae19908da0a7&Translate=false&tempauth=v1.eyJzaXRlaWQiOiI3YTRhZDBjYy03ZWUwLTQzNmUtOTg0OS1jMDk3Y2Q3NjAwNTgiLCJhcHBfZGlzcGxheW5hbWUiOiJSY2xvbmUiLCJhcHBpZCI6IjUwNDUxMmE0LWMxZjEtNDU2OS1hZmIxLTVhNzc5Y2MxZTQ2YiIsImF1ZCI6IjAwMDAwMDAzLTAwMDAtMGZmMS1jZTAwLTAwMDAwMDAwMDAwMC82MDhwbXItbXkuc2hhcmVwb2ludC5jb21AYzU1MWE1YjYtZWYyNS00YTkzLTkyZGQtZDM4OTMzMjJiOTJhIiwiZXhwIjoiMTcyMDU3ODIzOCJ9.CgoKBHNuaWQSAjY4EgsI2J3alKCikD0QBRoOMjAuMTkwLjEzMi4xMDYqLHV4YUE1c0FjSXNKL0hMWnRDT2dXTStXRHlTNlc3MFdpK2hIb3ZySTRMVlU9MKIBOAFCEKE6xqUKEABQ4fihYHf-gOdKEGhhc2hlZHByb29mdG9rZW5yKTBoLmZ8bWVtYmVyc2hpcHwxMDAzMjAwMmQ2OGU3YWI3QGxpdmUuY29tegEyggESCbalUcUl75NKEZLd04kzIrkqogEgcnV0aHBvdW5kQDYwOHBtci5vbm1pY3Jvc29mdC5jb22qARAxMDAzMjAwMkQ2OEU3QUI3sgFWbXlmaWxlcy5yZWFkIGFsbGZpbGVzLnJlYWQgbXlmaWxlcy53cml0ZSBhbGxmaWxlcy53cml0ZSBhbGxzaXRlcy5yZWFkIGFsbHByb2ZpbGVzLnJlYWTIAQE.ssYgYRQ6mkiIw9bTNqQ4wd-F_-iTL5RerjUWgOSqcXE&ApiVersion=2.0 HTTP/1.1
Host: 3zgon9-my.sharepoint.com
User-Agent: rclone/v1.67.0
Referer: https://graph.microsoft.com/v1.0/drives/b!zNBKeuB-bkOYScCXzXYAWC-N7Uq4WqyRSc5hmcZN3-NELmnKfitZRI4UWrJpHeeh/items/01TBBT7JR3PUS7DZMMMVG3Q7NODGII3IFH/content?AVOverride=1
Accept-Encoding: gzip

Response is another redirect!

2024/07/10 09:23:58 DEBUG : HTTP RESPONSE (req 0xc00084c240)
2024/07/10 09:23:58 DEBUG : HTTP/2.0 302 Found
Cache-Control: private
Content-Type: text/plain
Date: Wed, 10 Jul 2024 01:23:58 GMT
Location: https://193491-ipv4v6.gr.global.aa-rt.sharepoint.com/personal/bxh7oj7w_3zgon9_onmicrosoft_com/_layouts/15/download.aspx?UniqueId=f1257d3b-8ce5-4d65-b87d-ae19908da0a7&Translate=false&siteHost=3zgon9-my.sharepoint.com&tempauth=v1.eyJzaXRlaWQiOiI3YTRhZDBjYy03ZWUwLTQzNmUtOTg0OS1jMDk3Y2Q3NjAwNTgiLCJhcHBfZGlzcGxheW5hbWUiOiJSY2xvbmUiLCJhcHBpZCI6IjUwNDUxMmE0LWMxZjEtNDU2OS1hZmIxLTVhNzc5Y2MxZTQ2YiIsImF1ZCI6IjAwMDAwMDAzLTAwMDAtMGZmMS1jZTAwLTAwMDAwMDAwMDAwMC82MDhwbXItbXkuc2hhcmVwb2ludC5jb21AYzU1MWE1YjYtZWYyNS00YTkzLTkyZGQtZDM4OTMzMjJiOTJhIiwiZXhwIjoiMTcyMDU3ODIzOCJ9.CgoKBHNuaWQSAjY4EgsI2J3alKCikD0QBRoOMjAuMTkwLjEzMi4xMDYqLHV4YUE1c0FjSXNKL0hMWnRDT2dXTStXRHlTNlc3MFdpK2hIb3ZySTRMVlU9MKIBOAFCEKE6xqUKEABQ4fihYHf-gOdKEGhhc2hlZHByb29mdG9rZW5yKTBoLmZ8bWVtYmVyc2hpcHwxMDAzMjAwMmQ2OGU3YWI3QGxpdmUuY29tegEyggESCbalUcUl75NKEZLd04kzIrkqogEgcnV0aHBvdW5kQDYwOHBtci5vbm1pY3Jvc29mdC5jb22qARAxMDAzMjAwMkQ2OEU3QUI3sgFWbXlmaWxlcy5yZWFkIGFsbGZpbGVzLnJlYWQgbXlmaWxlcy53cml0ZSBhbGxmaWxlcy53cml0ZSBhbGxzaXRlcy5yZWFkIGFsbHByb2ZpbGVzLnJlYWTIAQE.ssYgYRQ6mkiIw9bTNqQ4wd-F_-iTL5RerjUWgOSqcXE&ApiVersion=2.0
Microsoftsharepointteamservices: 16.0.0.25019
Ms-Cv: oTrGpSAwAFD+T+Rbn/I97w.0
P3p: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Request-Id: a5c63aa1-3020-5000-fe4f-e45b9ff23def
Spiislatency: 2
Sprequestduration: 65
Sprequestguid: a5c63aa1-3020-5000-fe4f-e45b9ff23def
Strict-Transport-Security: max-age=31536000
X-Aspnet-Version: 4.0.30319
X-Cache: CONFIG_NOCACHE
X-Content-Type-Options: nosniff
X-Ms-Invokeapp: 1; RequireReadOnly
X-Msedge-Ref: Ref A: B312799D5A614298AA95922B5C04BF4B Ref B: SJC211051205027 Ref C: 2024-07-10T01:23:58Z
X-Networkstatistics: 0,8409600,64,503,9056621,0,4649143,63
X-Powered-By: ASP.NET
X-Sharepointhealthscore: 3
Content-Length: 0

The new request

2024/07/10 09:23:58 DEBUG : HTTP REQUEST (req 0xc0006e18c0)
2024/07/10 09:23:58 DEBUG : GET /personal/bxh7oj7w_3zgon9_onmicrosoft_com/_layouts/15/download.aspx?UniqueId=f1257d3b-8ce5-4d65-b87d-ae19908da0a7&Translate=false&siteHost=3zgon9-my.sharepoint.com&tempauth=v1.eyJzaXRlaWQiOiI3YTRhZDBjYy03ZWUwLTQzNmUtOTg0OS1jMDk3Y2Q3NjAwNTgiLCJhcHBfZGlzcGxheW5hbWUiOiJSY2xvbmUiLCJhcHBpZCI6IjUwNDUxMmE0LWMxZjEtNDU2OS1hZmIxLTVhNzc5Y2MxZTQ2YiIsImF1ZCI6IjAwMDAwMDAzLTAwMDAtMGZmMS1jZTAwLTAwMDAwMDAwMDAwMC82MDhwbXItbXkuc2hhcmVwb2ludC5jb21AYzU1MWE1YjYtZWYyNS00YTkzLTkyZGQtZDM4OTMzMjJiOTJhIiwiZXhwIjoiMTcyMDU3ODIzOCJ9.CgoKBHNuaWQSAjY4EgsI2J3alKCikD0QBRoOMjAuMTkwLjEzMi4xMDYqLHV4YUE1c0FjSXNKL0hMWnRDT2dXTStXRHlTNlc3MFdpK2hIb3ZySTRMVlU9MKIBOAFCEKE6xqUKEABQ4fihYHf-gOdKEGhhc2hlZHByb29mdG9rZW5yKTBoLmZ8bWVtYmVyc2hpcHwxMDAzMjAwMmQ2OGU3YWI3QGxpdmUuY29tegEyggESCbalUcUl75NKEZLd04kzIrkqogEgcnV0aHBvdW5kQDYwOHBtci5vbm1pY3Jvc29mdC5jb22qARAxMDAzMjAwMkQ2OEU3QUI3sgFWbXlmaWxlcy5yZWFkIGFsbGZpbGVzLnJlYWQgbXlmaWxlcy53cml0ZSBhbGxmaWxlcy53cml0ZSBhbGxzaXRlcy5yZWFkIGFsbHByb2ZpbGVzLnJlYWTIAQE.ssYgYRQ6mkiIw9bTNqQ4wd-F_-iTL5RerjUWgOSqcXE&ApiVersion=2.0 HTTP/1.1
Host: 193491-ipv4v6.gr.global.aa-rt.sharepoint.com
User-Agent: rclone/v1.67.0
Referer: https://graph.microsoft.com/v1.0/drives/b!zNBKeuB-bkOYScCXzXYAWC-N7Uq4WqyRSc5hmcZN3-NELmnKfitZRI4UWrJpHeeh/items/01TBBT7JR3PUS7DZMMMVG3Q7NODGII3IFH/content?AVOverride=1
Accept-Encoding: gzip

And the response is 403 forbidden malware detected despite the AVOverride=1 in the initial response.

2024/07/10 09:23:59 DEBUG : HTTP RESPONSE (req 0xc0006e18c0)
2024/07/10 09:23:59 DEBUG : HTTP/2.0 403 Forbidden
Content-Length: 65
Cache-Control: private
Content-Security-Policy: frame-ancestors 'self' teams.microsoft.com *.teams.microsoft.com *.skype.com *.teams.microsoft.us local.teams.office.com teams.cloud.microsoft *.office365.com goals.cloud.microsoft *.powerapps.com *.powerbi.com *.yammer.com engage.cloud.microsoft word.cloud.microsoft excel.cloud.microsoft powerpoint.cloud.microsoft *.officeapps.live.com *.office.com *.microsoft365.com *.stream.azure-test.net *.microsoftstream.com *.dynamics.com *.microsoft.com onedrive.live.com *.onedrive.live.com securebroker.sharepointonline.com;
Content-Type: application/json
Date: Wed, 10 Jul 2024 01:23:58 GMT
Docid: 3zgon9-my.sharepoint.com_7a4ad0cc-7ee0-436e-9849-c097cd760058_f1257d3b-8ce5-4d65-b87d-ae19908da0a7
Microsoftsharepointteamservices: 16.0.0.25019
Ms-Cv: oTrGpTfgAFDh+Kpzt+bRHQ.0
P3p: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
Request-Id: a5c63aa1-e037-5000-e1f8-aa73b7e6d11d
Server: Microsoft-IIS/10.0
Spiislatency: 1
Sprequestduration: 91
Sprequestguid: a5c63aa1-e037-5000-e1f8-aa73b7e6d11d
Strict-Transport-Security: max-age=31536000
X-1dscollectorurl: https://mobile.events.data.microsoft.com/OneCollector/1.0/
X-Ariacollectorurl: https://browser.pipe.aria.microsoft.com/Collector/3.0/
X-Aspnet-Version: 4.0.30319
X-Content-Type-Options: nosniff
X-Databoundary: NONE
X-Frame-Options: SAMEORIGIN
X-Ms-Invokeapp: 1; RequireReadOnly
X-Networkstatistics: 0,64256,0,0,218,0,26653,66
X-Powered-By: ASP.NET
X-Sharepointhealthscore: 1

{"error":{"code":"malwareDetected","message":"Malware detected"}}

Steps to Reproduce

Request a download with AVOverride=1 parameter on a file detected as malware. See above for details.

See also: rclone/rclone#7934, which was reported by @QPYIDRWIMG, who provided the HTTP traces above, and where we try some things to work around this but nothing works.
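
As an added example (not part of the original issue and not rclone's code), this Python script parses a debug log in the layout of the traces above and reports, for each hop of the redirect chain, whether a query parameter such as AVOverride appears in the request URL and in the Location header. The sample log is constructed, with placeholder hosts, IDs and token, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the layout of the traces above; hosts, IDs and token are placeholders.
SAMPLE_LOG = """\
2024/07/10 09:23:58 DEBUG : HTTP REQUEST (req 0xc000000001)
2024/07/10 09:23:58 DEBUG : GET /v1.0/drives/DRIVE/items/ITEM/content?AVOverride=1 HTTP/1.1
Host: graph.example.test
2024/07/10 09:23:58 DEBUG : HTTP RESPONSE (req 0xc000000001)
2024/07/10 09:23:58 DEBUG : HTTP/2.0 302 Found
Location: https://tenant.example.test/_layouts/15/download.aspx?UniqueId=ID&tempauth=TOKEN
2024/07/10 09:23:58 DEBUG : HTTP REQUEST (req 0xc000000002)
2024/07/10 09:23:58 DEBUG : GET /_layouts/15/download.aspx?UniqueId=ID&tempauth=TOKEN HTTP/1.1
Host: tenant.example.test
2024/07/10 09:23:59 DEBUG : HTTP RESPONSE (req 0xc000000002)
2024/07/10 09:23:59 DEBUG : HTTP/2.0 403 Forbidden
"""

MARK = re.compile(r"^HTTP (REQUEST|RESPONSE) \(req (0x[0-9a-f]+)\)")
REQ_LINE = re.compile(r"^[A-Z]+ (\S+) HTTP/\d")
STATUS = re.compile(r"^HTTP/[\d.]+ (\d{3})")

def parse_hops(log):
    """Pair each request with its response by the logged req id, in request order."""
    hops, cur, kind = {}, None, None
    for raw in log.splitlines():
        # Drop the "date time DEBUG : " prefix; header lines have none.
        line = re.sub(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d DEBUG : ", "", raw)
        name, _, value = line.partition(": ")
        if m := MARK.match(line):
            kind = m.group(1)
            cur = hops.setdefault(m.group(2), {"target": "", "host": "", "status": None, "location": None})
        elif cur is None:
            continue
        elif kind == "REQUEST" and (m := REQ_LINE.match(line)):
            cur["target"] = m.group(1)
        elif kind == "RESPONSE" and (m := STATUS.match(line)):
            cur["status"] = int(m.group(1))
        elif (kind, name.lower()) in (("REQUEST", "host"), ("RESPONSE", "location")):
            cur[name.lower()] = value.strip()
    return list(hops.values())

def has_param(url, param):
    return param in parse_qs(urlsplit(url).query, keep_blank_values=True)

def trace_param(log, param):
    """Per hop: host, status, and whether `param` is in the request URL and the Location header."""
    return [{"host": h["host"], "status": h["status"], "in_request": has_param(h["target"], param),
             "in_location": has_param(h["location"], param) if h["location"] else None}
            for h in parse_hops(log)]
```

`trace_param(SAMPLE_LOG, "AVOverride")` returns one row per request; `in_location` is `None` for a response that carries no Location header.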

oddMLan commented Dec 17, 2024

cc @kashiftahir
Last time (2 years ago!) you mentioned this was being tracked internally, any updates?
This is a very bad issue, I can't download my own personal files for years now because OneDrive thinks it has a virus!
