Strengthen protection for your Atlassian files with malware scanning

Hi Atlassian community!

I'm David B. Cross, your Chief Information Security Officer, and I am thrilled to announce a new addition to our security today. In direct response to your valuable feedback, my team has successfully deployed our new malware scanning solution. This means all new file uploads across Jira, Confluence, and Trello will now automatically undergo malware scanning.

How does malware scanning work?

Every new file attachment uploaded to Jira, Confluence, and Trello is automatically scanned for malware using a combination of in-house and third-party detection tools. If a file is flagged as malicious, users will see a clear warning before downloading or accessing it. Admins can also review malware findings in the audit log, providing an additional layer of security oversight.

 


What’s next?

We are committed to continuously improving scanning accuracy and plan to introduce more self-service resources to help you manage malware findings. Additionally, we're exploring the expansion of malware scanning to other cloud products.

Call to action

We’re always looking to hear from you, so please share any questions or comments below.

Thank you for your partnership and feedback!

21 comments

Robert Paul Newman
I'm New Here
July 1, 2025

Is this feature supported in both cloud and datacenter platforms?

Brita Moorus
Rising Star
July 1, 2025

Is this feature supported in all (Free, Standard, Premium, Enterprise) plans?

Tevi Lawson
I'm New Here
July 1, 2025

@David Cross Sounds like a great feature to enhance security. Can we get more insight on how this feature works under the surface and whether it can be optional? Are there data/logs being sent back to Atlassian in-house or third-party environments for analysis?

Shawn Stevens
Contributor
July 1, 2025

Is there an option to automatically remove attachments that have been flagged by your logic? 

Jared Schmitt
Contributor
July 1, 2025

Hi @David Cross, does "announce a new addition to our security today" mean this feature is also released "today"? Or is it just the announcement and it will be distributed via the usual release tracks? I'm a bit at war with Atlassian release management lately...

And as @Tevi Lawson asked:

  1. What data is shared with external parties?
  2. Who are these external parties?
  3. Do admins have control over this feature?

Thanks for the clarification!

Yatish Madhav
Rising Star
July 1, 2025

Thanks @David Cross this is really great! Happy to see posts about progressive security updates too.

I am with @Tevi Lawson @Jared Schmitt and @Shawn Stevens comments above

Please advise? Thank you

Yatish

Daria Kulikova_GitProtect_io
Community Champion
July 1, 2025

Thank you, @David Cross , it's a great update! 

Which file types are scanned? Are there any limitations or exclusions when it comes to file formats?

Thanks,

Tushar Gohel
Contributor
July 1, 2025

Hello @David Cross 

We have been waiting for this feature for a long time. We are really excited to try it out. I have a few questions about the functionality.

  1. Can we restrict uploading the malicious files itself?
  2. Can we integrate our own 3rd party scanning tool?
  3. Can we define our own criteria for which files we want to allow?

Thanks,

Tushar

Kim Howitt
Atlassian Team
July 1, 2025

Hi Atlassian Community,

I'm Kim H, Product Manager within David B's team and wanted to spend some time answering some of your questions!

Please see the responses below:

 

Is this feature supported in both cloud and datacenter platforms?
  • @Robert Paul Newman  - This feature is supported for cloud based products for Jira, Confluence, Trello and covers Marketplace Data Centre platforms

 

Is this feature supported in all (Free, Standard, Premium, Enterprise) plans?
  • @Brita Moorus - Yes, malware scanning is supported for all free, standard, premium and enterprise plans, however in order to gain access to malware findings in Audit Log as an administrator, you will need a Guard Standard, Premium or Enterprise subscription

 

@David Cross Sounds like a great feature to enhance security. Can we get more insight on how this feature works under the surface and whether it can be optional? Are there data/logs being sent back to Atlassian in-house or third-party environments for analysis?
  • @Tevi Lawson - We scan files on upload and provide users with a warning on download if any malware is detected. There are data/logs that get sent to Audit Log for administrators to review the findings that will require a Guard Standard, Premium or Enterprise subscription to view them
  • As for third-party environment for analysis, yes we use a combination of third-party and in-house tools for this purpose

 

Is there an option to automatically remove attachments that have been flagged by your logic?
  • @Shawn Thank you for your feedback here. At this stage we haven't got automatic removals for attachments in place. We are however looking into this and will identify opportunities on our roadmap to make optimisations to improve the logic to ensure attachments flagged can be removed in future.

If you have any further questions, feel free to drop them in the comments below

Cheers,

Kim

Kim Howitt
Atlassian Team
July 2, 2025

Thank you all for keeping the questions coming!

Second set of answers to the following questions:

Which file types are scanned? Are there any limitations or exclusions when it comes to file formats?

 

We have been waiting for this feature for a long time. We are really excited to try it out. I have a few questions about the functionality.


1. Can we restrict uploading the malicious files itself?

2. Can we integrate our own 3rd party scanning tool?

3. Can we define our own criteria for which files we want to allow?

  • @Tushar Gohel - Thank you for the feedback. At this stage, you cannot, we will however look into this and review opportunities to put it onto our roadmap as an optimisation, we hear you on this one and will take note of this as a feature request as it has been mentioned a few times on the comments section.

Tere Pile
Contributor
July 2, 2025

@Kim Howitt I'm reading this correctly, file is scanned on upload, but warning only appears on the download?

Only option to review 'upload' is w/Guard (presuming in the audit log) any information on exactly what we would see specifically.   Also am I correct to presume, it will only scan files on claimed domain users who are billable? 

Jonathan Smith
Contributor
July 2, 2025

If there are any malware scanning features available in Guard Premium but not in Guard Standard, please list all the differences in a table. Thank you.

Dan Gerrey
I'm New Here
July 2, 2025

Has this been rolled out to all sites already or will it be a staggered rollout? If the latter, is there an easy way of seeing if it's on your site?

Kelvin Russell
July 2, 2025

This is Great news @Kim Howitt  Am I correct in assuming this isn't available for JSM, specifically the portal?

Kim Howitt
Atlassian Team
July 2, 2025

Hi All,

Thank you for your continued interest in our launch. I'll be answering the third set of questions below!

 

@Kim Howitt I'm reading this correctly, file is scanned on upload, but warning only appears on the download?
Only option to review 'upload' is w/Guard (presuming in the audit log) any information on exactly what we would see specifically.  Also am I correct to presume, it will only scan files on claimed domain users who are billable?
  • @Tere Pile At this stage that is correct, we will still continue to scan the files on upload and will look to make optimisations in future to block malicious uploads. The scanning of files is available to all tiers (free, premium and enterprise) of our customers, not just those who are billable. The Audit log administrator experience to review the specific malware finding will, however, require Atlassian Guard Standard, Premium or Enterprise, which is billable.
  • If I've understood your question correctly too, Audit log will display the following:
    • Timestamp
    • Location
    • Actor
    • Activity

 

If there are any malware scanning features available in Guard Premium but not in Guard Standard, please list all the differences in a table. Thank you.
  • @Jonathan Smith The features at this stage available in Guard Premium and Standard are the same, they both have:
    • Scanning of files on upload and warning messages on download to warn users
    • Malware findings are surfaced in Audit log for administrators
  • We are actively looking into extending the feature sets for both subscription types in future which will start to differentiate the offerings. More to come!

 

Has this been rolled out to all sites already or will it be a staggered rollout? If the latter, is there an easy way of seeing if it's on your site?
  • @Dan Gerrey This has already been rolled out to all sites for Jira, Confluence and Trello
  • The only way to see the experience at this stage will be on download of a malicious file attachment

 

This is Great news @Kim Howitt Am I correct in assuming this isn't available for JSM, specifically the portal?
  • @Kelvin Russell The good news is that Atlassian already scans for malware in JSM

Jared Schmitt
Contributor
July 2, 2025

Hi @Kim Howitt 

In your fourth round of answers, could you please let us know:

  1. What data is shared with external parties?
  2. Who are these external parties?
  3. Do admins have control over the feature (turn off/on)?
  4. How to retrieve an attachment marked as malware?

Imagine someone uploads an important document, let's say an invoice, and the system (mistakenly) thinks it's malware. How can I as admin still retrieve the document?

Oliver Siebenmarck _Polymetis Apps_
Rising Star
July 3, 2025

Hi @Kim Howitt , Hi @David Cross ,

Thank you for this, that's an amazing feature to add!

Like @Jared Schmitt I am wondering about the third parties you mentioned. We, and I believe others, too, are pretty particular about GDPR and InfoSec in general, so my first stop was Atlassian's list of sub-processors: https://www.atlassian.com/legal/sub-processors#third-party-sub-processors

I couldn't find any entries that seem to fit with malware scanning, so now we have to weigh the risk of potentially having our attachments scanned by unknown third parties or having to disable attachment uploads altogether. Neither of which sounds good, tbh.

Can you shed any light on how this works, which third parties are involved, and what kind of data they actually get access to? 

Thank you,
Oliver from Polymetis Apps

Gus_Vega
Contributor
July 8, 2025

Hi @Kim Howitt 

Had a few questions as well:

  • Is there a way to set up a notification when an attachment is flagged as malware both in Jira and/or Confluence? Can we use Atlassian Guard as trigger for this purpose?
  • Also, will the audit log show whether the attachment flagged as malware was identified by Atlassian internal tools or the third party?
  • Will files uploaded into Jira/Confluence prior to July 1, 2025, be scanned for malware? Or will only new files uploaded after July 1 be scanned?

Kim Howitt
Atlassian Team
July 9, 2025

Hi All,

Thank you for your questions! I'm back to answer the fourth round below:

In your fourth round of answers, could you please let us know:

  1. What data is shared with external parties?

  2. Who are these external parties?

  3. Do admins have control over the feature (turn off/on)?

  4. How to retrieve an attachment marked as malware?

Imagine someone uploads an important document, let's say an invoice, and the system (mistakenly) thinks it's malware. How can I as admin still retrieve the document?

  • @Jared Schmitt 
  • No customer data ever leaves Atlassian's systems, we only receive our vendor's malware hashes inbound only
  • At this stage, admins do not, we will however look into this and review opportunities to put it onto our roadmap as an optimisation, we hear you on this one and will take note of this as a feature request as it has been mentioned a few times on the comments section.
  • To retrieve an attachment marked as malware, as an administrator you can navigate to our Audit log to view the location, file name and actor/uploader. In order to access the Audit log, you will need an Atlassian Guard Standard, Premium or Enterprise subscription. For your safety, we recommend you tread carefully and do not download the file.

 

I am wondering about the third parties you mentioned. We, and I believe others, too, are pretty particular about GDPR and InfoSec in general, so my first stop was Atlassian's list of sub-processors: https://www.atlassian.com/legal/sub-processors#third-party-sub-processors
I couldn't find any entries that seem to fit with malware scanning, so now we have to weigh the risk of potentially having our attachments scanned by unknown third parties or having to disable attachment uploads altogether. Neither of which sounds good, tbh.
Can you shed any light on how this works, which third parties are involved, and what kind of data they actually get access to?

  • @Oliver Siebenmarck _Polymetis Apps_ - No customer data ever leaves Atlassian's systems, we only receive our vendor's malware hashes inbound only
  • Our scans are GDPR compliant as files hosted in GDPR regions are all scanned in the source region

 

Is there a way to set up a notification when an attachment is flagged as malware both in Jira and/or Confluence? Can we use Atlassian Guard as trigger for this purpose?
Also, will the audit log show whether the attachment flagged as malware was identified by Atlassian internal tools or the third party?
  • @Gus_Vega - Yes, if you have an Enterprise plan for Jira or Confluence, or Atlassian Guard Premium, you will be able to set up Audit log activities to another tool using a webhook that connects to our Audit log. For more details, please visit this page for more information.
  • The Audit log will not show if it was identified via internal tools or third parties

Jared Schmitt
Contributor
July 9, 2025

Hi @Kim Howitt 

I appreciate the time you take to answer our comments. However not all questions have been addressed in a way that lets an Org admin rest well at night.

I understand admins cannot control this behavior. Really not cool, but that seems to be a common practice at Atlassian.

What is still unclear to me:

  • Who are the external parties? They need to be explicitly named as this might influence the decision of our Security+Legal department in contract reviews. These names need to appear in official docs somewhere.
  • Do I understand correctly that admins can still download an attachment flagged as malware from the audit log? So we can access a file even if it is compromised?

Gus_Vega
Contributor
July 15, 2025

Hi @Kim Howitt 2 additional questions that came up:

  •  What is defined as the GDPR scanned source region? Is that specific to the geo-location of the person who uploaded / or is attempting to download the attachment? 

 

  • If we do not have a pinned data residency for all apps, does that play any factor in the source region as well? 