
Malware Scanning#

Security · Microsoft Defender for Cloud · Rule · 2024_03 · Critical

Enable Malware Scanning in Microsoft Defender for Storage.

Description#

Microsoft Defender for Storage provides additional security for storage accounts. One of the features in the Defender for Storage service is malware scanning that is powered by Microsoft Defender Antivirus.

Content uploaded to cloud storage could contain malware. Storage accounts can be both an entry point and a distribution point for malware in the organization. To protect the organization from this threat, content in cloud storage must be scanned for malware before it's accessed.

Malware scanning in Defender for Storage helps protect storage accounts from malicious content by performing a malware scan on uploaded content in near real time. When the scan identifies a malicious file, a detailed Microsoft Defender for Cloud security alert is generated.

Malware Scanning in Microsoft Defender for Storage can be enabled at the subscription level. This ensures all storage accounts in the subscription will be protected, including future ones.

This can be helpful:

  • To protect storage accounts from malicious content, especially when content in the storage account is uploaded from untrusted sources.
  • To meet compliance standard controls that require on-upload malware scanning for non-compute resources, including standards such as NIST, SWIFT, and UK GOV.

Recommendation#

Consider using malware scanning in Microsoft Defender for Storage for all storage accounts in the subscription.

Examples#

Configure with Azure template#

To enable malware scanning in Microsoft Defender for Storage:

  • Set the properties.pricingTier property to Standard.
  • Set the properties.subPlan property to DefenderForStorageV2.
  • Add the OnUploadMalwareScanning extension with isEnabled set to True. Optionally set CapGBPerMonthPerStorageAccount under additionalExtensionProperties to cap the volume scanned per storage account each month.

For example:

Azure Template snippet
{
  "type": "Microsoft.Security/pricings",
  "apiVersion": "2024-01-01",
  "name": "StorageAccounts",
  "properties": {
    "pricingTier": "Standard",
    "subPlan": "DefenderForStorageV2",
    "extensions": [
      {
        "name": "OnUploadMalwareScanning",
        "isEnabled": "True",
        "additionalExtensionProperties": {
          "CapGBPerMonthPerStorageAccount": "5000"
        }
      },
      {
        "name": "SensitiveDataDiscovery",
        "isEnabled": "True"
      }
    ]
  }
}

Configure with Bicep#

To enable malware scanning in Microsoft Defender for Storage:

  • Set the properties.pricingTier property to Standard.
  • Set the properties.subPlan property to DefenderForStorageV2.
  • Add the OnUploadMalwareScanning extension with isEnabled set to True. Optionally set CapGBPerMonthPerStorageAccount under additionalExtensionProperties to cap the volume scanned per storage account each month.

For example:

Azure Bicep snippet
resource defenderForStorage 'Microsoft.Security/pricings@2024-01-01' = {
  name: 'StorageAccounts'
  properties: {
    pricingTier: 'Standard'
    subPlan: 'DefenderForStorageV2'
    extensions: [
      {
        name: 'OnUploadMalwareScanning'
        isEnabled: 'True'
        additionalExtensionProperties: {
          CapGBPerMonthPerStorageAccount: '5000'
        }
      }
      {
        name: 'SensitiveDataDiscovery'
        isEnabled: 'True'
      }
    ]
  }
}

Configure with Azure Policy#

To address this issue at runtime use the following policies:

Notes#

Malware scanning is only available in the DefenderForStorageV2 sub plan for Defender for Storage, which offers new features that aren't included in the classic plan.

Not all services and blob types within storage accounts are currently supported. See limitations for more information.
