
Malware Scanning#

Security · Microsoft Defender for Cloud · Rule · 2023_06

Enable Malware Scanning in Microsoft Defender for Storage.

Description#

Microsoft Defender for Storage provides additional security for storage accounts.

One of the features in the Defender for Storage service is malware scanning that is powered by Microsoft Defender Antivirus.

Content uploaded to cloud storage could be malware. Storage accounts can be a malware entry point into the organization and a malware distribution point. To protect organizations from this threat, content in cloud storage must be scanned for malware before it's accessed.

Malware Scanning in Defender for Storage helps protect storage accounts from malicious content by performing a full malware scan on uploaded content in near real time.

This is helpful for:

  • Protecting storage accounts from malicious content, especially when content is uploaded from untrusted sources (customers and partners, anonymous users, etc.).
  • Meeting compliance standards that require on-upload malware scanning for non-compute resources (NIST, SWIFT, UK GOV, and more), and collecting the evidence needed for compliance audits.

When the malware scan identifies a malicious file, detailed Microsoft Defender for Cloud security alerts are generated.

Malware Scanning in Microsoft Defender for Storage can be enabled at the subscription level. Doing so protects all storage accounts in the subscription, including ones created later.

Recommendation#

Consider using Malware Scanning in Microsoft Defender for Storage.

Examples#

Configure with Azure template#

To enable Malware Scanning in Microsoft Defender for Storage:

  • Set the Standard pricing tier for Microsoft Defender for Storage and set the DefenderForStorageV2 sub plan.
  • Configure an OnUploadMalwareScanning extension.

For example:

Azure Template snippet

```json
{
  "type": "Microsoft.Security/pricings",
  "apiVersion": "2023-01-01",
  "name": "StorageAccounts",
  "properties": {
    "pricingTier": "Standard",
    "subPlan": "DefenderForStorageV2",
    "extensions": [
      {
        "name": "OnUploadMalwareScanning",
        "isEnabled": "True",
        "additionalExtensionProperties": {
          "CapGBPerMonthPerStorageAccount": "5000"
        }
      },
      {
        "name": "SensitiveDataDiscovery",
        "isEnabled": "True"
      }
    ]
  }
}
```
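As an added example (not part of the PSRule for Azure documentation and not the rule's own implementation), a small Python check that applies the conditions above to an ARM template: the StorageAccounts pricing resource must use the Standard tier, the DefenderForStorageV2 sub plan, and an enabled OnUploadMalwareScanning extension. Both sample templates are constructed for the example.

```python
import json

# Constructed samples (not from the page): a pricing resource set up as the rule
# expects, and one that only enables the classic plan with no extension.
COMPLIANT_TEMPLATE = json.loads("""{
  "resources": [{
    "type": "Microsoft.Security/pricings", "apiVersion": "2023-01-01",
    "name": "StorageAccounts",
    "properties": {
      "pricingTier": "Standard", "subPlan": "DefenderForStorageV2",
      "extensions": [{"name": "OnUploadMalwareScanning", "isEnabled": "True",
        "additionalExtensionProperties": {"CapGBPerMonthPerStorageAccount": "5000"}}]
    }
  }]
}""")
CLASSIC_TEMPLATE = json.loads("""{"resources": [{"type": "Microsoft.Security/pricings",
  "apiVersion": "2023-01-01", "name": "StorageAccounts",
  "properties": {"pricingTier": "Standard"}}]}""")


def _matches(value, expected):
    # ARM treats these string values case-insensitively; isEnabled may also arrive
    # as a JSON boolean, which str() renders as "True"/"False".
    return str(value).lower() == expected.lower()


def malware_scan_findings(resource):
    """Reasons a Microsoft.Security/pricings resource fails the rule (empty = pass)."""
    props = resource.get("properties", {})
    findings = []
    if not _matches(props.get("pricingTier"), "Standard"):
        findings.append("pricingTier is not Standard")
    if not _matches(props.get("subPlan"), "DefenderForStorageV2"):
        findings.append("subPlan is not DefenderForStorageV2")
    ext = next((e for e in props.get("extensions", [])
                if _matches(e.get("name"), "OnUploadMalwareScanning")), None)
    if ext is None:
        findings.append("OnUploadMalwareScanning extension is missing")
    elif not _matches(ext.get("isEnabled"), "True"):
        findings.append("OnUploadMalwareScanning extension is not enabled")
    return findings


def assess_template(template):
    """Locate the StorageAccounts pricing resource in an ARM template and evaluate it."""
    for res in template.get("resources", []):
        if (_matches(res.get("type"), "Microsoft.Security/pricings")
                and _matches(res.get("name"), "StorageAccounts")):
            return malware_scan_findings(res)
    return ["no Microsoft.Security/pricings resource named StorageAccounts"]
```

Bicep compiles to this same ARM JSON, so the check also applies to the output of `az bicep build`.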

Configure with Bicep#

To enable Malware Scanning in Microsoft Defender for Storage:

  • Set the Standard pricing tier for Microsoft Defender for Storage and set the DefenderForStorageV2 sub plan.
  • Configure an OnUploadMalwareScanning extension.

For example:

Azure Bicep snippet

```bicep
resource defenderForStorage 'Microsoft.Security/pricings@2023-01-01' = {
  name: 'StorageAccounts'
  properties: {
    pricingTier: 'Standard'
    subPlan: 'DefenderForStorageV2'
    extensions: [
      {
        name: 'OnUploadMalwareScanning'
        isEnabled: 'True'
        additionalExtensionProperties: {
          CapGBPerMonthPerStorageAccount: '5000'
        }
      }
      {
        name: 'SensitiveDataDiscovery'
        isEnabled: 'True'
      }
    ]
  }
}
```

Notes#

This feature is currently in preview.

The DefenderForStorageV2 sub plan represents the new Defender for Storage plan, which offers several benefits that aren't included in the classic plan, such as Malware Scanning.

Malware Scanning is not supported for storage accounts with public network access set to disabled. Not all services within storage accounts are currently supported.
