# Malware Scanning
Security · Microsoft Defender for Cloud · 2023_06
Enable Malware Scanning in Microsoft Defender for Storage.
## Description
Microsoft Defender for Storage provides additional security for storage accounts.
One of the features in the Defender for Storage service is malware scanning that is powered by Microsoft Defender Antivirus.
Content uploaded to cloud storage could be malware. Storage accounts can be a malware entry point into the organization and a malware distribution point. To protect organizations from this threat, content in cloud storage must be scanned for malware before it's accessed.
Malware Scanning in Defender for Storage helps protect storage accounts from malicious content by performing a full malware scan on uploaded content in near real time.
This can be helpful for:
- Protecting storage accounts from malicious content, especially when content in the storage account is uploaded from untrusted sources (customers and partners, anonymous users, etc.).
- Meeting compliance standards that require on-upload malware scanning for non-compute resources (NIST, SWIFT, UK GOV, and more), and collecting the necessary evidence for compliance audits.
When the malware scan identifies a malicious file, detailed Microsoft Defender for Cloud security alerts are generated.
Malware Scanning in Microsoft Defender for Storage can be enabled at the subscription level. Doing so ensures that all storage accounts in the subscription are protected, including ones created later.
## Recommendation
Consider using Malware Scanning in Microsoft Defender for Storage.
## Examples

### Configure with Azure template

To enable Malware Scanning in Microsoft Defender for Storage:
- Set the `Standard` pricing tier for Microsoft Defender for Storage and set the `DefenderForStorageV2` sub plan.
- Configure an `OnUploadMalwareScanning` extension.

For example:

```json
{
  "type": "Microsoft.Security/pricings",
  "apiVersion": "2022-03-01",
  "name": "StorageAccounts",
  "properties": {
    "pricingTier": "Standard",
    "subPlan": "DefenderForStorageV2",
    "extensions": [
      {
        "name": "OnUploadMalwareScanning",
        "isEnabled": "True",
        "additionalExtensionProperties": {
          "CapGBPerMonthPerStorageAccount": "5000"
        }
      }
    ]
  }
}
```
### Configure with Bicep

To enable Malware Scanning in Microsoft Defender for Storage:
- Set the `Standard` pricing tier for Microsoft Defender for Storage and set the `DefenderForStorageV2` sub plan.
- Configure an `OnUploadMalwareScanning` extension.

For example:

```bicep
resource defenderForStorage 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'StorageAccounts'
  properties: {
    pricingTier: 'Standard'
    subPlan: 'DefenderForStorageV2'
    extensions: [
      {
        name: 'OnUploadMalwareScanning'
        isEnabled: 'True'
        additionalExtensionProperties: {
          CapGBPerMonthPerStorageAccount: '5000'
        }
      }
    ]
  }
}
```
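Both the Azure template and the Bicep examples above set the same three things: the `Standard` tier, the `DefenderForStorageV2` sub plan and an enabled `OnUploadMalwareScanning` extension. The following added example (not part of this page or of PSRule for Azure) audits an ARM template JSON document for exactly those settings, so a pipeline can flag a subscription that would still be on the classic plan or would deploy the extension disabled; the `audit_template` and `check_malware_scanning` functions and the two sample templates are constructed for this illustration.

```python
import json

REQUIRED_TIER = "Standard"
REQUIRED_SUBPLAN = "DefenderForStorageV2"
MALWARE_EXTENSION = "OnUploadMalwareScanning"


def check_malware_scanning(resource: dict) -> list[str]:
    """Return findings for one Microsoft.Security/pricings resource; an empty
    list means Standard tier, DefenderForStorageV2 sub plan and an enabled
    OnUploadMalwareScanning extension, as the templates above configure."""
    findings = []
    props = resource.get("properties", {})
    if props.get("pricingTier") != REQUIRED_TIER:
        findings.append(f"pricingTier is {props.get('pricingTier')!r}, expected {REQUIRED_TIER!r}")
    if props.get("subPlan") != REQUIRED_SUBPLAN:
        findings.append(f"subPlan is {props.get('subPlan')!r}, expected {REQUIRED_SUBPLAN!r}")
    ext = next((e for e in props.get("extensions", []) if e.get("name") == MALWARE_EXTENSION), None)
    if ext is None:
        findings.append(f"{MALWARE_EXTENSION} extension is missing")
    # isEnabled is a string in the ARM schema, so compare case-insensitively.
    elif str(ext.get("isEnabled", "")).lower() != "true":
        findings.append(f"{MALWARE_EXTENSION} extension is present but not enabled")
    return findings


def audit_template(template_text: str) -> dict[str, list[str]]:
    """Audit the Defender for Storage plan in an ARM template JSON string.
    Returns {resource name: findings}; a template with no StorageAccounts
    pricing resource is reported too, since nothing would be protected."""
    results = {}
    for res in json.loads(template_text).get("resources", []):
        if res.get("type") == "Microsoft.Security/pricings" and res.get("name") == "StorageAccounts":
            results[res["name"]] = check_malware_scanning(res)
    if not results:
        results["StorageAccounts"] = ["no Microsoft.Security/pricings resource named StorageAccounts"]
    return results


# Constructed samples (not from the page): GOOD mirrors the template above;
# WEAK keeps the Standard tier but stays on the classic plan with no extension.
GOOD_TEMPLATE = json.dumps({"resources": [{
    "type": "Microsoft.Security/pricings", "apiVersion": "2022-03-01", "name": "StorageAccounts",
    "properties": {"pricingTier": "Standard", "subPlan": "DefenderForStorageV2",
                   "extensions": [{"name": "OnUploadMalwareScanning", "isEnabled": "True",
                                   "additionalExtensionProperties": {"CapGBPerMonthPerStorageAccount": "5000"}}]}}]})
WEAK_TEMPLATE = json.dumps({"resources": [{
    "type": "Microsoft.Security/pricings", "apiVersion": "2022-03-01", "name": "StorageAccounts",
    "properties": {"pricingTier": "Standard"}}]})
```

Running `audit_template(WEAK_TEMPLATE)` reports the missing sub plan and the missing extension, while the template that mirrors the page's example returns no findings.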
## Notes

This feature is currently in preview.
The `DefenderForStorageV2` sub plan represents the new Defender for Storage plan, which offers several benefits that aren't included in the classic plan, such as Malware Scanning.
Malware Scanning is not supported for storage accounts with public network access set to disabled. Not all services within storage accounts are currently supported.
## Links
- Security operations in Azure
- What is Microsoft Defender for Cloud?
- Malware Scanning in Defender for Storage
- Limitations
- Setting up response to Malware Scanning
- Overview of Microsoft Defender for Storage
- Enable and configure Microsoft Defender for Storage
- Quickstart: Enable enhanced security features
- Azure security baseline for Storage
- DP-2: Monitor anomalies and threats targeting sensitive data
- LT-1: Enable threat detection capabilities
- Azure Policy built-in policy definitions
- Azure deployment reference