Malware Scanning#
Security · Storage Account · Rule · 2024_03 · Critical
Enable Malware Scanning in Microsoft Defender for Storage.
Description#
Microsoft Defender for Storage provides additional security for storage accounts.
One of the features in the Defender for Storage service is malware scanning that is powered by Microsoft Defender Antivirus.
Content uploaded to cloud storage could be malware. Storage accounts can be a malware entry point into the organization and a malware distribution point. To protect organizations from this threat, content in cloud storage must be scanned for malware before it's accessed.
Malware Scanning in Defender for Storage helps protect storage accounts from malicious content by performing a full malware scan on uploaded content in near real time.
This can be helpful:
- To protect storage accounts from malicious content, especially when content in the storage account is uploaded from untrusted sources (customers and partners, anonymous users, etc.).
- To comply with standards that require on-upload malware scanning for non-compute resources (NIST, SWIFT, UK GOV, and more), and to collect the evidence needed for compliance audits.
When the malware scan identifies a malicious file, detailed Microsoft Defender for Cloud security alerts are generated.
Malware Scanning in Microsoft Defender for Storage can be enabled at the resource level. However, the general recommendation is to enable it at the subscription level, which ensures that all storage accounts in the subscription are protected, including ones created later. Storage accounts inherit the Defender for Storage settings configured at the subscription level.
It is also worth mentioning that resource level enablement can be useful to:
- Override subscription level settings to configure specific storage accounts with custom malware scanning settings that differ from the settings configured at the subscription level.
Recommendation#
Consider enabling Malware Scanning using Microsoft Defender for Storage on the Storage Account. Alternatively, enable Malware Scanning for all Storage Accounts within a subscription.
Examples#
Configure with Azure template#
To deploy Storage Accounts that pass this rule:
- Deploy a `Microsoft.Security/DefenderForStorageSettings` sub-resource (extension resource).
- Set the `properties.malwareScanning.onUpload.isEnabled` property to `true`.
For example:
```json
{
  "type": "Microsoft.Security/defenderForStorageSettings",
  "apiVersion": "2022-12-01-preview",
  "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('name'))]",
  "name": "current",
  "properties": {
    "isEnabled": true,
    "malwareScanning": {
      "onUpload": {
        "isEnabled": true,
        "capGBPerMonth": 5000
      }
    },
    "sensitiveDataDiscovery": {
      "isEnabled": true
    },
    "overrideSubscriptionLevelSettings": false
  },
  "dependsOn": [
    "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]"
  ]
}
```
Configure with Bicep#
To deploy Storage Accounts that pass this rule:
- Deploy a `Microsoft.Security/DefenderForStorageSettings` sub-resource (extension resource).
- Set the `properties.malwareScanning.onUpload.isEnabled` property to `true`.
For example:
```bicep
resource defenderForStorageSettings 'Microsoft.Security/defenderForStorageSettings@2022-12-01-preview' = {
  name: 'current'
  scope: storageAccount
  properties: {
    isEnabled: true
    malwareScanning: {
      onUpload: {
        isEnabled: true
        capGBPerMonth: 5000
      }
    }
    sensitiveDataDiscovery: {
      isEnabled: true
    }
    overrideSubscriptionLevelSettings: false
  }
}
```
Notes#
Not all services within storage accounts are currently supported.
- When the plan is already enabled at the subscription level and the resource level override property `overrideSubscriptionLevelSettings` is `false`, the resource level enablement is ignored and the subscription level plan is still used.
- If the override property `overrideSubscriptionLevelSettings` is `true`, the resource level enablement is honored and a dedicated plan is configured for the storage account.
- If there is no plan at the subscription level, the resource level enablement is honored and a dedicated plan is configured for the storage account.
Note that the examples above set `overrideSubscriptionLevelSettings` to `false`. On a subscription where the Defender for Storage plan is already enabled, the resource level `malwareScanning` settings in those examples therefore have no effect until the override is set to `true`; check the subscription level plan as well when verifying that scanning is actually active.
Links#
- SE:10 Monitoring and threat detection
- What is Microsoft Defender for Cloud?
- Malware Scanning in Defender for Storage
- Limitations
- Setting up response to Malware Scanning
- Overview of Microsoft Defender for Storage
- Enable and configure Microsoft Defender for Storage
- Quickstart: Enable enhanced security features
- Azure security baseline for Storage
- DP-2: Monitor anomalies and threats targeting sensitive data
- LT-1: Enable threat detection capabilities
- Azure Policy built-in policy definitions