
Malware Scanning#

Security · Storage Account · Rule · 2024_03 · Critical

Enable Malware Scanning in Microsoft Defender for Storage.

Description#

Microsoft Defender for Storage provides additional security for storage accounts.

One of the features in the Defender for Storage service is malware scanning that is powered by Microsoft Defender Antivirus.

Content uploaded to cloud storage could be malware. Storage accounts can be a malware entry point into the organization and a malware distribution point. To protect organizations from this threat, content in cloud storage must be scanned for malware before it's accessed.

Malware Scanning in Defender for Storage helps protect storage accounts from malicious content by performing a full malware scan on uploaded content in near real time.

This can be helpful:

  • To protect storage accounts from malicious content, especially when content in the storage account is uploaded from untrusted sources (customers and partners, anonymous users, etc.).
  • To comply with standards that require on-upload malware scanning for non-compute resources (NIST, SWIFT, UK GOV, and more), and to collect the necessary evidence for compliance audits.

When the malware scan identifies a malicious file, detailed Microsoft Defender for Cloud security alerts are generated.

Malware Scanning in Microsoft Defender for Storage can be enabled at the resource level. However, the general recommendation is to enable it at the subscription level, which ensures that all storage accounts in the subscription are protected, including ones created in the future. Each storage account then inherits the Defender for Storage settings configured at the subscription level.

Resource-level enablement is also useful when you need to:

  • Override the subscription-level settings to configure specific storage accounts with custom malware scanning settings that differ from those configured at the subscription level.

Recommendation#

Consider enabling Malware Scanning using Microsoft Defender for Storage on the Storage Account. Alternatively, enable Malware Scanning for all Storage Accounts within a subscription.

Examples#

Configure with Azure template#

To deploy Storage Accounts that pass this rule:

  • Deploy a Microsoft.Security/DefenderForStorageSettings sub-resource (extension resource).
  • Set the properties.malwareScanning.onUpload.isEnabled property to true.

For example:

Azure Template snippet

```json
{
  "type": "Microsoft.Security/defenderForStorageSettings",
  "apiVersion": "2022-12-01-preview",
  "scope": "[format('Microsoft.Storage/storageAccounts/{0}', parameters('name'))]",
  "name": "current",
  "properties": {
    "isEnabled": true,
    "malwareScanning": {
      "onUpload": {
        "isEnabled": true,
        "capGBPerMonth": 5000
      }
    },
    "sensitiveDataDiscovery": {
      "isEnabled": true
    },
    "overrideSubscriptionLevelSettings": false
  },
  "dependsOn": [
    "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]"
  ]
}
```

Configure with Bicep#

To deploy Storage Accounts that pass this rule:

  • Deploy a Microsoft.Security/DefenderForStorageSettings sub-resource (extension resource).
  • Set the properties.malwareScanning.onUpload.isEnabled property to true.

For example:

Azure Bicep snippet

```bicep
resource defenderForStorageSettings 'Microsoft.Security/defenderForStorageSettings@2022-12-01-preview' = {
  name: 'current'
  scope: storageAccount
  properties: {
    isEnabled: true
    malwareScanning: {
      onUpload: {
        isEnabled: true
        capGBPerMonth: 5000
      }
    }
    sensitiveDataDiscovery: {
      isEnabled: true
    }
    overrideSubscriptionLevelSettings: false
  }
}
```

Notes#

Not all services within storage accounts are currently supported.

  • When the plan is already enabled at the subscription level and the resource-level override property overrideSubscriptionLevelSettings is false, the resource-level enablement is ignored and the subscription-level plan is still used.
  • If the override property overrideSubscriptionLevelSettings is true, the resource-level enablement is honored and a dedicated plan is configured for the storage account.
  • If there is no plan at the subscription level, the resource-level enablement is honored and a dedicated plan is configured for the storage account.
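The override rules above decide whether a resource-level setting actually takes effect, which is easy to get wrong when reviewing a template. The following Python is an added example (not part of the PSRule rule or its documentation): it locates the defenderForStorageSettings extension resource in a template and reports the effective on-upload scanning state and which plan decided it. The sample template is constructed for the example, with the page's scope expression resolved to a literal storage account name, and the subscription-level plan state is passed in as plain booleans.

```python
from typing import Any, Optional

# Constructed sample ARM template (not from the PSRule docs): the Defender for
# Storage sub-resource from the page, with its scope expression resolved to a literal.
SAMPLE_TEMPLATE: dict[str, Any] = {
    "resources": [
        {"type": "Microsoft.Storage/storageAccounts", "name": "storage001"},
        {
            "type": "Microsoft.Security/defenderForStorageSettings",
            "apiVersion": "2022-12-01-preview",
            "scope": "Microsoft.Storage/storageAccounts/storage001",
            "name": "current",
            "properties": {
                "isEnabled": True,
                "malwareScanning": {"onUpload": {"isEnabled": True, "capGBPerMonth": 5000}},
                "overrideSubscriptionLevelSettings": False,
            },
        },
    ]
}


def find_defender_settings(template: dict[str, Any], account_name: str) -> Optional[dict[str, Any]]:
    """Locate the defenderForStorageSettings extension resource scoped to the account."""
    target = f"Microsoft.Storage/storageAccounts/{account_name}".lower()
    for res in template.get("resources", []):
        if (res.get("type", "").lower() == "microsoft.security/defenderforstoragesettings"
                and res.get("scope", "").lower() == target):
            return res
    return None


def effective_malware_scanning(
    subscription_plan_enabled: bool,
    subscription_malware_scanning: bool,
    resource_settings: Optional[dict[str, Any]],
) -> tuple[bool, str]:
    """Return (on-upload scanning active?, which plan decided it: subscription/resource/none).

    Mirrors the Notes: a subscription plan wins unless the resource sets
    overrideSubscriptionLevelSettings to true; with no subscription plan, the
    resource-level settings are honored as a dedicated plan.
    """
    props = (resource_settings or {}).get("properties", {})
    override = bool(props.get("overrideSubscriptionLevelSettings", False))
    if subscription_plan_enabled and not override:
        return subscription_malware_scanning, "subscription"
    if resource_settings is None:
        return False, "none"
    on_upload = props.get("malwareScanning", {}).get("onUpload", {})
    return bool(props.get("isEnabled")) and bool(on_upload.get("isEnabled")), "resource"
```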
