Skip to content

Malware Scanning#

Security · Storage Account · Rule · 2023_06

Enable Malware Scanning in Microsoft Defender for Storage.

Description#

Microsoft Defender for Storage provides additional security for storage accounts.

One of the features in the Defender for Storage service is malware scanning that is powered by Microsoft Defender Antivirus.

Content uploaded to cloud storage could be malware. Storage accounts can be a malware entry point into the organization and a malware distribution point. To protect organizations from this threat, content in cloud storage must be scanned for malware before it's accessed.

Malware Scanning in Defender for Storage helps protect storage accounts from malicious content by performing a full malware scan on uploaded content in near real time.

This can be helpful when:

  • To protect storage accounts from malicious content, especially when content in the storage account is uploaded from untrusted sources (customers and partners, anonymous users, etc.)
  • To comply with compliance standards that require on-upload malware scanning for non-compute resources (NIST, SWIFT, UK GOV, and more), and collecting the necessary evidence for compliance audits.

When the malware scan identifies a malicious file, detailed Microsoft Defenders for Cloud security alerts are generated.

Malware Scanning in Microsoft Defender for Storage can be enabled at the resource level. However, the general recommendation is to enable it at the subscription level and by doing so ensures all storage accounts in the subscription will be protected, including future ones. Defender for Storage settings on each storage account is inherited by the subscription level settings.

It is also worth to mention that the resource level enablement can be useful when:

  • Override subscription level settings to configure specific storage accounts with custom malware scanning settings that differ from the settings configured at the subscription level.

Recommendation#

Consider enabling Malware Scanning using Microsoft Defender for Storage on the Storage Account. Alternatively, enable Malware Scanning for all Storage Accounts within a subscription.

Examples#

Configure with Azure template#

To deploy Storage Accounts that pass this rule:

  • Deploy a Microsoft.Security/DefenderForStorageSettings sub-resource (extension resource).
  • Set the properties.malwareScanning.onUpload.isEnabled property to true.

For example:

Azure Template snippet
{
    "type": "Microsoft.Security/DefenderForStorageSettings",
    "apiVersion": "2022-12-01-preview",
    "name": "current",
    "properties": {
        "isEnabled": true,
        "malwareScanning": {
            "onUpload": {
                "isEnabled": true,
                "capGBPerMonth": 5000
            }
        },
        "overrideSubscriptionLevelSettings": false
    },
    "scope": "[resourceId('Microsoft.Storage/storageAccounts', parameters('StorageAccountName'))]"
}

Configure with Bicep#

To deploy Storage Accounts that pass this rule:

  • Deploy a Microsoft.Security/DefenderForStorageSettings sub-resource (extension resource).
  • Set the properties.malwareScanning.onUpload.isEnabled property to true.

For example:

Azure Bicep snippet
resource defenderForStorageSettings 'Microsoft.Security/DefenderForStorageSettings@2022-12-01-preview' = {
  name: 'current'
  scope: storageAccount
  properties: {
    isEnabled: true
    malwareScanning: {
      onUpload: {
        isEnabled: true
        capGBPerMonth: 5000
      }
    }
    overrideSubscriptionLevelSettings: false
  }
}

Notes#

This feature is currently in preview.

Malware Scanning is not supported for storage accounts with public network access set to disabled. Not all services within storage accounts are currently supported.

  • When the plan is already enabled at the subscription level and the resource level override property overrideSubscriptionLevelSettings value is false, the resource level enablement will be ignored and the subscription level (plan) will still be used.
  • If the override property overrideSubscriptionLevelSettings value is true, the resource level enablement will be honored and a dedicated plan will be configured for the storage account.
  • If there is no plan at the subscription level, the resource level enablement will be honored and a dedicated plan will be configured for the storage account.

Comments