April 2, 2023

Defender for Storage – Antimalware Scanning

What is Antimalware scanning for storage accounts?

Microsoft Defender for Storage Antimalware Scanning provides built-in, near real-time, full antimalware scanning of content uploaded to a protected storage account. Storage accounts can be both a malware entry point into the organization and a malware distribution point. To protect storage accounts from this threat, content must be scanned for malware before it is accessed from the storage account. There is no easy way of doing that today, so many accounts remain vulnerable; as a result, malware in storage accounts is considered a top threat by customers, security analysts, and regulators. The Malware Scanning capability is an agentless SaaS solution that allows simple setup at scale with zero maintenance, and supports automating response at scale.

Common use scenarios

- Protecting storage accounts from malicious content, especially when content in the storage account is uploaded from untrusted sources (customers and partners, anonymous users, etc.).
- Complying with standards that require on-upload malware scanning for non-compute resources (NIST, SWIFT, UK GOV, and more), and collecting the necessary evidence for compliance audits.

Limitations in Public Preview

- Legacy v1 storage accounts aren't supported.
- Azure Files isn't supported for Malware Scanning.
- Client-side encrypted blobs aren't supported (the service can't decrypt them before scanning). Data encrypted at rest with a customer-managed key (CMK) is supported.
- The file size limit is 2 GB.
- The "capping" mechanism is currently not functional. You can set your limits now, and they will take effect when "capping" starts working.
- The Malware Scanning throughput rate limit per storage account is 2 GB/min. Uploading at a higher rate slows scanning down: files are scanned later.
- Index tag scan results aren't supported in storage accounts with hierarchical namespace enabled (Azure Data Lake Storage Gen2).
- Append and page blobs aren't supported for Malware Scanning.

Setup for Malware protection

Networking configuration

Malware Scanning supports storage accounts with "Networking" > "Public network access" enabled, either from all networks or from selected virtual networks. Malware Scanning is not supported for storage accounts with "Public network access" set to Disabled.

Permissions

To enable and configure Malware Scanning, you must have an Owner role such as Subscription Owner or Storage Account Owner, or your own specific roles for storage accounts.

Event Grid resource provider

The Event Grid resource provider must be registered so that the Event Grid System Topic used to detect upload triggers can be created. Follow these steps to verify Event Grid is registered on your subscription. You must have permission for the /register/action operation of the resource provider; this permission is included in the Contributor and Owner roles.

Setup Microsoft Defender for Storage

I recommend that you enable Defender for Storage at the subscription level. Doing so ensures all storage accounts in the subscription will be protected, including future ones. First, navigate to Defender for Cloud, select "Environment Settings" under the Management section and click the wanted subscription.
Now enable the Defender for Storage plan. Microsoft Defender for Storage is now enabled for this subscription, and it is fully protected, including on-upload malware scanning and sensitive data threat detection. If you want to turn off On-upload malware scanning or Sensitive data threat detection, select Settings and change the status of the relevant feature to Off. There's no Settings in my photo below, but it will be displayed under Full-word. You can see all additional settings from the Settings & monitoring blade. You enter this blade by clicking the Settings & monitoring link on the Defender for Cloud plan page.

It is also possible to enable and configure Defender for Storage:

- with Azure Policy
- with IaC templates
- with ARM templates
- with the REST API

Malware scan results

Blob scan

I tried the malware scan by uploading an EICAR test file to the storage account's blob container. Blob index tags are metadata fields on a blob. They categorize data in your storage account using key-value tag attributes. These tags are automatically indexed and exposed as a searchable multi-dimensional index to easily find data. The scan results are concise, displaying "Malware Scanning scan result" and "Malware Scanning scan time UTC" in the blob's index tags (metadata). Other result types (alerts, events, logs) provide more information on the malware type and the file upload operation. More info: Malware Scanning Index Tag Keys.

Defender for Cloud security alerts

When a malicious file is detected, Microsoft Defender for Cloud generates a Microsoft Defender for Cloud security alert. To see the alert, go to Microsoft Defender for Cloud security alerts. The security alert contains details and context on the file, the malware type, and recommended investigation and remediation steps.

[Figure: Security alert details 1]
[Figure: Security alert details 2]
[Figure: Security alert potential actions]

Event Grid event

Event Grid is useful for event-driven automation.
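The two consumers of a scan result described on this page are a reader-side check on the blob index tags ("Malware Scanning scan result", "Malware Scanning scan time UTC") and an Event Grid subscriber that automates the response (move, delete or quarantine). The following is an added example written for this post, not code from the original article or from Microsoft: it parses a scan-result event, locates the blob from the blobUri, and maps the scanResultType verdict to an action, and it applies the same decision to a blob's index tags. The post names only the scanResultType and blobUri fields; everything else about the event (the nesting under "data", the event type name, and the verdict strings "Malicious" and "No threats found") is an assumption of this example, and the sample events are constructed, so no Azure SDK call is made and it runs offline.

```python
"""Added example, not from the original post: respond to Defender for Storage
malware-scan results delivered via Event Grid, and gate reads on blob index tags.

Assumptions (not stated on the page):
- The event carries the verdict in data.scanResultType and the blob location in
  data.blobUri; verdict strings are "Malicious" / "No threats found".
- Index tag values use the same verdict strings as the event.
- The event type name below is assumed, not taken from the page.
"""
import json
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import unquote, urlparse

# Index tag keys named on the page
TAG_RESULT = "Malware Scanning scan result"
TAG_TIME = "Malware Scanning scan time UTC"

# Verdict strings (assumed)
MALICIOUS = "Malicious"
CLEAN = "No threats found"


@dataclass(frozen=True)
class BlobRef:
    account: str
    container: str
    name: str


def parse_blob_uri(blob_uri: str) -> BlobRef:
    """Split https://<account>.blob.core.windows.net/<container>/<blob path>."""
    u = urlparse(blob_uri)
    if u.scheme != "https" or not u.netloc.endswith(".blob.core.windows.net"):
        raise ValueError(f"not an Azure Blob URI: {blob_uri}")
    account = u.netloc.split(".", 1)[0]
    container, _, name = u.path.lstrip("/").partition("/")
    if not container or not name:
        raise ValueError(f"URI lacks container or blob name: {blob_uri}")
    return BlobRef(account, container, unquote(name))


def decide_action(scan_result: Optional[str]) -> str:
    """Map a verdict to a response. Anything other than a clean verdict fails closed:
    an unscanned or unknown blob is held rather than served, matching the page's
    rule that content is scanned before it is accessed."""
    if scan_result == CLEAN:
        return "release"      # safe to serve to downstream consumers
    if scan_result == MALICIOUS:
        return "quarantine"   # move out of the consumer-facing container
    return "hold"             # no verdict yet, or an unexpected value


def handle_scan_event(event_json: str) -> Dict[str, str]:
    """Process one Event Grid scan-result event and return the action to take."""
    event = json.loads(event_json)
    data = event.get("data", {})
    ref = parse_blob_uri(data["blobUri"])          # blobUri is mandatory
    action = decide_action(data.get("scanResultType"))
    return {"account": ref.account, "container": ref.container,
            "blob": ref.name, "action": action}


def gate_on_index_tags(tags: Dict[str, str]) -> str:
    """Reader-side check: decide from a blob's index tags whether it may be served.
    A missing result tag means the blob has not been scanned (or cannot be)."""
    return decide_action(tags.get(TAG_RESULT))


# Constructed sample events (hypothetical account "examplestorage")
MALICIOUS_EVENT = json.dumps({
    "eventType": "Microsoft.Security.MalwareScanningResult",  # assumed name
    "data": {
        "blobUri": "https://examplestorage.blob.core.windows.net/uploads/reports/eicar%20test.txt",
        "scanResultType": MALICIOUS,
    },
})
CLEAN_EVENT = json.dumps({
    "eventType": "Microsoft.Security.MalwareScanningResult",  # assumed name
    "data": {
        "blobUri": "https://examplestorage.blob.core.windows.net/uploads/invoice.pdf",
        "scanResultType": CLEAN,
    },
})

if __name__ == "__main__":
    for ev in (MALICIOUS_EVENT, CLEAN_EVENT):
        print(handle_scan_event(ev))
    # Constructed tag sets: scanned clean, scanned malicious, and not yet scanned
    print(gate_on_index_tags({TAG_RESULT: CLEAN, TAG_TIME: "2023-04-02T10:00:00Z"}))
    print(gate_on_index_tags({TAG_RESULT: MALICIOUS, TAG_TIME: "2023-04-02T10:00:01Z"}))
    print(gate_on_index_tags({}))
```

The "hold" default is the important design choice: with a 2 GB/min per-account throughput limit, a freshly uploaded blob can sit without a verdict for a while, and serving it in that window defeats the on-upload scan. The same default also means blobs the preview never tags (append and page blobs, files over 2 GB, accounts with hierarchical namespace enabled) stay held, so a deployment needs a separate, deliberate path for those rather than silently releasing them.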
It's the fastest method to get results with minimum latency, in the form of events that you can use for automating response. Events from Event Grid custom topics can be consumed with multiple endpoint types. The most useful for Malware Scanning scenarios are:

- Function App (previously called Azure Function): use a serverless function to run code for automated response, such as move, delete or quarantine.
- Web Hook: to connect an application.
- Event Hubs & Service Bus Queue: to notify downstream consumers.

For each scan result, an event is sent using the schema below, where the <scanResultType> field contains the scan result of the uploaded blob <blobUri>; these fields are used as part of your response automation logic. Learn more about setting up Event Grid.

Log Analytics

It is also possible to log your scan results for compliance evidence or for investigating scan results. By setting up a Log Analytics workspace destination, you can store every scan result in a centralized log repository that is easy to query. You can view the results by navigating to the Log Analytics destination workspace and looking for the StorageAntimalwareScanResults table. Learn more about setting up Log Analytics results.

What does it cost?

Malware Scanning is billed per GB scanned. To provide cost predictability, Malware Scanning supports setting a cap on the number of GB scanned in a single month per storage account. This setting can be set at the subscription level, to apply to each storage account in the subscription, or for a specific storage account. The default value for each storage account is 5000 GB per month; after crossing this limit, blobs won't be scanned (with up to a 20 GB confidence interval). Learn about how to configure scan limits.

Conclusion

When I tested this feature a couple of months ago via the Microsoft CCP program, I was amazed by how this malware scan functionality has been enabled first for Azure storage accounts. I'm sure that customers' IT / security departments would like to know whether there is any malware stored in their storage accounts. My role as a Cloud Security Advisor is to advise and help customers with their security issues. I will definitely encourage at least testing this feature. This antimalware scan for storage accounts is the first step. There's more to come, but you need to wait.