September 17, 2025 (updated September 18, 2025)

Malware automated remediation in Defender for Storage

Updates for malware scanning

A new malware scanning feature for Defender for Storage was released to public preview on 09/17/2025. In this post I describe how to configure automated remediation when malware is detected in Azure Blob Storage using Microsoft Defender for Storage.

Defender for Storage supports several ways to handle malicious files. Select the remediation option that fits your scenario:
- Built-in remediation capabilities
- Automated workflows to move or remove malicious files
- Automated workflows to move or ingest clean files to another destination

With malware scanning, you can build your automated remediation on any of these scan result outputs:
- Defender for Cloud security alerts
- Event Grid events
- Blob index tags

Key features and remediation options

Built-in remediation ("soft delete" of malicious blobs)
When Defender for Storage detects a malicious blob (for example through on-upload or on-demand scanning), it can automatically soft-delete it. This is the quarantine stage: the blob is removed from normal access but remains recoverable during the retention period. Soft delete must be enabled on the storage account (if it is not already) when turning on the "Soft delete malicious blobs" setting. The default retention is 7 days, configurable between 1 and 365 days.

Custom/workflow automation
For scenarios where the built-in soft delete is not enough or more control is needed, you can use workflow tools to delete, move, or quarantine malicious blobs. Options include:
- Logic Apps triggered by Defender for Cloud security alerts.
- Function Apps triggered by Event Grid events (low-latency response).

Access controls and quarantine
Use Azure RBAC (role-based access control) or Microsoft Entra ABAC to restrict access to blobs, especially those that are malicious or unscanned. Move malicious blobs to a dedicated "quarantine" storage container or account with restricted permissions.
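The Function App option above (an Event Grid scan-result event drives the move of a blob into a quarantine container) and the application-awareness idea (consumers process a blob only after its index tag reports a clean result) fit in one small handler. The following is an added example, not code from the original post or from Microsoft. The event type name "Microsoft.Security.MalwareScanningResult", the data fields blobUri and scanResultType, and the index tag name "Malware Scanning scan result" are assumptions taken from memory of Microsoft's published schema and should be verified against the current documentation; the container names staging, quarantine and production, the InMemoryStorage stand-in, and the sample events are constructed so the handler runs offline.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from urllib.parse import urlparse

# Assumed names: the Event Grid event type Defender for Storage publishes for
# scan results and the blob index tag it writes. Verify both against the
# current Microsoft documentation before relying on them.
EVENT_TYPE = "Microsoft.Security.MalwareScanningResult"
SCAN_RESULT_TAG = "Malware Scanning scan result"


class Action(Enum):
    QUARANTINE = "quarantine"  # malicious: move out of reach of consumers
    RELEASE = "release"        # clean: move from staging into production
    IGNORE = "ignore"          # not scanned, error, or foreign event: no change


@dataclass(frozen=True)
class BlobRef:
    account: str
    container: str
    name: str


def parse_blob_uri(uri: str) -> BlobRef:
    """Split https://<account>.blob.core.windows.net/<container>/<blob> into parts."""
    parsed = urlparse(uri)
    account = parsed.netloc.split(".")[0]
    container, _, name = parsed.path.lstrip("/").partition("/")
    if not (account and container and name):
        raise ValueError(f"not a blob URI: {uri}")
    return BlobRef(account, container, name)


def decide(event: dict) -> tuple[Action, BlobRef | None]:
    """Map one scan-result event to a remediation action without touching storage."""
    if event.get("eventType") != EVENT_TYPE:
        return Action.IGNORE, None
    data = event.get("data", {})
    ref = parse_blob_uri(data["blobUri"])
    result = data.get("scanResultType")
    if result == "Malicious":
        return Action.QUARANTINE, ref
    if result == "No threats found":
        return Action.RELEASE, ref
    return Action.IGNORE, ref  # "Not scanned" or an error state: leave it in staging


class InMemoryStorage:
    """Constructed stand-in for the blob service so the handler runs offline.
    A real deployment would implement the same methods with azure-storage-blob
    (copy to the target container, then delete the source)."""

    def __init__(self) -> None:
        self.blobs: dict[tuple[str, str], bytes] = {}          # (container, name) -> content
        self.tags: dict[tuple[str, str], dict[str, str]] = {}  # (container, name) -> index tags

    def put(self, container: str, name: str, content: bytes,
            tags: dict[str, str] | None = None) -> None:
        self.blobs[(container, name)] = content
        self.tags[(container, name)] = dict(tags or {})

    def move(self, ref: BlobRef, dst_container: str) -> None:
        src = (ref.container, ref.name)
        self.blobs[(dst_container, ref.name)] = self.blobs.pop(src)
        self.tags[(dst_container, ref.name)] = self.tags.pop(src, {})

    def get_tags(self, container: str, name: str) -> dict[str, str]:
        return self.tags.get((container, name), {})


def handle_event(event: dict, storage: InMemoryStorage, staging: str = "staging",
                 quarantine: str = "quarantine", production: str = "production") -> Action:
    """Function-App style handler: act only on blobs still sitting in the staging container."""
    action, ref = decide(event)
    if ref is None or ref.container != staging:
        return Action.IGNORE
    if action is Action.QUARANTINE:
        storage.move(ref, quarantine)
    elif action is Action.RELEASE:
        storage.move(ref, production)
    return action


def is_safe_to_consume(storage: InMemoryStorage, container: str, name: str) -> bool:
    """Application awareness: process a blob only if its index tag says it is clean.
    A missing tag (scan still pending) is treated as not safe, i.e. the consumer waits."""
    return storage.get_tags(container, name).get(SCAN_RESULT_TAG) == "No threats found"


def make_event(blob_uri: str, result: str) -> dict:
    """Constructed sample event carrying only the fields the handler reads."""
    return {"eventType": EVENT_TYPE, "data": {"blobUri": blob_uri, "scanResultType": result}}


if __name__ == "__main__":
    store = InMemoryStorage()
    store.put("staging", "dropper.bin", b"...", {SCAN_RESULT_TAG: "Malicious"})
    store.put("staging", "invoice.pdf", b"...", {SCAN_RESULT_TAG: "No threats found"})
    base = "https://contosoacct.blob.core.windows.net/staging/"
    print(handle_event(make_event(base + "dropper.bin", "Malicious"), store))
    print(handle_event(make_event(base + "invoice.pdf", "No threats found"), store))
    print(sorted(store.blobs))
```

The handler deliberately ignores events for blobs outside the staging container, so a replayed or mis-routed event cannot move blobs that are already in production, and it leaves "Not scanned" and error results untouched so they can be retried rather than silently released.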
Application awareness
Applications (or downstream data flows) can be made aware of scan results so that they process only clean files. For example, check blob index tags or wait for event-driven signals before consuming files. Use a staging (DMZ-like) storage account for untrusted files, and move them into production only once the scan result says "No threats found".

Note: blob soft delete must be enabled to use the Defender for Storage built-in remediation.

Malware scan remediation flow

Here is a very simple remediation flow. The scan runs automatically via malware scanning, or it can be started with automation. Several options are available (more than these two):
- automation with Logic Apps
- automation with Function Apps

Set up the Defender for Storage plan

[Figure: Defender for Storage plan]

Settings for Defender for Storage

Microsoft Defender for Storage detects threats on your storage workloads and data, including malicious access, exfiltration of sensitive data and malware upload.

Pricing: $10/storage account/month, plus $0.15/GB scanned for on-upload malware scanning (configurable)**
- Simple, one-click setup; no need to enable logs, agents, or rewiring
- Continuously analyzes data plane and control plane logs on Azure Blobs, Azure Data Lake Storage, and Azure Files
- Leverages Microsoft Threat Intelligence and behavioral models
- Generates context-based security alerts easily integrated with any SIEM
- Detects data exposure events with Sensitive Data Discovery (configurable)
- Detects malicious files uploaded to Blob Storage with near real-time malware scanning (configurable)

** An overage charge is applied to storage accounts with an exceptionally high transaction volume. Storage accounts that exceed 73 million monthly transactions are charged $0.1492 for every 1 million transactions above the threshold. Learn how to calculate your expected spend.

[Figure: Defender for Storage settings (from Azure)]

Below I describe the selections I made in the setup.
1. Advanced settings
Use "Override Defender for Storage subscription-level settings" to set configurations that differ from the subscription. This also allows you to disable Defender for Storage on the storage account.

2. Sensitive data threat detection
Sensitive Data Discovery automatically discovers managed cloud data resources containing sensitive data at scale. It is agentless and uses smart sampling scanning, integrated with Microsoft Purview sensitive information types and labels. The feature accesses your data and requires you to have the appropriate permissions to enable it.

3. On-upload malware scanning
Malware Scanning detects malicious files uploaded to Blob Storage using near real-time agentless malware scanning. The feature accesses your data and requires you to have the appropriate permissions to enable it.

4. Set limit of GB scanned per month
Use this setting to cap the GB scanned per month by Malware Scanning to control costs. After crossing this limit (with up to 20 GB deviation) in a single calendar month, files will not be scanned for malware.

5. Filter on-upload scans
Up to 24 filter values in total can be used to exclude blobs from malware scanning, covering prefix, suffix, and size filters (the size filter counts as one value when used). The filters use OR logic, so a blob is excluded if it meets any one of the specified criteria.

6. Soft delete malicious blobs (preview)
When enabled, blobs detected as malicious are soft deleted. Soft-deleted blobs are recoverable. If soft delete isn't already enabled on the storage account, Defender for Storage will attempt to enable it automatically, but only during the initial activation of the automatic response feature.

7. Send scan results to Log Analytics (preview)
Store every scan result in a centralized log repository that is easy to query by setting up a Log Analytics workspace destination. Additional charges apply.
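Because the on-upload filters use OR logic and share a single budget of 24 values, it is worth dry-running a candidate filter set against real blob paths before saving it, so you know exactly which uploads will never reach the scanner. The following is an added example, not code from the original post or from Microsoft. It assumes prefixes and suffixes are matched against the blob path in "container/blob-name" form and that the size filter excludes blobs larger than the given number of MB; the exact matching rules should be checked against the portal's own wording. The sample filter set and blob list are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field

MAX_FILTER_VALUES = 24  # total limit stated in the "Filter on-upload scans" setting


@dataclass
class UploadScanFilter:
    """Exclusion filter for on-upload malware scanning.

    Assumptions: prefixes and suffixes are matched against the blob path in
    "container/blob-name" form, and the size filter excludes blobs larger than
    max_size_mb. Check the portal's own wording before copying a filter set
    into production.
    """
    prefixes: list[str] = field(default_factory=list)
    suffixes: list[str] = field(default_factory=list)
    max_size_mb: int | None = None

    def value_count(self) -> int:
        # The size filter counts as a single value when it is set.
        return len(self.prefixes) + len(self.suffixes) + (1 if self.max_size_mb is not None else 0)

    def validate(self) -> None:
        if self.value_count() > MAX_FILTER_VALUES:
            raise ValueError(
                f"{self.value_count()} filter values exceed the limit of {MAX_FILTER_VALUES}")

    def exclusion_reason(self, blob_path: str, size_bytes: int) -> str | None:
        """Return the first matching criterion, or None if the blob will be scanned.
        Criteria are combined with OR: one match is enough to exclude the blob."""
        for p in self.prefixes:
            if blob_path.startswith(p):
                return f"prefix {p!r}"
        for s in self.suffixes:
            if blob_path.endswith(s):
                return f"suffix {s!r}"
        if self.max_size_mb is not None and size_bytes > self.max_size_mb * 1024 * 1024:
            return f"size > {self.max_size_mb} MB"
        return None

    def will_be_scanned(self, blob_path: str, size_bytes: int) -> bool:
        return self.exclusion_reason(blob_path, size_bytes) is None


def preview(filter_: UploadScanFilter, blobs: list[tuple[str, int]]) -> dict[str, str | None]:
    """Dry-run a filter set over (path, size_in_bytes) pairs; raises if it is over the value limit."""
    filter_.validate()
    return {path: filter_.exclusion_reason(path, size) for path, size in blobs}


if __name__ == "__main__":
    # Constructed filter set and blob list.
    f = UploadScanFilter(prefixes=["logs/", "backups/archive/"],
                         suffixes=[".log", ".bak"], max_size_mb=2048)
    sample = [("logs/app.txt", 10), ("uploads/report.log", 10),
              ("uploads/disk.img", 3 * 1024 ** 3), ("uploads/report.pdf", 10)]
    for path, reason in preview(f, sample).items():
        print(f"{path}: {'excluded (' + reason + ')' if reason else 'scanned'}")
```

Every excluded blob is one the malware scanner will never see, so a broad suffix such as ".log" on a container where users can choose their own file names quietly turns into a scanning bypass; the dry run makes such gaps visible before the filter goes live.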
Testing the automated remediation

I uploaded six files to my newly created storage account, on which I had enabled the settings above. The results were:

[Figure: Defender for Storage scan results (from Azure)]

A security alert was raised as expected, and the malicious blob was automatically deleted, also as expected.

[Figure: Security alert in the Defender for Storage section]
[Figure: Security alert in Defender for Cloud]
[Figure: Automatically deleted on upload]

Scan results from the Log Analytics workspace

I selected "Send scan results to Log Analytics" in the storage plan settings, and the results look like this:

// Malicious blobs per storage account
// Blobs with malicious scan results, grouped by storage account name.
StorageMalwareScanningResults
| where ScanResultType == "Malicious"
| summarize BlobUris = make_list(BlobUri), count() by StorageAccountName

How does this show in Defender XDR

Here is how the malware scan and its alerts show in Defender XDR:

[Figure: Malware alerts in Defender XDR]

Understanding the malware scan results

Tips for understanding the results when Azure Storage blobs are scanned for malware:
- Where you can get scan results (blob index tags, Event Grid messages, logs in Log Analytics, security alerts in Defender for Cloud)
- What success states and error states of scans mean, with common error codes and causes

Success states
- No threats found: the blob was scanned and no malware was detected.
- Malicious: malware or malicious content was discovered in the blob.
- Not scanned: the blob could not be scanned, for reasons such as an unsupported file type or encryption.

Error states
There is a list of different error states.

Things to keep in mind
- Not all blobs are scanned: large blobs, encrypted blobs, or those in unsupported tiers may be skipped.
- Permissions must be correct for scanning to succeed. If the scanner can't read the blob, the scan fails.
- Some errors are transient, and retrying later may succeed.

Read the whole article here.
Jussi Metso
The author is a lifelong IT enthusiast, Microsoft Security MVP and interested in Cloud Security, XDR, SIEM and AI. Motto: Learning is the key for your future.