Malware scanning for Cloud Storage going GA


On September 1, 2023 the Malware Scanning add-on for Defender for Storage will move from preview to general availability.

This is a great add-on that lets you protect your storage accounts and prevent malicious content from being uploaded to and stored in your cloud storage.

It is an agentless malware scanning service which protects your blob storage in Azure. In this article I will walk through some basic setup steps to test the feature on a storage account. We will:

  • Create an Azure Storage Account
  • Enable the add-on feature for Defender for Storage
  • Upload a test blob which will trigger the malware scan alerts

The goal is to get you going with this feature quickly. Under References at the end of this article you will find the official Microsoft blog post about this feature, as well as a link to a lab Microsoft provides where you can test it further.

Create a storage account

First we need to create a storage account. We will do so using the Azure CLI. Authenticate to your subscription using the following commands:

az login
az account set -s <subscription-id>
az account show

Make sure az account show displays the correct subscription.

  1. Create a resource group by running az group create -n <rg-name> -l <location>
  2. Create the storage account by running az storage account create -n <storageAccountName> -g <rg-name> -l <location> --sku Standard_LRS --kind StorageV2. My command looked like this:

  3. Make sure that your storage account has Defender for Storage enabled with the following settings (note that it takes some time before the plan is enabled, so patience is needed here):

  4. Select Save

Upload malicious blob

Create a test malicious file on your computer. Note that you may need to exclude the directory where you save it in your antivirus settings, otherwise your local antivirus will detect and remove it.

In C:\Temp we will create a new text file with this content:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Save it as eicar.com; File Explorer should then show the file type as MS-DOS Application.

You may need to enable showing file name extensions in File Explorer:

Now we need to upload this file to the storage account to trigger an alert.

  1. Head to your storage account and under Containers select + Container
  2. Give it a name and select Create
  3. Select your new container and select Upload
  4. Drag the file to the upload area and select Upload

Once successfully uploaded, the file will be scanned and should trigger a Defender for Cloud alert:

  5. Head to Defender for Cloud Overview and you should see an alert:
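The steps above are done by hand in File Explorer and the portal. The script below is an added example, not code from the original post or from Microsoft: it writes the EICAR test file with exact bytes and verifies its size and SHA-256 before upload (a trailing newline or CRLF added by a text editor changes the file so scanners no longer match it), then uploads it with az storage blob upload. The storage account and container names are placeholders you supply; the upload function assumes az is installed and you have already run az login.

```shell
#!/bin/sh
# Added example (not part of the original post). Creates and verifies the
# EICAR test file, then uploads it to a blob container to trigger a scan.

# The EICAR test string as printed in the article (68 characters).
EICAR_STRING='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
# Published SHA-256 of the 68-byte EICAR test file, used to confirm the
# file on disk is byte-for-byte correct.
EICAR_SHA256='275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f'

write_eicar() {
    # $1 = output path. printf '%s' writes the string with no trailing newline,
    # which is what most editors would silently add.
    printf '%s' "$EICAR_STRING" > "$1"
}

sha256_of() {
    # Prints the hex SHA-256 of $1, using whichever tool the platform has.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

verify_eicar() {
    # Returns 0 only if $1 is exactly 68 bytes and hashes to the known value.
    size=$(wc -c < "$1" | tr -d ' ')
    if [ "$size" -ne 68 ]; then
        echo "unexpected size $size (expected 68): editor added a newline?" >&2
        return 1
    fi
    actual=$(sha256_of "$1")
    if [ "$actual" != "$EICAR_SHA256" ]; then
        echo "hash mismatch: $actual" >&2
        return 1
    fi
    return 0
}

upload_eicar() {
    # $1 = local file, $2 = storage account name, $3 = container name
    # (account and container names are placeholders you choose).
    # --auth-mode login uses your az login identity instead of account keys.
    az storage blob upload \
        --account-name "$2" \
        --container-name "$3" \
        --name eicar.com \
        --file "$1" \
        --auth-mode login
}

# Usage (only runs when the script is executed directly with two arguments):
#   sh eicar_upload.sh <storageAccountName> <containerName>
if [ "$#" -eq 2 ]; then
    write_eicar ./eicar.com
    verify_eicar ./eicar.com || exit 1
    upload_eicar ./eicar.com "$1" "$2"
fi
```

After the upload, the scan result appears as a Defender for Cloud alert as described above; verifying the hash first saves you from wondering whether a silent alert is a scanner problem or simply a mangled test file.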

And there you have it. If, like me, you have configured high severity alerts to trigger an email, you will also receive the alert by mail.

This is an example of what the email could look like:

References

Malware Scanning for cloud storage GA pre-announcement | prevent malicious content distribution (How to prevent malicious content distribution from your cloud storage: a scalable, built-in, and agentless solution)
Microsoft-Defender-for-Cloud/Labs/Modules/Module 19 - Defender for Storage.md at main · Azure/Microsoft-Defender-for-Cloud (the Microsoft Defender for Cloud community repository)
