Microsoft Defender for Cloud Blog

🎉Malware scanning add-on is now generally available in Azure Gov Secret and Top-Secret clouds

alsteele (Microsoft)
Aug 12, 2025

Microsoft Defender for Storage now includes malware scanning for Azure Government Secret and Top-Secret clouds. This update aligns cloud storage protection features across both commercial and government cloud services.

This feature is available exclusively in the Defender for Storage plan (per storage account). Azure Government customers using the classic Defender for Storage plan (per-transaction) are encouraged to upgrade to the latest version to take advantage of comprehensive sensitive data discovery and malware scanning, and to benefit from ongoing and future enhancements to Defender for Storage.

👩🏽‍💻Use case scenarios for Azure Government Secret and Top-Secret cloud:

Government cloud customers may require malware scanning for their cloud storage accounts due to factors such as the management of sensitive documents, compliance with regulatory standards, and security considerations specific to public sector organizations.

Use case scenarios for malware scanning:

  • Ensure classified documents are not compromised by infected uploads
  • Prevent lateral movement or staging attacks between departments or third-party contractors
  • Adhere to strict compliance standards such as FedRAMP, CJIS, and FISMA for continuous monitoring
  • Continuously scan storage with up-to-date threat intelligence
  • Adhere to Zero Trust principles

 

🐞Malware scanning triggers

Defender for Storage is an agentless solution that does not require additional infrastructure. It detects malicious content and prevents it from entering storage accounts and spreading throughout an organization's environment. Malware scanning includes two triggers that can be used to begin protecting the environment immediately.

 

🔼On-upload

Automatically scans blobs when they're uploaded or modified, providing near real-time detection of malicious content.

🔁On-demand

Conduct manual scans or configure automated scans of stored data to address changing security requirements, compliance obligations, or in response to security incidents, ensuring continuous protection of your data.

Note: In the current configuration of malware protection within Defender for Storage, on-upload malware scanning must be enabled to use the on-demand functionality.

👟Enable malware scanning in Defender for Storage

Defender for Storage provides customers with multiple configuration options for enabling malware scanning:

  • Azure built-in policy (recommended)
  • Azure Portal
  • Infrastructure as Code
  • REST API
  • PowerShell

🦾Malware Advanced Configurations

Malware scanning provides advanced configurations that allow high-security customers, such as government cloud users, to customize, harden, and optimize their environments to meet specific security, performance, and compliance needs. The service provides the following:

  • Logging for malware scan results
    • Event Grid custom topic
    • Log Analytics workspace
  • Override Defender for Storage subscription-level settings
  • Enable/Disable malware scanning at the resource level
  • Set a limit on GB scanned per month

⚙️Additional Resources

Defender for Storage Malware Protection Overview

On-demand malware protection in Defender for Storage

On-upload malware protection in Defender for Storage

Advanced configurations for malware scanning

 

We want to hear from you! Please take a moment to fill out this survey to provide direct feedback to the Defender for Storage engineering team.

Updated Aug 12, 2025
Version 4.0