Microsoft Defender for Storage now includes malware scanning for Azure Government Secret and Top Clouds. This update aligns cloud storage protection features across both commercial and government cloud services.
This feature is available exclusively in the Defender for Storage plan (per storage account). Azure Government customers using the classic Defender for Storage plan (per-transaction) are encouraged to upgrade to the latest version to take advantage of comprehensive sensitive data discovery, and malware scanning and to benefit from ongoing and future enhancements to Defender for Storage.
👩🏽💻Use case scenarios for Azure Government Secret and Top-Secret cloud:
Government cloud customers may require malware scanning for their cloud storage accounts due to factors such as the management of sensitive documents, compliance with regulatory standards, and security considerations specific to public sector organizations.
Use case scenarios for malware scanning:
- Ensure classified documents are not comprised by infected uploads
- Prevent lateral movement or staging attacks between departments or third-party contractors
- Adhere to strict compliance standards such as FedRamp, CJIS, and FISMA for continuous monitoring
- Continuously scanning storage with up-to-date threat intelligence
- Adhere to Zero Trust principles
🐞Malware scanning triggers
Defender for Storage is an agentless solution that does not require additional infrastructure. It enables detection and prevention of malicious content from entering storage accounts and spreading throughout organization’s environments. Malware scanning includes two triggers that can be used to begin protecting the environment immediately.
| 🔼On-upload |
Automatically scans blobs when they're uploaded or modified, providing near real-time detection of malicious content.
|
|
🔁On-demand |
Conduct manual scans or configure automated scans of stored data to address changing security requirements, compliance obligations, or in response to security incidents, ensuring continuous protection of your data. |
Note: In the current configuration of malware protection within Defender for Storage, it is required to have on-upload malware scanning enabled to use the on-demand functionality
👟Enable malware scanning in Defender for Storage
Defender for Storage provides customers with multiple configuration options for enabling malware scanning:
- Azure Built- In Policy (recommended)
- Azure Portal
- Infrastructure as Code
- REST API
- PowerShell
🦾Malware Advanced Configurations
Malware scanning provides advanced configurations that allow organizations such as high-security customers like government cloud users to customize, harden, and optimize their environments to meet specific security, performance, and compliance needs. The service provides the following:
- Logging for malware scan results
- Event Grid custom topic
- Log Analytic workspace
- Override Defender for Storage subscription-level
- Enable/Disable malware scanning at the resource level
- Set limit of GB scanned per month
⚙️Additional Resources
Defender for Storage Malware Protection Overview
On-demand malware protection in Defender for Storage
On-upload malware protection in Defender for Storage
Advanced configurations for malware scanning
We want to hear from you! Please take a moment to fill out this survey to provide direct feedback to the Defender for Storage engineering team.
Microsoft