In cloud-native environments, malware protection is no longer traditional antivirus — it is runtime workload security, ensuring containerized applications remain safe throughout their lifecycle.
Many organizations focus on scanning container images before deployment. While image scanning is important, this does not stop runtime attacks. Image scanning protects before deployment, but malware detection protects during execution.
Malware can enter cloud environments through container images, compromised CI/CD pipelines, exposed services, or misuse of legitimate administrative tools, making runtime malware detection an essential security control rather than an optional enhancement. Runtime malware detection and prevention is the last line of defence when preventive controls fail.
If malware executes successfully inside a container, it may attempt privilege escalation, container escape and host compromise.
Antimalware in Defender for Containers
Defender for Containers antimalware, powered by Microsoft Defender Antivirus cloud protection, brings near-real-time malware detection directly into container environments. The antimalware feature is available via Helm with sensor version 0.10.2 for AKS, GKE, and EKS (see: Defender for Containers Sensor).
Defender for Containers Antimalware provides:
- Runtime monitoring of container activity
- Malware detection on container workloads
- Malware detection for Kubernetes nodes
- Alerts integrated into Defender XDR
See: Anti-malware detection and blocking - Microsoft Defender for Cloud (Microsoft Learn)
Container antimalware protection in Defender for Containers is powered by three main components:
1) Defender Sensor - version 0.10.2, installed via Helm or the Arc extension
The Defender sensor runs inside the Kubernetes cluster and monitors workload activity in real time.
It provides:
- Runtime visibility into container processes
- Binary execution monitoring
- Behavioral inspection
- Alerting on and blocking malware execution
- Multicloud support (Azure Kubernetes Service, AWS EKS, GCP GKE)
Prerequisites: Ensure the following components of the Defender for containers plan are enabled:
- Defender sensor
- Security findings
- Registry access
- Kubernetes API access
To install the Defender sensor for antimalware, ensure there are sufficient resources on your Kubernetes cluster and outbound connectivity. In addition to the core sensor memory and CPU requirements, the antimalware component needs:

| Component | Request | Limit |
| --- | --- | --- |
| CPU | 50m | 300m |
| Memory | 128Mi | 500Mi |
All sensor components use outbound-only connectivity (no inbound access required).
To install the Defender for Containers sensor, follow the guidance here.
To verify the sensor deployed successfully on all nodes, use the commands in the screenshot below.
You should see the collector pods in Running state with 3/3 containers.
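The same readiness check as a script, so it can run in a CI job or a cron check instead of being eyeballed. This is an added example, not code from the original post or from Microsoft: it parses `kubectl get pods` output and fails unless every sensor pod is Running with all of its containers ready. The namespace (kube-system) and the pod-name prefix (microsoft-defender-) are assumptions about the install; the sample output below is constructed.

```shell
# Added example (not from the original post). Checks that every Defender
# sensor pod is Running with all containers ready, e.g. 3/3 for collectors.
# ASSUMPTIONS: sensor pods live in kube-system and are named microsoft-defender-*.

check_sensor_pods() {
  # $1: text in `kubectl get pods` format (NAME READY STATUS RESTARTS AGE).
  # Exit 0 if all sensor pods are healthy, 1 otherwise (prints the offenders).
  printf '%s\n' "$1" | awk '
    NR == 1 { next }                          # skip the header line
    $1 !~ /^microsoft-defender-/ { next }     # only look at sensor pods
    {
      n++
      split($2, rc, "/")                      # READY column is ready/total
      if ($3 != "Running" || rc[1] != rc[2]) {
        bad++
        print "NOT READY: " $1, $2, $3
      }
    }
    END {
      if (n == 0) { print "no sensor pods found"; exit 1 }
      exit (bad > 0)
    }'
}

# Constructed sample output: all sensor pods healthy.
SAMPLE_OK='NAME                                    READY   STATUS    RESTARTS   AGE
microsoft-defender-collector-ds-4k2xq   3/3     Running   0          5m
microsoft-defender-collector-ds-p9zrt   3/3     Running   0          5m
microsoft-defender-publisher-ds-7h1m2   1/1     Running   0          5m
coredns-5d78c9869d-abcde                1/1     Running   0          3d'

# Constructed sample output: one collector still has a container not ready.
SAMPLE_BAD='NAME                                    READY   STATUS    RESTARTS   AGE
microsoft-defender-collector-ds-4k2xq   3/3     Running   0          5m
microsoft-defender-collector-ds-p9zrt   2/3     Running   0          5m
microsoft-defender-publisher-ds-7h1m2   1/1     Running   0          5m'

# Live usage against a cluster (requires kubectl and cluster credentials):
#   check_sensor_pods "$(kubectl get pods -n kube-system)" || echo "sensor not healthy"
```

If the sensor was installed into a different namespace, change the `-n` argument; if your pod prefix differs, adjust the regex in the awk filter.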
2) Antimalware Policy Engine
Policies define what happens when malware is detected:
- Alert only
- Block execution
- Ignore (allowlisted cases)
Policies can be scoped to Azure subscriptions, AWS accounts and GCP projects, and also to specific clusters, namespaces, pods, images, labels or workloads. This allows organizations to reduce false positives while enforcing strict security where needed.
Host vs Workload Protection — How Sensor Covers Both
Antimalware rules can be applied to the following resource scopes:

| Scope | What Is Protected |
| --- | --- |
| Workload (Container) | Processes inside containers |
| Host (Node) | Kubernetes node OS and runtime |
Default rules include:
- Default antimalware workload rule
- Default antimalware host rule
This matters because attackers who escape a container typically target the kubelet, the container runtime, and the node filesystem. Blocking malware at both the workload and host layers prevents a single compromised pod from turning into a cluster takeover.
To configure the antimalware policy, follow the guidance here.
To verify the antimalware policy is deployed to the cluster, log in to your Kubernetes cluster and use the commands in the screenshot below:
3) Cloud Protection (Microsoft Defender Antivirus Cloud)
The Defender for Containers sensor integrates with Microsoft Defender Antivirus cloud protection, which provides global threat intelligence, machine learning classification, reputation scoring and zero-day detection. When a suspicious binary appears, cloud analysis determines whether it should be allowed or blocked.
To test malware detection and blocking, upload an EICAR test file to a running container on your cluster.
If the policy action is Block Malware, the sensor enforces it: the malicious process is killed and a Defender for Cloud alert is generated, as shown below:
The malware is detected and execution is blocked.
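A repeatable way to run that test from a workstation. This is an added example, not code from the original post or from Microsoft. It assembles the 68-byte EICAR test string at runtime from two halves (so the script itself is not quarantined on disk), then streams it into a pod with `kubectl exec` and tries to execute it. The namespace, pod and container names are placeholders you must supply.

```shell
# Added example (not from the original post). Drops the EICAR test file into a
# running container and executes it, so the antimalware policy can be observed.
# ASSUMPTIONS: kubectl is configured for the target cluster; the container has
# a POSIX sh and a writable /tmp; namespace/pod/container names are yours.

eicar_string() {
  # The standard EICAR test string (68 bytes), built from two pieces so that
  # this script file does not itself contain the full signature.
  p1='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-'
  p2='ANTIVIRUS-TEST-FILE!$H+H*'
  printf '%s%s' "$p1" "$p2"
}

eicar_length() { eicar_string | wc -c | tr -d ' '; }   # -> 68

# Well-known MD5 of the EICAR file; use it to confirm the string was assembled intact.
eicar_md5() { eicar_string | md5sum | cut -d' ' -f1; }  # -> 44d88612fea8a8f36de82e1278abb02f

# drop_eicar_into_pod NAMESPACE POD [CONTAINER]
# Writes /tmp/eicar.com inside the container and executes it. With a Block
# policy the sensor kills the process; with Alert only it runs (and exits
# non-zero, since EICAR is not a valid program) and an alert is raised.
drop_eicar_into_pod() {
  ns="$1"; pod="$2"; ctr="${3:-}"
  eicar_string | kubectl -n "$ns" exec -i ${ctr:+-c "$ctr"} "$pod" -- \
    sh -c 'cat > /tmp/eicar.com && chmod +x /tmp/eicar.com'
  kubectl -n "$ns" exec ${ctr:+-c "$ctr"} "$pod" -- \
    sh -c '/tmp/eicar.com; echo "exit status: $?"'
}

# Usage: sh this_script.sh run <namespace> <pod> [container]
if [ "${1:-}" = "run" ]; then
  [ "$(eicar_length)" = "68" ] || { echo "EICAR string corrupted" >&2; exit 2; }
  drop_eicar_into_pod "${2:?namespace}" "${3:?pod}" "${4:-}"
fi
```

After running it, check Defender for Cloud (or the Defender XDR portal) for the alert on that pod; with a Block policy the second `kubectl exec` should report the process being killed rather than a normal exit status.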
Defender for Cloud Alerts are also available in Defender XDR portal.
Security Operations teams can further investigate the infected file by navigating to the Incidents and Alerts section in the Defender portal.
When a container or pod is determined to be compromised, Defender XDR enables the Security Operations team to take response actions. For more details, see: Investigate and respond to container threats in the Microsoft Defender portal
Binary Drift Detection and Prevention
Containers are expected to be immutable: a running container should only execute binaries that came from its original image. This is extremely important because most container attacks involve curl/wget downloading malware, crypto miners dropped post-compromise, or attack tools installed dynamically. For more details, refer to Binary drift detection and blocking.
Defender detects runtime drift such as:
- New binaries downloaded after deployment
- Files written into container filesystem
- Tools installed via reverse shell
- Payloads dropped by attackers
To configure the drift detection and prevention policy, follow the guidance here. When a binary that did not originate from the container image is executed in a workload, the Defender for Containers sensor detects the drift and, if the policy is set to block, prevents the execution.
To test drift prevention, deploy a container and introduce drift into the running container (execute a binary that was not part of the image). The sensor detects the drift, blocks it, and generates an alert, as shown in the screenshot below:
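To make the concept concrete, here is an added example (not code from the original post or from Microsoft's sensor) in two parts: a simplified illustration of how binary drift detection works, comparing the executables that shipped in the image against the executables observed running, and a helper that introduces harmless drift in a pod so the policy can be exercised. The baseline and runtime lists below are constructed sample data; the kubectl helper assumes a pod with a POSIX sh, a writable /tmp and `/bin/ls` in its image.

```shell
# Added example (not from the original post). Part 1: the essence of binary
# drift detection as a diff between the image's executables and what actually
# ran. Part 2: a safe way to produce drift in a pod for testing the policy.

# list_executables ROOTFS_DIR
# Prints the regular files with the owner-execute bit under ROOTFS_DIR, e.g.
# an image extracted with `crane export` or `docker create` + `docker export`.
list_executables() {
  find "$1" -type f -perm -100 | sed "s#^$1##" | sort -u
}

# new_binaries BASELINE_FILE CURRENT_FILE
# Prints each path in CURRENT that is absent from BASELINE (deduplicated,
# first-seen order). Anything printed is binary drift.
new_binaries() {
  awk 'NR == FNR { base[$0] = 1; next } !($0 in base) && !seen[$0]++' "$1" "$2"
}

# Constructed sample: executables in the image vs. executables observed at runtime.
demo_drift() {
  base=$(mktemp); cur=$(mktemp)
  printf '%s\n' /bin/sh /bin/ls /usr/bin/curl > "$base"
  printf '%s\n' /bin/sh /tmp/drifted /bin/ls /usr/bin/xmrig /tmp/drifted > "$cur"
  new_binaries "$base" "$cur"          # -> /tmp/drifted and /usr/bin/xmrig
  rm -f "$base" "$cur"
}

# introduce_drift NAMESPACE POD
# Copies an existing binary to a new path and appends a byte so the file is not
# byte-identical to anything in the image, then executes it. Under a drift
# policy set to block, the sensor should stop the execution and raise an alert.
introduce_drift() {
  kubectl -n "$1" exec "$2" -- sh -c \
    'cp /bin/ls /tmp/drifted && printf x >> /tmp/drifted && /tmp/drifted /; echo "exit status: $?"'
}

# Usage: sh this_script.sh demo        (runs the offline comparison)
#        sh this_script.sh drift NS POD (introduces drift in a live pod)
case "${1:-}" in
  demo)  demo_drift ;;
  drift) introduce_drift "${2:?namespace}" "${3:?pod}" ;;
esac
```

The awk comparison is the whole idea of drift detection: the image manifest is the allowlist, and any executed path or file hash outside it is suspect. Note that appending a byte to an ELF binary leaves it runnable, which is why the helper produces a genuinely new file rather than just a renamed copy.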
References:
Anti-malware detection and blocking
Install Defender for Containers sensor using Helm
Binary drift detection and blocking
Investigate and respond to container threats in the Microsoft Defender portal
Reviewed by:
Eyal Gur, Principal Product Manager, Microsoft Defender for Cloud