Blog Post

Microsoft Defender for Cloud Blog
2 MIN READ

Validating Microsoft Defender for Storage Detections

YuriDiogenes's avatar
YuriDiogenes
Icon for Microsoft rankMicrosoft
Dec 16, 2019
Microsoft Defender for Storage provides an additional layer of security intelligence that can be used to detect unusual and potentially harmful attempts to access or exploit storage accounts. This fe...
Updated Oct 28, 2021
Version 5.0
OSuperfly68's avatar
OSuperfly68
Copper Contributor
Nov 18, 2023

I've just try to test the EICAR detection on an azure fileshare / container protected by Defender for Cloud / Storage.

 

Here's what I did:

  • created a storage account and a fileshare
  • created a VM, disabled Windows Defender and connect a drive to that fileshare
  • enabled Defender for Storage on the subscription
  • created a TXT-File containing the EICAR signature and saved that to the fileshare

Result:
The file isn't recognized by Defender for Storage / Cloud.
I can open the file, create copies etc.
If I reenable Microsoft Defender and ouch the file I've got an alert immediately and the file gets quarantined!

 

If I upload a similar TXT-file to an container in the same storage account it is identified as malicious.

But to my astonishment that file could be accesses and downloaded again!

 

Questions: 

Azure Files Share:

  • Why isn't the file uploaded to Azure Files detected as malicious?
  • Will a malicious detected file be quarantined / deleted automatically as in Microsoft Defender?

Azure Container

  • How could a file detected as malicious be quarantined / deleted automatically?
  • Isn't that a feature of Defender for Cloud?

 

Thanks for Input.

Oliver