Validating Microsoft Defender for Storage Detections
Published Dec 16 2019 05:10 AM 27.8K Views
Microsoft

Microsoft Defender for Storage provides an additional layer of security intelligence that can be used to detect unusual and potentially harmful attempts to access or exploit storage accounts. This feature can be enabled at the subscription level, via Microsoft Defender for Storage, or on each individual Azure Storage account. The main difference is that enabling it at the subscription level applies it to all storage accounts in the subscription for which Microsoft Defender for Cloud is enabled.

The goal of this post is to explain how to validate the Microsoft Defender for Storage detection by uploading a test malware file (EICAR) to a storage account using Storage Explorer. To follow the steps in this lab, make sure to enable Microsoft Defender for Storage under the Settings – Pricing Tier blade in Microsoft Defender for Cloud:

StorageAccountPricing.jpg

After enabling Microsoft Defender for Storage in Microsoft Defender for Cloud, follow the steps below:

1. Create a new Storage Account

2. Open the Storage Account that you created, and under Blob Service, click Containers:

newstorage.JPG

3. Click the + Container button to create a new container

4. Under Name, type storageatpvalidation and leave public access set to Private.

5. Click OK to create the container.

6. Download Storage Explorer on the computer that you will use to upload the test file (EICAR).

7. On this computer, create a text file using Notepad and paste the following string into it:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

8. Save the text file as "EICAR.com" (or any other name you prefer).

9. Open Storage Explorer and add your Azure account to it.

10. Open the storage account that you just created and, under Blob Containers, click on the container that you created, as shown below:

Container.JPG

11. Click the Upload button on the right pane and select Upload files.

12. Under Selected files, click the three dots to open the dialog window and select the EICAR file.

13. Click Upload and wait until you see that the file was uploaded.
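The thirteen steps above, scripted with the Azure CLI instead of the portal and Storage Explorer, as an added example that is not part of the original post. It assumes the storage account from step 1 already exists, that `az` is installed and signed in with an identity allowed to write blobs, and it reuses the container name from step 4; `validate_storage.sh` is an assumed file name. Before uploading, the script checks that the test file is the exact 68-byte EICAR string with its well-known SHA-256, because the detection discussed in the comments compares blob hashes against threat intelligence, so a BOM or trailing newline added by an editor changes the hash and the upload may never match.

```shell
#!/bin/sh
# Added example, not from the original post. Scripts steps 1-13 with the
# Azure CLI and verifies the test file is byte-exact EICAR before upload.
# Assumptions: `az` is installed and logged in; the storage account exists;
# the account/container names are passed in by the caller.

# The 68-byte EICAR test string, exactly as published (no trailing newline).
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
# Well-known SHA-256 of those 68 bytes.
EICAR_SHA256='275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f'

# Portable SHA-256 (GNU coreutils on Linux, shasum on macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Steps 7-8: write the test file with no newline and no BOM.
write_eicar() {
  printf '%s' "$EICAR" > "$1"
}

# Returns 0 only if the file is exactly 68 bytes with the known hash.
# Any whitespace or BOM added by an editor makes this return 1.
verify_eicar() {
  size=$(wc -c < "$1" | tr -d ' ')
  [ "$size" -eq 68 ] || return 1
  [ "$(sha256_of "$1")" = "$EICAR_SHA256" ]
}

# Steps 3-5 and 9-13 via the Azure CLI. `--auth-mode login` uses your Azure AD
# identity, which needs a data-plane role such as Storage Blob Data Contributor.
upload_test_file() {
  account="$1"; container="$2"; file="$3"
  # Private container (public access off), matching step 4.
  az storage container create --account-name "$account" \
    --name "$container" --public-access off --auth-mode login >/dev/null
  az storage blob upload --account-name "$account" \
    --container-name "$container" --name EICAR.com \
    --file "$file" --auth-mode login
}

# Usage: sh validate_storage.sh <storage-account> [container]
if [ "$#" -ge 1 ]; then
  ACCOUNT="$1"
  CONTAINER="${2:-storageatpvalidation}"
  TMP=$(mktemp)
  write_eicar "$TMP"
  if verify_eicar "$TMP"; then
    upload_test_file "$ACCOUNT" "$CONTAINER" "$TMP"
    echo "Uploaded; wait for the 'Potential malware uploaded to a storage account' alert."
  else
    echo "Test file is not byte-exact EICAR; not uploading." >&2
    rm -f "$TMP"
    exit 1
  fi
  rm -f "$TMP"
fi
```

The hash check is the part worth keeping even if you upload through Storage Explorer: run `verify_eicar` against the file you saved from Notepad, and if it fails, the saved file is not the published 68-byte sample.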

At this point, you just need to wait until the detection takes place (which can take a while). Once the detection takes place, a new alert is generated in Microsoft Defender for Cloud, similar to the one below:

alert_part1.JPG

This alert also contains useful information about the potential cause, and a threat report towards the end of the blade:

alert_part2.JPG

You will also receive an email similar to the one below (read this blog post for more info about email notifications):

alertemail.JPG

The email contains all the information available in the alert, but for the purpose of this blog, only part of the email content is shown.

Get started today
It is incredibly easy to enable Microsoft Defender for your storage accounts using the Azure Portal, Azure Policy, REST API or PowerShell.
We encourage you to try it out for free for the first 30 days. You can learn more about Microsoft Defender for Storage alerts and how to enable it on the getting started page.

Special thanks to:

Hasan Abo-Shally, Guy Waldman, Yoav Frandzel and Ron Matchoro for contributing and reviewing this post.

23 Comments
Copper Contributor

Thanks for the update. We don't have granular control on Azure key vault, so is there any alternative. Just wondering.

Microsoft

@Vatan_Joshi 

You can grant most of the access permissions by using the Azure portal. To grant granular permissions, you can use Azure PowerShell or the Azure CLI. Please see here for more info: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault

Copper Contributor

Is it possible to reduce the detection time? We have to wait 3+ hours before we get an alert.

Microsoft

@IrynaH right now there is nothing that you can do on your side to improve this. However, we are working in our backend to improve this time.

Copper Contributor

@Yuri Diogenes, is it possible to know how often the ATP scan runs (time interval)? So we can get to know which blobs are malware-free or were scanned, based on creation time?

For example: if a blob is 4 hours old, then we can be sure that it was scanned.

Thanks

Microsoft

Hello @IrynaH - unfortunately we can't make this assumption due to the way that this threat detection works. The current solution is based on Storage's telemetry stream. The stream contains logs of operations that were performed on ATP-enabled storage accounts. Some, but not all, of these operation logs contain hashes of the related blob or file, and we can then compare this to our threat intelligence data. However, there are many cases where no such hash is present in the telemetry. As I mentioned, we have work in progress to reduce this time to minutes. Thanks for checking!

Copper Contributor

Many thanks for such a detailed answer @Yuri Diogenes

I'm looking for a more or less real-time anti-malware scan on Azure storage. That is how I came to ATP. Can you suggest any other solution that can be used for such a purpose?

Microsoft

Unfortunately we don't have another solution for that, @IrynaH 

Is there an event fired when the security scan is complete, maybe with flags on the result of the event and a pointer to the blob that was scanned? Would be useful for automating.

Microsoft

@Hari Praghash Kalyanasundaram Subramaniam no, there is no event, but you can use the sample below to create an automation based on the alert https://techcommunity.microsoft.com/t5/azure-security-center/how-to-respond-to-potential-malware-upl...

Copper Contributor

Hi,

@Yuri Diogenes An alert if malware is found is obviously useful, but what we also need is a signal that a file was scanned and that it was found to be clean. Just waiting 3 hours and hoping the file has been scanned is not workable.

Rgds,

Dennis

Microsoft

@dvijlbrief thanks for sharing your feedback. We are aware of this and we are working to improve the detection time. 

Copper Contributor

Hi @Yuri Diogenes,

Thanks, but please note I'm not actually talking about detection time. My main point is that not only should malware detection be there, but a 'clean' result should also be there. I need to be able to see/detect that a file was scanned and found to be free of malware.

Kind Regards,

Dennis

Microsoft

@dvijlbrief I understand that too, and we have this feedback on our backlog.

Copper Contributor

@Yuri Diogenes Is there a way to follow the status of this?

Microsoft

@KimiJ any update on feature status is announced on the Azure Updates page. You can use the RSS feed from the page below to get notifications of our monthly updates https://azure.microsoft.com/en-us/updates/

Copper Contributor

Storage Explorer isn't letting me upload the malware file. I tried various other approaches to upload it using the Azure CLI and SAS URLs but did not get any alerts in ASC (also, the Defender plan is ON for all my resources).

Any suggestions on how to generate an alert?

Microsoft

@pruchita97 you can use the alert validation feature Alert validation in Azure Security Center | Microsoft Docs

Copper Contributor

This has now stopped working for us; Microsoft Defender for Cloud is no longer picking up potential malware in storage accounts, and nothing has changed on our side. I checked the Logic Apps to make sure the API connectors were still authorised, but it appears that MDfC is simply not finding the viruses anymore.

Copper Contributor

@Yuri Diogenes - does Defender for Storage inspect zip files for malware, whether executables / other ransomware or even EICAR signatures?

In particular, is either of the following alerts triggered when the .exe is hidden in a .zip file or embedded in a file with a different extension, e.g. .doc(x)/.xls(x) etc.?

1. "Unusual upload of .exe to a storage account (Storage.Blob_ExeUploadAnomaly Storage.Files_ExeUploadAnomaly)"

2. Potential malware uploaded to a storage account (Storage.Blob_MalwareHashReputation Storage.Files_MalwareHashReputation)

I know hash reputation analysis has its limitations, but having a clear set of exclusions allows clients to build a proper defense solution and improve their security posture.

Copper Contributor

@Yuri Diogenes any updates on reducing the alert time after uploading malware?
I waited more than 3 hours after the upload but still no alert fired for potential malware.

Copper Contributor

Defender for Storage seems to detect the malicious file almost immediately after it is uploaded as a blob. But there should be an alert generated and sent via Azure Event Hub or Service Bus, because currently we have to depend on creating a Logic App to catch the Defender alert and do some limited action like sending an email or deleting the blob. It is better to stream or send this as an event via one of your messaging products.

Copper Contributor

I've just tried to test the EICAR detection on an Azure file share / container protected by Defender for Cloud / Storage.

Here's what I did:

  • created a storage account and a file share
  • created a VM, disabled Windows Defender and connected a drive to that file share
  • enabled Defender for Storage on the subscription
  • created a TXT file containing the EICAR signature and saved it to the file share

Result:
The file isn't recognized by Defender for Storage / Cloud.
I can open the file, create copies etc.
If I re-enable Microsoft Defender and touch the file, I get an alert immediately and the file gets quarantined!

If I upload a similar TXT file to a container in the same storage account, it is identified as malicious.

But to my astonishment, that file could be accessed and downloaded again!

Questions:

Azure Files Share:

  • Why isn't the file uploaded to Azure Files detected as malicious?
  • Will a file detected as malicious be quarantined / deleted automatically, as in Microsoft Defender?

Azure Container

  • How could a file detected as malicious be quarantined / deleted automatically?
  • Isn't that a feature of Defender for Cloud?

Thanks for your input.

Oliver

Last update: Oct 28 2021 12:32 AM