Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community
Agentless malware scanning for servers with Defender for Cloud
Published Jan 18 2024 06:23 AM 10K Views

In the past year, we have been progressively enhancing our CNAPP solution with additional agentless security capabilities. It started with the capability to review installed software and identify vulnerabilities. We then expanded the platform to secret scanning to mitigate the risk of lateral movement.


Today, we're excited to announce our latest addition: agentless malware scanning for servers. This marks an important step in our trajectory towards hybrid VM security, where we combine agent-based and agentless protection to ensure comprehensive coverage across Azure, AWS, and GCP environments. Agentless malware scanning seamlessly incorporates into our agentless scanning platform, now also leveraging Microsoft Defender Antivirus (MDAV), Microsoft’s powerful anti-malware engine to detect threats and malicious files, generating security alerts for further investigation.


Why agentless malware scanning?

While traditional Endpoint Detection & Response (EDR) agents offer unparalleled depth in threat prevention, detection, and response, achieving (and maintaining) complete coverage can be challenging, and sophisticated attackers can leverage temporary and persistent blind spots to launch a successful attack. Complementing your fundamental agent-based coverage, agentless malware scanning provides a second effective layer of threat detection, particularly in situations like:


  1. VMs unprotected by EDR – In rapidly changing cloud environments, maintaining agent coverage across all VMs is a continuous effort, and it’s not uncommon for servers to be unprotected due to operational challenges or oversight. Agentless malware scanning ensures that these servers don't remain complete blind spots; it is capable of detecting threats lurking on VMs where an EDR agent is absent and provides essential leads for investigations.
  2. EDR posture and configuration issues – VMs with EDR might still be partially vulnerable due to issues like outdated configurations or mismanaged exclusions. Misuse or overuse of file and path exclusions, often aimed at optimizing performance, can inadvertently open security loopholes. This is particularly risky as certain threat actors exploit these blind spots. Agentless malware scanning, as an out-of-band scan of the VM, provides full coverage of the server filesystem and consistently utilizes Microsoft’s latest models, signatures, and feeds.

Ultimately, it provides an additional safety net against those risks, without added complexity or performance impact on your servers.


How does it work?

This latest addition extends Defender for Cloud’s agentless scanning for VMs capability, already assessing your Azure, AWS and GCP VMs for security issues without relying on running agents or network connectivity. We have also recently published a technical deep dive on the technology.


Until today, agentless scanning continuously conducted periodic inspections of your VM filesystems to surface posture issues, and now extending to threat detection as well, it harnesses the power of MDAV engine to detect malicious files on VMs. Onboarded VMs undergo a daily inspection, with MDAV scans combining signature-based with heuristic methods to assess files. Each scan utilizes our latest signatures and threat intelligence feeds to detect threats early on.

Defender for Cloud's agentless scanning platformDefender for Cloud's agentless scanning platform


When malicious files are detected, Defender for Cloud generates detailed alerts with context, enabling you to conduct further investigations into the threat.



Agentless malware scanning is included with Defender for Servers P2 and becomes an integral part for VMs already enabled for agentless scanning. If you are using both – no action is needed, the new capability is already covering your VMs.


As a reminder, agentless scanning for VMs is automatically enabled with new onboardings to Defender for Servers P2. However, if you wish to validate or enable it, you can take these steps. To monitor your coverage, you can also use the built-in coverage workbook which provides insights about the plan enabled on a subscription and whether agentless scanning is active.


Alert investigation

As soon as malware has been detected on a machine, a corresponding security alert will be created.


Alerts will be flagged as “alertname (agentless)” to indicate that agentless malware scanning created the individual security alert. Additionally, there might be several alerts with the same name on a machine. This indicates the same family of malware was detected in various files or file paths.


When selecting an alert, Defender for Cloud will display an alert summary and allow you to view full details, including information about the affected resource, detected malware, file paths, and more.

Security alert created by agentless malware scanning in Microsoft Defender for Cloud portalSecurity alert created by agentless malware scanning in Microsoft Defender for Cloud portal


Lastly, at Microsoft Ignite 2023, we announced the new Defender for Cloud alerts integration with Microsoft Defender XDR. The new integration already includes alerts created by agentless malware scanning.

Security alert created by agentless malware scanning in Microsoft Defender XDR portalSecurity alert created by agentless malware scanning in Microsoft Defender XDR portal


To learn how to create a test alert for agentless malware scanning in your environment, please read this documentation.



By combining agentless and agent-based solutions, Defender for Cloud enhances your threat detection coverage. While agent-based anti-malware provides unmatched detection and prevention capacities and real-time protection, agentless malware scanning serves as a valuable complement, addressing potential blind spots without imposing performance impact or leaving a footprint on the machine.


With this latest addition, we enhance Defender for Cloud's native server protection capabilities within Defender for Servers Plan 2, covering virtual machines across Azure, AWS, and GCP cloud environments.


Version history
Last update:
‎Jan 18 2024 05:42 AM
Updated by: