Malware Scanning for cloud storage GA announcement | prevent malicious content distribution
Published Jul 26 2023 05:44 AM 15.6K Views

Malware Scanning in Defender for Storage is generally available (GA) for Azure Blob Storage (since September 1, 2023). This add-on to Defender for Storage is priced at $0.15 (USD) per GB of data scanned.


Malware Scanning in Defender for Storage helps protect your Blob storage accounts from malicious content by performing a full, built-in, agentless malware scan on uploaded content in near real time, using Microsoft Defender Antivirus capabilities. It scans all file types and allows you to detect and prevent malware distribution events.


Defender for Storage helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. Malware Scanning is its latest feature. Defender for Storage is part of Microsoft Defender for Cloud, a CNAPP solution.


Malware Scanning in Defender for StorageMalware Scanning in Defender for Storage



Enabling Malware Scanning at scale is easy and simple, requires zero maintenance, and supports automated responses at scale. You can enable it with an Azure built-in policy (recommended), IaC templates such as Bicep and ARMREST API, or the Azure portal UI to enable at scale.




Malware protection is old news, but protecting your non-compute resources from malware still proves to be difficult


Compute vs. non-compute malware protection:

  • The malware distribution challenge is not new. Traditionally, endpoint detection and response (EDR) solutions solve this problem for compute resources such as VMs and containers. However, non-compute resources such as storage are much harder to protect against malware - they do not have a compute layer to run antimalware tools, installing an EDR on them is impossible.
  • While non-compute resources cannot be infected by malware (because it cannot be executed in a non-compute environment), cloud storage resources are central hubs of data that downstream consumers tend to trust.
  • This means that storage can be a gateway and distribution point to malware into your org or to 3rd parties and consumers.


Untrusted content uploaded to cloud storage could be malware. Without verifying that incoming files are free of malicious content before they’re uploaded, storage accounts can become a malware entry point into the organization and serve as a point of distribution to the environment.
This is because your storage accounts are data hubs and are typically a convenient place to upload content to, and have many downstream consumers pull the data and transform it.


The malware could be distributed downstream to consumers in multiple copies. If the malware finds a host to run on – the impact could be game over.

It could lead to data loss or corruption, steal sensitive data and authentication tokens, and present opportunities for potential ransomware attacks. It’s common for these attacks to damage the reputation of organizations and cause significant harm, regulatory fines, and compliance issues, making the protection of non-compute resources a challenging yet crucial aspect of cybersecurity.


That’s why top compliance standards, such as NIST, SWIFT, and UK Government protocols, as well as security best practices, require scanning files in cloud storage before human users or applications access them.


Traditional approaches to addressing the cloud storage malware protection challenge have scalability and privacy issues. Some popular approaches are sending files to a VM that runs antivirus, like open source ClamAV or by EDR providers, or running SaaS solutions that are not tailored to PaaS and IaaS.


The main issue with these systems is they don't scale well, require too many resources, rely heavily on multiple copy jobs and complex networking, and keep you waiting a bit too long before they start scanning, creating hiccups in your apps and workflows.
In most cases, they'll have you tangled up in intricate networking and juggling data management tasks, adding to your IT team's workload. The enablement friction and resource scaling maintenance is cumbersome, creates overhead, and leaves too much room for error.

Unfortunately, these solutions fail to scale up as needed, and instead of protecting, they might increase the attack surface because of the data flow and resources. So, we end up needing even stronger security measures.

An alternative approach to address these challenges involves sending files, or their signatures, to external third-party services for malware detection.

The key drawback of such solutions is their inherent requirement to move your potentially sensitive data outside your existing environment, crossing regional and cloud boundaries. This is a compliance and privacy issue that exposes your data to potential leaks and breaches and places it beyond your control.



A modern, private, and scalable approach that helps protect your cloud storage from malware, built for high-compliance industries


Malware Scanning in Defender for Storage offers built-in and agentless detection with zero maintenance.


As soon as a file is uploaded to a storage account, Malware Scanning will immediately read the uploaded content, scan it out of band, and detect polymorphic and metamorphic malware in near real-time.


If a file is determined as malicious by the Microsoft Defender Antivirus engine, access to the file can be blocked, the file can be quarantined or deleted, and the scan result will automatically trigger a security alert in Defender for Cloud or other workflows, so your SOC analysts have full context on the malicious findings.


To maintain maximum privacy, the regional malware scanning engine never retains the content of the files, and the data is never centralized. Files are scanned "in-memory" and are never stored in the Malware Scanning engine.


Malware Scanning occurs within the same region of the storage account. In some cases, when a file is suspicious, and more data is required, the Malware Scanning engine may share metadata outside the scanning region, including metadata classified as customer data (e.g., SHA-256 hash), with Microsoft Defender for Endpoint, leveraging its powerful Cloud Protection features.



Supporting fully-fledged features with granular cost control at the feature level


The Malware Scanning capability within Defender for Storage was built with flexibility and cost management in mind.
It allows enablement either at the subscription level or at the resource level while offering the ability to exclude individual storage accounts from protection.


You can control and cap your costs. The pricing of Malware Scanning is based on the number of gigabytes (GB) of data scanned. For granular cost control, there's an option to set a monthly limit on the volume of data scanned per storage account per month. This limit can be set for the entire subscription or for each individual storage account. Once the set limit is reached in a month, the scanning process halts to prevent additional costs. You will be alerted when nearing the cap, and when crossing it. The default cap for the recommended enablement methods is 5TB per storage account per month.


You can also choose to enable logging for every scan result (including clean files) for compliance needs.



A hands-on lab to try out Malware Scanning in Defender for Storage


We recommend you try the Ninja training instructions for detailed step-by-step instructions on how to test Malware Scanning end-to-end with setting up responses to scanning results. This is part of the 'labs' project that helps customers get ramped up with Microsoft Defender for Cloud and provide hands-on practical experience with its capabilities.



Common use cases


In the last two years, we’ve worked with customers who’ve used the beta version of Malware Scanning and helped design it. During that process, we’ve learned the common use cases and scenarios that require and typically utilize malware scanning in cloud storage services to maintain data and system integrity. The following list is an example of some of these:


  1. Web applications: many cloud web applications allow users to upload content to storage. This allows low maintenance and scalable storage for applications like tax apps, CV upload HR sites, and receipts upload.
  2. Content protection: assets like videos and photos are commonly shared and distributed at scale both internally and to external parties. CDN and content hubs are a classic malware distribution opportunity.

  3. Compliance requirements: resources that adhere to compliance standards like NIST, SWIFT, GDPR, and others require robust security practices, which include malware scanning. It is critical for organizations operating in regulated industries or regions.

  4. Third-party integration: third-party data can come from a wide variety of sources, and not all of them may have robust security practices, such as business partners, developers, and contractors. Scanning for malware helps to ensure that this data doesn't introduce security risks to your system.  

  5. Collaborative platforms: similar to file sharing, teams leverage cloud storage for continuously sharing content and collaborating across teams and organizations. Scanning for malware ensures safe collaboration.

  6. Data pipelines: data moving through ETL processes can come from multiple sources and may include malware. Scanning for malware can help to ensure the integrity of these pipelines.

  7. ML training data: the quality and security of the training data are critical for effective machine learning models. It's why it's important to ensure these data sets are clean and safe, especially if they include user-generated content or data from external sources.



See it at work


Here’s a short demo showcasing Malware Scanning capabilities to scan and provide quick, reliable results so you can easily make your applications secure:

Malware Scanning - Tax App demoMalware Scanning - Tax App demo

In this example, tax files are uploaded to a storage blob container that stores all the uploaded untrusted content. Once a file is uploaded, Malware Scanning scans the files and sends the scanning results to a serverless function that moves clean files to a ‘clean’ blob container and malicious files to a ‘suspicious’ files blob container (for quarantine/deletion).



Consuming scan results and setting up response


Scan results are returned for every file scanned. There are several supported methods to consume the scan results, fitting different use cases. Read more about consuming scan results and using them for an automated response.


View and consume malware scanning resultsView and consume malware scanning results



Getting started


A common way to start is to deploy Malware Scanning protection with this built-in Azure Policy. You can also use IaC templates such as Bicep and ARMREST API, or the Azure portal UI to enable at scale.

If you’re using the old (“classic”) Defender for Storage plan, migrate to the new plan to enable Malware Scanning.
You can also read about how to run an effective POC.



Additional resources



Have questions or comments? Write them below.


1 Comment
Version history
Last update:
‎Sep 18 2023 07:36 AM
Updated by: