Security Alert for enabling Malware scanning in Subscription for Storage account

Solanki, Rajdipsinh 0 Reputation points
2024-08-20T09:11:07.13+00:00

We see there are some warnings to enable Malware Scanning for some of the Azure Storage accounts. However, we have the following doubts:

  1. Once enabled, will Malware Scanning have any performance penalty?
  2. Once enabled, can it be disabled in Defender for Cloud?
  3. How much time is required to initiate a scan once a file is added to the storage account?
  4. If a file is found to be infected, what action will be performed by Malware Scanning? We have a doubt that we might lose the file.

1 answer

  1. Nehruji R 7,811 Reputation points Microsoft Vendor
    2024-08-21T06:33:22.81+00:00

    Hello Solanki, Rajdipsinh,

    Greetings! Welcome to Microsoft Q&A Platform.

    Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption.

    Please note that for Malware Scanning and sensitive data threat detection at subscription and storage account levels, you need Owner roles (subscription owner/storage account owner) or specific roles with corresponding data actions.

    The following table summarizes the permissions you need for each scenario. The permissions are either built-in Azure roles or action sets that you can assign to custom roles.


    Details on unsupported features and services in Malware Scanning: https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-storage-malware-scan#limitations.

    1. Once enabled, will Malware Scanning have any performance penalty?
      Enabling malware scanning in Azure Storage accounts can have a slight performance impact, primarily due to the additional processing required to scan files. However, this impact is generally minimal and should not significantly affect overall performance. Refer to https://learn.microsoft.com/en-us/azure/storage/blobs/storage-performance-checklist.
    2. Once enabled, can it be disabled in Defender for Cloud?
      Yes, once enabled, you can disable malware scanning in Microsoft Defender for Cloud. You can do this by navigating to the settings and changing the status of the relevant feature to "Off".
    3. How much time is required to initiate a scan once a file is added to the storage account?
      The malware scanning process is designed to operate in near real-time. This means that scans are initiated almost immediately after a file is uploaded to the storage account.
    4. If a file is found to be infected, what action will be performed by Malware Scanning? We have a doubt that we might lose the file.
      If a file is found to be infected, several actions can be taken. The file can be quarantined, deleted, or access to it can be blocked. Additionally, a security alert will be generated in Defender for Cloud, providing full context on the malicious findings. To avoid losing files, it's recommended to enable soft delete on the storage account, which allows you to recover files if needed. Refer to the section at https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-storage-configure-malware-scan.

    Reference docs: https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-storage-introduction, https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-storage-azure-portal-enablement?tabs=enable-subscription, https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/malware-scanning-for-cloud-storage-ga-announcement-prevent/ba-p/3884470

    Hope the answer helps! Please let us know if you have any further queries. I’m happy to assist you further.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

