Agentless machine scanning

Microsoft Defender for Cloud improves compute posture for Azure, AWS and GCP environments with machine scanning. For requirements and support, see the compute support matrix in Defender for Cloud.

Agentless scanning for virtual machines (VM) provides:

Agentless scanning assists you in the identification process of actionable posture issues without the need for installed agents, network connectivity, or any effect on machine performance. Agentless scanning is available through both the Defender Cloud Security Posture Management (CSPM) plan and Defender for Servers P2 plan.

Availability

Aspect Details
Release state: GA
Pricing: Requires either Defender Cloud Security Posture Management (CSPM) or Microsoft Defender for Servers Plan 2
Supported use cases: Vulnerability assessment (powered by Defender Vulnerability Management)
Software inventory (powered by Defender Vulnerability Management)
Secret scanning
Malware scanning (Preview) Only available with Defender for Servers plan 2
Clouds: Azure Commercial clouds
Azure Government
Microsoft Azure operated by 21Vianet
Connected AWS accounts
Connected GCP projects
Operating systems: Windows
Linux
Instance and disk types: Azure
Standard VMs
Unmanaged disks
Maximum total disk size allowed: 4TB (the sum of all disks)
Maximum number of disks allowed: 6
Virtual machine scale set - Flex
Virtual machine scale set - Uniform

AWS
EC2
Auto Scale instances
Instances with a ProductCode (Paid AMIs)

GCP
Compute instances
Instance groups (managed and unmanaged)
Encryption: Azure
Unencrypted
Encrypted – managed disks using Azure Storage encryption with platform-managed keys (PMK)
Encrypted – other scenarios using platform-managed keys (PMK)
Encrypted – customer-managed keys (CMK) (preview)

AWS
Unencrypted
Encrypted - PMK
Encrypted - CMK

GCP
Google-managed encryption key
Customer-managed encryption key (CMEK)
Customer-supplied encryption key (CSEK)

How agentless scanning works

Agentless scanning for VMs uses cloud APIs to collect data. Whereas agent-based methods use operating system APIs in runtime to continuously collect security related data. Defender for Cloud takes snapshots of VM disks and performs an out-of-band, deep analysis of the operating system configuration and file system stored in the snapshot. The copied snapshot remains in the same region as the VM. The VM isn't affected by the scan.

After acquiring the necessary metadata is acquired from the copied disk, Defender for Cloud immediately deletes the copied snapshot of the disk and sends the metadata to Microsoft engines to detect configuration gaps and potential threats. For example, in vulnerability assessment, the analysis is done by Defender Vulnerability Management. The results are displayed in Defender for Cloud, which consolidates both the agent-based and agentless results on the Security alerts page.

The scanning environment where disks are analyzed is regional, volatile, isolated, and highly secure. Disk snapshots and data unrelated to the scan aren't stored longer than is necessary to collect the metadata, typically a few minutes.

Diagram of the process for collecting operating system data through agentless scanning.

This article explains how agentless scanning works and how it helps you collect data from your machines.