Microsoft Defender is blocking all files

Question

Microsoft Defender is blocking all files

Ahmad Ido 0

Hello.

We’re developing a FastAPI solution hosted on Azure App Services, with an endpoint that uploads PDF files to Azure Blob Storage. To ensure file safety, we enabled Microsoft Defender’s file-scanning feature on upload and set up a Logic App to send alerts if any files are flagged as malicious.

However, every PDF file we upload is being detected as malicious, even though we believe these files are safe. We’ve reviewed our configuration and haven’t identified any settings that might explain these false positives.

Could you please assist us in diagnosing and resolving this issue? You can reach me via email at Your help is greatly appreciated.

Halim Sherbiny 96 Reputation points

2025-03-20T22:59:41.01+00:00

Hi Ahmed,

Are you certain PDF files that get uploaded are properly formatted? Are these files generated automatically? If that’s the case, you can ensure their integrity using tools like PDF/A validator. Please also make sure they don’t contain malicious scripts (or any scripts for that matter).

Let me know and we’ll walk through some other steps if that didn’t work for you…

Regards,

Haleem Sherbiny
Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2025-03-20T23:02:19.53+00:00

Hello @Ahmad Ido
For better understanding can you please help me with the steps and documents you followed for this approach.

1 answer

Your answer

Halim Sherbiny 96 Reputation points

2025-03-20T22:59:41.01+00:00

Hi Ahmed,

Are you certain PDF files that get uploaded are properly formatted? Are these files generated automatically? If that’s the case, you can ensure their integrity using tools like PDF/A validator. Please also make sure they don’t contain malicious scripts (or any scripts for that matter).

Let me know and we’ll walk through some other steps if that didn’t work for you…

Regards,

Haleem Sherbiny
Akhilesh Vallamkonda 15,320 Reputation points Microsoft External Staff Moderator

2025-03-20T23:02:19.53+00:00

Hello @Ahmad Ido
For better understanding can you please help me with the steps and documents you followed for this approach.

Answer 1

Givary-MSFT 35,626 Microsoft Employee Moderator

@Ahmad Ido Thank you for reaching out to us, As I understand your concern is with respect to pdf file being marked as malicious by defender for cloud (with an endpoint that uploads PDF files to Azure Blob Storage).

As per my understanding below are the few reasons:

Intentional upload of malware by a malicious actor (true positive)
Unintentional upload of malware by a legitimate user (true positive)
A false positive detection by Microsoft storage malware scanning.

Assuming your ask is related to 3rd point, false positive detection.

If you suspect that the file is not malicious and that the detection is a false positive, you can submit the file for analysis here - https://learn.microsoft.com/en-us/unified-secops-platform/submission-guide In the form, make sure to enter the provider's name "Defender for Storage".

Also review this section Handle possible false positives for more insights on how to handle false positives.

Defender for Cloud allows you to suppress false positive alerts. Make sure to limit the suppression rule by using the malware name or file hash.

Let me know if you have any further questions, feel free to post back, if needed we can connect offline to discuss further on the same.

Ahmad Ido 0 Reputation points

2025-03-21T13:41:18.45+00:00
Hello,

Here’s a breakdown of the situation:

Test File Details:

File Name: sample-job-description-2.pdf

Validation Tool Used: PDF/A Validator

Result: The file passed validation and is compliant with PDF/A-1B standards.

Solution Summary:

I'm working in Python, using asynchronous calls to:

Upload the file to a Blob container.

Check metadata for malware scan results using Microsoft Defender.

If flagged as malicious, the file is deleted.

Code Snippets:

Upload Function:

await blob_client.upload_blob( file_content, blob_type="BlockBlob", metadata=metadata, content_type=content_type, overwrite=True )

Malware Scan Check:

if "msft_defender_scan_verdict" in metadata: verdict = metadata.get("msft_defender_scan_verdict", "").lower() if verdict == "malicious": return False, "Malware detected" elif verdict in ["clean", "no threats found"]: return True, None elif verdict == "scan failed": return False, "Security scan failed"

Auto-delete Malicious Files:

if not is_safe: await self.delete_file(container_name, file_name) return False, error

Issue:

Regardless of the file being valid and clean, the scan always returns a "malicious" verdict. I’ve tested with multiple safe files, and I still get flagged results.

Questions:

Are there specific metadata keys we should wait for from Microsoft Defender?

Is there a recommended way to verify that malware scanning is enabled and configured correctly on the storage account?

Could this be a false positive or a timing issue with Defender metadata updates?

Any guidance you can provide would be greatly appreciated. Please let me know if you need logs, additional file samples, or access to the environment to assist further.

Thank you
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2025-03-21T15:59:32.1466667+00:00

@Ahmad Ido Let me review your above-mentioned queries, however, would like to know the outcome when you submit the file for analysis here - https://learn.microsoft.com/en-us/unified-secops-platform/submission-guide
Andrew Blumhardt 10,051 Reputation points Microsoft Employee

2025-03-24T12:32:18.9966667+00:00

Please provide more details on specific service and the logic app detection method. We assume you are referring to the blob storage malware scan in Defender for Storage. Is it possible that your logic app is the cause? The storage scan is supposed to generate alerts in Defender for Cloud on its own.
Andrew Blumhardt 10,051 Reputation points Microsoft Employee

2025-03-25T12:23:53.53+00:00

Asking around internally. Might take a few days. I agree, this could be a timing issue. Maybe files default to bad until scanned.

Alternatively, have you considered that Defender for Storage should generate an alert if malware is detected. I am not clear on why you are trying to add API-based alerting.

Share via

Microsoft Defender is blocking all files

1 answer

Your answer