Protect servers with agentless malware scanning
Microsoft Defender for Cloud's Defender for Servers plan 2 supports an agentless malware scanning capability that scans and detects malware and viruses. The scanner is available for Azure virtual machines (VM), AWS EC2 instances and GCP VM instances.
Agentless malware scanning provides:
Up-to-date and comprehensive malware detection capabilities that utilize the Microsoft Defender Antivirus engine and cloud protection signature feed that Microsoft's intelligence feeds support.
Quick and full scans that use heuristic and signature-based threat detection.
Security alerts that are generated when malware is detected. These alerts provide extra details and context for investigations, and are sent to both the Defender for Cloud Alerts page and Defender XDR.
Important
Agentless malware scanning is only available through Defender for Servers plan 2 with agentless scanning enabled.
Agentless malware detection
Agentless malware scanning offers the following benefits to both protected and unprotected machines:
Improved coverage - If a machine doesn't have an antivirus solution enabled, the agentless detector scans that machine to detect malicious activity.
Detect potential threats - The agentless scanner scans all files and folders including any files or folders that are excluded from the agent-based antivirus scans, without having an effect on the performance of the machine.
You can learn more about agentless machine scanning and how to enable agentless scanning for VMs.
Important
Security alerts appear on the portal only in cases where threats are detected on your environment. If you don't have any alerts it might be because there are no threats on your environment. You can test to see if the agentless malware scanning capability has been properly onboarded and is reporting to Defender for Cloud.
Defender for Cloud security alerts
When a malicious file is detected, Microsoft Defender for Cloud generates a Microsoft Defender for Cloud security alert. To see the alert, go to Microsoft Defender for Cloud security alerts. The security alert contains details and context on the file, the malware type, and recommended investigation and remediation steps. To use these alerts for remediation, you can:
- View security alerts in the Azure portal by navigating to Microsoft Defender for Cloud > Security alerts.
- Configure automations based on these alerts.
- Export security alerts to a SIEM. You can continuously export security alerts Microsoft Sentinel (Microsoft’s SIEM) using Microsoft Sentinel connector, or another SIEM of your choice.
Learn more about responding to security alerts.
Handling possible false positives
If you believe a file is being incorrectly detected as malware (false positive), you can submit it for analysis through the sample submission portal. The submitted file will be analyzed by Defender's security analysts. If the analysis report will indicate that the file is in fact clean, then the file will no longer trigger new alerts from now on.
Defender for Cloud allows you to suppress false positive alerts. Make sure to limit the suppression rule by using the malware name or file hash.
Next step
Learn more about how to Enable agentless scanning for VMs.