Understanding malware scanning results
When a blob is scanned for malware, the scan result can be assessed in several ways:
- A blob index tag - an index tag with the key “Malware Scanning scan result” (index tags aren't supported in storage accounts with hierarchical namespaces enabled).
- An Event Grid message - allows you to automate responses to scan results. It requires more configuration. Learn more about setting up Event Grid for malware scanning.
- A Log Analytics Workspace log entry - by utilizing this method, you can store all scan results in a centralized log repository. This repository is designed for easy querying, making it a powerful tool for tracking and analyzing scan results. Learn more about setting up logging for malware scanning and the Event Grid message structure.
- A security alert in Defender for Cloud (if malware was detected) - you can read more about Microsoft Defender for Cloud security alerts.
Whether you're looking to automate responses to specific scan outcomes or to keep a detailed record of all scans, these options can be tailored to meet your needs.
Scan results fall into two categories: successful states and error states. Understanding these states is important for interpreting the results of malware scanning and taking appropriate action.
Note
For storage accounts that exceed the throughput capacity and blob size limits for Defender for Storage malware scanning, some blobs will not be scanned and will not have a scan result.
Success states
When a blob is successfully scanned, the scan result indicates either:
No threats found - the scan found no malicious content.
Malicious - malicious content was found in the uploaded blob.
Error states
Malware scanning might fail to scan a blob. When this happens, the scan result indicates what the error was.
Error Message | Cause of Error | Guidance | Does this failed scanning attempt incur a charge? |
---|---|---|---|
SAM259201: "Scan failed - internal service error." | An unexpected internal system error occurred during the scan. | This is a transient error and subsequent upload of blobs that failed to be scanned with this error should succeed. | No |
SAM259203: "Scan failed - couldn't access the requested blob." | The blob couldn't be accessed due to permission restrictions. This can happen if someone has accidentally removed the malware scanner’s permission to read blobs. Permissions can also be removed by an Azure Policy. | Look at the storage account’s Activity Log to determine who or what removed the scanner’s permissions. Re-enable Malware scanning. | No |
SAM259204: "Scan failed - the requested blob wasn't found." | The blob wasn't found. This might be due to deletion, relocation, or renaming after uploading. | N/A | No |
SAM259205: "Scan failed due to ETag mismatch - blob was possibly overwritten." | During the process of scanning a blob, Malware Scanning ensures that the ETag value of the blob remains consistent with what it was when first uploaded. If the ETag doesn't match the expected value, it could indicate that the blob has been altered by another process or user after the upload. | N/A | No |
SAM259206: "Scan aborted - the requested blob exceeded the maximum allowed size of 2 GB." | The blob size exceeded the existing size limit, preventing the scan. For more information, see the malware scanning limitations documentation. | N/A | No |
SAM259207: "Scan timed out - the requested scan exceeded time limitation." | The scan timed out before completion. This error might also occur if a preceding step, such as downloading the blob for scanning, takes too long. | This is a transient error and subsequent upload of blobs that failed to be scanned with this error should succeed. | No |
SAM259208: "Scan failed - archive access tier isn't supported." | Blobs in Azure's archive storage tier can't be scanned. For more information, see the malware scanning limitations documentation. | N/A | No |
SAM259209: "Scan failed - blobs encrypted with customer provided keys aren't supported." | Client-side encrypted blobs can't be decrypted for scanning. For more information, see the malware scanning limitations documentation. | N/A | No |
SAM259210: "Scan aborted - the requested blob is protected by password." | The blob is password-protected and can't be scanned. For more information, see the malware scanning limitations documentation. | N/A | Yes |
SAM259211: "Scan aborted - maximum archive nesting depth exceeded." | The maximum archive nesting depth was exceeded. | Archive nesting is a known method for evading malware detection. Handle this blob with care. | Yes |
SAM259212: "Scan aborted - the requested blob data is corrupt." | The blob is corrupted, and Malware Scanning was unable to scan it. | N/A | Yes |
SAM259213: “Scan was throttled by the service." | The scan request has temporarily exceeded the service’s rate limit. This is a measure we take to manage server load and ensure optimal performance for all users. For more information, see the malware scanning limitations documentation. | To avoid this issue in the future, please ensure your scan requests stay within the service’s rate limit. If your needs exceed the current rate limit, consider distributing your scan requests more evenly over time. | No |
Next steps
- Learn about advanced configurations for malware scanning.