Malware scanning not being triggered when uploading from the web app

Question

Malware scanning not being triggered when uploading from the web app

Kamal Sivalingam 21

We have enabled Malware scanning for uploaded files on storage accounts.

Uploading a file on Azure File Explorer seems to trigger malware scanning and the results are being set as blob index tags on file properties.

However uploading the file using our web app (on app service) does not seem to trigger the malware scanning even after hours.

Are we missing any configuration or settings?

Thanks

Ben S 0 Reputation points

2023-07-31T13:57:05.29+00:00

We had this exact same problem when uploading a file from an Angular app, the malware scan was not triggering.

We noticed that the Content-MD5 property was not being set against the file once it landed in Data Lake storage, however, when we were uploading a file through the portal or from the Azure Storage Explorer, Content-MD5 was being set correctly and the file was being scanned.

The fix for us was that we swapped from using the DataLakeServiceClient to the BlobServiceClient and this fixed the problem. Files uploaded with the BlobServiceClient correctly got their Content-MD5 property set and the malware scan triggered correctly.

Hypothesis: The Azure Defender for Cloud states that it includes hash reputation analysis. I believe that when this hash was missing, this part of the scan was failing internally and the scan did not happen.

2 answers

Your answer

Ben S 0 Reputation points

2023-07-31T13:57:05.29+00:00

We had this exact same problem when uploading a file from an Angular app, the malware scan was not triggering.

We noticed that the Content-MD5 property was not being set against the file once it landed in Data Lake storage, however, when we were uploading a file through the portal or from the Azure Storage Explorer, Content-MD5 was being set correctly and the file was being scanned.

The fix for us was that we swapped from using the DataLakeServiceClient to the BlobServiceClient and this fixed the problem. Files uploaded with the BlobServiceClient correctly got their Content-MD5 property set and the malware scan triggered correctly.

Hypothesis: The Azure Defender for Cloud states that it includes hash reputation analysis. I believe that when this hash was missing, this part of the scan was failing internally and the scan did not happen.

Answer 1

I have three ref documents for you

https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-storage-malware-scan

https://stackoverflow.com/questions/60836786/scanning-for-malware-in-files-uploaded-to-azure

https://stackoverflow.com/questions/63966945/virus-scanning-on-uploaded-file-to-azure-block-storage-via-azure-web-app-as-of-2

Microsoft Defender for Cloud's Malware Scanning feature performs scans when a blob is uploaded to a protected storage account. The scan is triggered regardless of the upload method, which means that modifying a blob (an upload operation) causes the modified content to be scanned after the update

If the scan is still not being triggered even after waiting for a considerable amount of time, it could be due to the configuration of your web app or the storage account. Malware Scanning depends on certain resources, identities, and networking settings to function properly. If you modify or delete any of these, Malware Scanning will stop working

As an alternative, you could consider implementing a custom solution using open source tools to scan each blob uploaded and download blobs only from a "clean" container

I couldn't find any additional specific configuration or settings you might be missing. If the problem persists, I would recommend reaching out to Azure Support for further assistance.

Answer 2

Pavel Pochobut 0

For us it was AppendBlob unsupported scenario - see https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-storage-malware-scan#limitations

Content-MD5 seems to be unrelated.

Share via

Malware scanning not being triggered when uploading from the web app

2 answers

Your answer