Azure SFTP - Malware Scanning & File Format Scanning

Marc Hedgley 20 Reputation points
2023-09-18T09:49:02.7266667+00:00

I am looking to create a solution that will allow external clients to post large capacity to Azure Blob storage via SFTP. I need to ensure that the data feed is automatically scanned for security threats such as Malware. Can someone please confirm that Microsoft Defender would cover this?

I also have a need to scan/filter the data feed for specific file format and automatically reject any that fall outside of the list. Is this possible within Azure?

Many thanks


Accepted answer
  1. Sumarigo-MSFT 43,406 Reputation points Microsoft Employee
    2023-09-20T13:17:36.5666667+00:00

    @Marc Hedgley Welcome to Microsoft Q&A Forum. Thank you for posting your query here!

    I need to ensure that the data feed is automatically scanned for security threats such as Malware. Can someone please confirm that Microsoft Defender would cover this?

    Yes, Microsoft Defender does have malware scanning that works with SFTP:

    Malware scanning in Microsoft Defender for Storage - Microsoft Defender for Cloud | Microsoft Learn

    It utilizes blob storage events that emit during uploads and triggers to either delete or quarantine those blobs if they are flagged as a security threat. NOTE: hash reputation analysis is NOT supported for SFTP: Microsoft Defender for Storage - the benefits and features - Microsoft Defender for Cloud | Microsoft Learn

    I also have a need to scan/filter the data feed for specific file format and automatically reject any that fall outside of the list. Is this possible within Azure?

    I don't think this is doable prior to the upload, but a trigger could certainly detect those file extensions once uploaded and remove/quarantine accordingly. Example that does similar filtering:

    Tutorial: Trigger Azure Functions on blob containers using an event subscription | Microsoft Learn

    Please let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
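
The post-upload filtering described in the accepted answer, as an added example that is not part of the answer or of the linked Microsoft tutorial: a decision function for Event Grid `Microsoft.Storage.BlobCreated` events that an event-triggered function could call before accepting or quarantining a blob. It goes beyond extension matching by also checking the leading bytes of the file against the claimed type; the container name, the allowlist and the sample events are constructed assumptions, and the caller is assumed to read the first bytes of the blob and to carry out the move or delete.

```python
# Added example: allowlist decision for Event Grid BlobCreated events.
# Container name, allowlist and sample events are constructed assumptions.
from pathlib import PurePosixPath

# extension -> required leading bytes (None = no signature to check, e.g. CSV)
ALLOWED = {".csv": None, ".pdf": b"%PDF-", ".zip": b"PK\x03\x04"}
UPLOAD_CONTAINER = "sftp-inbound"  # hypothetical SFTP landing container
SUBJECT_PREFIX = "/blobServices/default/containers/"

def parse_subject(subject):
    """Split an Event Grid storage subject into (container, blob_path)."""
    if not subject.startswith(SUBJECT_PREFIX):
        raise ValueError("not a blob subject")
    container, sep, blob = subject[len(SUBJECT_PREFIX):].partition("/blobs/")
    if not sep or not blob:
        raise ValueError("subject has no blob path")
    return container, blob

def decide(event, head=b""):
    """Return (action, reason); head is the first bytes of the blob,
    read by the caller. action: 'ignore', 'accept' or 'quarantine'."""
    if event.get("eventType") != "Microsoft.Storage.BlobCreated":
        return "ignore", "not a BlobCreated event"
    try:
        container, blob = parse_subject(event.get("subject", ""))
    except ValueError as exc:
        return "ignore", str(exc)
    if container != UPLOAD_CONTAINER:
        return "ignore", "not the SFTP landing container"
    # Only the final suffix counts, so invoice.pdf.exe is judged as .exe.
    ext = PurePosixPath(blob).suffix.lower()
    if ext not in ALLOWED:
        return "quarantine", f"extension {ext or '(none)'} is not on the allowlist"
    magic = ALLOWED[ext]
    if magic is not None and not head.startswith(magic):
        return "quarantine", f"content does not start with the {ext} signature"
    return "accept", "allowed type"

def sample_event(blob, event_type="Microsoft.Storage.BlobCreated",
                 container=UPLOAD_CONTAINER):
    """Build a constructed event holding only the fields decide() reads."""
    return {"eventType": event_type,
            "subject": f"{SUBJECT_PREFIX}{container}/blobs/{blob}"}

if __name__ == "__main__":
    for blob, head in [("clientA/report.PDF", b"%PDF-1.7"), ("invoice.pdf.exe", b"MZ"),
                       ("renamed.pdf", b"MZ\x90\x00"), ("data.csv", b"id,name\n")]:
        print(blob, decide(sample_event(blob), head))
```

A signature check only confirms that the file starts like the claimed format; it complements the Defender for Storage malware scan and does not replace it.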


1 additional answer

  1. Tushar Kumar 3,221 Reputation points MVP
    2023-09-18T10:01:29.0766667+00:00

    Hi Marc Hedgley,

    Defender for Storage (malware protection) can definitely help you with the 1st part of the requirement, wherein we need to scan uploaded files for malware.

    https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-storage-malware-scan

    For file type restriction, you need to handle that at the application level to automatically reject non-allowed ones.

    Please click "Accept as answer" if this helps.