How to trigger an on demand style Antivirus Scan with Malware Scanning in Defender for Storage ?

Question

How to trigger an on demand style Antivirus Scan with Malware Scanning in Defender for Storage ?

Jan 25

I am currently working with the new Defender for Storage Solution https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-storage-malware-scan to replace an old container based ClamAV Solution.

It is fairly simple to setup the on-upload scan, and either read the "Malware Scanning scan result" Tag or react to the Event Grid message.

But how would I build an on-demand Scan via custom Code (maybe Azure Function), that I can do weekly full scans with ?

It is a major oversight to only scan files once, if the newest Virus definition is just not known today.

So I am looking for the ability to schedule re-occurring full scans for the whole blob instead of only scanning on upload.

navba-MSFT 27,550 Reputation points Microsoft Employee Moderator

2023-09-22T09:35:31.6666667+00:00

@Jan Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

I understand that you want to trigger an on demand style Antivirus Scan with Malware Scanning in Defender for Storage.

Please note that the Malware Scanning in Defender for Storage helps protect your storage accounts from malicious content by performing a full malware scan on uploaded content in near real time, using Microsoft Defender Antivirus capabilities.

The malware scanning works using On-upload triggers when a blob is uploaded to a protected storage account - a malware scan is triggered. All upload methods trigger the scan. Modifying a blob is an upload operation and therefore the modified content is scanned after the update.

The multiple ways to retrieve the scan results are explained here.

Here is one sample AzureFunction App which listens to the EventGrid Trigger MoveMaliciousBlobEventTrigger, or write your own code to copy the blob elsewhere, then delete it from the source.

This article also talks about scanning the Azure Blob Storage content based using ClamAV using the BlobTrigger Function App.

Your ask of using Azure Functions to trigger a weekly ondemand scan instead of scanning on upload, wouldn't be possible.

Sharing some useful links here:

https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-storage-malware-scan

https://learn.microsoft.com/en-us/azure/defender-for-cloud/tutorial-enable-storage-plan

https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-storage-azure-portal-enablement?tabs=enable-subscription

Hope this answers.
Jan 25 Reputation points

2023-09-22T16:20:14.03+00:00

Duplicate posting
Jan 25 Reputation points

2023-09-22T16:30:36.4+00:00

Hi,

thank you very much for all those details.

As described in my question, all of those things have already been implemented.

As the Defender for Storage might not have a Virus definition for new threads that are developed recently, the inability to do an on-demand scan will leave already uploaded malicious files in place, as it did not know about the virus upon upload time.

As you mentioned:

All upload methods trigger the scan. Modifying a blob is an upload operation and therefore the modified content is scanned after the update.

I tried to set a Blob Index Tag, the same way the Defender does with its "Malware Scanning scan results". Sadly that does not change the Last modified Date and it does not trigger another scan.

So I guess I have to stick with my old ClamAv solution, as described in the original question.

I am hoping that you will fix this flaw in the future and provide the ability to Scan on demand as an addition to the upload trigger.

Accepted answer

0 additional answers

Your answer

navba-MSFT 27,550 Reputation points Microsoft Employee Moderator

2023-09-22T09:35:31.6666667+00:00

@Jan Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

I understand that you want to trigger an on demand style Antivirus Scan with Malware Scanning in Defender for Storage.

Please note that the Malware Scanning in Defender for Storage helps protect your storage accounts from malicious content by performing a full malware scan on uploaded content in near real time, using Microsoft Defender Antivirus capabilities.

The malware scanning works using On-upload triggers when a blob is uploaded to a protected storage account - a malware scan is triggered. All upload methods trigger the scan. Modifying a blob is an upload operation and therefore the modified content is scanned after the update.

The multiple ways to retrieve the scan results are explained here.

Here is one sample AzureFunction App which listens to the EventGrid Trigger MoveMaliciousBlobEventTrigger, or write your own code to copy the blob elsewhere, then delete it from the source.

This article also talks about scanning the Azure Blob Storage content based using ClamAV using the BlobTrigger Function App.

Your ask of using Azure Functions to trigger a weekly ondemand scan instead of scanning on upload, wouldn't be possible.

Sharing some useful links here:

https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-storage-malware-scan

https://learn.microsoft.com/en-us/azure/defender-for-cloud/tutorial-enable-storage-plan

https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-storage-azure-portal-enablement?tabs=enable-subscription

Hope this answers.
Jan 25 Reputation points

2023-09-22T16:20:14.03+00:00

Duplicate posting
Jan 25 Reputation points

2023-09-22T16:30:36.4+00:00

Hi,

thank you very much for all those details.

As described in my question, all of those things have already been implemented.

As the Defender for Storage might not have a Virus definition for new threads that are developed recently, the inability to do an on-demand scan will leave already uploaded malicious files in place, as it did not know about the virus upon upload time.

As you mentioned:

All upload methods trigger the scan. Modifying a blob is an upload operation and therefore the modified content is scanned after the update.

I tried to set a Blob Index Tag, the same way the Defender does with its "Malware Scanning scan results". Sadly that does not change the Last modified Date and it does not trigger another scan.

So I guess I have to stick with my old ClamAv solution, as described in the original question.

I am hoping that you will fix this flaw in the future and provide the ability to Scan on demand as an addition to the upload trigger.

Answer 1

@Jan Thanks for getting back. As of today, Defender for Storage’s malware scanner only scans file upon upload in Azure Blob Storage. We are currently collecting feature evidence on other triggers to run the malware scanner.

As per your feedback, I will submit a feature request on your behalf. Could you please share the below details with me over email at Azcommunity@microsoft.com and title it as ATTN:Naveen

Your name:
Your point contact name/email address/position:
Number of Azure Storage repositories (accounts) you have:
Your complete use case scenario along with the alternatives you have explored.

Please note, some of the above details you have already shared. Apologies if duplicate.

I will leverage these information and will create a feature request. Awaiting your reply.

**

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Embers99 50 Reputation points

2024-02-28T03:33:40.78+00:00

As the op stated, needs to be a way to retrigger a scan of the file hashes against latest known threats and ensure blobs get tagged as such perhaps along with a last scanned date meta tag. Perhaps one for new storage actions service?

Share via

How to trigger an on demand style Antivirus Scan with Malware Scanning in Defender for Storage ?

0 additional answers

Your answer