Microsoft Defender Storage Malware Scanner - ABAC for already created BLOBs

Bartosz Suchorowski 0 Reputation points
2024-02-12T18:52:33.5333333+00:00

Hey,

I followed this video https://www.microsoft.com/videoplayer/embed/RW193F2 to enable ABAC based protection from Malware. This scenario suits us best and we don't want to introduce Azure Function yet. Our assumptions are as follows:

  • Blobs X are uploaded to container Y
  • Blob X is unavailable until file is scanned and is safe

Unfortunately, this works only for newly uploaded files. Our Storage Accounts already contain thousands of files spread across multiple accounts within 3 tenants. Once we set ABAC, they stop working as they don't have the expected attribute. We don't want to extend the ABAC condition by adding empty attributes in the condition, as we are afraid that this will also allow downloading freshly uploaded but not yet scanned files.

  1. Is there a way to tell the difference between "old" and "new but not yet scanned" files?
  2. The only solution that comes to my mind is to batch add an attribute/tag to all blobs via script. As I mentioned - we would need to run it on over 25 Storage Accounts. Is it the only way?

1 answer

  1. Nehruji R 8,171 Reputation points Microsoft External Staff
    2024-02-13T10:08:37.4366667+00:00

    Hello Bartosz Suchorowski,

    Welcome to Microsoft Q&A Forum, thank you for posting your query here!

    As of today, Defender for Storage’s malware scanner indeed only scans files upon upload in Azure Blob Storage. It ensures that any content uploaded to your storage accounts is thoroughly inspected for malicious elements before being stored. This proactive approach helps maintain the security and integrity of your data.

    I understand that you would like to scan the files that are across other storage accounts as well. For your specific scenario, I would suggest you try a script that iterates through all existing blobs in your storage accounts.

    • For each blob, check if it has the desired attribute/tag (e.g., “scanned”).
    • If not, add the attribute/tag to the blob’s metadata.
    • This script can be run periodically to ensure consistency.

    Alternatively, to perform this operation across multiple storage accounts, consider using Azure Data Factory.

    • Create a pipeline that iterates through all blobs and updates their metadata.
    • This approach provides scalability and centralized management.

    Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.    
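An added example of the tagging script the answer describes (this is not code from the answer, from Microsoft, or from the original post). The Az.Storage cmdlets used here are real (Get-AzStorageBlob, Get-AzStorageBlobTag, Set-AzStorageBlobTag); the tag key `LegacyPreScan`, its value, the `$Cutoff` parameter and the function name are assumptions. The script addresses the asker's first question directly: the platform does not distinguish "old" from "new but not yet scanned", so the script creates that distinction itself by tagging only blobs whose creation time is before the moment ABAC was enabled. Blobs created after that point are left alone so that they still depend on the malware scanner's own result tag, and the added tag is deliberately a different key from the scanner's, so the ABAC condition can be extended with a second OR clause for it without loosening the scan requirement.

```powershell
<#
  Added example, not code from the original answer or from Microsoft.
  Tags pre-existing blobs so that a second ABAC clause can admit them while
  blobs uploaded after the cutoff still wait for the malware scanner's result tag.
  Assumptions: Az.Accounts and Az.Storage are installed, Connect-AzAccount has been
  run for the tenant being processed, and the identity holds Storage Blob Data Owner
  (tag writes are a data-plane operation). $TagKey/$TagValue are placeholder names;
  they must match the clause you add to the ABAC condition and must differ from the
  scanner's own result tag, otherwise an unscanned upload could be made readable.
#>
param(
    [string]   $TagKey   = 'LegacyPreScan',
    [string]   $TagValue = 'true',
    # Only blobs created strictly before this instant are tagged. Set it to the time
    # ABAC was (or will be) enabled, so uploads after that point are never grandfathered.
    [datetime] $Cutoff   = (Get-Date).ToUniversalTime(),
    [switch]   $DryRun
)

function Add-LegacyTagToAccount {
    param([Parameter(Mandatory)] $Account)

    # OAuth context: the script never handles storage account keys.
    $ctx = New-AzStorageContext -StorageAccountName $Account.StorageAccountName -UseConnectedAccount
    $tagged = 0; $skipped = 0

    foreach ($container in Get-AzStorageContainer -Context $ctx) {
        $token = $null
        do {
            $page = Get-AzStorageBlob -Container $container.Name -Context $ctx -MaxCount 5000 -ContinuationToken $token
            if (-not $page) { break }
            foreach ($blob in $page) {
                # Check 1: a blob created at or after the cutoff belongs to the scanner, not to this script.
                if ($blob.BlobProperties.CreatedOn.UtcDateTime -ge $Cutoff) { $skipped++; continue }

                # Check 2: idempotent; re-runs skip blobs that already carry the tag.
                $existing = Get-AzStorageBlobTag -Container $container.Name -Blob $blob.Name -Context $ctx
                if ($existing -and $existing[$TagKey] -eq $TagValue) { $skipped++; continue }

                if ($DryRun) {
                    Write-Output "would tag $($Account.StorageAccountName)/$($container.Name)/$($blob.Name)"
                    continue
                }

                # Set-AzStorageBlobTag replaces the whole tag set, so merge to keep any existing tags.
                $merged = @{}
                if ($existing) { foreach ($k in $existing.Keys) { $merged[$k] = $existing[$k] } }
                $merged[$TagKey] = $TagValue
                Set-AzStorageBlobTag -Container $container.Name -Blob $blob.Name -Tag $merged -Context $ctx | Out-Null
                $tagged++
            }
            $token = $page[-1].ContinuationToken
        } while ($null -ne $token)
    }
    [pscustomobject]@{ Account = $Account.StorageAccountName; Tagged = $tagged; Skipped = $skipped }
}

# Walk every subscription visible in the current tenant; run the script once per tenant.
foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionObject $sub | Out-Null
    foreach ($account in Get-AzStorageAccount) {
        Add-LegacyTagToAccount -Account $account
    }
}
```

Run it first with `-DryRun` and a `-Cutoff` equal to the time the ABAC condition was applied, and review the "would tag" output before writing anything. Two caveats worth checking before relying on this: blob index tags are not supported on accounts with a hierarchical namespace enabled, so any Data Lake Gen2 accounts among the 25 need a different approach, and the tag-based ABAC clause only has the intended meaning if nothing else with write access to those accounts can set the same tag on a new upload, so the role assignment that permits `Set-AzStorageBlobTag` should be as narrow as the one that grants read access.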

