If Defender for Blob doesn't scan a file (no tags) is there anything we can do to force it to look again?

Ed Russell 0 Reputation points
2024-05-29T14:02:34.32+00:00

We have a system that scans all files uploaded to blob on upload. However, we've noticed that occasionally some files just never get scanned (i.e. never get the tags against them). In the documents it does say this can happen if the file throughput is over 2 GB per minute, which it could be at points. These files then just sit there, as our client system is awaiting these tags to be written before anything can happen, so it means everything downstream is blocked. Is there anything we can do? I had considered taking the blob and re-writing it to storage, but that seems overkill for this?


1 answer

  1. Anand Prakash Yadav 7,620 Reputation points Microsoft Vendor
    2024-05-30T07:14:33.9433333+00:00

    Hello Ed Russell,

    Thank you for posting your query here!

    Microsoft Defender for Storage uses hash reputation analysis to determine whether an uploaded file is suspicious. The threat protection tools don't scan the uploaded files; rather, they analyze the telemetry generated from the Blob Storage and Files services. Defender for Storage then compares the hashes of newly uploaded files with hashes of known viruses, trojans, spyware, and ransomware.

    However, hash reputation analysis isn't supported for all file protocols and operation types. Some, but not all, of the telemetry logs contain the hash value of the related blob or file. In some cases, the telemetry doesn't contain a hash value. As a result, some operations can't be monitored for known malware uploads. Examples of such unsupported use cases include SMB file shares and when a blob is created using Put Block and Put Block List. Every file type is scanned (including archives like zip files) and a result is returned for every scan. The file size limit is 2 GB.

    However, there are some limitations which are not supported by Malware Scanning, mentioned at https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-storage-malware-scan#limitations

    You can check if your file has any of these limitations.

    Alternatively, you can use Azure Logic Apps for handling malware scan results and copying the blob to another storage account. Logic Apps provide a simple, no-code approach to setting up a response, although the response time might be slower than the event-driven, code-based approach. Please see Option 1: Logic App based on Microsoft Defender for Cloud security alerts for steps on configuring this; the default is delete, but you can modify it to move the blob instead.

    Reference - https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-storage-malware-scan

    Do let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
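Added example, not code from the question or the answer above: a small triage routine that lists blobs still lacking a Defender for Storage scan-result index tag after a grace period, and notes whether the minute they were uploaded in exceeded the 2 GB-per-minute throughput the question cites as the documented cause. The tag key name, the 10-minute grace period and the sample records are assumptions; in practice the records would be populated from a blob listing that includes index tags.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Index tag key written by Defender for Storage malware scanning (assumed name;
# confirm it against the tags on a blob that did get scanned in your account).
SCAN_RESULT_TAG = "Malware Scanning scan result"
# Documented throughput above which scanning may be skipped: 2 GB per minute.
THROUGHPUT_LIMIT_BYTES_PER_MIN = 2 * 1024 ** 3
# Assumption: how long to wait before treating a missing tag as "stuck".
GRACE_PERIOD = timedelta(minutes=10)


@dataclass
class BlobRecord:
    name: str
    size: int                 # bytes
    last_modified: datetime   # upload time, UTC
    tags: dict                # blob index tags


def bytes_per_minute(blobs):
    """Sum uploaded bytes per wall-clock minute across the listing."""
    per_min = defaultdict(int)
    for b in blobs:
        per_min[b.last_modified.replace(second=0, microsecond=0)] += b.size
    return per_min


def find_unscanned(blobs, now):
    """Return [(name, over_limit)] for blobs with no scan-result tag past the grace period."""
    per_min = bytes_per_minute(blobs)
    stuck = []
    for b in blobs:
        if SCAN_RESULT_TAG in b.tags or now - b.last_modified < GRACE_PERIOD:
            continue  # already scanned, or still inside the window Defender may need
        minute = b.last_modified.replace(second=0, microsecond=0)
        stuck.append((b.name, per_min[minute] > THROUGHPUT_LIMIT_BYTES_PER_MIN))
    return stuck


# Constructed sample listing: two large uploads land in the same minute (2.7 GB).
T0 = datetime(2024, 5, 29, 14, 0, tzinfo=timezone.utc)
SAMPLE = [
    BlobRecord("a.pdf", 10_000, T0, {SCAN_RESULT_TAG: "No threats found"}),
    BlobRecord("b.zip", 1_500_000_000, T0 + timedelta(seconds=10), {}),
    BlobRecord("c.zip", 1_200_000_000, T0 + timedelta(seconds=40), {}),
    BlobRecord("d.txt", 2_000, T0 + timedelta(minutes=3), {}),    # untagged, quiet minute
    BlobRecord("e.txt", 5_000, T0 + timedelta(minutes=30), {}),   # too recent to judge
]
NOW = T0 + timedelta(minutes=35)

if __name__ == "__main__":
    for name, over_limit in find_unscanned(SAMPLE, NOW):
        print(f"{name}: no scan result; upload minute over 2 GB/min = {over_limit}")
```

Blobs flagged with `over_limit` set are the ones the throughput caveat explains; an untagged blob from a quiet minute (`d.txt` here) points at one of the other documented limitations instead.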