Facing cloud exception while enabling the defender for blob storage for malware scan.

Gupta, Garima 20 Reputation points
2024-07-10T10:23:00.5566667+00:00
Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,938 questions
Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,420 questions
{count} votes

Accepted answer
  1. Deepanshukatara-6769 10,690 Reputation points
    2024-07-10T10:33:13.2866667+00:00

    Hi Garima,

    I understand that you're encountering a cloud exception when trying to enable Defender for Blob Storage for malware scanning. This issue can be troubleshooted by following the steps below:

    Unsupported features and services

    • Unsupported storage accounts: Legacy v1 storage accounts aren't supported by malware scanning.
    • Unsupported service: Azure Files isn't supported by malware scanning.
    • Unsupported regions: Jio India West, Korea South, South Africa West.
    • Regions that are supported by Defender for Storage but not by malware scanning. Learn more about availability for Defender for Storage.
    • Unsupported blob types: Append and Page blobs aren't supported for Malware Scanning.
    • Unsupported encryption: Client-side encrypted blobs aren't supported as they can't be decrypted before scanning by the service. However, data encrypted at rest by Customer Managed Key (CMK) is supported.
    • Unsupported index tag results: Index tag scan result isn't supported in storage accounts with Hierarchical namespace enabled (Azure Data Lake Storage Gen2).
    • Event Grid: Event Grid topics that don't have public network access enabled (i.e. private endpoint connections) are not supported by malware scanning in Defender for Storage.

    For more detailed instructions, you can view solution:

    Please let us know if any questions

    Kindly accept answer if it helps

    Thanks

    Deepanshu


1 additional answer

Sort by: Most helpful
  1. Nehruji R 8,151 Reputation points Microsoft Vendor
    2024-07-11T13:20:48.3966667+00:00

    Hello Gupta, Garima,

    Greetings! Welcome to Microsoft Q&A Platform.Adding to above information, please note that for Malware Scanning and sensitive data threat detection at subscription and storage account levels, you need Owner roles (subscription owner/storage account owner) or specific roles with corresponding data actions.

    The following table summarizes the permissions you need for each scenario. The permissions are either built-in Azure roles or action sets that you can assign to custom roles.

    User's image

    User's image

    Details on unsupported features and services in Malware Scanning: https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-storage-malware-scan#limitations

    You can check if you file has any of these limitations.

    For your use case with files <= 2GB, I would recommend using Azure Logic Apps for handling malware scan results and copying the blob to another storage account. Logic Apps provide a simple, no-code approach to setting up response, although the response time might be slower than the event-driven code-based approach. Please see Option 1: Logic App based on Microsoft Defender for Cloud security alerts for steps on configuring this, the default is delete but you can modify to move it.

    Reference - https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-storage-malware-scan.

    Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.


    Please "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.