On-upload malware scanning option is enabled for a storage account but still malware scan is not getting triggered on blob upload.

Question

I created a storage account and enabled the setting "Microsoft Defender for Cloud". Enabled all the options: Sensitive data threat detection, On-upload malware scanning, and Activity monitoring (log analysis based threat detection). But still after uploading the a blob to it, it is not performing the malware scan. Then I tried to enable "Override Defender for Storage subscription-level settings" and got below error on first try:

Could not enable on-upload malware scanning: Custom data scanner '/subscriptions/{SubscriptioID}/providers/Microsoft.Security/datascanners/StorageDataScanner' doesn't exists..

Could not enable sensitive data discovery: Custom data scanner '/subscriptions/{SubscriptioID}/providers/Microsoft.Security/datascanners/StorageDataScanner' doesn't exists.

################
Got below error on second try:
Plan enablement partially succeeded. Could not enable on-upload malware scanning: Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown..

Could not enable sensitive data discovery: Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown.

Answer 1

Hello Aayush Agrawal, I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer. Accepted answers show up at the top, resulting in improved discoverability for others.

Issue: On-upload malware scanning option is enabled for a storage account but still malware scan is not getting triggered on blob upload.

Error Message:

tried to enable "Override Defender for Storage subscription-level settings" and got below error on first try:

Could not enable on-upload malware scanning: Custom data scanner '/subscriptions/{SubscriptioID}/providers/Microsoft.Security/datascanners/StorageDataScanner' doesn't exists..

Could not enable sensitive data discovery: Custom data scanner '/subscriptions/{SubscriptioID}/providers/Microsoft.Security/datascanners/StorageDataScanner' doesn't exists.

################ Got below error on second try: Plan enablement partially succeeded. Could not enable on-upload malware scanning: Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown..

Could not enable sensitive data discovery: Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown.

 

Cause: Incorrect Storage type.

Solution: Customer was using Blob storage. After upgrading the Storage from BlobStorage to StorageV2., the issue got mitigated.

Answer 2

Hello Aayush Agrawal,

Greetings! Welcome to Microsoft Q&A Platform.

As the on-upload malware scanning and sensitive data discovery features could not be enabled for your Azure storage account, please note that for Malware Scanning and sensitive data threat detection at subscription and storage account levels, you need Owner roles (subscription owner/storage account owner) or specific roles with corresponding data actions.

The following table summarizes the permissions you need for each scenario. The permissions are either built-in Azure roles or action sets that you can assign to custom roles.

Details on unsupported features and services in Malware Scanning: https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-storage-malware-scan#limitations

Hope this information helps! Please let us know if you have any further queries. I’m happy to assist you further.

---

Please "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 3

Changing the Storage Kind from BlobStorage to StorageV2 resolved the issue. Thank you Nehruji R for all the responses.