On-upload malware scanning option is enabled for a storage account but still malware scan is not getting triggered on blob upload.

Aayush Agrawal 0 Reputation points
2024-07-19T02:22:38.3866667+00:00

I created a storage account and enabled the setting "Microsoft Defender for Cloud". Enabled all the options: Sensitive data threat detection, On-upload malware scanning, and Activity monitoring (log analysis based threat detection). But still, after uploading a blob to it, it is not performing the malware scan. Then I tried to enable "Override Defender for Storage subscription-level settings" and got the below error on the first try:

Could not enable on-upload malware scanning: Custom data scanner '/subscriptions/{SubscriptioID}/providers/Microsoft.Security/datascanners/StorageDataScanner' doesn't exists..

Could not enable sensitive data discovery: Custom data scanner '/subscriptions/{SubscriptioID}/providers/Microsoft.Security/datascanners/StorageDataScanner' doesn't exists.

Got the below error on the second try:
Plan enablement partially succeeded. Could not enable on-upload malware scanning: Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown..

Could not enable sensitive data discovery: Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown.


2 answers

  1. Nehruji R 4,766 Reputation points Microsoft Vendor
    2024-07-19T07:13:40.89+00:00

    Hello Aayush Agrawal,

    Greetings! Welcome to Microsoft Q&A Platform.

    As the on-upload malware scanning and sensitive data discovery features could not be enabled for your Azure storage account, please note that for Malware Scanning and sensitive data threat detection at subscription and storage account levels, you need Owner roles (subscription owner/storage account owner) or specific roles with corresponding data actions.

    The following table summarizes the permissions you need for each scenario. The permissions are either built-in Azure roles or action sets that you can assign to custom roles.

    User's image

    Details on unsupported features and services in Malware Scanning: https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-storage-malware-scan#limitations

    Hope this information helps! Please let us know if you have any further queries. I’m happy to assist you further.


    Please "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.


  2. Aayush Agrawal 0 Reputation points
    2024-07-30T16:41:49.39+00:00

    Changing the Storage Kind from BlobStorage to StorageV2 resolved the issue. Thank you Nehruji R for all the responses.

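The combination this thread ended on (on-upload scanning switched on, account kind BlobStorage, resolved by moving to StorageV2) can be checked across accounts before anyone waits for a scan that never runs. The following is an added example, not code from the thread or from Microsoft: it assumes account records shaped like `az storage account list -o json` and Defender for Storage settings carrying `isEnabled` and `malwareScanning.onUpload.isEnabled` (an assumed shape), and all sample data is constructed.

```python
# Account kind from the thread: scans never triggered on BlobStorage and
# started working after the asker changed the account to StorageV2.
REPORTED_FAILING_KIND = "BlobStorage"

def on_upload_enabled(settings):
    """True if Defender for Storage and on-upload scanning are both on.
    `settings` uses an assumed shape: isEnabled, malwareScanning.onUpload."""
    if not settings or not settings.get("isEnabled"):
        return False
    on_upload = settings.get("malwareScanning", {}).get("onUpload", {})
    return bool(on_upload.get("isEnabled"))

def triage(accounts, settings_by_id):
    """Label each account for the 'enabled but never scans' symptom.
    accounts: list shaped like `az storage account list -o json`.
    settings_by_id: account resource ID -> Defender for Storage settings."""
    # Azure resource IDs are case-insensitive, so join on lower-cased IDs.
    by_id = {rid.lower(): s for rid, s in settings_by_id.items()}
    report = {}
    for acct in accounts:
        if not on_upload_enabled(by_id.get(acct["id"].lower())):
            report[acct["name"]] = "scanning-not-enabled"
        elif acct.get("kind") == REPORTED_FAILING_KIND:
            # Same combination as the question: setting on, kind BlobStorage.
            report[acct["name"]] = "check-account-kind"
        else:
            report[acct["name"]] = "ok"
    return report

def _rid(name, rg="rg-demo"):
    # Constructed resource ID with a placeholder subscription.
    return ("/subscriptions/00000000-0000-0000-0000-000000000000"
            f"/resourceGroups/{rg}/providers/Microsoft.Storage"
            f"/storageAccounts/{name}")

# Constructed sample input, not real accounts.
SAMPLE_ACCOUNTS = [
    {"id": _rid("legacyblobs"), "name": "legacyblobs", "kind": "BlobStorage"},
    {"id": _rid("gpv2data", rg="RG-Demo"), "name": "gpv2data", "kind": "StorageV2"},
    {"id": _rid("scratch"), "name": "scratch", "kind": "StorageV2"},
]
_ON = {"isEnabled": True, "malwareScanning": {"onUpload": {"isEnabled": True}}}
SAMPLE_SETTINGS = {
    _rid("legacyblobs"): _ON,
    _rid("gpv2data"): _ON,  # differs from the account ID only in case
    _rid("scratch"): {"isEnabled": True,
                      "malwareScanning": {"onUpload": {"isEnabled": False}}},
}
```

An account labelled `check-account-kind` matches only the situation the asker reported; the limitations page linked in the first answer remains the reference for which accounts are supported.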