Are costs incurred when attempting to scan password-protected files in Blob Storage with Microsoft Defender for Storage’s malware scanning?

Question

We are encountering a potential issue with Microsoft Defender for Storage’s malware scanning functionality related to handling password-protected zip archives stored in Azure Blob Storage. Our application generates and stores these password-protected zip files as part of a feature that allows customers to export large datasets.

The concern is that Microsoft Defender for Storage might still count the size of these password-protected files against the customer’s monthly quota for malware scanning, even if the files are not fully scanned due to their encrypted nature. This could result in a significant portion of the scanning quota being consumed by files that are not directly scannable, potentially affecting the cost management and usage efficiency of our customers.

We need to confirm whether these scan attempts are counted towards the scanning quota and, if so, explore ways to mitigate the impact on our customers’ monthly limits.

Answer 1

@Anonymous Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

Microsoft Defender for Storage does indeed scan all file types, including archives like zip files, and returns a result for every scan. This means that even password-protected zip files are counted towards the scanning quota, regardless of whether the contents are fully scanned or not.

Microsoft Defender for Storage performs a full malware scan on uploaded content in near real-time using Microsoft Defender Antivirus capabilities. It is designed to help fulfill security and compliance requirements for handling untrusted content. However, there is a file size limit of 2 GB for each scan. Additionally, Microsoft has methods for scanning the contents of password-protected zip files, such as extracting possible passwords from the bodies of an email or the name of the file itself

To mitigate the impact on monthly limits, you might consider the following approaches:

1. File Size Management: Ensure that the size of the password-protected zip files does not exceed the 2 GB limit to avoid unnecessary consumption of the scanning quota.
2. Password Management: Use common passwords that Microsoft Defender can easily extract and scan, reducing the likelihood of these files being counted as unscannable.
3. Quota Monitoring: Regularly monitor the scanning quota usage and adjust the storage and scanning policies accordingly.

Malware scanning in Defender for Storage

Increase the monthly quota for malware scanning: You can contact Azure support to request an increase in the monthly quota for malware scanning. This may be a viable option if your customers are consistently hitting their monthly limits due to password-protected zip archives. For Quota increase, please reach out to  Billing and Subscription team would be the best to provide more insight and guidance on this scenario: https://azure.microsoft.com/en-us/support/options/

Please let us know if you have any further queries. I’m happy to assist you further.    

---

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.