This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 44%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAI%3C/text%3E%3C/svg%3E)
Hello.
We’re developing a FastAPI solution hosted on Azure App Services, with an endpoint that uploads PDF files to Azure Blob Storage. To ensure file safety, we enabled Microsoft Defender’s file-scanning feature on upload and set up a Logic App to send alerts if any files are flagged as malicious.
However, every PDF file we upload is being detected as malicious, even though we believe these files are safe. We’ve reviewed our configuration and haven’t identified any settings that might explain these false positives.
Could you please assist us in diagnosing and resolving this issue? You can reach me via email at Your help is greatly appreciated.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 73%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHS%3C/text%3E%3C/svg%3E)
Hi Ahmed,
Are you certain PDF files that get uploaded are properly formatted? Are these files generated automatically? If that’s the case, you can ensure their integrity using tools like PDF/A validator. Please also make sure they don’t contain malicious scripts (or any scripts for that matter).
Let me know and we’ll walk through some other steps if that didn’t work for you…
Regards,
Haleem Sherbiny
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 45%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAV%3C/text%3E%3C/svg%3E)
Hello @Ahmad Ido
For better understanding can you please help me with the steps and documents you followed for this approach.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
@Ahmad Ido Thank you for reaching out to us, As I understand your concern is with respect to pdf file being marked as malicious by defender for cloud (with an endpoint that uploads PDF files to Azure Blob Storage).
As per my understanding below are the few reasons:
Assuming your ask is related to 3rd point, false positive detection.
If you suspect that the file is not malicious and that the detection is a false positive, you can submit the file for analysis here - https://learn.microsoft.com/en-us/unified-secops-platform/submission-guide In the form, make sure to enter the provider's name "Defender for Storage".
Also review this section Handle possible false positives for more insights on how to handle false positives.
Defender for Cloud allows you to suppress false positive alerts. Make sure to limit the suppression rule by using the malware name or file hash.
Let me know if you have any further questions, feel free to post back, if needed we can connect offline to discuss further on the same.
Hello,
Here’s a breakdown of the situation:
Test File Details:
sample-job-description-2.pdfSolution Summary:
I'm working in Python, using asynchronous calls to:
Code Snippets:
Upload Function:
await blob_client.upload_blob(
file_content,
blob_type="BlockBlob",
metadata=metadata,
content_type=content_type,
overwrite=True
)
Malware Scan Check:
if "msft_defender_scan_verdict" in metadata:
verdict = metadata.get("msft_defender_scan_verdict", "").lower()
if verdict == "malicious":
return False, "Malware detected"
elif verdict in ["clean", "no threats found"]:
return True, None
elif verdict == "scan failed":
return False, "Security scan failed"
Auto-delete Malicious Files:
if not is_safe:
await self.delete_file(container_name, file_name)
return False, error
Issue:
Regardless of the file being valid and clean, the scan always returns a "malicious" verdict. I’ve tested with multiple safe files, and I still get flagged results.
Questions:
Any guidance you can provide would be greatly appreciated. Please let me know if you need logs, additional file samples, or access to the environment to assist further.
Thank you
@Ahmad Ido Let me review your above-mentioned queries, however, would like to know the outcome when you submit the file for analysis here - https://learn.microsoft.com/en-us/unified-secops-platform/submission-guide
Please provide more details on specific service and the logic app detection method. We assume you are referring to the blob storage malware scan in Defender for Storage. Is it possible that your logic app is the cause? The storage scan is supposed to generate alerts in Defender for Cloud on its own.
Asking around internally. Might take a few days. I agree, this could be a timing issue. Maybe files default to bad until scanned.
Alternatively, have you considered that Defender for Storage should generate an alert if malware is detected. I am not clear on why you are trying to add API-based alerting.