Basahin sa Ingles I-edit

Ibahagi sa

Microsoft Antimalware Extension for Windows

  • Artikulo

Overview

The modern threat landscape for cloud environments is dynamic, increasing the pressure on business IT cloud subscribers to maintain effective protection in order to meet compliance and security requirements. Microsoft Antimalware for Azure is free, real-time protection capability. Microsoft Antimalware helps identify and remove viruses, spyware, and other malicious software, with configurable alerts when known malicious or unwanted software attempts to install itself or run on your Azure systems. The solution is built on the same antimalware platform as Microsoft Security Essentials (MSE), Microsoft Forefront Endpoint Protection, Microsoft System Center Endpoint Protection, Windows Intune, and Windows Defender for Windows 8.0 and higher. Microsoft Antimalware for Azure is a single-agent solution for applications and tenant environments, designed to run in the background without human intervention. You can deploy protection based on the needs of your application workloads, with either basic secure-by-default or advanced custom configuration, including antimalware monitoring.

Prerequisites

Operating system

The Microsoft Antimalware for Azure solution includes the Microsoft Antimalware Client, and Service, Antimalware classic deployment model, Antimalware PowerShell cmdlets, and Azure Diagnostics Extension. The Microsoft Antimalware solution is supported on Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 operating system families. It isn't supported on the Windows Server 2008 operating system, and also isn't supported in Linux.

Windows Defender is the built-in Antimalware enabled in Windows Server 2016. The Windows Defender Interface is also enabled by default on some Windows Server 2016 SKUs. The Azure VM Antimalware extension can still be added to a Windows Server 2016 and above Azure VM with Windows Defender. In this scenario the extension applies any optional configuration policies to be used by Windows Defender. The extension does not deploy any other antimalware service. See the Samples section of the Microsoft Antimalware article for more details.

Internet connectivity

The Microsoft Antimalware for Windows requires that the target virtual machine is connected to the internet to receive regular engine and signature updates.

Template deployment

Azure VM extensions can be deployed with Azure Resource Manager templates. Templates are ideal when deploying one or more virtual machines that require post deployment configuration such as onboarding to Azure Antimalware.

The JSON configuration for a virtual machine extension can be nested inside the virtual machine resource, or placed at the root or top level of a Resource Manager JSON template. The placement of the JSON configuration affects the value of the resource name and type. For more information, see Set name and type for child resources.

The following example assumes the VM extension is nested inside the virtual machine resource. When nesting the extension resource, the JSON is placed in the "resources": [] object of the virtual machine.

JSON 
{
      "type": "Microsoft.Compute/virtualMachines/extensions",
      "name": "[concat(parameters('vmName'),'/', parameters('vmExtensionName'))]",
      "apiVersion": "2019-07-01",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]"
      ],

      "properties": {
        "publisher": "Microsoft.Azure.Security",
        "type": "IaaSAntimalware",
        "typeHandlerVersion": "1.3",
        "autoUpgradeMinorVersion": true,
        "settings": {
          "AntimalwareEnabled": "true",
          "Exclusions": {
            "Extensions": ".ext1;.ext2",
            "Paths": "c:\excluded-path-1;c:\excluded-path-2",
            "Processes": "excludedproc1.exe;excludedproc2.exe"
          },

          "RealtimeProtectionEnabled": "true",
          "ScheduledScanSettings": {
            "isEnabled": "true",
            "scanType": "Quick",
            "day": "7",
            "time": "120"
          }
        },
        "protectedSettings": null
      }
}

You must include, at a minimum, the following content to enable the Microsoft Antimalware extension:

{ "AntimalwareEnabled": true }

Microsoft Antimalware JSON configuration sample:

JSON 
{ "AntimalwareEnabled": true, "RealtimeProtectionEnabled": true, "ScheduledScanSettings": { "isEnabled": true, "day": 1, "time": 120, "scanType": "Full" },

"Exclusions": { "Extensions": ".ext1;.ext2", "Paths": "c:\excluded-path-1;c:\excluded-path-2", "Processes": "excludedproc1.exe;excludedproc2.exe" }
}

AntimalwareEnabled

  • required parameter

  • Values: true/false

    • true = Enable
    • false = Error out, as false isn't a supported value

RealtimeProtectionEnabled

  • Values: true/false, default is true

    • true = Enable
    • false = Disable

ScheduledScanSettings

  • isEnabled = true/false

  • day = 0-8 (0-daily, 1-Sunday, 2-Monday, ...., 7-Saturday, 8-Disabled)

  • time = 0-1440 (measured in minutes after midnight - 60->1AM, 120 -> 2AM, ... )

  • scanType = Quick/Full, default is Quick

  • If isEnabled = true is the only setting provided, the following defaults are set: day=7 (Saturday), time=120 (2 AM), scanType="Quick"

Exclusions

  • Multiple exclusions in the same list are specified by using semicolon delimiters
  • If no exclusions are specified, then the existing exclusions, if any, are overwritten by blank on the system

PowerShell deployment

Depends on your type of deployment, use the corresponding commands to deploy the Azure Antimalware virtual machine extension to an existing virtual machine.

Troubleshoot and support

Troubleshoot

Microsoft Antimalware extension logs are available at - %Systemdrive%\WindowsAzure\Logs\Plugins\Microsoft.Azure.Security.IaaSAntimalware(Or PaaSAntimalware)\1.5.5.x(version#)\CommandExecution.log

Error codes and their meanings

Error code Meaning Possible action
-2147156224 MSI is busy with different installation Try running installation later
-2147156221 MSE setup already running Run only one instance at a time
-2147156208 Low disk space < 200 MB Delete unused files, and retry installation
-2147156187 Last installation, upgrade, update, or uninstall requested reboot Reboot, and retry installation
-2147156121 Setup tried to remove competitor product. But competitor product uninstall failed Try to remove the competitor product manually, reboot, and retry installation
-2147156116 Policy file validation failed Make sure you pass a valid policy XML file to setup
-2147156095 Setup couldn't start the Antimalware service Verify all binaries are correctly signed, and right licensing file is installed
-2147023293 A fatal error occurred during installation. In most cases, it will. Epp.msi, can't register\start\stop AM service or mini filter driver MSI logs from EPP.msi are required here for future investigation
-2147023277 Installation package couldn't be opened Verify that the package exists, and is accessible, or contact the application vendor to verify that this is a valid Windows Installer package
-2147156109 Windows Defender is required as a prerequisite
-2147205073 The websso issuer isn't supported
-2147024893 The system can't find the path specified
-2146885619 Not a cryptographic message or the cryptographic message isn't formatted correctly
-1073741819 The instruction at 0x%p referenced memory at 0x%p. The memory couldn't be %s
1 Incorrect Function

Support

If you need more help at any point in this article, you can contact the Azure experts on the Azure and Stack Overflow forums. Alternatively, you can file an Azure support incident. Go to the Azure support site, and select Get support. For information about using Azure Support, read the Microsoft Azure support FAQ.