Enable Malware Scanning

Implementation Effort: Medium — Requires configuration at the storage account or subscription level and integration with security operations for alert handling.

User Impact: Low — Malware scanning operates in the background; users are not required to take any action.

Overview

Malware scanning in Microsoft Defender for Storage enhances the security of Azure Storage accounts by detecting and mitigating malware threats using Microsoft Defender Antivirus. It supports two scanning modes:

• On-upload scanning: Automatically scans blobs when they are uploaded or modified. This is ideal for applications with frequent user uploads, such as web apps or collaborative platforms.
• On-demand scanning: Allows scanning of existing blobs at any time, useful for incident response, compliance audits, or establishing a security baseline.

Key benefits include:

• Detection of polymorphic and metamorphic malware
• Scanning of all file types, including archives (ZIP, RAR) up to 50 GB
• Integration with Microsoft Defender for Cloud alerts
• Support for automation via Logic Apps and Function Apps
• Logging for compliance and auditing
• Support for private endpoints to avoid public internet exposure

To enable malware scanning:

1. Navigate to Microsoft Defender for Cloud in the Azure portal.
2. Select your subscription or storage account.
3. Enable Defender for Storage and configure malware scanning settings.
4. Choose between on-upload and on-demand scanning based on your use case.

If malware scanning is not enabled, malicious files can enter your environment undetected, posing risks to data integrity, compliance, and downstream systems.

This capability supports the Zero Trust principle of "Assume Breach" by proactively detecting threats and preventing malware propagation within cloud storage.

Reference

• Introduction to Malware Scanning in Defender for Storage
• Configure Malware Scanning Responses
• On-upload Malware Scanning