The world of virus and malware are unpredictable. There are many historically stories about the virus for example Conflicker or Nimda which damaged hugely to hijacked network. The most recent story is ransomware WannaCry which is considered the largest attack in the world.
Some of the actions such a malware does is:
- Slow down your virtual machine
- Stop some critical services on your virtual machine
- Automatically attack other virtual machines in the same network
- Be a backdoor sending message and sensitive information to attacker
- Encrypt your file and extort your money
Such a malware can be very dangerous when infecting to your virtual machine. I used to involve in a disaster recovery for a big security incident in which a malware encrypted database of a SharePoint system. The root cause could come from a poisoned computer which did not install antimalware. Such a case is not new to the world, having happened everywhere.
If you want to learn advanced Azure IaaS Defense in Depth with lot of hands-on labs to practice, go pre-order my upcoming book here
Planning and deploying antimalware solution is always a good practice in security, especially in defense in depth strategy. Microsoft Azure provides you free real-time protection capability through something they call virtual machine extension to identify virus, spyware and malicious software like so-called antivirus software in your personal computer. Microsoft Azure antimalware offers the following features:
- Real-time protection
- Scheduled scanning
- Malware remediation
- Signature updates
- Antimalware Engine updates
- Antimalware Platform updates
- Active protection
- Samples reporting
- Antimalware event collection
Antimalware service is running on your virtual machine, responsible for collecting signature and data from Microsoft Antimalware Engine. You can create a new storage account to store antimalware events.
When you install Microsoft antimalware extension, you are to install a client software on your virtual machine. The software looks like System Center 2012 Endpoint Protection if running on Windows Server 2008 R2, 2012 and 2012 R2. In Windows Server 2016, it’s called Windows Defender.
You can enable Microsoft Antimalware extension for your virtual machine by the following ways:
- Azure Portal
- Visual Studio Virtual Machine configuration
- Azure Security Center
Microsoft Antimalware extension is not the only option. You can go with third-party antivirus for enterprise such as Symantec, Trend Micro, Intel McAfee to protect your virtual machine. These third-party products are not available in Azure virtual machine extensions. You must go to install individually.
Lab: Deploying Microsoft Antimalware Extension in Azure Portal
Log into the Azure Management Portal (https://portal.azure.com) using your administrator account. From the left panel, click Virtual machines. Click a virtual machine to start installing the extensions. On the did-jump01-vm blade, click Extensions.
On the Extensions blade, there is one extension named IaaSDiagnostics which has been already installed during your virtual machine provisioning. Click Add. On the New resource blade, click Microsoft Antimalware.
On Microsoft Antimalware blade, click Create. On the Install extension blade, you need to set up some specific configurations for your Antimalware.
Enter excluded file and location you do not want Microsoft Antimalware client application scan under EXCLUDED FILE AND LOCATION setting. Enter excluded file extensions under EXCLUDED FILE EXTENSIONS setting. Enter excluded processes under EXCLUDED PROCESSES setting.
Select Enable under REAL-TIME PROTECTION setting. Select Enable or Disable under RUN A SCHEDULED SCAN setting. If you select Disable, you can still configure a schedule directly from the Antimalware tool. Select Quick or Full under SCAN TYPE setting.
Set you date you wish the Antimalware tool to scan and scan time under SCAN TIME You can hover your mouse on the tooltip icon to understand this setting. Click OK.
Wait around 5 – 10 minutes until the installation is complete.
Note that if you apply Deny-All Outbound rule using Network Security Group, make sure to add a new “Allow” Outbound rule so your virtual machine can connect to Microsoft Antimalware engine. Follow steps described in this article to allow Internet-bound to Microsoft Antimalware cloud service. Otherwise the extension installation will not run because your virtual machine does not allow Internet outbound network traffic.
If the OS is Windows Server 2016, the Antimalware client is Windows Defender. If the OS is Windows Server 2012, it is System Center Endpoint Protection. By default, Microsoft Antimalware does not provide Graphic User Interface (GUI) version in Windows Server 2012. When you open System Center Endpoint Protection, you will receive the error message below:
However, you can enable GUI version. Go to registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\UX Configuration . Click double on UILockdown Change the value under Value data setting from 1 to 0. Click OK.
Open System Center Endpoint Protection again. From Settings tab, there are settings you can configure for your antimalware.
You cannot enable diagnostics logging via Azure Management Portal for your Antimalware extension. You can use PowerShell to enable diagnostics logging, which can be found here.
Microsoft Antimalware can be a free tool to protect your Azure virtual machine. Not only Microsoft Antimalware, there are still many security solutions including antimalware capability you can find from Azure Marketplace. You can also consider using centralized enterprise antimalware solution from big vendors such as Intel, Kaspersky, Symantec.
Below is the list of additional helpful references about Microsoft Antimalware for Azure virtual machine: