Microsoft Antimalware for Azure Cloud Services and Virtual MachinesPREVIEW Microsoft Antimalware for Azure Cloud Services and Virtual Machines Abstract This paper provides an architectural overview of Microsoft Antimalware for Azure, including supported scenarios and configurations for enabling, configuring and deploying protection for Azure Cloud Services and Virtual Machines. We will cover basic configuration, management, and monitoring functionality accessible through Microsoft Azure service management API’s, PowerShell scripts, and the Azure Management Portal. NOTE: Certain recommendations contained herein may result in increased data, network, or compute resource usage resulting in additional license or subscription costs. Published May 2014 P A G E | 02 Microsoft Antimalware for Azure Cloud Services and Virtual Machines Acknowledgements Contributors: Microsoft Azure Security and Compliance Engineering Microsoft Malware Protection Engineering Microsoft Azure Engineering Systems (c) 2014 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Some examples are for illustration only and are fictitious. No real association is intended or inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. P A G E | 03 Microsoft Antimalware for Azure Cloud Services and Virtual Machines Table of Contents 1 OVERVIEW .............................................................................................................................................. 5 2 ARCHITECTURE ..................................................................................................................................... 6 2.1 MICROSOFT ANTIMALWARE WORKFLOW .......................................................................................................................... 6 2.2 DEFAULT AND CUSTOM ANTIMALWARE CONFIGURATION.................................................................................... 8 ANTIMALWARE DEPLOYMENT SCENARIOS ...........................................................................10 3 3.1 ENABLE AND CONFIGURE ANTIMALWARE FOR AZURE CLOUD SERVICES .................................................................... 10 3.2 GET ANTIMALWARE CONFIGURATION FOR AZURE CLOUD SERVICES .......................................................... 10 3.3 REMOVE ANTIMALWARE CONFIGURATION FOR AZURE CLOUD SERVICES .................................................................. 11 3.4 ENABLE AND CONFIGURE ANTIMALWARE FOR AZURE VIRTUAL MACHINES ......................................................... 11 3.5 ENABLE AND CONFIGURE ANTIMALWARE MONITORING FOR CLOUD SERVICES AND VIRTUAL MACHINES...... 12 4 PROVIDING FEEDBACK ...................................................................................................................12 5 APPENDIX A: MICROSOFT ANTIMALWARE CONFIGURATION XML TEMPLATE ...........................13 6 APPENDIX B: ENABLE AND CONFIGURE MICROSOFT ANTIMALWARE FOR CLOUD SERVICES ..14 7 APPENDIX C: GET MICROSOFT ANTIMALWARE CONFIGURATION FOR CLOUD SERVICES ........16 8 APPENDIX D: REMOVE MICROSOFT ANTIMALWARE CONFIGURATION FOR CLOUD SERVICES 17 9 APPENDIX E: ENABLE AND CONFIGURE ANTIMALWARE FOR VIRTUAL MACHINES IN AZURE MANAGEMENT PORTAL .................................................................................................................................18 10 APPENDIX F: ENABLE AND CONFIGURE ANTIMALWARE FOR VIRTUAL MACHINES THROUGH AZURE POWERSHELL ...................................................................................................................19 11 APPENDIX G: ENABLE AND CONFIGURE ANTIMALWARE MONITORING FOR VIRTUAL MACHINES ........................................................................................................................................................22 12 REFERENCES AND FURTHER READING ............................................................................................26 P A G E | 04 Microsoft Antimalware for Azure Cloud Services and Virtual Machines 1 Overview The modern threat landscape for cloud environments is extremely dynamic, increasing the pressure on business IT cloud subscribers to maintain effective protection in order to meet compliance and security requirements. Microsoft Antimalware for Azure Cloud Services and Virtual Machines is a real-time protection capability that helps identify and remove viruses, spyware, and other malicious software, with configurable alerts when known malicious or unwanted software attempts to install itself or run on your system. The solution is built on the same antimalware platform as Microsoft Security Essentials [MSE], Microsoft Forefront Endpoint Protection, Microsoft System Center Endpoint Protection, Windows Intune, and Windows Defender for Windows 8.0 and higher. Microsoft Antimalware for Azure is a single-agent solution for applications and tenant environments, designed to run in the background without human intervention. You can deploy protection based on the needs of your application workloads, with either basic secure-by-default or advanced custom configuration, including antimalware monitoring. When you deploy and enable the Microsoft antimalware solution for your Azure applications, the following core features are available: Real-time protection - monitors activity in Cloud Services and on Virtual Machines to detect and block malware execution. Scheduled scanning - periodically performs targeted scanning to detect malware, including actively running programs. Malware remediation - automatically takes action on detected malware, such as deleting or quarantining malicious files and cleaning up malicious registry entries. Signature updates - automatically installs the latest protection signatures (virus definitions) to ensure protection is up-to-date on a pre-determined frequency. Antimalware Engine updates – automatically updates the Microsoft Antimalware engine. Antimalware Platform updates – automatically updates the Microsoft Antimalware platform. Active protection - reports telemetry metadata about detected threats and suspicious resources to Microsoft Azure to ensure rapid response to the evolving threat landscape, as well as enabling real-time synchronous signature delivery through the Microsoft Active Protection System (MAPS). Samples reporting - provides and reports samples to the Microsoft Antimalware service to help refine the service and enable troubleshooting. Exclusions – allows application and service administrators to configure certain files, processes, and drives to exclude them from protection and scanning for performance and/or other reasons. Antimalware monitoring - records the antimalware service health, suspicious activities and remediation actions taken in the operating system event log and collects them into the customer’s Azure Storage account. The antimalware monitoring is enabled via the Azure Diagnostics Service extension as an advanced configuration. P A G E | 05 Microsoft Antimalware for Azure Cloud Services and Virtual Machines 2 Architecture The Microsoft Antimalware for Azure Cloud Services and Virtual Machines includes the Microsoft Antimalware Client and Service, Antimalware Service Management Extension, Antimalware PowerShell cmdlets and Azure Diagnostics Service Extension. The Microsoft Antimalware solution is supported on Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 operating system families. It is not supported on the Windows Server 2008 operating system. The Microsoft Antimalware Client and Service is installed by default in disabled state in all supported Azure guest operating system families in the Cloud Services platform. The Microsoft Antimalware Client and Service is not installed by default in the Virtual Machines platform and is available as an optional feature through the Azure Management Portal Virtual Machine configuration page under Security Extensions. 2.1 Microsoft Antimalware Workflow The Azure Management Portal and Antimalware service management APIs (SMAPI) for both Cloud Services and Virtual Machines provides a way to configure and enable the Antimalware service for your Azure applications. To enable and configure the Microsoft Antimalware service programmatically using SMAPI or PowerShell cmdlets, the Azure service administrator needs to author the antimalware configuration and execute the PowerShell, or instrument the target application using SMAPI [refer to the Scenarios section for details]. The antimalware PowerShell cmdlet or service management API call pushes the antimalware extension package file to the Azure system at a pre-determined fixed location. The Azure guest agent (or the fabric agent) launches the antimalware extension, applying the antimalware configuration settings supplied as input. This step will enable the Antimalware service with default or custom antimalware configuration settings. If no custom configuration is provided, the antimalware service is enabled with the default configuration settings. The antimalware XML configuration settings template is included in the Appendix section of this whitepaper, showing the supported antimalware configuration settings. Once running, the Microsoft Antimalware client downloads the latest protection engine and signature definitions from the Internet and loads them on the Azure system. The Microsoft Antimalware service writes service-related events to the system OS events log under the “Microsoft Antimalware” event source. Events include the antimalware client health state, protection and remediation status, new and old configuration settings, engine updates and signature definitions, and others. You can enable monitoring to have the antimalware event log events written as they are produced to the Azure storage account you specify as an advanced (or custom) configuration option by including the monitoring setting [<Monitoring>ON] and your application Azure storage account in the antimalware configuration xml input. The antimalware service uses the Azure Diagnostics Service extension to collect antimalware events from the Azure system into the customer’s Azure Storage table account. P A G E | 06 Microsoft Antimalware for Azure Cloud Services and Virtual Machines The following diagram shows the workflow involved in enabling the antimalware solution for Azure Cloud Services (Web Role and Worker Role) and Virtual Machines: Figure 1: Microsoft Antimalware in Azure Workflow - Enable, Configure, and Monitor Microsoft Antimalware P A G E | 07 Microsoft Antimalware for Azure Cloud Services and Virtual Machines 2.2 Default and Custom Antimalware Configuration The antimalware default configuration settings are used when you enable Microsoft Antimalware for Azure Virtual Machines through the Azure Management Portal. Similarly, the antimalware default configuration settings are used when you enable Microsoft Antimalware for Azure cloud services through the antimalware PowerShell cmdlets. The default configuration settings have been pre-optimized for running in the Microsoft Azure environment. Optionally, you can customize these settings as required for your Azure application or service deployment. The following table summarizes the settings available to configure for the antimalware service. The default configuration settings are marked under the Default column below. Setting Options Default Description AntimalwareEnabled true None true - Enables Microsoft Antimalware false Exclusions Extensions extension1, extension2, false – not supported None … … Exclusions Paths path1, List of file extensions to exclude from scanning. Example: gif, log, txt would exclude files with the .gif, .log, or .txt extension from being scanned. Each excluded file extension should be added as a separate row element value in your antimalwareconfig.XML None path2 … … List of paths to files or folders to exclude from scanning. Example: e:\approot\worker.dll, e:\approot\temp would exclude the file worker.dll in the e:\approot folder and anything under the folder e:\approot\temp from being scanned. Each excluded path should be added as a separate row element value in your antimalwareconfig.XML Exclusions Processes process1, process2, … … None List of process exclusions. Any file opened by an excluded process will not be scanned (the process itself will still be scanned – to exclude the process itself, use the ExcludedPaths configuration). Example: C:\Program Files\MyApp.exe would exclude any files opened by MyApp.exe from being scanned. Each excluded process should be added as a separate row element value in your antimalwareconfig.XML P A G E | 08 Microsoft Antimalware for Azure Cloud Services and Virtual Machines Monitoring ON None (Antimalware monitoring) OFF StorageAccountName Name of the Storage Account None Storage account name for your Azure store table to capture antimalware health and related events information RealtimeProtectionEnabl ed true true true – Enables real-time protection ScheduledScanSettings isEnabled true ScheduledScanSettings Day 0–8 OFF – Disable antimalware monitoring by removing antimalware monitoring config if it was previously turned ON false false – disables real-time protection None Enables or disables a periodic scan for active malware on the system 7 0 – scan daily, 1 – Sunday, 2 – Monday, 3Tuesday…, 7 – Saturday false (DayForWeeklySchedule dScans) ScheduledScanSettings Time ON - Enable antimalware monitoring using Azure diagnostics v1.1 Default = 7 if only ScheduledScanSettings isEnabled is true 0 – 1440 120 (TimeForWeeklySchedul edScans) Hour at which to begin the scheduled scan. Measured in 60 minute increments from midnight 60 mins – 1:00 AM 120 mins – 2:00 AM … 1380 mins – 11:00 PM Default = 120 mins if ScheduledScanSettings isEnabled is true scanType Quick/Full Quick Default = Quick if ScheduledScanSettings isEnabled is true P A G E | 09 Microsoft Antimalware for Azure Cloud Services and Virtual Machines 3 Antimalware Deployment Scenarios The scenarios to enable and configure antimalware, including monitoring for Azure Cloud Services and Virtual Machines, are discussed in this section. 3.1 Enable and Configure Antimalware for Azure Cloud Services An Azure application or service can enable and configure Microsoft Antimalware for Azure Cloud Services using the PowerShell cmdlets available in Azure-sdk-tools (refer to the Resources section for more information). Note, that Microsoft Antimalware is installed in a disabled state in the cloud services platform and requires an action by an Azure application to enable it. The PowerShell cmdlet to enable and configure Microsoft Antimalware is: Set-AzureServiceAntimalwareExtension [-ServiceName] <string> [[-Slot] <string>] [[-Role] <string>] [-AntimalwareConfiguration] <XMLDocument> [[-Monitoring] <string>] [[StorageAccountName] <string>] [[-EndpointSuffix] <Storage Endpoint Suffix>] This cmdlet requires antimalware XML configuration as input. Optionally, the cmdlet accepts parameters that can override and supplement values in the antimalware XML config, such as storage account details. See the Appendix examples for more details. You can use Set-AzureServiceAntimalwareExtension PowerShell cmdlet to update the antimalware service configuration settings (updated XMl config) to your Azure application or service that is already running and or deployed in Azure, and the antimalware configuration settings will update automatically. 3.2 Get Antimalware Configuration for Azure Cloud Services The Azure application or service can retrieve the Microsoft Antimalware configuration for Cloud Services using the PowerShell cmdlets available in Azure-sdk-tools (refer to the Resources section for more information) as follows: Get-AzureServiceAntimalwareConfig [-ServiceName] <string> [[-Slot] <string>] This cmdlet gets the antimalware and monitoring configuration details associated with the extension for the specified service name. See the examples in the Appendix for more details. P A G E | 010 Microsoft Antimalware for Azure Cloud Services and Virtual Machines 3.3 Remove Antimalware Configuration for Azure Cloud Services The Azure application or service can remove the antimalware configuration and any associated antimalware monitoring from the relevant antimalware and Azure diagnostics service extensions associated with the specified cloud service name using the below antimalware PowerShell cmdlets available in Azure-sdk-tools (refer to Resources section for more information). The PowerShell cmdlet to remove the Microsoft Antimalware configuration and antimalware monitoring configuration is: Remove-AzureServiceAntimalwareExtension [-ServiceName] <string> [[-Slot] <string>] [[-Role] <string[]>] [[-EndpointSuffix] <string>] See the Appendix examples for more details. 3.4 Enable and Configure Antimalware for Azure Virtual Machines The Azure application or service can enable and configure Microsoft antimalware for Azure Virtual Machines using the Azure Management Portal UX or Azure service management PowerShell cmdlets available in Azure-sdk-tools (refer to Resources section for more information). The steps to enable and configure Microsoft Antimalware using the Azure Management Portal with default antimalware configuration settings are shown in the Appendix. The Azure PowerShell cmdlet to enable and configure Microsoft Antimalware for Azure Virtual Machines is: (Get-AzureVM [[-ServiceName] <String>] [[-Name] <String>]) | Set-AzureVMExtension [ExtensionName <string>] [-Publisher <string>] [-PublicConfigFile <string>] [-Version <string>] | Update-AzureVM This cmdlet requires antimalware XML configuration as input to the PublicConfigFile parameter. If the antimalware XML configuration is not specified, the Microsoft antimalware service is enabled with default configuration settings. See Appendix examples for more details. You can use the above cmdlet example to update the antimalware service configuration settings (updated XMl config) to your Azure application or service that is already running and or deployed in Azure and the antimalware configuration settings will update automatically. P A G E | 011 Microsoft Antimalware for Azure Cloud Services and Virtual Machines 3.5 Enable and Configure Antimalware Monitoring for Cloud Services and Virtual Machines Antimalware monitoring is enabled by specifying the following settings in the antimalware configuration XML <Monitoring>ON</Monitoring> <StorageAccountName>INPUT STORAGE ACCOUNT HERE</StorageAccountName> Antimalware Monitoring is also turned ON by specifying the Monitoring parameter value as “ON” in the Set-AzureServiceAntimalwareExtension PowerShell cmdlet call. To enable antimalware monitoring for Azure Virtual Machines, refer to the examples in the Appendix. 4 Providing Feedback The goal of the Microsoft Antimalware for Azure Cloud Services and Virtual Machines technology preview version, is to give you a chance to evaluate the solution to provide antimalware protection to your Azure applications and provide feedback. We want to hear from you! You can use the Security for Azure MSDN forum to post questions, suggestions, or issues you have with Microsoft Antimalware for Azure Cloud Services and Virtual Machines. P A G E | 012 Microsoft Antimalware for Azure Cloud Services and Virtual Machines 5 Appendix A: Microsoft Antimalware Configuration XML Template NOTE – The following antimalware configuration template settings must be adjusted for your Azure cloud service and Virtual Machines. Only supported antimalware configuration settings are allowed. <?XML version="1.0" encoding="utf-8"?> <AntimalwareConfig> <!-AntimalwareEnabled: true/false. Note - This is a required parameter: Values: true = Enable. false = Error out as false is not a supported value. Note: true/false values are case sensitive and must be lowercase --> <AntimalwareEnabled></AntimalwareEnabled> <!-- RealtimeProtectionEnabled: true/false. Default is true. Values: true = Enable. false = Disable. Note: true/false values are case sensitive and must be lowercase--> <RealtimeProtectionEnabled></RealtimeProtectionEnabled> <!-- ScheduledScanSettings: By Default, ScheduledScan is Disabled Values: isEnabled="true/false" Note: true/false values are case sensitive and must be lowercase day="0-8" [0-daily, 1-Sunday, 2-Monday, ...., 7-Saturday, 8-Disabled] time="0-1440" (measured in minutes after midnight) scanType="Quick/Full" (Default is Quick - values are case sensitive and first letter must be uppercase). If isEnabled="true" is the only setting provided, the following defaults are set - day="7" (Saturday), time="120" (2 AM), scanType="Quick" --> <ScheduledScanSettings isEnabled="" day="" time="" scanType="" /> <!-Exclusions: If no Exclusions are specified below, then the existing exclusions, if any, are overwritten by blank on the system. By Default, there are NO Exclusions --> <Exclusions> <Extensions> <!-- Specify Extension exclusions as .txt, .log etc. Each excluded file extension should be added as a separate row element value--> <Extension></Extension> </Extensions> <Paths> <!-- Specify Path exclusions as E:\, F:\ etc. Each excluded path should be added as a separate row element value --> <Path></Path> </Paths> <Processes> <!-- Specify Process exclusions as foo.exe etc. Each excluded path should be added as a separate row element value --> <Process></Process> </Processes> </Exclusions> <!-Monitoring: ON/OFF. Antimalware monitoring can be specified here or as a cmdlet parameter to the antimalware PowerShell cmdlet if you wish to enable antimalware monitoring. By default, monitoring is OFF Values: ON = Antimalware monitoring is turned ON to collect events into user storage. OFF = Antimalware monitoring is turned OFF & events are not collected --> <Monitoring></Monitoring> <!-Storage account name must be specified here or as a cmdlet parameter to the antimalware PowerShell cmdlet to enable antimalware monitoring--> <StorageAccountName></StorageAccountName> </AntimalwareConfig> P A G E | 013 Microsoft Antimalware for Azure Cloud Services and Virtual Machines 6 Appendix B: Enable and Configure Microsoft Antimalware for Cloud Services -------------------------- EXAMPLE 1 -------------------------STEP #0: Prerequisite step before using the Azure SDK PowerShell cmdlets Download a file which contains the publish settings information of your subscription. This will open a browser window and ask you to log in to get the file. Get-AzurePublishSettingsFile Import the file you downloaded and save it to a secure location. Notice that the file contains the credential of your subscription. You don't want to make it public; protect it securely. Import-AzurePublishSettingsFile "<file location>" Import-Module 'INPUT Azure SDK Install Path Location' For example: Azure SDK Install path could be 'C:\Program Files (x86)\Microsoft SDKs\Windows Azure\PowerShell\ServiceManagement\Azure\Azure.psd1' If the Install path of the Azure SDK changes in future releases, update the path accordingly in the ImportModule. STEP #1: Load your application Microsoft antimalware configuration XML (created in Appendix A). $service_name = "INPUT YOUR Cloud Service Name" $config_file_path = “INPUT YOUR Antimalware Config File Path” C:\PS>[System.Xml.XmlDocument] $xml_config = new-object System.Xml.XmlDocument; $xml_config.load($config_file_path) System.Xml.XmlDocument STEP #2: Enable Microsoft Antimalware in the default production slot with pre-loaded xml configuration from Appendix A. P A G E | 014 Microsoft Antimalware for Azure Cloud Services and Virtual Machines C:\PS>Set-AzureServiceAntimalwareExtension -ServiceName $service_name AntimalwareConfiguration $xml_config You will see an “Operation succeeded” message in your PowerShell console output. You can also review the execution log on the system located at “C:\Logs\Plugins\Microsoft.Azure.Security.PaaSAntimalware\” in the AntimalwareExtensionCfg.txt or CommandExecution.txt log files. -------------------------- EXAMPLE 2 -------------------------- Enable Microsoft Antimalware in the staging slot with the pre-loaded configuration in example #1. $service_name = "INPUT YOUR Cloud Service Name" C:\PS>Set-AzureServiceAntimalwareExtension -ServiceName $service_name -Slot "staging" AntimalwareConfiguration $xml_config You will see an “Operation succeeded” message in your PowerShell console output. You can also review the AntimalwareExtensionCfg.txt or CommandExecution.txt log files on the system located at “C:\Logs\Plugins\Microsoft.Azure.Security.PaaSAntimalware\”. -------------------------- EXAMPLE 3 -------------------------- Enable Microsoft Antimalware in the default production slot with the pre-loaded configuration in example #1, explicitly specifying monitoring and storage account name as cmdlet parameters (parameters specified here will override any corresponding values for these parameters that were specified within the antimalware XML configuration). $service_name = "INPUT YOUR Cloud Service Name" $storage_account_name = “INPUT YOUR Storage Account Name Here” C:\PS>Set-AzureServiceAntimalwareExtension -ServiceName $service_name -Slot $slot AntimalwareConfiguration $xml_config -Monitoring ON -StorageAccountName $storage_account_name P A G E | 015 Microsoft Antimalware for Azure Cloud Services and Virtual Machines 7 Appendix C: Get Microsoft Antimalware Configuration for Cloud Services -------------------------- EXAMPLE 1 -------------------------- This command will return the antimalware configuration object for the specified service name in the default production slot. A monitoring configuration object will also be returned if monitoring was enabled. $service_name = “INPUT YOUR Cloud Service Name” C:\PS>Get-AzureServiceAntimalwareConfig -ServiceName $service_name -------------------------- EXAMPLE 2 -------------------------- This command will return the antimalware configuration object for the specified service name in the staging slot. A monitoring configuration object will also be returned if monitoring was enabled. $service_name = “INPUT YOUR Cloud Service Name” C:\PS>Get-AzureServiceAntimalwareConfig -ServiceName $service_name -Slot Staging P A G E | 016 Microsoft Antimalware for Azure Cloud Services and Virtual Machines 8 Appendix D: Remove Microsoft Antimalware Configuration for Cloud Services -------------------------- EXAMPLE 1 -------------------------- Removes the antimalware extension and monitoring of associated antimalware events from the specified service name. $service_name = “INPUT YOUR Cloud Service Name” C:\PS>Remove-AzureServiceAntimalwareExtension -ServiceName $service_name -------------------------- EXAMPLE 2 -------------------------- Removes the antimalware extension and monitoring of associated antimalware events from all roles in the staging slot of the specified service name. $service_name = “INPUT YOUR Cloud Service Name” C:\PS>Remove-AzureServiceAntimalwareExtension -ServiceName $service_name -Slot Staging -------------------------- EXAMPLE 3 -------------------------- Removes the antimalware extension and monitoring of associated antimalware events from the specified service name in the corresponding slot and role. $service_name = “INPUT YOUR Cloud Service Name” $role = “INPUT YOUR Cloud Service Role Name” C:\PS>Remove-AzureServiceAntimalwareExtension -ServiceName $service_name -Slot $slot -Role $role P A G E | 017 Microsoft Antimalware for Azure Cloud Services and Virtual Machines 9 Appendix E: Enable and Configure Antimalware for Virtual Machines in the Azure Management Portal 1) Click +New on the Virtual Machines in the Azure Management Portal, select Virtual Machine, select From Gallery. 2) Select the Microsoft Windows Server image from the image gallery and input the Virtual Machine configuration [page 2 and page 3]. 3) Check the Microsoft Antimalware checkbox under Security Extensions on the Virtual Machine configuration page [page 4] and submit. 4) Click the submit button to enable and configure Microsoft Antimalware for Azure Virtual Machines with default configuration settings. P A G E | 018 Microsoft Antimalware for Azure Cloud Services and Virtual Machines 10 Appendix F: Enable and Configure Antimalware for Virtual Machines through Azure PowerShell -------------------------- EXAMPLE 1 -------------------------- STEP #0: Prerequisite step before using the Azure SDK PowerShell cmdlets Download the file which contains the publish settings information of your subscription. This will open a browser window and ask you to log in to get the file. Get-AzurePublishSettingsFile Import the file you downloaded and save it to a secure location. Notice that the file contains the credential of your subscription. You don't want to make it public; protect it securely. Import-AzurePublishSettingsFile "<file location>" Import-Module 'INPUT Azure SDK Install Path Location' For example: Azure SDK Install path could be 'C:\Program Files (x86)\Microsoft SDKs\Windows Azure\PowerShell\ServiceManagement\Azure\Azure.psd1' If the Install path of the Azure SDK changes in future releases, update the path accordingly in the ImportModule. STEP #1: Enable Microsoft Antimalware for Virtual Machines with your application custom/advanced antimalware configuration: $ms_antimalware_extension_name = "IaaSAntimalware" $ms_antimalware_publisher_name = "Microsoft.Azure.Security" $ms_antimalware_version = ‘1.0’ $ms_antimalware_xml_config = Get-Content “INPUT YOUR Antimalware Config File Path” $ms_antimalware_b64_config = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($ms_antimalware_xml_con fig)) P A G E | 019 Microsoft Antimalware for Azure Cloud Services and Virtual Machines $ms_antimalware_public_config = [string]::Format("{{""xmlCfg"":""{0}""}}",$ms_antimalware_b64_config) (Get-AzureVM -ServiceName $service_name -Name $service_name) | Set-AzureVMExtension ExtensionName $ms_antimalware_extension_name -Publisher $ms_antimalware_publisher_name PublicConfiguration $ms_antimalware_public_config -Version $ms_antimalware_version | UpdateAzureVM You will see “Operation succeeded” message in your PowerShell console output. You can also review the CommandExecution.txt log files on the system located at: “C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.Security.IaaSAntimalware” NOTE: As the Microsoft Antimalware extension for Virtual Machines is updated with new version in the Azure system, you can execute the following Azure PowerShell cmdlet to retrieve the latest version of the Microsoft Antimalware extension for Virtual Machines: $ms_antimalware_extension_name = "IaaSAntimalware" $ms_antimalware_publisher_name = "Microsoft.Azure.Security" Get-AzureVMAvailableExtension -Publisher $ms_antimalware_publisher_name -ExtensionName $ms_antimalware_extension_name P A G E | 020 Microsoft Antimalware for Azure Cloud Services and Virtual Machines -------------------------- EXAMPLE 2 -------------------------- Enable Microsoft Antimalware for Virtual Machines with the default antimalware configuration $ms_antimalware_extension_name = "IaaSAntimalware" $ms_antimalware_publisher_name = "Microsoft.Azure.Security" $ms_antimalware_version = ‘1.0’ (Get-AzureVM -ServiceName $service_name -Name $service_name) | Set-AzureVMExtension ExtensionName $ms_antimalware_extension_name -Publisher $ms_antimalware_publisher_name Version $ms_antimalware_version | Update-AzureVM You will see “Operation succeeded” message in your PowerShell console output. You can also review the CommandExecution.txt log on the system located at: “C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.Security.IaaSAntimalware” NOTE: As the Microsoft Antimalware extension for Virtual Machines is updated with the new version in the Azure system, you can execute the following Azure PowerShell cmdlet to retrieve the latest version of the Microsoft Antimalware extension for Virtual Machines: $ms_antimalware_extension_name = "IaaSAntimalware" $ms_antimalware_publisher_name = "Microsoft.Azure.Security" Get-AzureVMAvailableExtension -Publisher $ms_antimalware_publisher_name -ExtensionName $ms_antimalware_extension_name P A G E | 021 Microsoft Antimalware for Azure Cloud Services and Virtual Machines 11 Appendix G: Enable and Configure Antimalware monitoring for Virtual Machines -------------------------- EXAMPLE 1 -------------------------- Enable Microsoft Antimalware monitoring for Virtual Machines using Azure Diagnostics through Azure PowerShell cmdlets. For antimalware events, the Azure Diagnostics extension is configured below to capture events from the System event log source “Microsoft Antimalware” to your Azure storage account. The antimalware event categories “Error”, “Warning”, “Informational” etc. are captured in your Azure storage. You can view the raw events by looking at the WADWindowsEventLogsTable table in your Azure storage account you configured to use to enable antimalware monitoring using Azure Diagnostics. This can be useful to validate that antimalware event collection is working. Example #2 below shows how to extract the antimalware events from your Azure storage account. STEP 1: #Construct Azure Diagnostics public config and convert to config format $wad_xml_config = "<WadCfg><DiagnosticMonitorConfiguration><WindowsEventLog scheduledTransferPeriod=""PT1M""><DataSource name=""System!*[System[Provider[@Name='Microsoft Antimalware']]]"" /></WindowsEventLog></DiagnosticMonitorConfiguration></WadCfg>" $wad_b64_config = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($wad_xml_config)) $wad_public_config = [string]::Format("{{""xmlCfg"":""{0}""}}",$wad_b64_config) STEP 2: #Construct Azure diagnostics private config $wad_storage_account_name = "STORAGE Account NAME Here" $wad_storage_account_key = (Get-AzureStorageKey $wad_storage_account_name).Primary $wad_private_config = [string]::Format("{{""storageAccountName"":""{0}"",""storageAccountKey"":""{1}""}}",$wad_storage_ account_name,$wad_storage_account_key) STEP 3: #Enable Antimalware monitoring for Virtual Machines $service_name = "VM-NAME-HERE" $wad_extension_name = "IaaSDiagnostics" $wad_publisher = "Microsoft.Azure.Diagnostics" P A G E | 022 Microsoft Antimalware for Azure Cloud Services and Virtual Machines $wad_version = 1.1 (Get-AzureVM -ServiceName $service_name -Name $service_name) | Set-AzureVMExtension ExtensionName $wad_extension_name -Publisher $wad_publisher -PublicConfiguration $wad_public_config -PrivateConfiguration $wad_private_config -Version $wad_version | UpdateAzureVM NOTE: As the Azure Diagnostics extension for Virtual Machines is updated with the new version in the Azure system, you can execute the following Azure PowerShell cmdlet to retrieve the latest version of the Azure Diagnostics extension for Virtual Machines: $wad_extension_name = "IaaSDiagnostics" $wad_publisher = "Microsoft.Azure.Diagnostics" Get-AzureVMAvailableExtension -Publisher $wad_publisher -ExtensionName $wad_extension_name -------------------------- EXAMPLE 2 -------------------------- Extract Microsoft Antimalware monitoring health and other event information from your Azure storage through Azure PowerShell cmdlets in a file. This data information can be sent to your IT Enterprise System for reporting and/or alerting and or notification. STEP #1: Provide storage account name belonging to the currently default subscription $storage_account_name = “INPUT YOUR Storage Account Name Here” STEP #2: Set this as the current storage account for the current subscription $subscription_name = (Get-AzureSubscription -Default).SubscriptionName Set-AzureSubscription -SubscriptionName $subscription_name -CurrentStorageAccountName $storage_account_name P A G E | 023 Microsoft Antimalware for Azure Cloud Services and Virtual Machines STEP #3: Look for the antimalware event log data in the storage account $tableName = (Get-AzureStorageTable -Prefix "WADWindowsEventLogs").Name; if ($tableName) { $stg = Get-AzureStorageAccount -StorageAccountName $storage_account_name $cloudTableClient = $stg.CreateCloudTableClient() $cloudTableData = $cloudTableClient.GetTableReference($tableName) $query = New-Object Microsoft.WindowsAzure.Storage.Table.TableQuery $response = $cloudTableData.ExecuteQuery($query) STEP #4: Extract out the relevant information $results = New-Object System.Collections.ArrayList foreach ($row in $response) { $obj = new-object psobject Add-Member -InputObject $obj -MemberType NoteProperty -Name "Timestamp" -Value $row.Properties.TIMESTAMP.PropertyAsObject.ToOADate() Add-Member -InputObject $obj -MemberType NoteProperty -Name "EventId" -Value $row.Properties.EventId.Int32Value Add-Member -InputObject $obj -MemberType NoteProperty -Name "Role" -Value $row.Properties.Role.StringValue Add-Member -InputObject $obj -MemberType NoteProperty -Name "RoleInstance" -Value $row.Properties.RoleInstance.StringValue Add-Member -InputObject $obj -MemberType NoteProperty -Name "Description" -Value $row.Properties.Description.StringValue.replace("`n","").replace("`r","") $total = $results.Add($obj) } Write-Host $total 'rows exported to csv output file (' $csv_output_file ')' P A G E | 024 Microsoft Antimalware for Azure Cloud Services and Virtual Machines STEP#4: Export to csv $results | Export-Csv -path $csv_output_file -NoTypeInformation } else { Write-Host 'No data found in storage account' } P A G E | 025 Microsoft Antimalware for Azure Cloud Services and Virtual Machines 12 References and Further Reading The following resources are available to provide more general information about Microsoft Azure and related Microsoft services, as well as specific items referenced in the main text: Microsoft Azure Home – general information and links about Microsoft Azure Microsoft Azure Documentation Center – developer guidance and information o o http://msdn.microsoft.com/en-us/windowsazure/default.aspx Microsoft Azure Trust Center o http://www.microsoft.com/windowsazure/ http://azure.microsoft.com/en-us/support/trust-center/ Microsoft Security Response Center [where Microsoft security vulnerabilities, including issues with Microsoft Azure, can be reported] o http://www.microsoft.com/security/msrc/default.aspx o Or via email to secure@microsoft.com. Microsoft Azure PowerShell SDK tools and SDK releases o https://github.com/Azure/azure-sdk-tools#get-started o https://github.com/Azure/azure-sdk-tools/releases Recommended File and Folder Exclusions o Microsoft Antimalware Event Information o http://support.microsoft.com/kb/943556 http://technet.microsoft.com/en-us/library/hh144989.aspx Managing Microsoft Antimalware for Azure Virtual Machines via SCCM For those customers licensed and using System Center Endpoint Protection on-premises to manage Microsoft endpoint protection, who want to also extend management to Microsoft Antimalware for Azure Virtual Machines, more information is available here: o http://blogs.technet.com/b/configmgrteam/archive/2013/10/23/configmgr-andendpoint-protection-support-for-windows-azure-vms.aspx covers the overall support. o http://technet.microsoft.com/enus/library/gg682067.aspx#BKMK_EndpointProtectionDeviceSettings has a note on the EP settings The old 2012 MEP CTP preview and associated documentation which follows will be sunset ~one (1) month post availability of this current Microsoft Antimalware for Azure Cloud Services and Virtual Machines Preview: o http://www.microsoft.com/enus/download/details.aspx?id=29209http://blogs.msdn.com/b/windowsazure/archive/201 2/03/26/microsoft-endpoint-protection-for-windows-azure-customer-technologypreview-now-available-for-free-download.aspx P A G E | 026