Microsoft Antimalware for Azure Cloud Services and Virtual Machines

Microsoft Antimalware for
Azure Cloud Services and
Virtual MachinesPREVIEW
Microsoft Antimalware for Azure Cloud Services and Virtual Machines
Abstract
This paper provides an architectural overview of Microsoft Antimalware for Azure, including supported
scenarios and configurations for enabling, configuring and deploying protection for Azure Cloud Services
and Virtual Machines. We will cover basic configuration, management, and monitoring functionality
accessible through Microsoft Azure service management API’s, PowerShell scripts, and the Azure
Management Portal.
NOTE: Certain recommendations contained herein may result in increased data, network, or compute
resource usage resulting in additional license or subscription costs.
Published May 2014
P A G E | 02
Microsoft Antimalware for Azure Cloud Services and Virtual Machines
Acknowledgements
Contributors:

Microsoft Azure Security and Compliance Engineering

Microsoft Malware Protection Engineering

Microsoft Azure Engineering Systems
(c) 2014 Microsoft Corporation. All rights reserved. This document is provided "as-is." Information and views expressed in
this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using
it. Some examples are for illustration only and are fictitious. No real association is intended or inferred.
This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may
copy and use this document for your internal, reference purposes.
P A G E | 03
Microsoft Antimalware for Azure Cloud Services and Virtual Machines
Table of Contents
1
OVERVIEW .............................................................................................................................................. 5
2
ARCHITECTURE ..................................................................................................................................... 6
2.1
MICROSOFT ANTIMALWARE WORKFLOW .......................................................................................................................... 6
2.2
DEFAULT AND CUSTOM ANTIMALWARE CONFIGURATION.................................................................................... 8
ANTIMALWARE DEPLOYMENT SCENARIOS ...........................................................................10
3
3.1
ENABLE AND CONFIGURE ANTIMALWARE FOR AZURE CLOUD SERVICES .................................................................... 10
3.2
GET ANTIMALWARE CONFIGURATION FOR AZURE CLOUD SERVICES .......................................................... 10
3.3
REMOVE ANTIMALWARE CONFIGURATION FOR AZURE CLOUD SERVICES .................................................................. 11
3.4
ENABLE AND CONFIGURE ANTIMALWARE FOR AZURE VIRTUAL MACHINES ......................................................... 11
3.5
ENABLE AND CONFIGURE ANTIMALWARE MONITORING FOR CLOUD SERVICES AND VIRTUAL MACHINES...... 12
4
PROVIDING FEEDBACK ...................................................................................................................12
5
APPENDIX A: MICROSOFT ANTIMALWARE CONFIGURATION XML TEMPLATE ...........................13
6
APPENDIX B: ENABLE AND CONFIGURE MICROSOFT ANTIMALWARE FOR CLOUD SERVICES ..14
7
APPENDIX C: GET MICROSOFT ANTIMALWARE CONFIGURATION FOR CLOUD SERVICES ........16
8
APPENDIX D: REMOVE MICROSOFT ANTIMALWARE CONFIGURATION FOR CLOUD SERVICES
17
9
APPENDIX E: ENABLE AND CONFIGURE ANTIMALWARE FOR VIRTUAL MACHINES IN AZURE
MANAGEMENT PORTAL .................................................................................................................................18
10
APPENDIX F: ENABLE AND CONFIGURE ANTIMALWARE FOR VIRTUAL MACHINES
THROUGH AZURE POWERSHELL ...................................................................................................................19
11
APPENDIX G: ENABLE AND CONFIGURE ANTIMALWARE MONITORING FOR VIRTUAL
MACHINES ........................................................................................................................................................22
12
REFERENCES AND FURTHER READING ............................................................................................26
P A G E | 04
Microsoft Antimalware for Azure Cloud Services and Virtual Machines
1 Overview
The modern threat landscape for cloud environments is extremely dynamic, increasing the pressure on
business IT cloud subscribers to maintain effective protection in order to meet compliance and security
requirements. Microsoft Antimalware for Azure Cloud Services and Virtual Machines is a real-time
protection capability that helps identify and remove viruses, spyware, and other malicious software, with
configurable alerts when known malicious or unwanted software attempts to install itself or run on your
system.
The solution is built on the same antimalware platform as Microsoft Security Essentials [MSE], Microsoft
Forefront Endpoint Protection, Microsoft System Center Endpoint Protection, Windows Intune, and
Windows Defender for Windows 8.0 and higher. Microsoft Antimalware for Azure is a single-agent
solution for applications and tenant environments, designed to run in the background without human
intervention. You can deploy protection based on the needs of your application workloads, with either
basic secure-by-default or advanced custom configuration, including antimalware monitoring.
When you deploy and enable the Microsoft antimalware solution for your Azure applications, the
following core features are available:
Real-time protection - monitors activity in Cloud Services and on Virtual Machines to detect and block
malware execution.
Scheduled scanning - periodically performs targeted scanning to detect malware, including actively
running programs.
Malware remediation - automatically takes action on detected malware, such as deleting or quarantining
malicious files and cleaning up malicious registry entries.
Signature updates - automatically installs the latest protection signatures (virus definitions) to ensure
protection is up-to-date on a pre-determined frequency.
Antimalware Engine updates – automatically updates the Microsoft Antimalware engine.
Antimalware Platform updates – automatically updates the Microsoft Antimalware platform.
Active protection - reports telemetry metadata about detected threats and suspicious resources to
Microsoft Azure to ensure rapid response to the evolving threat landscape, as well as enabling real-time
synchronous signature delivery through the Microsoft Active Protection System (MAPS).
Samples reporting - provides and reports samples to the Microsoft Antimalware service to help refine
the service and enable troubleshooting.
Exclusions – allows application and service administrators to configure certain files, processes, and drives
to exclude them from protection and scanning for performance and/or other reasons.
Antimalware monitoring - records the antimalware service health, suspicious activities and remediation
actions taken in the operating system event log and collects them into the customer’s Azure Storage
account. The antimalware monitoring is enabled via the Azure Diagnostics Service extension as an
advanced configuration.
P A G E | 05
Microsoft Antimalware for Azure Cloud Services and Virtual Machines
2 Architecture
The Microsoft Antimalware for Azure Cloud Services and Virtual Machines includes the Microsoft
Antimalware Client and Service, Antimalware Service Management Extension, Antimalware PowerShell
cmdlets and Azure Diagnostics Service Extension. The Microsoft Antimalware solution is supported on
Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 operating system families.
It is not supported on the Windows Server 2008 operating system.
The Microsoft Antimalware Client and Service is installed by default in disabled state in all supported
Azure guest operating system families in the Cloud Services platform.
The Microsoft Antimalware Client and Service is not installed by default in the Virtual Machines platform
and is available as an optional feature through the Azure Management Portal Virtual Machine
configuration page under Security Extensions.
2.1 Microsoft Antimalware Workflow
The Azure Management Portal and Antimalware service management APIs (SMAPI) for both Cloud
Services and Virtual Machines provides a way to configure and enable the Antimalware service for your
Azure applications.
To enable and configure the Microsoft Antimalware service programmatically using SMAPI or PowerShell
cmdlets, the Azure service administrator needs to author the antimalware configuration and execute the
PowerShell, or instrument the target application using SMAPI [refer to the Scenarios section for details].
The antimalware PowerShell cmdlet or service management API call pushes the antimalware extension
package file to the Azure system at a pre-determined fixed location. The Azure guest agent (or the fabric
agent) launches the antimalware extension, applying the antimalware configuration settings supplied as
input. This step will enable the Antimalware service with default or custom antimalware configuration
settings. If no custom configuration is provided, the antimalware service is enabled with the default
configuration settings. The antimalware XML configuration settings template is included in the Appendix
section of this whitepaper, showing the supported antimalware configuration settings.
Once running, the Microsoft Antimalware client downloads the latest protection engine and signature
definitions from the Internet and loads them on the Azure system. The Microsoft Antimalware service
writes service-related events to the system OS events log under the “Microsoft Antimalware” event source.
Events include the antimalware client health state, protection and remediation status, new and old
configuration settings, engine updates and signature definitions, and others. You can enable monitoring
to have the antimalware event log events written as they are produced to the Azure storage account you
specify as an advanced (or custom) configuration option by including the monitoring setting
[<Monitoring>ON] and your application Azure storage account in the antimalware configuration xml
input. The antimalware service uses the Azure Diagnostics Service extension to collect antimalware events
from the Azure system into the customer’s Azure Storage table account.
P A G E | 06
Microsoft Antimalware for Azure Cloud Services and Virtual Machines
The following diagram shows the workflow involved in enabling the antimalware solution for Azure Cloud
Services (Web Role and Worker Role) and Virtual Machines:
Figure 1: Microsoft Antimalware in Azure Workflow - Enable, Configure, and Monitor Microsoft Antimalware
P A G E | 07
Microsoft Antimalware for Azure Cloud Services and Virtual Machines
2.2 Default and Custom Antimalware Configuration
The antimalware default configuration settings are used when you enable Microsoft Antimalware for
Azure Virtual Machines through the Azure Management Portal. Similarly, the antimalware default
configuration settings are used when you enable Microsoft Antimalware for Azure cloud services through
the antimalware PowerShell cmdlets. The default configuration settings have been pre-optimized for
running in the Microsoft Azure environment. Optionally, you can customize these settings as required for
your Azure application or service deployment.
The following table summarizes the settings available to configure for the antimalware service. The default
configuration settings are marked under the Default column below.
Setting
Options
Default
Description
AntimalwareEnabled
true
None
true - Enables Microsoft Antimalware
false
Exclusions Extensions
extension1,
extension2,
false – not supported
None
…
…
Exclusions Paths
path1,
List of file extensions to exclude from
scanning. Example:
gif, log, txt would exclude files with the .gif,
.log, or .txt extension from being scanned.
Each excluded file extension should be added
as a separate row element value in your
antimalwareconfig.XML
None
path2
…
…
List of paths to files or folders to exclude from
scanning. Example: e:\approot\worker.dll,
e:\approot\temp would exclude the file
worker.dll in the e:\approot folder and
anything under the folder e:\approot\temp
from being scanned.
Each excluded path should be added as a
separate row element value in your
antimalwareconfig.XML
Exclusions Processes
process1,
process2,
…
…
None
List of process exclusions. Any file opened by
an excluded process will not be scanned (the
process itself will still be scanned – to exclude
the process itself, use the ExcludedPaths
configuration). Example: C:\Program
Files\MyApp.exe would exclude any files
opened by MyApp.exe from being scanned.
Each excluded process should be added as a
separate row element value in your
antimalwareconfig.XML
P A G E | 08
Microsoft Antimalware for Azure Cloud Services and Virtual Machines
Monitoring
ON
None
(Antimalware
monitoring)
OFF
StorageAccountName
Name of the
Storage
Account
None
Storage account name for your Azure store
table to capture antimalware health and
related events information
RealtimeProtectionEnabl
ed
true
true
true – Enables real-time protection
ScheduledScanSettings
isEnabled
true
ScheduledScanSettings
Day
0–8
OFF – Disable antimalware monitoring by
removing antimalware monitoring config if it
was previously turned ON
false
false – disables real-time protection
None
Enables or disables a periodic scan for active
malware on the system
7
0 – scan daily, 1 – Sunday, 2 – Monday, 3Tuesday…, 7 – Saturday
false
(DayForWeeklySchedule
dScans)
ScheduledScanSettings
Time
ON - Enable antimalware monitoring using
Azure diagnostics v1.1
Default = 7 if only ScheduledScanSettings
isEnabled is true
0 – 1440
120
(TimeForWeeklySchedul
edScans)
Hour at which to begin the scheduled scan.
Measured in 60 minute increments from
midnight
60 mins – 1:00 AM
120 mins – 2:00 AM
…
1380 mins – 11:00 PM
Default = 120 mins if ScheduledScanSettings
isEnabled is true
scanType
Quick/Full
Quick
Default = Quick if ScheduledScanSettings
isEnabled is true
P A G E | 09
Microsoft Antimalware for Azure Cloud Services and Virtual Machines
3 Antimalware Deployment Scenarios
The scenarios to enable and configure antimalware, including monitoring for Azure Cloud Services and
Virtual Machines, are discussed in this section.
3.1 Enable and Configure Antimalware for Azure Cloud Services
An Azure application or service can enable and configure Microsoft Antimalware for Azure Cloud Services
using the PowerShell cmdlets available in Azure-sdk-tools (refer to the Resources section for more
information). Note, that Microsoft Antimalware is installed in a disabled state in the cloud services
platform and requires an action by an Azure application to enable it. The PowerShell cmdlet to enable and
configure Microsoft Antimalware is:
Set-AzureServiceAntimalwareExtension [-ServiceName] <string> [[-Slot] <string>] [[-Role]
<string>] [-AntimalwareConfiguration] <XMLDocument> [[-Monitoring] <string>] [[StorageAccountName] <string>] [[-EndpointSuffix] <Storage Endpoint Suffix>]
This cmdlet requires antimalware XML configuration as input. Optionally, the cmdlet accepts parameters
that can override and supplement values in the antimalware XML config, such as storage account details.
See the Appendix examples for more details.
You can use Set-AzureServiceAntimalwareExtension PowerShell cmdlet to update the antimalware service
configuration settings (updated XMl config) to your Azure application or service that is already running
and or deployed in Azure, and the antimalware configuration settings will update automatically.
3.2 Get Antimalware Configuration for Azure Cloud Services
The Azure application or service can retrieve the Microsoft Antimalware configuration for Cloud Services
using the PowerShell cmdlets available in Azure-sdk-tools (refer to the Resources section for more
information) as follows:
Get-AzureServiceAntimalwareConfig [-ServiceName] <string> [[-Slot] <string>]
This cmdlet gets the antimalware and monitoring configuration details associated with the extension for
the specified service name. See the examples in the Appendix for more details.
P A G E | 010
Microsoft Antimalware for Azure Cloud Services and Virtual Machines
3.3 Remove Antimalware Configuration for Azure Cloud Services
The Azure application or service can remove the antimalware configuration and any associated
antimalware monitoring from the relevant antimalware and Azure diagnostics service extensions
associated with the specified cloud service name using the below antimalware PowerShell cmdlets
available in Azure-sdk-tools (refer to Resources section for more information). The PowerShell cmdlet to
remove the Microsoft Antimalware configuration and antimalware monitoring configuration is:
Remove-AzureServiceAntimalwareExtension [-ServiceName] <string> [[-Slot] <string>] [[-Role]
<string[]>] [[-EndpointSuffix] <string>]
See the Appendix examples for more details.
3.4 Enable and Configure Antimalware for Azure Virtual Machines
The Azure application or service can enable and configure Microsoft antimalware for Azure Virtual
Machines using the Azure Management Portal UX or Azure service management PowerShell cmdlets
available in Azure-sdk-tools (refer to Resources section for more information).
The steps to enable and configure Microsoft Antimalware using the Azure Management Portal with
default antimalware configuration settings are shown in the Appendix.
The Azure PowerShell cmdlet to enable and configure Microsoft Antimalware for Azure Virtual Machines
is:
(Get-AzureVM [[-ServiceName] <String>] [[-Name] <String>]) | Set-AzureVMExtension [ExtensionName <string>] [-Publisher <string>] [-PublicConfigFile <string>] [-Version <string>] |
Update-AzureVM
This cmdlet requires antimalware XML configuration as input to the PublicConfigFile parameter. If the
antimalware XML configuration is not specified, the Microsoft antimalware service is enabled with default
configuration settings.
See Appendix examples for more details.
You can use the above cmdlet example to update the antimalware service configuration settings (updated
XMl config) to your Azure application or service that is already running and or deployed in Azure and the
antimalware configuration settings will update automatically.
P A G E | 011
Microsoft Antimalware for Azure Cloud Services and Virtual Machines
3.5 Enable and Configure Antimalware Monitoring for Cloud Services
and Virtual Machines
Antimalware monitoring is enabled by specifying the following settings in the antimalware configuration
XML
<Monitoring>ON</Monitoring>
<StorageAccountName>INPUT STORAGE ACCOUNT HERE</StorageAccountName>
Antimalware Monitoring is also turned ON by specifying the Monitoring parameter value as “ON” in the
Set-AzureServiceAntimalwareExtension PowerShell cmdlet call.
To enable antimalware monitoring for Azure Virtual Machines, refer to the examples in the Appendix.
4 Providing Feedback
The goal of the Microsoft Antimalware for Azure Cloud Services and Virtual Machines technology preview
version, is to give you a chance to evaluate the solution to provide antimalware protection to your Azure
applications and provide feedback. We want to hear from you! You can use the Security for Azure MSDN
forum to post questions, suggestions, or issues you have with Microsoft Antimalware for Azure Cloud
Services and Virtual Machines.
P A G E | 012
Microsoft Antimalware for Azure Cloud Services and Virtual Machines
5 Appendix A: Microsoft Antimalware Configuration XML Template
NOTE – The following antimalware configuration template settings must be adjusted for your Azure cloud
service and Virtual Machines. Only supported antimalware configuration settings are allowed.
<?XML version="1.0" encoding="utf-8"?>
<AntimalwareConfig>
<!-AntimalwareEnabled: true/false. Note - This is a required parameter:
Values: true = Enable. false = Error out as false is not a supported value.
Note: true/false values are case sensitive and must be lowercase -->
<AntimalwareEnabled></AntimalwareEnabled>
<!--
RealtimeProtectionEnabled: true/false. Default is true.
Values: true = Enable. false = Disable.
Note: true/false values are case sensitive and must be lowercase-->
<RealtimeProtectionEnabled></RealtimeProtectionEnabled>
<!--
ScheduledScanSettings: By Default, ScheduledScan is Disabled
Values: isEnabled="true/false" Note: true/false values are case sensitive and
must be lowercase
day="0-8" [0-daily, 1-Sunday, 2-Monday, ...., 7-Saturday, 8-Disabled]
time="0-1440" (measured in minutes after midnight)
scanType="Quick/Full" (Default is Quick - values are case sensitive and first
letter must be uppercase).
If isEnabled="true" is the only setting provided, the following defaults are set
- day="7" (Saturday), time="120" (2 AM), scanType="Quick" -->
<ScheduledScanSettings isEnabled="" day="" time="" scanType="" />
<!-Exclusions: If no Exclusions are specified below, then the existing exclusions,
if any, are overwritten by blank on the system. By Default, there are NO Exclusions -->
<Exclusions>
<Extensions>
<!-- Specify Extension exclusions as .txt, .log etc. Each excluded file extension should
be added as a separate row element value-->
<Extension></Extension>
</Extensions>
<Paths>
<!-- Specify Path exclusions as E:\, F:\ etc. Each excluded path should be added as a
separate row element value -->
<Path></Path>
</Paths>
<Processes>
<!-- Specify Process exclusions as foo.exe etc. Each excluded path should be added as a
separate row element value -->
<Process></Process>
</Processes>
</Exclusions>
<!-Monitoring: ON/OFF. Antimalware monitoring can be specified here or as a cmdlet
parameter to the antimalware PowerShell cmdlet if you wish to enable antimalware
monitoring. By default, monitoring is OFF
Values: ON = Antimalware monitoring is turned ON to collect events into user
storage. OFF = Antimalware monitoring is turned OFF & events are not collected -->
<Monitoring></Monitoring>
<!-Storage account name must be specified here or as a cmdlet parameter to the
antimalware PowerShell cmdlet to enable antimalware monitoring-->
<StorageAccountName></StorageAccountName>
</AntimalwareConfig>
P A G E | 013
Microsoft Antimalware for Azure Cloud Services and Virtual Machines
6 Appendix B: Enable and Configure Microsoft Antimalware for
Cloud Services
-------------------------- EXAMPLE 1 -------------------------STEP #0: Prerequisite step before using the Azure SDK PowerShell cmdlets
Download a file which contains the publish settings information of your subscription. This will open a
browser window and ask you to log in to get the file.
Get-AzurePublishSettingsFile
Import the file you downloaded and save it to a secure location. Notice that the file contains the
credential of your subscription. You don't want to make it public; protect it securely.
Import-AzurePublishSettingsFile "<file location>"
Import-Module 'INPUT Azure SDK Install Path Location'
For example: Azure SDK Install path could be 'C:\Program Files (x86)\Microsoft SDKs\Windows
Azure\PowerShell\ServiceManagement\Azure\Azure.psd1'
If the Install path of the Azure SDK changes in future releases, update the path accordingly in the ImportModule.
STEP #1: Load your application Microsoft antimalware configuration XML (created in Appendix A).
$service_name = "INPUT YOUR Cloud Service Name"
$config_file_path = “INPUT YOUR Antimalware Config File Path”
C:\PS>[System.Xml.XmlDocument] $xml_config = new-object System.Xml.XmlDocument;
$xml_config.load($config_file_path) System.Xml.XmlDocument
STEP #2:
Enable Microsoft Antimalware in the default production slot with pre-loaded xml configuration from
Appendix A.
P A G E | 014
Microsoft Antimalware for Azure Cloud Services and Virtual Machines
C:\PS>Set-AzureServiceAntimalwareExtension -ServiceName $service_name AntimalwareConfiguration $xml_config
You will see an “Operation succeeded” message in your PowerShell console output. You can also review
the execution log on the system located at “C:\Logs\Plugins\Microsoft.Azure.Security.PaaSAntimalware\”
in the AntimalwareExtensionCfg.txt or CommandExecution.txt log files.
-------------------------- EXAMPLE 2 --------------------------
Enable Microsoft Antimalware in the staging slot with the pre-loaded configuration in example #1.
$service_name = "INPUT YOUR Cloud Service Name"
C:\PS>Set-AzureServiceAntimalwareExtension -ServiceName $service_name -Slot "staging"
AntimalwareConfiguration $xml_config
You will see an “Operation succeeded” message in your PowerShell console output. You can also review
the AntimalwareExtensionCfg.txt or CommandExecution.txt log files on the system located at
“C:\Logs\Plugins\Microsoft.Azure.Security.PaaSAntimalware\”.
-------------------------- EXAMPLE 3 --------------------------
Enable Microsoft Antimalware in the default production slot with the pre-loaded configuration in example
#1, explicitly specifying monitoring and storage account name as cmdlet parameters (parameters
specified here will override any corresponding values for these parameters that were specified within the
antimalware XML configuration).
$service_name = "INPUT YOUR Cloud Service Name"
$storage_account_name = “INPUT YOUR Storage Account Name Here”
C:\PS>Set-AzureServiceAntimalwareExtension -ServiceName $service_name -Slot $slot AntimalwareConfiguration $xml_config -Monitoring ON -StorageAccountName
$storage_account_name
P A G E | 015
Microsoft Antimalware for Azure Cloud Services and Virtual Machines
7 Appendix C: Get Microsoft Antimalware Configuration for Cloud
Services
-------------------------- EXAMPLE 1 --------------------------
This command will return the antimalware configuration object for the specified service name in the
default production slot. A monitoring configuration object will also be returned if monitoring was
enabled.
$service_name = “INPUT YOUR Cloud Service Name”
C:\PS>Get-AzureServiceAntimalwareConfig -ServiceName $service_name
-------------------------- EXAMPLE 2 --------------------------
This command will return the antimalware configuration object for the specified service name in the
staging slot. A monitoring configuration object will also be returned if monitoring was enabled.
$service_name = “INPUT YOUR Cloud Service Name”
C:\PS>Get-AzureServiceAntimalwareConfig -ServiceName $service_name -Slot Staging
P A G E | 016
Microsoft Antimalware for Azure Cloud Services and Virtual Machines
8 Appendix D: Remove Microsoft Antimalware Configuration for
Cloud Services
-------------------------- EXAMPLE 1 --------------------------
Removes the antimalware extension and monitoring of associated antimalware events from
the specified service name.
$service_name = “INPUT YOUR Cloud Service Name”
C:\PS>Remove-AzureServiceAntimalwareExtension -ServiceName $service_name
-------------------------- EXAMPLE 2 --------------------------
Removes the antimalware extension and monitoring of associated antimalware events from
all roles in the staging slot of the specified service name.
$service_name = “INPUT YOUR Cloud Service Name”
C:\PS>Remove-AzureServiceAntimalwareExtension -ServiceName $service_name -Slot Staging
-------------------------- EXAMPLE 3 --------------------------
Removes the antimalware extension and monitoring of associated antimalware events from
the specified service name in the corresponding slot and role.
$service_name = “INPUT YOUR Cloud Service Name”
$role = “INPUT YOUR Cloud Service Role Name”
C:\PS>Remove-AzureServiceAntimalwareExtension -ServiceName $service_name -Slot $slot -Role
$role
P A G E | 017
Microsoft Antimalware for Azure Cloud Services and Virtual Machines
9 Appendix E: Enable and Configure Antimalware for Virtual
Machines in the Azure Management Portal
1) Click +New on the Virtual Machines in the Azure Management Portal, select Virtual Machine,
select From Gallery.
2) Select the Microsoft Windows Server image from the image gallery and input the Virtual Machine
configuration [page 2 and page 3].
3) Check the Microsoft Antimalware checkbox under Security Extensions on the Virtual Machine
configuration page [page 4] and submit.
4) Click the submit button to enable and configure Microsoft Antimalware for Azure Virtual
Machines with default configuration settings.
P A G E | 018
Microsoft Antimalware for Azure Cloud Services and Virtual Machines
10 Appendix F: Enable and Configure Antimalware for Virtual
Machines through Azure PowerShell
-------------------------- EXAMPLE 1 --------------------------
STEP #0: Prerequisite step before using the Azure SDK PowerShell cmdlets
Download the file which contains the publish settings information of your subscription. This will open a
browser window and ask you to log in to get the file.
Get-AzurePublishSettingsFile
Import the file you downloaded and save it to a secure location. Notice that the file contains the
credential of your subscription. You don't want to make it public; protect it securely.
Import-AzurePublishSettingsFile "<file location>"
Import-Module 'INPUT Azure SDK Install Path Location'
For example: Azure SDK Install path could be 'C:\Program Files (x86)\Microsoft SDKs\Windows
Azure\PowerShell\ServiceManagement\Azure\Azure.psd1'
If the Install path of the Azure SDK changes in future releases, update the path accordingly in the ImportModule.
STEP #1: Enable Microsoft Antimalware for Virtual Machines with your application custom/advanced
antimalware configuration:
$ms_antimalware_extension_name = "IaaSAntimalware"
$ms_antimalware_publisher_name = "Microsoft.Azure.Security"
$ms_antimalware_version = ‘1.0’
$ms_antimalware_xml_config = Get-Content “INPUT YOUR Antimalware Config File Path”
$ms_antimalware_b64_config =
[System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($ms_antimalware_xml_con
fig))
P A G E | 019
Microsoft Antimalware for Azure Cloud Services and Virtual Machines
$ms_antimalware_public_config =
[string]::Format("{{""xmlCfg"":""{0}""}}",$ms_antimalware_b64_config)
(Get-AzureVM -ServiceName $service_name -Name $service_name) | Set-AzureVMExtension ExtensionName $ms_antimalware_extension_name -Publisher $ms_antimalware_publisher_name PublicConfiguration $ms_antimalware_public_config -Version $ms_antimalware_version | UpdateAzureVM
You will see “Operation succeeded” message in your PowerShell console output. You can also review the
CommandExecution.txt log files on the system located at:
“C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.Security.IaaSAntimalware”
NOTE: As the Microsoft Antimalware extension for Virtual Machines is updated with new version in the
Azure system, you can execute the following Azure PowerShell cmdlet to retrieve the latest version of the
Microsoft Antimalware extension for Virtual Machines:
$ms_antimalware_extension_name = "IaaSAntimalware"
$ms_antimalware_publisher_name = "Microsoft.Azure.Security"
Get-AzureVMAvailableExtension -Publisher $ms_antimalware_publisher_name -ExtensionName
$ms_antimalware_extension_name
P A G E | 020
Microsoft Antimalware for Azure Cloud Services and Virtual Machines
-------------------------- EXAMPLE 2 --------------------------
Enable Microsoft Antimalware for Virtual Machines with the default antimalware configuration
$ms_antimalware_extension_name = "IaaSAntimalware"
$ms_antimalware_publisher_name = "Microsoft.Azure.Security"
$ms_antimalware_version = ‘1.0’
(Get-AzureVM -ServiceName $service_name -Name $service_name) | Set-AzureVMExtension ExtensionName $ms_antimalware_extension_name -Publisher $ms_antimalware_publisher_name Version $ms_antimalware_version | Update-AzureVM
You will see “Operation succeeded” message in your PowerShell console output. You can also review the
CommandExecution.txt log on the system located at:
“C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.Security.IaaSAntimalware”
NOTE: As the Microsoft Antimalware extension for Virtual Machines is updated with the new version in
the Azure system, you can execute the following Azure PowerShell cmdlet to retrieve the latest version of
the Microsoft Antimalware extension for Virtual Machines:
$ms_antimalware_extension_name = "IaaSAntimalware"
$ms_antimalware_publisher_name = "Microsoft.Azure.Security"
Get-AzureVMAvailableExtension -Publisher $ms_antimalware_publisher_name -ExtensionName
$ms_antimalware_extension_name
P A G E | 021
Microsoft Antimalware for Azure Cloud Services and Virtual Machines
11 Appendix G: Enable and Configure Antimalware monitoring for
Virtual Machines
-------------------------- EXAMPLE 1 --------------------------
Enable Microsoft Antimalware monitoring for Virtual Machines using Azure Diagnostics through Azure
PowerShell cmdlets. For antimalware events, the Azure Diagnostics extension is configured below to
capture events from the System event log source “Microsoft Antimalware” to your Azure storage account.
The antimalware event categories “Error”, “Warning”, “Informational” etc. are captured in your Azure
storage.
You can view the raw events by looking at the WADWindowsEventLogsTable table in your Azure storage
account you configured to use to enable antimalware monitoring using Azure Diagnostics. This can be
useful to validate that antimalware event collection is working. Example #2 below shows how to extract
the antimalware events from your Azure storage account.
STEP 1: #Construct Azure Diagnostics public config and convert to config format
$wad_xml_config = "<WadCfg><DiagnosticMonitorConfiguration><WindowsEventLog
scheduledTransferPeriod=""PT1M""><DataSource
name=""System!*[System[Provider[@Name='Microsoft Antimalware']]]""
/></WindowsEventLog></DiagnosticMonitorConfiguration></WadCfg>"
$wad_b64_config =
[System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($wad_xml_config))
$wad_public_config = [string]::Format("{{""xmlCfg"":""{0}""}}",$wad_b64_config)
STEP 2: #Construct Azure diagnostics private config
$wad_storage_account_name = "STORAGE Account NAME Here"
$wad_storage_account_key = (Get-AzureStorageKey $wad_storage_account_name).Primary
$wad_private_config =
[string]::Format("{{""storageAccountName"":""{0}"",""storageAccountKey"":""{1}""}}",$wad_storage_
account_name,$wad_storage_account_key)
STEP 3: #Enable Antimalware monitoring for Virtual Machines
$service_name = "VM-NAME-HERE"
$wad_extension_name = "IaaSDiagnostics"
$wad_publisher = "Microsoft.Azure.Diagnostics"
P A G E | 022
Microsoft Antimalware for Azure Cloud Services and Virtual Machines
$wad_version = 1.1
(Get-AzureVM -ServiceName $service_name -Name $service_name) | Set-AzureVMExtension ExtensionName $wad_extension_name -Publisher $wad_publisher -PublicConfiguration
$wad_public_config -PrivateConfiguration $wad_private_config -Version $wad_version | UpdateAzureVM
NOTE: As the Azure Diagnostics extension for Virtual Machines is updated with the new version in
the Azure system, you can execute the following Azure PowerShell cmdlet to retrieve the latest
version of the Azure Diagnostics extension for Virtual Machines:
$wad_extension_name = "IaaSDiagnostics"
$wad_publisher = "Microsoft.Azure.Diagnostics"
Get-AzureVMAvailableExtension -Publisher $wad_publisher -ExtensionName
$wad_extension_name
-------------------------- EXAMPLE 2 --------------------------
Extract Microsoft Antimalware monitoring health and other event information from your Azure storage
through Azure PowerShell cmdlets in a file. This data information can be sent to your IT Enterprise System
for reporting and/or alerting and or notification.
STEP #1: Provide storage account name belonging to the currently default subscription
$storage_account_name = “INPUT YOUR Storage Account Name Here”
STEP #2: Set this as the current storage account for the current subscription
$subscription_name = (Get-AzureSubscription -Default).SubscriptionName
Set-AzureSubscription -SubscriptionName $subscription_name -CurrentStorageAccountName
$storage_account_name
P A G E | 023
Microsoft Antimalware for Azure Cloud Services and Virtual Machines
STEP #3: Look for the antimalware event log data in the storage account
$tableName = (Get-AzureStorageTable -Prefix "WADWindowsEventLogs").Name;
if ($tableName)
{
$stg = Get-AzureStorageAccount -StorageAccountName $storage_account_name
$cloudTableClient = $stg.CreateCloudTableClient()
$cloudTableData = $cloudTableClient.GetTableReference($tableName)
$query = New-Object Microsoft.WindowsAzure.Storage.Table.TableQuery
$response = $cloudTableData.ExecuteQuery($query)
STEP #4: Extract out the relevant information
$results = New-Object System.Collections.ArrayList
foreach ($row in $response)
{
$obj = new-object psobject
Add-Member -InputObject $obj -MemberType NoteProperty -Name "Timestamp" -Value
$row.Properties.TIMESTAMP.PropertyAsObject.ToOADate()
Add-Member -InputObject $obj -MemberType NoteProperty -Name "EventId" -Value
$row.Properties.EventId.Int32Value
Add-Member -InputObject $obj -MemberType NoteProperty -Name "Role" -Value
$row.Properties.Role.StringValue
Add-Member -InputObject $obj -MemberType NoteProperty -Name "RoleInstance" -Value
$row.Properties.RoleInstance.StringValue
Add-Member -InputObject $obj -MemberType NoteProperty -Name "Description" -Value
$row.Properties.Description.StringValue.replace("`n","").replace("`r","")
$total = $results.Add($obj)
}
Write-Host $total 'rows exported to csv output file (' $csv_output_file ')'
P A G E | 024
Microsoft Antimalware for Azure Cloud Services and Virtual Machines
STEP#4: Export to csv
$results | Export-Csv -path $csv_output_file -NoTypeInformation
}
else
{
Write-Host 'No data found in storage account'
}
P A G E | 025
Microsoft Antimalware for Azure Cloud Services and Virtual Machines
12 References and Further Reading
The following resources are available to provide more general information about Microsoft Azure and
related Microsoft services, as well as specific items referenced in the main text:

Microsoft Azure Home – general information and links about Microsoft Azure

Microsoft Azure Documentation Center – developer guidance and information
o
o

http://msdn.microsoft.com/en-us/windowsazure/default.aspx
Microsoft Azure Trust Center
o

http://www.microsoft.com/windowsazure/
http://azure.microsoft.com/en-us/support/trust-center/
Microsoft Security Response Center [where Microsoft security vulnerabilities, including issues with
Microsoft Azure, can be reported]


o
http://www.microsoft.com/security/msrc/default.aspx
o
Or via email to secure@microsoft.com.
Microsoft Azure PowerShell SDK tools and SDK releases
o
https://github.com/Azure/azure-sdk-tools#get-started
o
https://github.com/Azure/azure-sdk-tools/releases
Recommended File and Folder Exclusions
o

Microsoft Antimalware Event Information
o

http://support.microsoft.com/kb/943556
http://technet.microsoft.com/en-us/library/hh144989.aspx
Managing Microsoft Antimalware for Azure Virtual Machines via SCCM
For those customers licensed and using System Center Endpoint Protection on-premises to
manage Microsoft endpoint protection, who want to also extend management to Microsoft
Antimalware for Azure Virtual Machines, more information is available here:
o
http://blogs.technet.com/b/configmgrteam/archive/2013/10/23/configmgr-andendpoint-protection-support-for-windows-azure-vms.aspx covers the overall support.
o
http://technet.microsoft.com/enus/library/gg682067.aspx#BKMK_EndpointProtectionDeviceSettings has a note on the EP
settings

The old 2012 MEP CTP preview and associated documentation which follows will be sunset ~one
(1) month post availability of this current Microsoft Antimalware for Azure Cloud Services and
Virtual Machines Preview:
o
http://www.microsoft.com/enus/download/details.aspx?id=29209http://blogs.msdn.com/b/windowsazure/archive/201
2/03/26/microsoft-endpoint-protection-for-windows-azure-customer-technologypreview-now-available-for-free-download.aspx
P A G E | 026