Azure VM Antimalware Extension Management

Azure VM Antimalware Extension management has always been a tricky subject. You can easily enable the Microsoft Antimalware Extension from the Azure Portal when creating the Azure VM, or later from the Extensions blade, but after that, managing the extension is somewhat tricky. There is no way to manage the Microsoft Antimalware exclusion list and auto-scan settings from the portal or from inside the VM, and even in PowerShell there is no single command that manages the Microsoft Antimalware settings.

It goes without saying that all VMs must have an Endpoint Protection solution, and Azure lets you add one to any Azure VM. Microsoft Antimalware for Azure Virtual Machines is a real-time protection capability that helps identify and remove viruses, spyware, and other malicious software, with configurable alerts when known malicious or unwanted software attempts to install itself or run on your system, and it is free of charge. For third-party extensions you need to supply your own license key.

For Windows Server VMs up to version 2012 R2, the extension installs the System Center Endpoint Protection client and applies the configuration policies. Windows Server 2016 and later have Windows Defender built in, so the extension only applies the configuration.

Below we walk through how to deploy and manage the Microsoft Antimalware Extension using the Azure Portal (single VM), using Azure Security Center (multiple VMs), and using PowerShell for a single VM and for multiple VMs filtered by Resource Group or by Tags.

Deploy the Microsoft Antimalware Extension

Using the Azure Portal for single VM deployment

Go to the Azure VM’s blade, navigate to the Extensions section and press Add.

Select the Microsoft Antimalware extension and press Create.

Fill in the “Install extension” form as desired and press OK. Here we can set the exclusions and the scan type and schedule.

Using the Azure Security Center for multi VM deployment

Go to Azure Security Center, navigate to “Compute & Apps” and click “Install endpoint protection solution on virtual machines”.

Azure Security Center checks which VMs do not have Endpoint Protection and selects them all. Press “Install on # VMs” to select the extension.

Select “Microsoft Antimalware” and press Create.

Fill in the “Install extension” form as desired and press OK. Here we can set the exclusions and the scan type and schedule.

Using PowerShell for single and multi VM deployments

Single VM

Declare the variables

$ResourceGroupName = "devrg"
$VMName = "devrgvm"
$Location = "West Europe"
$PublisherName = "Microsoft.Azure.Security"
$Type = "IaaSAntimalware"

Get the latest major version

#view all available versions of the extension for the West Europe location
Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type | fl Version
#view the latest major version (first three characters of the newest version string, e.g. "1.5")
((Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version[-1][0..2] -join '')
#store the latest major version in a variable called "amversion"
$amversion = ((Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version[-1][0..2] -join '')

Set the Microsoft Antimalware Settings, exclusions and schedules

$amsettings = @'
{
    "AntimalwareEnabled": true,
    "RealtimeProtectionEnabled": true,
    "ScheduledScanSettings": {
        "isEnabled": true,
        "day": 7,
        "time": 120,
        "scanType": "Quick"
    },
    "Exclusions": {
        "Extensions": ".log;.ldf",
        "Paths": "D:\\IISlogs;D:\\DatabaseLogs",
        "Processes": "mssence.svc"
    }
}
'@

Enable the Microsoft Antimalware Extension on one Azure VM

Set-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $Location -TypeHandlerVersion $amversion

The whole script

Login-AzAccount
#variables
$ResourceGroupName = "devrg"
$VMName = "devrgvm"
$Location = "West Europe"
$PublisherName = "Microsoft.Azure.Security"
$Type = "IaaSAntimalware"
#Get the latest major version
$amversion = ((Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version[-1][0..2] -join '')
#Antimalware extension settings, exclusions and schedules
$amsettings = @'
{
    "AntimalwareEnabled": true,
    "RealtimeProtectionEnabled": true,
    "ScheduledScanSettings": {
        "isEnabled": true,
        "day": 7,
        "time": 120,
        "scanType": "Quick"
    },
    "Exclusions": {
        "Extensions": ".log;.ldf",
        "Paths": "D:\\IISlogs;D:\\DatabaseLogs",
        "Processes": "mssence.svc"
    }
}
'@
#enable the Microsoft Antimalware Extension with the above settings
Set-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $Location -TypeHandlerVersion $amversion

Multi VM – all VMs in a Resource Group

To deploy the extension to multiple VMs, pipe the VMs into a ForEach-Object loop, like this:

#enable the Microsoft Antimalware Extension with the above settings on all VMs in the Resource Group
Get-AzVM -ResourceGroupName $ResourceGroupName | ForEach-Object {
    Set-AzVMExtension -ResourceGroupName $_.ResourceGroupName -VMName $_.Name -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $_.Location -TypeHandlerVersion $amversion
}

The whole script

Login-AzAccount
#variables (the Resource Group whose VMs get the extension)
$ResourceGroupName = "devrg"
$Location = "West Europe"
$PublisherName = "Microsoft.Azure.Security"
$Type = "IaaSAntimalware"
#Get the latest major version
$amversion = ((Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version[-1][0..2] -join '')
#Antimalware extension settings, exclusions and schedules
$amsettings = @'
{
    "AntimalwareEnabled": true,
    "RealtimeProtectionEnabled": true,
    "ScheduledScanSettings": {
        "isEnabled": true,
        "day": 7,
        "time": 120,
        "scanType": "Quick"
    },
    "Exclusions": {
        "Extensions": ".log;.ldf",
        "Paths": "D:\\IISlogs;D:\\DatabaseLogs",
        "Processes": "mssence.svc"
    }
}
'@
#enable the Microsoft Antimalware Extension with the above settings on all VMs in the Resource Group
Get-AzVM -ResourceGroupName $ResourceGroupName | ForEach-Object {
    Set-AzVMExtension -ResourceGroupName $_.ResourceGroupName -VMName $_.Name -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $_.Location -TypeHandlerVersion $amversion
}

Using Tags instead of a Resource Group to filter the VMs

Login-AzAccount
#variables (filter by tags)
$tagName = "Service"
$tagValue = "dev"
$Location = "West Europe"
$PublisherName = "Microsoft.Azure.Security"
$Type = "IaaSAntimalware"
#Get the latest major version
$amversion = ((Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version[-1][0..2] -join '')
#Antimalware extension settings, exclusions and schedules
$amsettings = @'
{
    "AntimalwareEnabled": true,
    "RealtimeProtectionEnabled": true,
    "ScheduledScanSettings": {
        "isEnabled": true,
        "day": 7,
        "time": 120,
        "scanType": "Quick"
    },
    "Exclusions": {
        "Extensions": ".log;.ldf",
        "Paths": "D:\\IISlogs;D:\\DatabaseLogs",
        "Processes": "mssence.svc"
    }
}
'@
#enable the Microsoft Antimalware Extension with the above settings on all VMs carrying a specific Tag
#restrict the query to virtual machines: without -ResourceType, Get-AzResource also returns tagged NICs, disks, etc., and Set-AzVMExtension would fail on those
$tagResList = Get-AzResource -TagName $tagName -TagValue $tagValue -ResourceType "Microsoft.Compute/virtualMachines"
foreach($tagRes in $tagResList) {
    Set-AzVMExtension -ResourceGroupName $tagRes.ResourceGroupName -VMName $tagRes.Name -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $tagRes.Location -TypeHandlerVersion $amversion
}

After a successful deployment, in the VM's Extensions blade you will see an IaaSAntimalware extension with the status “Provisioning succeeded”.

Change the settings in an existing deployment

After the first deployment / installation, to change any setting of Windows Defender / Forefront Endpoint Protection, run the same PowerShell script again after changing the required values in the “#Antimalware extension settings, exclusions and schedules” section.
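Two checks worth having around the scripts above, as an added example that is not part of the original post: validating the settings JSON before it reaches Set-AzVMExtension (the extension rejects JSON with curly quotes, a common result of copying from a web page), and auditing every VM in a Resource Group for a missing, failed, or weakened IaaSAntimalware extension. It assumes the Az module is loaded and Connect-AzAccount has been run; "devrg" is the post's sample Resource Group and the function names are my own.

```powershell
# Added example, not from the original post. Assumes the Az module and an
# existing login; "devrg" is the sample Resource Group used in the post.
$ResourceGroupName = "devrg"

# Validate the settings string before handing it to Set-AzVMExtension.
# JSON copied from a web page often carries curly quotes, which the extension
# rejects with "Expecting property name enclosed in double quotes".
function Test-AmSettings {
    param([string]$Json)
    if ($Json -match '[\u201C\u201D\u2018\u2019]') {
        throw "Settings contain curly quotes; use straight double quotes."
    }
    $parsed = $Json | ConvertFrom-Json          # throws on malformed JSON
    if (-not ($parsed.AntimalwareEnabled -and $parsed.RealtimeProtectionEnabled)) {
        throw "AntimalwareEnabled and RealtimeProtectionEnabled must both be true."
    }
    return $parsed
}

# Report the IaaSAntimalware extension state for every VM in the Resource Group,
# so VMs that lack it, failed provisioning, or have real-time protection turned
# off in their applied settings stand out.
function Get-AmExtensionReport {
    param([string]$ResourceGroupName, [string]$ExtensionName = "IaaSAntimalware")
    Get-AzVM -ResourceGroupName $ResourceGroupName | ForEach-Object {
        $ext = Get-AzVMExtension -ResourceGroupName $_.ResourceGroupName `
            -VMName $_.Name -Name $ExtensionName -ErrorAction SilentlyContinue
        $state = "Missing"; $version = $null; $realtime = $false
        if ($ext) {
            $state   = $ext.ProvisioningState
            $version = $ext.TypeHandlerVersion
            if ($ext.PublicSettings) {
                # PublicSettings is the JSON string that was passed as -SettingString
                $realtime = [bool]($ext.PublicSettings | ConvertFrom-Json).RealtimeProtectionEnabled
            }
        }
        [pscustomobject]@{
            VM                = $_.Name
            ProvisioningState = $state
            Version           = $version
            RealtimeEnabled   = $realtime
        }
    }
}

# List only the VMs that need attention.
Get-AmExtensionReport -ResourceGroupName $ResourceGroupName |
    Where-Object { $_.ProvisioningState -ne "Succeeded" -or -not $_.RealtimeEnabled } |
    Format-Table -AutoSize
```

Call Test-AmSettings $amsettings right before Set-AzVMExtension in the deployment scripts; a thrown error there is cheaper than a failed extension provisioning on every VM in the loop.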

Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/iaas-antimalware-windows

4 comments

  1. When following this guide I get the error
    “Expecting property name enclosed in double quotes: line 1 column 2 (char 1)”
    tried different formats on all parameters and different escapes on $amsettings.
    Same error haunts me.
    Any idea why?

  2. Hello Gustav

    I just ran the “The whole script” to enable Antimalware on my devrgvm. There were some typos; I corrected them in the script above.

    Now, after adding all variables, I ran the command successfully:

    PS C:\> Set-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $Location -TypeHandlerVersion $amversion

    RequestId IsSuccessStatusCode StatusCode ReasonPhrase
    --------- ------------------- ---------- ------------
                             True         OK OK

  3. Hi Pantelis Apostolidis,

    We’ve been getting an Azure Security Center alert when deploying Antimalware with exclusions in an ARM template (just following the default exclusions). May I know why these exclusions?
    "Exclusions": {
        "Extensions": ".log;.ldf",
        "Paths": "D:\\IISlogs;D:\\DatabaseLogs",
        "Processes": "mssence.svc"
    }

    1. Hi r0r0z0r0,

      the exclusions I used for the guide are just for reference, just to show how to add exclusions.
      You need to change the exclusions to match your needs.

      e.g. “.log;.ldf” is for Microsoft SQL servers, to exclude the log files.
      “D:\\IISlogs” is for IIS servers, to exclude the log files. etc…