Azure VM Antimalware Extension Management
Azure VM Antimalware Extension Management has always been a tricky subject. You can easily enable the Microsoft Antimalware Extension from the Azure Portal when creating the VM or later from the Extensions blade. After that, managing the extension is somewhat tricky: once it is installed, the exclusion list and the scheduled-scan settings cannot be changed from the portal or from inside the VM. The only way is to push a new settings document to the extension, and even in PowerShell there is no dedicated cmdlet for that; you use the generic Set-AzVMExtension cmdlet with a JSON settings string.
It goes without saying that every VM must have an endpoint protection solution, and Azure provides a way to add one to all Azure VMs. Microsoft Antimalware for Azure Virtual Machines is a real-time protection capability that helps identify and remove viruses, spyware, and other malicious software, with configurable alerts when known malicious or unwanted software attempts to install itself or run on your system, and it is free of charge. It is available for Windows VMs only. Third-party endpoint protection extensions require their own license key.
For Windows Server VMs up to version 2012 R2, the extension installs the System Center Endpoint Protection client and applies the configuration policies. Windows Server 2016 and later have Windows Defender built in, so the extension only applies the configuration.
Below we walk through how to deploy and manage the Microsoft Antimalware Extension using the Azure Portal (single VM), using Azure Security Center (multiple VMs), and using PowerShell for a single VM and for multiple VMs filtered by resource group or by tags.
Deploy the Microsoft Antimalware Extension
Using the Azure Portal for single VM deployment
Go to the Azure VM’s blade, navigate to the Extensions section and press Add.
Select the Microsoft Antimalware extension and press Create
Fill the “Install extension” form as desired and press OK. Here we can set the exclusions and the scan type and schedule.
Using the Azure Security Center for multi VM deployment
Go to the Azure Security Center, navigate to “Compute & Apps” and click “Install endpoint protection solution on virtual machines”
Azure Security Center lists the VMs that do not have endpoint protection and pre-selects them all. Press "Install on # VMs" to choose the extension.
Select “Microsoft Antimalware” and press create
Fill the “Install extension” form as desired and press OK. Here we can set the exclusions and the scan type and schedule.
Using PowerShell for single and multi VM deployments
Single VM
Declare the variables
$ResourceGroupName = "devrg"
$VMName = "devrgvm"
$Location = "West Europe"
$PublisherName = "Microsoft.Azure.Security"
$Type = "IaaSAntimalware"
Get the latest major.minor version
#view all versions for the West Europe location
Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type | fl Version
#pick the highest version by comparing as [version] objects rather than as strings
#(string order and a fixed 3-character slice break as soon as a minor version reaches 10)
$latest = (Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version |
    ForEach-Object { [version]$_ } | Sort-Object | Select-Object -Last 1
#keep only major.minor in a variable called "amversion"; this is the form TypeHandlerVersion expects
$amversion = "$($latest.Major).$($latest.Minor)"
Set the Microsoft Antimalware Settings, exclusions and schedules
#ScheduledScanSettings per the extension docs: "day" 7 = Saturday (0 = daily, 1 = Sunday ... 7 = Saturday, 8 = disabled),
#"time" is minutes after midnight (120 = 02:00). Exclusion lists are semicolon separated; backslashes are doubled because this is JSON.
$amsettings = @'
{
  "AntimalwareEnabled": true,
  "RealtimeProtectionEnabled": true,
  "ScheduledScanSettings": {
    "isEnabled": true,
    "day": 7,
    "time": 120,
    "scanType": "Quick"
  },
  "Exclusions": {
    "Extensions": ".log;.ldf",
    "Paths": "D:\\IISlogs;D:\\DatabaseLogs",
    "Processes": "mssence.svc"
  }
}
'@
Enable the Microsoft Antimalware Extension at one Azure VM
Set-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $Location -TypeHandlerVersion $amversion
The whole script
Login-AzAccount
#variables
$ResourceGroupName = "devrg"
$VMName = "devrgvm"
$Location = "West Europe"
$PublisherName = "Microsoft.Azure.Security"
$Type = "IaaSAntimalware"
#Get the latest major.minor version (compared as [version] objects, not as strings)
$latest = (Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version |
    ForEach-Object { [version]$_ } | Sort-Object | Select-Object -Last 1
$amversion = "$($latest.Major).$($latest.Minor)"
#Antimalware extension settings, exclusions and schedules
#("day" 7 = Saturday, "time" = minutes after midnight, lists are semicolon separated)
$amsettings = @'
{
  "AntimalwareEnabled": true,
  "RealtimeProtectionEnabled": true,
  "ScheduledScanSettings": {
    "isEnabled": true,
    "day": 7,
    "time": 120,
    "scanType": "Quick"
  },
  "Exclusions": {
    "Extensions": ".log;.ldf",
    "Paths": "D:\\IISlogs;D:\\DatabaseLogs",
    "Processes": "mssence.svc"
  }
}
'@
#enable the Microsoft Antimalware Extension with the above settings
Set-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $Location -TypeHandlerVersion $amversion
Multi VM – All VMs in a Resource Group
To deploy the extension to multiple VMs, pipe the VMs into a ForEach-Object loop. The IaaSAntimalware extension is Windows-only, so filter out Linux VMs first or the deployment will fail on them:
#enable the Microsoft Antimalware Extension with the above settings on all Windows VMs in the Resource Group
Get-AzVM -ResourceGroupName $ResourceGroupName |
    Where-Object { $_.StorageProfile.OsDisk.OsType -eq 'Windows' } |
    ForEach-Object {
        Set-AzVMExtension -ResourceGroupName $_.ResourceGroupName -VMName $_.Name -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $_.Location -TypeHandlerVersion $amversion
    }
The whole script
Login-AzAccount
#variables
$ResourceGroupName = "devrg"
$Location = "West Europe"
$PublisherName = "Microsoft.Azure.Security"
$Type = "IaaSAntimalware"
#Get the latest major.minor version (compared as [version] objects, not as strings)
$latest = (Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version |
    ForEach-Object { [version]$_ } | Sort-Object | Select-Object -Last 1
$amversion = "$($latest.Major).$($latest.Minor)"
#Antimalware extension settings, exclusions and schedules
#("day" 7 = Saturday, "time" = minutes after midnight, lists are semicolon separated)
$amsettings = @'
{
  "AntimalwareEnabled": true,
  "RealtimeProtectionEnabled": true,
  "ScheduledScanSettings": {
    "isEnabled": true,
    "day": 7,
    "time": 120,
    "scanType": "Quick"
  },
  "Exclusions": {
    "Extensions": ".log;.ldf",
    "Paths": "D:\\IISlogs;D:\\DatabaseLogs",
    "Processes": "mssence.svc"
  }
}
'@
#enable the Microsoft Antimalware Extension with the above settings on all Windows VMs in the Resource Group
#(the extension is Windows-only, so Linux VMs are skipped)
Get-AzVM -ResourceGroupName $ResourceGroupName |
    Where-Object { $_.StorageProfile.OsDisk.OsType -eq 'Windows' } |
    ForEach-Object {
        Set-AzVMExtension -ResourceGroupName $_.ResourceGroupName -VMName $_.Name -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $_.Location -TypeHandlerVersion $amversion
    }
Using Tags instead of Resource Group to filter the VMs
Login-AzAccount
#variables (filter by tags)
$tagName = "Service"
$tagValue = "dev"
$Location = "West Europe"
$PublisherName = "Microsoft.Azure.Security"
$Type = "IaaSAntimalware"
#Get the latest major.minor version (compared as [version] objects, not as strings)
$latest = (Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version |
    ForEach-Object { [version]$_ } | Sort-Object | Select-Object -Last 1
$amversion = "$($latest.Major).$($latest.Minor)"
#Antimalware extension settings, exclusions and schedules
#("day" 7 = Saturday, "time" = minutes after midnight, lists are semicolon separated)
$amsettings = @'
{
  "AntimalwareEnabled": true,
  "RealtimeProtectionEnabled": true,
  "ScheduledScanSettings": {
    "isEnabled": true,
    "day": 7,
    "time": 120,
    "scanType": "Quick"
  },
  "Exclusions": {
    "Extensions": ".log;.ldf",
    "Paths": "D:\\IISlogs;D:\\DatabaseLogs",
    "Processes": "mssence.svc"
  }
}
'@
#enable the Microsoft Antimalware Extension with the above settings on all Windows VMs carrying a specific tag
#Get-AzResource returns every tagged resource (NICs, disks, ...), so restrict it to virtual machines;
#then skip Linux VMs, because the extension is Windows-only
$tagResList = Get-AzResource -ResourceType "Microsoft.Compute/virtualMachines" -TagName $tagName -TagValue $tagValue
foreach ($tagRes in $tagResList) {
    $vm = Get-AzVM -ResourceGroupName $tagRes.ResourceGroupName -Name $tagRes.Name
    if ($vm.StorageProfile.OsDisk.OsType -ne 'Windows') { continue }
    Set-AzVMExtension -ResourceGroupName $tagRes.ResourceGroupName -VMName $tagRes.Name -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $tagRes.Location -TypeHandlerVersion $amversion
}
After a successful deployment, at the VMs extensions, you will see an IaaS Antimalware extension with status “Provisioning succeeded”
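Checking the portal VM by VM does not scale, so the following is an added example (not code from the original post) that audits the whole subscription from PowerShell: for every Windows VM it reports whether the extension is present, its provisioning state, the handler version, and the exclusions read back from the extension's public settings. It assumes an authenticated Az session (Connect-AzAccount, with Set-AzContext if you have several subscriptions) and the Az.Compute module; the VM names and resource groups are whatever your subscription contains. The extension is matched by publisher and type rather than by name, because a portal or Security Center deployment may not have named it "IaaSAntimalware".

```powershell
# Added example: audit the Microsoft Antimalware extension across all Windows VMs in the current subscription.
$PublisherName = "Microsoft.Azure.Security"
$Type          = "IaaSAntimalware"

function Get-AmExtensionReport {
    # Returns one object per Windows VM with the extension state and the configured exclusions.
    Get-AzVM |
        Where-Object { $_.StorageProfile.OsDisk.OsType -eq 'Windows' } |
        ForEach-Object {
            $vm = $_
            # Match by publisher + extension type, not by the (deployment-chosen) extension name
            $ext = Get-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name |
                Where-Object { $_.Publisher -eq $PublisherName -and $_.ExtensionType -eq $Type } |
                Select-Object -First 1

            if (-not $ext) {
                [pscustomobject]@{
                    ResourceGroup     = $vm.ResourceGroupName
                    VM                = $vm.Name
                    Installed         = $false
                    ProvisioningState = $null
                    Version           = $null
                    RealtimeEnabled   = $null
                    ExcludedPaths     = $null
                    ExcludedProcesses = $null
                }
            }
            else {
                # PublicSettings is the JSON document that was passed via -SettingString at deployment time
                $settings = $ext.PublicSettings | ConvertFrom-Json
                [pscustomobject]@{
                    ResourceGroup     = $vm.ResourceGroupName
                    VM                = $vm.Name
                    Installed         = $true
                    ProvisioningState = $ext.ProvisioningState
                    Version           = $ext.TypeHandlerVersion
                    RealtimeEnabled   = [bool]$settings.RealtimeProtectionEnabled
                    ExcludedPaths     = $settings.Exclusions.Paths
                    ExcludedProcesses = $settings.Exclusions.Processes
                }
            }
        }
}

$report = Get-AmExtensionReport

# VMs that need attention: no extension, a failed deployment, or real-time protection switched off
$report |
    Where-Object { -not $_.Installed -or $_.ProvisioningState -ne 'Succeeded' -or -not $_.RealtimeEnabled } |
    Format-Table ResourceGroup, VM, Installed, ProvisioningState, Version, RealtimeEnabled -AutoSize

# Full exclusion inventory, useful for spotting overly broad exclusions that an attacker could hide under
$report | Where-Object Installed | Format-Table VM, ExcludedPaths, ExcludedProcesses -AutoSize
```

The second table is worth reviewing periodically: an excluded path or process is a blind spot for the scanner, so anything broader than a log directory or a known service binary deserves a second look.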
Change the settings in an existing deployment
After the initial deployment, to change any setting of Windows Defender / System Center Endpoint Protection (exclusions, scan schedule, real-time protection), edit the "#Antimalware extension settings, exclusions and schedules" section and run the same PowerShell script again. Set-AzVMExtension targeting the same extension name updates the existing extension in place. The settings document is replaced as a whole, not merged, so the JSON must contain the complete configuration every time, not just the values you want to change.
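Because the settings are replaced wholesale, the safe way to change one exclusion on a running VM is to read the live configuration back, modify it, and push the whole document again. The following is an added example (not code from the original post) that does exactly that for a path exclusion. It assumes an authenticated Az session; the resource group "devrg", VM "devrgvm" and the path "E:\Backups" are placeholders. It re-applies with the handler version already deployed on the VM, so a settings change does not silently upgrade the extension at the same time.

```powershell
# Added example: add one path exclusion to an already deployed Microsoft Antimalware extension.
$PublisherName = "Microsoft.Azure.Security"
$Type          = "IaaSAntimalware"

function Add-AmPathExclusion {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [string] $Path
    )

    # Locate the deployed extension by publisher + type (the name depends on how it was deployed)
    $ext = Get-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName |
        Where-Object { $_.Publisher -eq $PublisherName -and $_.ExtensionType -eq $Type } |
        Select-Object -First 1
    if (-not $ext) { throw "Microsoft Antimalware extension is not deployed on $VMName" }

    # Read the live settings back; PublicSettings is the JSON string given at deployment
    $settings = $ext.PublicSettings | ConvertFrom-Json

    # Exclusion lists are semicolon-separated strings: split, add, de-duplicate, re-join
    $paths = @()
    if ($settings.Exclusions -and $settings.Exclusions.Paths) {
        $paths = @($settings.Exclusions.Paths -split ';' | Where-Object { $_ })
    }
    if ($paths -contains $Path) {
        Write-Verbose "$Path is already excluded on $VMName; nothing to do"
        return $settings
    }
    $paths += $Path

    if (-not $settings.Exclusions) {
        $settings | Add-Member -NotePropertyName Exclusions -NotePropertyValue ([pscustomobject]@{})
    }
    $settings.Exclusions | Add-Member -NotePropertyName Paths -NotePropertyValue ($paths -join ';') -Force

    # Push the complete document back. Using the VM's current TypeHandlerVersion keeps this a
    # pure settings change; ConvertTo-Json takes care of escaping the backslashes in the paths.
    Set-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -Name $ext.Name `
        -Publisher $PublisherName -ExtensionType $Type -Location $ext.Location `
        -TypeHandlerVersion $ext.TypeHandlerVersion `
        -SettingString ($settings | ConvertTo-Json -Depth 5) | Out-Null

    return $settings
}

# Usage (placeholders): add E:\Backups to the exclusions and show the resulting list
$updated = Add-AmPathExclusion -ResourceGroupName "devrg" -VMName "devrgvm" -Path 'E:\Backups' -Verbose
$updated.Exclusions.Paths
```

Building the document from the read-back object and serialising it with ConvertTo-Json also sidesteps the usual hand-written JSON mistakes (curly quotes from copy-paste, single-quoted keys, unescaped backslashes) that make the extension reject the settings.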
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/iaas-antimalware-windows
Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved in major cloud projects in Greece and abroad, helping companies adopt and deploy cloud technologies and drive business value. He holds many Microsoft Expert certifications, demonstrating his proven experience in delivering high-quality solutions. He is an author and blogger, and he speaks at conferences, workshops and webinars. He is also an active member of several communities and a moderator at azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.
When following this guide I get the error
“Expecting property name enclosed in double quotes: line 1 column 2 (char 1)”
I tried different formats on all parameters and different escapes on $amsettings.
Same error haunts me.
Any idea why?
Hello Gustav
I just ran "The whole script" to enable Antimalware on my devrgvm. There were some typos; I corrected them in the script above.
Now, after adding all variables, I ran the command successfully:
PS C:\> Set-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $Location -TypeHandlerVersion $amversion
RequestId IsSuccessStatusCode StatusCode ReasonPhrase
--------- ------------------- ---------- ------------
                         True         OK OK
Hi Pantelis Apostolidis,
We've been getting an Azure Security Center alert when deploying Antimalware with exclusions in an ARM template (just following the default exclusions). May I know why these exclusions?
"Exclusions": {
  "Extensions": ".log;.ldf",
  "Paths": "D:\\IISlogs;D:\\DatabaseLogs",
  "Processes": "mssence.svc"
}
Hi r0r0z0r0,
the exclusions I used for the guide are just for reference. Just to understand how to add exclusions.
You need to change the exclusions to match your needs.
e.g. ".log;.ldf" is for Microsoft SQL servers, to exclude the log files.
"D:\\IISlogs" is for IIS servers, to exclude the log files, etc.