Anti-Malware Solutions for Microsoft Azure Virtual Machines
Just about every company has a security policy that contains a statement that goes like this, “Every computer running Windows must have anti-virus installed.” We IT pros take that for granted. What about your virtual machines running a Windows guest OS in Azure? Don’t they need the same, if not more, security? In this article, I will discuss your options for deploying anti-malware in Azure virtual machines.
The Need for Anti-Malware
Nimda, Code Red, STUXNET, MS Blaster, Conficker… all send shivers up the spines of IT pros. There are two things we consider to be good practice with Windows computers, be they servers or client devices, virtual or physical:
- Deploy Windows Updates: The primary means to prevent malware infections
- Install anti-malware: A real-time scheduled scanner with clean up functionality
Malware is a real threat, even in the ‘secure’ isolation of the computer room or data center. The old joke about making a computer secure is true: you need to dig a two-meter-deep hole, unplug the computer, throw it in the hole, fill it with rebar concrete, and post a guard with seismic sensors. And then you have a secure, but useless, computer. A usable service is at risk, and therefore we have to take protective measures.
I worked in the hosting business, and once in a while a customer would end up with an infected website (not updating WordPress, maybe) or an infected server (not applying their updates). Since then, a whole new market for malware has evolved. Zero-day attacks are targeting machines that are up to date. Spearphishing, watering hole, and drive-by attacks target unwitting browsers (lesson: never browse the Internet from a server, and you shouldn’t browse with admin rights). The role of anti-malware is shifting toward cleanup as its effectiveness at prevention is reduced by the growing number of zero-day attacks.
Virtual machines in the cloud are just as susceptible to attacks as those in your computer room. In fact, if they have a public presence, then they are more vulnerable. This makes anti-malware even more critical.
Anti-Malware Solutions for Microsoft Azure
Do not assume that your existing anti-malware solution is supported by the vendor on Azure. Likewise, do not assume that you are allowed to transfer existing licenses to Azure, which is known as license mobility in the licensing world.
Azure gives you several different anti-malware options that you can deploy into your virtual machines. Right now, there are four options that you can deploy from Azure into virtual machines using the extension functionality:
- Microsoft Anti-Malware: A free security addition by Microsoft, which recently was made generally available.
- McAfee Endpoint Protection by Intel: A 30-day trial that can be extended with a license purchase from Intel Security.
- Symantec Endpoint Protection: A 60-day trial that can be extended with a license purchase from Symantec.
- TrendMicro Deep Security Platform: Also available as a trial with a follow-up purchase from Trend Micro.
Microsoft Anti-Malware System Requirements
Microsoft announced the general availability of free anti-malware for Azure virtual machines on October 29 at TechEd Europe 2014. It provides real-time scanning, on-demand and scheduled scanning, and a collection of anti-malware events into an Azure storage account via Azure Diagnostics.
This is the same engine that is present in Microsoft Security Essentials, Microsoft Endpoint Protection, System Center Endpoint Protection, Windows Intune, and Windows Defender for Windows 8.0 and later. And while it might not be the highest-rated scanner on the market, and it does not offer lots of fancy features that you find in other solutions, it is free.
You can enable the Microsoft Anti-Malware extension in any Azure virtual machine running Windows Server 2008 R2 or later (the Windows Server Technical Preview is not supported at this time). There are some system requirements:
- You must have an active Azure subscription.
- You must have a supported guest OS.
- The VM Agent must be installed in the virtual machine.
- If you want PowerShell management, then you must get the latest Microsoft Azure PowerShell SDK Tools.
- You need an Azure storage account to store events.
Microsoft Anti-Malware is easy to install via the Codename Ibiza preview Azure portal. Browse to your virtual machine, click Extensions, click Add, and select Microsoft Antimalware. You can also select one of the other vendors’ anti-malware solutions from here to install the trials.
Once the installation is complete, you should configure scanning to match your workload. This is where the one-size-fits-all ‘standard’ security policy of ‘scan everything’ falls apart. Microsoft has published recommended anti-malware scanning exclusions for each of its server products; these recommendations are rarely followed, and that is often the cause of performance and stability issues. A whitepaper from Microsoft discusses how you can use Set-AzureVMMicrosoftAntimalwareExtension to configure scanning exclusions.
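As an added example (not code from the original article or from Microsoft’s whitepaper), here is how a workload-specific exclusion configuration is applied from the classic Azure PowerShell module. The cloud service, VM and storage account names and the SQL Server-style exclusion list are placeholders, and the cmdlet pipeline (Get-AzureVM, Set-AzureVMMicrosoftAntimalwareExtension, Update-AzureVM) and the JSON settings format are assumed to match the classic module of the time; verify them with Get-Help on your module version.

```powershell
# Added example: configure the Microsoft Antimalware extension on a classic Azure VM
# hosting SQL Server, with exclusions instead of disabling real-time protection.
$serviceName = 'contoso-cloudsvc'   # placeholder cloud service name
$vmName      = 'sql01'              # placeholder VM name
$storageName = 'contosodiagstore'   # placeholder storage account for antimalware events

# Workload-specific settings. Scanning live database files in real time causes I/O
# contention and false positives, so exclude only those files and processes and keep
# everything else on the VM scanned. Exclusion values are illustrative placeholders.
$antimalwareConfig = @{
    AntimalwareEnabled        = $true
    RealtimeProtectionEnabled = $true
    ScheduledScanSettings     = @{
        isEnabled = $true
        day       = 7       # schedule day in the extension's encoding (assumed: 0 = daily, 1 = Sunday ... 7 = Saturday)
        time      = 120     # minutes after midnight, i.e. 02:00
        scanType  = 'Quick'
    }
    Exclusions = @{
        Extensions = '.mdf;.ldf;.ndf;.bak;.trn'
        Paths      = 'D:\SQLData;E:\SQLLogs'
        Processes  = 'sqlservr.exe'
    }
}

# The extension reads its settings as JSON; write them to a file for -AntimalwareConfigFile.
$configPath = Join-Path $env:TEMP 'antimalware-config.json'
$antimalwareConfig | ConvertTo-Json -Depth 4 | Set-Content -Path $configPath -Encoding ASCII

# Storage context that receives the antimalware events collected via Azure Diagnostics.
$storageKey     = (Get-AzureStorageKey -StorageAccountName $storageName).Primary
$storageContext = New-AzureStorageContext -StorageAccountName $storageName -StorageAccountKey $storageKey

# Apply the configuration and enable event monitoring; Update-AzureVM pushes it to the running VM.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Set-AzureVMMicrosoftAntimalwareExtension -AntimalwareConfigFile $configPath -Monitoring ON -StorageContext $storageContext |
    Update-AzureVM

# Check: read the extension state back so you can confirm the exclusions reached the VM.
Get-AzureVM -ServiceName $serviceName -Name $vmName | Get-AzureVMMicrosoftAntimalwareExtension
```

Keep the exclusion list as narrow as the vendor guidance for the workload allows; every excluded path is a place a scanner will not look.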