Anti-Malware Solutions for Microsoft Azure Virtual Machines

Just about every company has a security policy that contains a statement that goes like this, “Every computer running Windows must have anti-virus installed.” We IT pros take that for granted. What about your virtual machines running a Windows guest OS in Azure? Don’t they need the same, if not more, security? In this article, I will discuss your options for deploying anti-malware in Azure virtual machines.

The Need for Anti-Malware

Nimda, Code Red, STUXNET, MS Blaster, Conficker… all send shivers up the spines of IT pros. There are two things we consider to be good practice with Windows computers, be they servers or client devices, virtual or physical:

  1. Deploy Windows Updates: The primary means to prevent malware infections
  2. Install anti-malware: A real-time and scheduled scanner with clean-up functionality

Malware is a real threat, even in the ‘secure’ isolation of the computer room or data center. The old joke about making a computer secure is true: you need to dig a two meter deep hole, unplug the computer, throw it in the hole, fill it with rebar concrete, and post a guard with seismic sensors. And then you have a secure, but useless computer. A usable service is at risk, and therefore we have to take protective measures.
I worked in the hosting business, and once in a while, a customer would end up with an infected website (not updating WordPress, maybe) or an infected server (not applying their updates). Since then, a whole new market for malware has evolved. Zero-day attacks are targeting machines that are fully up to date. Spear-phishing, watering hole, and drive-by attacks target unwitting browsers (lesson: never browse the Internet from a server, and don’t browse with admin rights). The role of anti-malware is shifting towards clean-up as its effectiveness at prevention is reduced by the growing number of zero-day attacks.
Virtual machines in the cloud are just as susceptible to attacks as those in your computer room. In fact, if they have a public presence, then they are more vulnerable. This makes anti-malware even more critical.

Anti-Malware Solutions for Microsoft Azure

Do not assume that your existing anti-malware solution is supported by the vendor on Azure. Likewise, also do not assume that you are allowed to transfer existing licenses to Azure, which is known as license mobility in the licensing world.
Azure gives you several different anti-malware options that you can deploy into your virtual machines. Right now, there are four options that you can deploy from Azure into virtual machines using the extension functionality:

Microsoft Anti-Malware System Requirements

Microsoft announced the general availability of free anti-malware for Azure virtual machines on October 29 at TechEd Europe 2014. It provides real-time scanning, on-demand and scheduled scanning, and a collection of anti-malware events into an Azure storage account via Azure Diagnostics.
This is the same engine that is present in Microsoft Security Essentials, Microsoft Endpoint Protection, System Center Endpoint Protection, Windows Intune, and Windows Defender for Windows 8.0 and later. And while it might not be the highest-rated scanner on the market, and it does not offer lots of fancy features that you find in other solutions, it is free.
You can enable the Microsoft Anti-Malware extension in any Windows Server Azure virtual machine running Windows Server 2008 R2 or later, which does not include the Technical Preview at this time. There are some system requirements:

Microsoft Anti-Malware is easy to install via the Codename Ibiza preview Azure portal. Browse to your virtual machine, click Extensions, click Add, and select Microsoft Antimalware. You can also select one of the other vendors’ anti-malware solutions from here to install their trials.

Installing the Microsoft Antimalware extension in an Azure virtual machine. (Image Credit: Aidan Finn)

Once the installation is complete, you should ensure that you configure scanning to match your workload. This is where the one-size-fits-all ‘standard’ security policy of ‘scan everything’ falls apart. Microsoft has published recommended anti-malware scanning exclusions for its server products; these recommendations are rarely followed, and that is often the cause of issues. A whitepaper from Microsoft discusses how you can use Set-AzureVMMicrosoftAntimalwareExtension to configure scanning exclusions.
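The following is an added example, not code from the article or from Microsoft’s whitepaper, showing what a workload-specific exclusion configuration for the extension looks like and how it is applied with the cmdlet named above (classic Service Management Azure PowerShell module). The cloud service and VM names are placeholders; the exclusion paths, extensions and processes are constructed for a hypothetical SQL Server workload and must be replaced with the vendor’s published recommendations for your own workload; the `-AntimalwareConfigFile` parameter name is assumed from memory of the classic module and should be confirmed with `Get-Help Set-AzureVMMicrosoftAntimalwareExtension -Full` before use.

```powershell
# Added example (not from the original article): build an Antimalware
# extension settings file with workload-specific exclusions and apply it to a
# classic (Service Management) Azure VM.
# ASSUMPTIONS: service/VM names are placeholders; the exclusions below are
# constructed for a hypothetical SQL Server layout; the -AntimalwareConfigFile
# parameter name is taken from memory of the classic Azure module.

$serviceName = 'PLACEHOLDER-cloud-service'
$vmName      = 'PLACEHOLDER-vm'
$configPath  = Join-Path $env:TEMP 'antimalware-config.json'

# Exclusion lists are semicolon-separated strings. Real-time protection stays
# on: exclusions narrow what the engine scans, they do not disable it.
$settings = [ordered]@{
    AntimalwareEnabled        = $true
    RealtimeProtectionEnabled = $true
    ScheduledScanSettings     = [ordered]@{
        isEnabled = $true
        day       = 7        # 0 = daily, 1 = Sunday ... 7 = Saturday
        time      = 120      # minutes after midnight, i.e. 02:00
        scanType  = 'Quick'
    }
    Exclusions = [ordered]@{
        Extensions = '.mdf;.ldf;.ndf;.bak;.trn'          # constructed sample
        Paths      = 'F:\SQLData;G:\SQLLogs;H:\SQLBackup' # constructed sample
        Processes  = 'sqlservr.exe;sqlagent.exe'          # constructed sample
    }
}

# Defender-side sanity check before anything is written: refuse an exclusion
# that covers a whole drive root, which would silently blind the scanner.
foreach ($p in ($settings.Exclusions.Paths -split ';')) {
    if ($p -match '^[A-Za-z]:\\?$') {
        throw "Refusing to exclude the whole drive '$p'; scope exclusions to workload folders."
    }
}

$settings | ConvertTo-Json -Depth 4 | Set-Content -Path $configPath -Encoding ASCII

# Apply to the VM. Classic cmdlets modify the VM object locally; Update-AzureVM
# pushes the change to the platform.
$vm = Get-AzureVM -ServiceName $serviceName -Name $vmName
Set-AzureVMMicrosoftAntimalwareExtension -VM $vm -AntimalwareConfigFile $configPath |
    Update-AzureVM
```

The point of the check on the `Paths` list is that an over-broad exclusion (a whole data drive) is a common way a ‘fix’ for performance complaints quietly turns the scanner off for exactly the files an attacker would drop; keep exclusions to the specific folders, extensions and processes the product vendor documents, and review the settings file as part of change control.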