bengtfredh
commented
1 month ago Malware scanning is turned on for all storage accounts in service owners subscriptions.
What happens when files i scanned
- When a blob is scanned for malware, the scan result can be assessed in A blob index tag - an index tag with the key “Malware Scanning scan result”
- Defender do not do anything more with the file, we need to set up procedure to handle infected files
Reporting on scanning can buildt-in be sent to:
- An event grid
- Log analytics workspace
- Defender for cloud
There are several ways we can handle infected files:
- Block access to unscanned or malicious files using ABAC. Allow applications and users to access only scanned files that are clean.
- You can use code or workflow automation to delete or move malicious files to quarantine.
Azure provides example on using:
- Logic App based on Microsoft Defender for Cloud security alerts
- Function App based on Event Grid events
- Make your applications and data flows aware of malware scanning scan results
I think we need to discuss if we are going to change existing file scan service together with defender for storage scan. Or if we want to change what we do with infected files and reporting to service owners.
Description
What happens if Defender for Storage identifies malware in a blob being uploaded. Will the blob be missing or unavailable? We need decide whether we want to keep the file-scan features with status and results in the DataElement metadata for the Blob or if it can be discontinued.
In scope
No response
Out of scope
No response
Additional Information
No response
Analysis
No response
Conclusion
No response