MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

documentation: index tags aren't tamper-resistant #118153

Open MattPil29 opened 6 months ago

MattPil29 commented 6 months ago

This article includes:

Blob index tags can be used by applications to automate workflows, but aren't tamper-resistant. Read more on setting up response.

Can this be further explained/referenced? The hyperlink leads to a page that seems to heavily rely on Index Tags before data is ingested by the application.

Additionally, it's not clear if the ABAC approach is itself dependent on the Index Tag - if so, doesn't it have the same weakness?

If a file is marked as a threat, what is the safest way of determining this if Index tags aren't tamper-resistant?

Thanks, Matt


ManoharLakkoju-MSFT commented 6 months ago

@MattPil29 Thanks for your feedback! We will investigate and update as appropriate.

Naveenommi-MSFT commented 6 months ago

@MattPil29 Based on the article you provided, it seems that the statement you mentioned is not directly related to blob index tags. The article is discussing the use of Azure Defender for Storage to scan for malware in your storage account. The statement you mentioned is referring to the fact that while Azure Defender for Storage can be used to automate workflows, it is not tamper-resistant. This means that if an attacker gains access to your storage account, they may be able to tamper with the results of the malware scan.

Regarding your question about ABAC, it stands for Attribute-Based Access Control, which is a security model that uses attributes to determine access to resources. While blob index tags can be used as attributes in an ABAC model, they are not required. ABAC can use other attributes such as user roles, IP addresses, and time of day to determine access.

If a file is marked as a threat, the safest way to determine this would be to use a combination of methods, including malware scanning, threat intelligence, and manual review. While blob index tags can be used to categorize data and make it easier to find, they are not a security feature and should not be relied upon as the sole method of detecting threats.

If there are any further questions regarding the documentation, please tag me in your reply and we will be happy to continue the conversation.

ElazarK commented 6 months ago

reassign:alizabernstein

Naveenommi-MSFT commented 6 months ago

@MattPil29 I've delegated this to content author @AlizaBernstein, who will review it and offer their insightful opinions.

MattPil29 commented 6 months ago

Thanks all for the quick response. I'm aware the article focuses on Defender; that's my interest.

Put another way, I'm looking for the best way to integrate Defender malware scanning with an application that uploads and downloads files. If a user uploads a file, I write it to blob, grab its id and store it in a table with some metadata. Another page returns a list of uploads using the metadata. The user clicks a link and the server fetches the blob and streams it back to the user. All very standard.

If you throw in Defender you now have an out-of-cycle process to handle. I can use events or polling to update some kind of status on the SQL table. Or I can use a direct attribute of the blob (e.g. Index Tag or ABAC) to determine if it's marked as safe just before download.

So you rule out index tags: "they are not a security feature and should not be relied upon as the sole method of detecting threats." That would suggest this is a bad idea.

And you state ABAC uses other attributes but list things that don't appear relevant to Defender results. Watching the video here, we see that the author is using tags in the ABAC!!!! [image] or [image]

I'm confused: how do I securely determine if a file is safe or not after Defender completes if index tags aren't secure? What's the underlying 'flag' or 'mechanism' used in your proposed approach?
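The "events or polling to update some kind of status on the SQL table" option described above is the one that does not inherit the index-tag weakness, because the verdict lives in a store that only the scan-result handler can write, not in a blob attribute that anyone holding tag-write permission on the blob can edit. The following is an added illustration of that gate, not code from this thread, from Microsoft, or from the azure-docs project. The Event Grid envelope and the field names `eventType`, `data.blobUri`, `data.scanResultType` and `data.eTag` are assumptions modelled on the Defender for Storage scan-result event and must be checked against the current schema; the `UploadStatusStore` class, its verdict strings and the sample events are constructed for this example.

```python
"""Gate downloads on a scan verdict held in the application's own store.

Added example, not from the thread or from Microsoft. Event shape is an
assumption modelled on the Defender for Storage scan-result event.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Event Grid event type assumed for Defender for Storage malware scanning
# results; confirm against the current documentation before relying on it.
SCAN_RESULT_EVENT_TYPE = "Microsoft.Security.MalwareScanningResult"

CLEAN = "clean"
MALICIOUS = "malicious"
PENDING = "pending"


@dataclass
class UploadRow:
    """One row of the application's upload table (stand-in for the SQL table)."""
    verdict: str = PENDING
    scanned_etag: Optional[str] = None  # ETag of the blob version the verdict applies to


class UploadStatusStore:
    """Verdict store written only by the event handler, never by upload clients."""

    def __init__(self) -> None:
        self._rows: Dict[str, UploadRow] = {}

    def register_upload(self, blob_uri: str) -> None:
        # Every upload starts PENDING: nothing is served until a verdict arrives.
        self._rows[blob_uri] = UploadRow()

    def apply_scan_event(self, event: dict) -> Optional[str]:
        """Apply one scan-result event; return the stored verdict, or None if ignored."""
        if event.get("eventType") != SCAN_RESULT_EVENT_TYPE:
            return None  # unrelated event type: do not touch any row
        data = event.get("data") or {}
        row = self._rows.get(data.get("blobUri"))
        if row is None:
            return None  # verdict for a blob this app never wrote: never create rows from events
        result = data.get("scanResultType")
        if result == "No threats found":
            verdict = CLEAN
        elif result == "Malicious":
            verdict = MALICIOUS
        else:
            verdict = PENDING  # unknown or error results fail closed
        row.verdict = verdict
        row.scanned_etag = data.get("eTag")
        return verdict

    def is_safe_to_serve(self, blob_uri: str, current_etag: str) -> bool:
        """True only for a CLEAN verdict that belongs to the blob version being served."""
        row = self._rows.get(blob_uri)
        if row is None or row.verdict != CLEAN:
            return False
        # A verdict covers one blob version. If the blob was overwritten after the
        # scan, its ETag changed and the stored verdict no longer applies.
        return row.scanned_etag == current_etag


def sample_events() -> Dict[str, dict]:
    """Constructed sample events for the demonstration (not real scan output)."""
    base = "https://examplestore.blob.core.windows.net/uploads/"
    return {
        "clean": {
            "eventType": SCAN_RESULT_EVENT_TYPE,
            "data": {"blobUri": base + "report.pdf",
                     "scanResultType": "No threats found",
                     "eTag": "0xETAG-CLEAN-1"},
        },
        "malicious": {
            "eventType": SCAN_RESULT_EVENT_TYPE,
            "data": {"blobUri": base + "invoice.exe",
                     "scanResultType": "Malicious",
                     "eTag": "0xETAG-MAL-1"},
        },
        "unknown_blob": {
            "eventType": SCAN_RESULT_EVENT_TYPE,
            "data": {"blobUri": base + "never-uploaded.bin",
                     "scanResultType": "No threats found",
                     "eTag": "0xETAG-X"},
        },
    }


if __name__ == "__main__":
    store = UploadStatusStore()
    ev = sample_events()
    for key in ("clean", "malicious"):
        store.register_upload(ev[key]["data"]["blobUri"])
    for key in ev:
        print(key, "->", store.apply_scan_event(ev[key]))
    uri = ev["clean"]["data"]["blobUri"]
    print("serve same version:", store.is_safe_to_serve(uri, "0xETAG-CLEAN-1"))
    print("serve overwritten:", store.is_safe_to_serve(uri, "0xETAG-CLEAN-2"))
```

The download handler calls `is_safe_to_serve` with the ETag it just read from the blob, so a file that was overwritten after the scan is treated as unscanned rather than inheriting the old verdict. The tamper-resistance comes from where the handler runs and what can write to the table: the event consumer (for example a function with its own identity) is the only writer, while the SAS or credential used by uploading clients grants no access to the table at all. If you instead build an ABAC condition on the index tag that Defender writes, the condition is only as strong as your control over who holds tag-write permission on those blobs.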

AlizaBernstein commented 6 months ago

Opened work item https://dev.azure.com/msft-skilling/Content/_workitems/edit/194632

label:"backlog-item-created"

TPavanBalaji commented 3 months ago

@v-regandowner Could you please review it.

v-regandowner commented 3 months ago

@dcurwin is the author of this content. I may appear as a contributor because I am a member of the PR review team, but I have no capacity to author/add to this content. I'll remove my assignment now.

Thanks.