Scheer Wiki




Security on Azure – Threat Protection/Microsoft Antimalware for Azure and Vulnerability Management


With cloud computing, you can easily connect to any resource in your environment from any device at any time. Data travels from on-premises to the cloud and back: the infrastructure is more alive than ever before. Your identity protection is in place, policies are rolled out and monitoring alerts you if anything goes wrong. Long story short: everything looks fine and easy – in your opinion.

Gremlins in the Cloud

Sheriff Frank: Gremlins, huh?

Billy: Yes.

Sheriff Frank: Little monsters?

Billy: Right.

Sheriff Frank: Hundreds of them?

Billy: I don’t know, maybe thousands. Look, I know it sounds crazy. I know it does, but in a matter of hours, this town’s going to become a major disaster area! You have got to warn people!

Sheriff Frank: You think the kid is drunk?

Deputy Brent: No, but you are!

Gremlins caused a lot of chaos and destruction in the movies. These little, green and evil monsters (easily) flooded the streets of Kingston Falls and destroyed the peace and infrastructure of the city.

Now you’re (probably) wondering: “But this is a blog post about Security on Azure! Why is he talking about Gremlins?” And you’re right! There are no Gremlins living in the cloud – but other tiny and fast-spreading monsters, collectively called malware, do. Gremlins and malware share many characteristics. Both:


are evil and harmful
→ the easy accessibility of cloud environments makes malware easily accessible too.

spread and replicate fast
→ every day new malware appears in the IT landscape, ready to spread as fast as possible across your infrastructure and leak or destroy your data

hate light and brightness
→ most types of malware operate in the dark, unseen by operational IT units or security technologies

In sum, cloud infrastructures are fun for malware. Complex hybrid environments have vastly increased the number of opportunities for malware to compromise not only your cloud infrastructure, but your client infrastructure and other devices as well. Infections can cause data breaches, open the door for more sophisticated threats and seriously impact your business.

Fight the little Monsters

To protect your Azure resources (and consequently your connected infrastructure) against malware, Microsoft provides free real-time protection that helps identify and remove viruses, spyware and other malicious software. Microsoft Antimalware is based on the same antimalware platform as Microsoft Security Essentials (MSE) or Windows Defender and is a single-agent solution, designed to run without intervention. It can be integrated into the Azure Security Center for more visibility.

The Microsoft Antimalware Agent can be deployed with the Security Center, with PowerShell or with the Azure Diagnostic Extension.

Microsoft Antimalware for Azure offers the following features:

 Real-time protection – monitors activity in cloud services and on virtual machines to detect and block malware execution.

 Scheduled scanning – scans periodically to detect malware, including actively running programs.

 Malware remediation – automatically takes action on detected malware, such as deleting or quarantining malicious files and cleaning up malicious registry entries.

 Signature updates – automatically installs the latest protection signatures (virus definitions) to ensure protection is up-to-date on a pre-determined frequency.

 Antimalware Engine updates – automatically updates the Microsoft antimalware engine.

 Antimalware Platform updates – automatically updates the Microsoft antimalware platform.

 Active protection – reports telemetry metadata about detected threats and suspicious resources to Microsoft Azure to ensure rapid response to the evolving threat landscape, as well as enabling real-time synchronous signature delivery through the Microsoft Active Protection System (MAPS).

 Samples reporting – provides and reports samples to the Microsoft antimalware service to help refine the service and enable troubleshooting.

 Exclusions – allows application and service administrators to configure exclusions for files, processes, and drives.

 Antimalware event collection – records the antimalware service health, suspicious activities, and remediation actions taken in the operating system event log and collects them into the customer’s Azure Storage account.


-Source: Microsoft
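
The PowerShell deployment route mentioned above, as an added example (not code from the original post or from Microsoft). It assumes a Windows VM, the Az PowerShell module and a session signed in with Connect-AzAccount; the resource names and the exclusion values are constructed placeholders.

```powershell
# Added example. Placeholders (assumptions), not values from the article:
$ResourceGroup = 'rg-example'
$VmName        = 'vm-example'

# Public settings of the IaaSAntimalware extension, mapped to the feature list above.
$settings = [ordered]@{
    AntimalwareEnabled        = $true
    RealtimeProtectionEnabled = $true            # real-time protection
    ScheduledScanSettings     = [ordered]@{      # scheduled scanning
        isEnabled = $true
        day       = 7                            # 0 = daily, 1-7 = Sunday..Saturday, 8 = disabled
        time      = 120                          # minutes after midnight
        scanType  = 'Quick'                      # 'Quick' or 'Full'
    }
    Exclusions = [ordered]@{                     # constructed sample; every exclusion is a blind spot
        Extensions = '.mdf;.ldf'
        Paths      = 'D:\SqlData'
        Processes  = 'sqlservr.exe'
    }
}

# Refuse exclusions that would hide a whole drive or executable file types from the scanner.
$tooBroad = @($settings.Exclusions.Paths -split ';' |
                Where-Object { $_ -match '^[A-Za-z]:\\?$' }) +
            @($settings.Exclusions.Extensions -split ';' |
                Where-Object { $_ -in '.exe', '.dll', '.ps1', '.bat' })
if ($tooBroad) { throw "Exclusion too broad: $($tooBroad -join ', ')" }

$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName

# Use the newest published handler version (major.minor) instead of hard-coding one.
$latest = Get-AzVMExtensionImage -Location $vm.Location `
              -PublisherName 'Microsoft.Azure.Security' -Type 'IaaSAntimalware' |
          Sort-Object { [version]$_.Version } | Select-Object -Last 1
$handler = ([version]$latest.Version).ToString(2)

Set-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VmName -Location $vm.Location `
    -Name 'IaaSAntimalware' -Publisher 'Microsoft.Azure.Security' `
    -ExtensionType 'IaaSAntimalware' -TypeHandlerVersion $handler `
    -SettingString ($settings | ConvertTo-Json -Depth 4)

# Read back what was actually applied, so drift from the intended settings is visible.
Get-AzVMExtension -ResourceGroupName $ResourceGroup -VMName $VmName -Name 'IaaSAntimalware' |
    Select-Object Name, ProvisioningState, PublicSettings
```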

While this outstanding array of features enables you to combat malware, detection of and protection against malicious software is only half the battle. The next step in improving your security status is to know your vulnerabilities.

Light in the Dark

Visibility is the key! You need to know where your weak points are and how to remedy them to avoid attacks from the little monsters. Pull them in the light.

“Ahh! light bright! light bright! light bright”

For this use case, Azure provides the Azure ATP and Microsoft Defender ATP services.

Illustration: Microsoft Defender
Source: Microsoft

While Azure ATP monitors the traffic on your domain controllers, Microsoft Defender ATP watches over your endpoints. Together, they bring their full power to bear on protecting your environment and enable you to build up a vulnerability management system.

Microsoft Defender ATP delivers endpoint behavioral sensors (OS monitoring), cloud security analytics (cloud systems) and threat intelligence (identification of attacks). Azure ATP enhances these features by focusing on multiple phases of a cyber-attack, such as reconnaissance, lateral movement cycle and persistence.

Illustration: anonymous attack
Source: Microsoft

They are inside. All of Them?

In addition to Azure ATP and Microsoft Defender ATP, you will need a vulnerability scanner to complete your armory. Vulnerability scanners identify security gaps, with the focus on known weaknesses in networks, systems and applications. They supplement and add to the findings of antimalware actions, to remedy weaknesses that can lead to infection.

The vulnerability scanner integrated in the Azure Security Center serves this purpose. The scanner is powered by Qualys, one of the leading tools for identifying vulnerabilities (in real-time!).

Illustration: Qualys
Source: Microsoft

The scanned systems are grouped according to their health status. For each machine with the status “unhealthy,” you will receive a solution to remedy the vulnerability.

Overview: Vulnerability Assessment
Source: Microsoft
Illustration: Red Hat
Source: Microsoft

If the Qualys Vulnerability Scanner is not the product of your choice, feel free to integrate another third-party scanner into the Azure Security Center.

While the wealth of such features and names can be overwhelming and confusing, integration of these services and cloud intelligence will give you a single pane of glass for your operational security tasks!

So stay safe and don’t forget the most important rule:

“No matter how much he cries, or how much he begs, never, never feed him after midnight!”


Author: Dominic Iselt, IT Security Engineering Expert