Deploying Antimalware Solutions on Azure Virtual Machines


This is a joint blog post from me and my colleague Sung Hsueh, who works as a Security Program Manager for Microsoft Azure Compute.

This blog post is a continuation of the ‘Virtual Machine Extensions’ series, and in this one I’ll be giving a high-level overview of three new security extensions announced at TechEd North America. These security solutions – Symantec Endpoint Protection, Trend Micro Deep Security as a Service and Microsoft Antimalware – are embedded in the Azure Portal and deployed to Virtual Machines using the Extension technology. There will be follow-up posts for each of them.

If you have an existing subscription for Trend Micro or Symantec software on-premises, it can be used to protect Azure Virtual Machines. If you are a new customer, you can get a trial subscription to get started. Here is the licensing information for both products:

Symantec: http://www.symantec.com/business/support/index?page=content&id=HOWTO98414

TrendMicro: http://www.trendmicro.com/us/business/saas/deep-security-as-a-service/index.html

Microsoft Antimalware: The preview version of Microsoft Antimalware is free.

Any of these three security extensions can be enabled from the Azure Portal during the creation of a VM.


These security solutions can be added on existing Virtual Machines using Azure PowerShell cmdlets as described in the sections below.

Prerequisites for enabling extensions using the PowerShell cmdlets:

  • Install the Azure PowerShell cmdlets v0.8.2 or above from here.
  • If the scripts will be run against an existing VM, make sure the VM Agent is enabled on that VM; if it is not, follow this blog post to install it.


Trend Micro Deep Security as a Service:

Trend Micro Deep Security as a Service provides a complete set of security capabilities for both physical and virtual machines. Deep Security as a Service delivers the following capabilities – Anti-Malware protection, Intrusion Detection, Firewall, Web Reputation, and Integrity Monitoring. You can find information here to get started with a free trial subscription. Once you have a Trend Micro subscription, you can run the following to install the agent on existing Virtual Machines:

1. The Trend Micro Deep Security Agent can be enabled on Azure Virtual Machines from the Azure Portal while creating a new VM. It can also be enabled on existing or new VMs using the following PowerShell cmdlets.

# Get the VM (the cloud service name and the VM name are supplied in $servicename and $name)
$vm = Get-AzureVM -ServiceName $servicename -Name $name

# Add the Deep Security Agent extension to the VM configuration
Set-AzureVMExtension -Publisher TrendMicro.DeepSecurity -ExtensionName TrendMicroDSA -Version 9.* -VM $vm.VM

# Update the VM, which installs the DSA agent (-ServiceName takes the cloud service, -Name the VM)
Update-AzureVM -ServiceName $servicename -Name $name -VM $vm.VM

2. Activate the Trend Micro Deep Security Agent in an automated way using Azure’s CustomScript Extension.

  • Log in to the Deep Security as a Service portal with your credentials and select Help -> Deployment Scripts on the right side of the Trend Micro Deep Security portal.
  • From that page copy the activation command into a PowerShell file, which can later be executed by the CustomScript Extension.
  • The activation command pasted into the PowerShell file looks like this (the tenant ID and password are placeholders):

& $Env:ProgramFiles"\Trend Micro\Deep Security Agent\dsa_control" -a dsm://agents.deepsecurity.trendmicro.com:443/ "tenantID:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" "tenantPassword:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

  • Upload the file to an Azure Storage container and deploy it to each VM using the Custom Script Extension by following the instructions here.

# Get the VM
$vm = Get-AzureVM -ServiceName $servicename -Name $name

# The activation script 'ds-config_local.ps1' is stored in the 'DSAConfig' container of the default storage account.
# The CustomScript Extension pulls the script from the storage account and runs it on the VM.
Set-AzureVMCustomScriptExtension -ContainerName DSAConfig -FileName 'ds-config_local.ps1' -VM $vm.VM

# Update the VM, which runs the activation script (-ServiceName takes the cloud service, -Name the VM)
Update-AzureVM -ServiceName $servicename -Name $name -VM $vm.VM

Note: Once the Deep Security Agent is installed, it takes a couple of minutes to start running. Activation can be performed only when it’s running.
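Because activation only succeeds once the agent is running, a script that simply issues the activation command right after installation can fail on the first run. The following is an added example of an activation script for the Custom Script Extension (it is not Trend Micro's or the original post's script) that waits for the agent before activating. It assumes the agent's Windows service is named ds_agent, that dsa_control sits under "$Env:ProgramFiles\Trend Micro\Deep Security Agent" as in the command above, and the tenant values are placeholders to be replaced with those from the Deployment Scripts page.

```powershell
# Added example: activation script for the Custom Script Extension that waits until the
# Deep Security Agent is running before calling dsa_control -a.
# Assumptions: service name 'ds_agent'; dsa_control lives under the agent install folder;
# the tenant ID/password below are placeholders copied from the portal's Deployment Scripts page.
$TenantId       = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'   # placeholder
$TenantPassword = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'   # placeholder
$Manager        = 'dsm://agents.deepsecurity.trendmicro.com:443/'
$AgentDir       = Join-Path $Env:ProgramFiles 'Trend Micro\Deep Security Agent'
$DsaControl     = Join-Path $AgentDir 'dsa_control'
$ServiceName    = 'ds_agent'                                 # assumed service name
$TimeoutSeconds = 600
$LogFile        = Join-Path $Env:TEMP 'dsa-activate.log'

function Write-Log([string]$Message) {
    # Keep a local log so the outcome can be checked after the extension has run.
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Output $line
}

function Wait-ForAgent {
    # Poll until the service is running and dsa_control resolves (Get-Command applies PATHEXT),
    # or give up after $TimeoutSeconds.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
        $cmd = Get-Command $DsaControl -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -eq 'Running' -and $cmd) {
            return $true
        }
        $state = if ($svc) { $svc.Status } else { 'absent' }
        Write-Log "Agent not ready yet (service: $state); sleeping 15s"
        Start-Sleep -Seconds 15
    }
    return $false
}

if (-not (Wait-ForAgent)) {
    Write-Log "Deep Security Agent did not start within $TimeoutSeconds seconds; not activating"
    exit 1
}

# Same activation command the portal generates, with the values supplied through variables.
& $DsaControl -a $Manager "tenantID:$TenantId" "tenantPassword:$TenantPassword"
$rc = $LASTEXITCODE
Write-Log "dsa_control -a exited with code $rc"
exit $rc
```

The script file carries the tenant password, so the storage container it is uploaded to should be private (the Custom Script Extension reads it with the storage account key), and the local log written here deliberately records only service state and exit codes, not the credentials.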

Symantec Endpoint Protection

Symantec Endpoint Protection provides multiple layers of protection spanning Network Protection, File Protection, Reputation Protection, and Repair and Remediation. Complete information about Symantec Endpoint Protection for Azure can be found here.

The Symantec Endpoint Protection agent can be enabled on Virtual Machines while creating a new VM from the Azure Portal. To install it on an existing Virtual Machine, run the following cmdlets:

# Get the VM
$vm = Get-AzureVM -ServiceName $servicename -Name $name

# Add the Symantec Endpoint Protection extension to the VM configuration
Set-AzureVMExtension -Publisher Symantec -ExtensionName SymantecEndpointProtection -Version 12.* -VM $vm.VM

# Update the VM, which installs the Symantec Endpoint Protection agent (-ServiceName takes the cloud service, -Name the VM)
Update-AzureVM -ServiceName $servicename -Name $name -VM $vm.VM


Microsoft Antimalware

Microsoft Antimalware for Azure Cloud Services and Virtual Machines is a real-time protection capability that helps identify and remove viruses, spyware, and other malicious software, with configurable alerts when known malicious or unwanted software attempts to install itself or run on your system. A complete overview of the Microsoft Antimalware solution can be found here. Microsoft Antimalware can be enabled while creating a new VM from the Azure Portal. To install it on an existing Virtual Machine, run the following cmdlets:

# Get the VM
$vm = Get-AzureVM -ServiceName $servicename -Name $name

# Add the Microsoft Antimalware extension to the VM configuration
Set-AzureVMExtension -Publisher Microsoft.Azure.Security -ExtensionName IaaSAntimalware -Version 1.* -VM $vm.VM

# Update the VM, which installs the Antimalware agent (-ServiceName takes the cloud service, -Name the VM)
Update-AzureVM -ServiceName $servicename -Name $name -VM $vm.VM
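The three install sequences above differ only in the publisher, extension name and version, and none of them confirms that the agent actually came up on the VM. The following added example (my own wrapper, not code from the original post or from any of the three vendors) folds the three into one function and then polls the VM until the extension handler reports that it is ready. It assumes that the object returned by Get-AzureVM exposes a ResourceExtensionStatusList whose entries carry HandlerName and Status, and that a healthy handler reports the status 'Ready'; the cloud service and VM names in the usage line are made up.

```powershell
# Added example: one install function for the three security extensions, with a readiness check.
# Assumption: Get-AzureVM returns a ResourceExtensionStatusList with HandlerName/Status entries
# and a successfully installed handler reports 'Ready'.
$SecurityExtensions = @{
    'TrendMicro' = @{ Publisher = 'TrendMicro.DeepSecurity'; ExtensionName = 'TrendMicroDSA';              Version = '9.*'  }
    'Symantec'   = @{ Publisher = 'Symantec';                ExtensionName = 'SymantecEndpointProtection'; Version = '12.*' }
    'Microsoft'  = @{ Publisher = 'Microsoft.Azure.Security'; ExtensionName = 'IaaSAntimalware';           Version = '1.*'  }
}

function Install-SecurityExtension {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [ValidateSet('TrendMicro', 'Symantec', 'Microsoft')] [string] $Product,
        [int] $TimeoutSeconds = 900
    )
    $ext = $SecurityExtensions[$Product]

    $vm = Get-AzureVM -ServiceName $ServiceName -Name $Name
    if (-not $vm) { throw "VM '$Name' not found in cloud service '$ServiceName'" }

    # Add the extension to the VM configuration and push the updated configuration.
    # -ServiceName takes the cloud service and -Name the VM.
    Set-AzureVMExtension -Publisher $ext.Publisher -ExtensionName $ext.ExtensionName -Version $ext.Version -VM $vm.VM |
        Update-AzureVM -ServiceName $ServiceName -Name $Name

    # Poll the extension status until the handler reports Ready or the timeout elapses.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    $status = $null
    do {
        Start-Sleep -Seconds 30
        $status = (Get-AzureVM -ServiceName $ServiceName -Name $Name).ResourceExtensionStatusList |
            Where-Object { $_.HandlerName -like "*$($ext.ExtensionName)*" } |
            Select-Object -First 1
        if ($status) { Write-Output ('{0}: {1}' -f $status.HandlerName, $status.Status) }
    } until (($status -and $status.Status -eq 'Ready') -or ((Get-Date) -gt $deadline))

    if (-not $status -or $status.Status -ne 'Ready') {
        throw "Extension $($ext.ExtensionName) did not reach Ready on $Name within $TimeoutSeconds seconds"
    }
    return $status
}

# Usage (constructed names): install Microsoft Antimalware on VM 'web01' in cloud service 'my-cloud-service'.
Install-SecurityExtension -ServiceName 'my-cloud-service' -Name 'web01' -Product 'Microsoft'
```

Throwing when the handler never reaches Ready matters more than it looks: Update-AzureVM returns as soon as the configuration is accepted, so without the poll a deployment script reports success before the agent has been downloaded, let alone started.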

Uninstalling Extensions:

Any of the above added extensions can be uninstalled using the cmdlets below.

# Get the VM
$vm = Get-AzureVM -ServiceName $servicename -Name $name

# Mark the extension for removal ($publishername, $extensionname and $version must match the installed extension)
Set-AzureVMExtension -Publisher $publishername -ExtensionName $extensionname -Version $version -VM $vm.VM -Uninstall

# Update the VM, which uninstalls the extension (-ServiceName takes the cloud service, -Name the VM)
Update-AzureVM -ServiceName $servicename -Name $name -VM $vm.VM
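The uninstall cmdlet needs the publisher, extension name and version that were used at install time, which are easy to get wrong by hand. The following added example (not code from the original post) reads those values back from the VM instead of hard-coding them, and first reports which VMs in the subscription carry none of the three security extensions, which is the inventory a defender wants before and after any removal. It assumes that Get-AzureVMExtension -VM returns objects with ExtensionName, Publisher and Version properties, and that the VM listing from a bare Get-AzureVM must be re-fetched by service and name to obtain the full VM object; the names in the commented usage line are made up.

```powershell
# Added example: inventory of the three security extensions across the subscription, and an
# uninstall that resolves publisher/version from the VM rather than from hand-typed values.
# Assumption: Get-AzureVMExtension -VM returns objects with ExtensionName, Publisher, Version.
$KnownSecurityExtensions = @('TrendMicroDSA', 'SymantecEndpointProtection', 'IaaSAntimalware')

function Get-SecurityExtensionReport {
    # Bare Get-AzureVM lists every VM in the current subscription; re-fetch each one to get
    # the full VM object that Get-AzureVMExtension needs.
    foreach ($entry in Get-AzureVM) {
        $vm = Get-AzureVM -ServiceName $entry.ServiceName -Name $entry.Name
        $installed = @(Get-AzureVMExtension -VM $vm.VM |
            Where-Object { $KnownSecurityExtensions -contains $_.ExtensionName })
        [pscustomobject]@{
            ServiceName = $entry.ServiceName
            Name        = $entry.Name
            Protected   = ($installed.Count -gt 0)
            Extensions  = ($installed | ForEach-Object { "$($_.Publisher)/$($_.ExtensionName) $($_.Version)" }) -join '; '
        }
    }
}

function Uninstall-SecurityExtension {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ExtensionName
    )
    $vm  = Get-AzureVM -ServiceName $ServiceName -Name $Name
    if (-not $vm) { throw "VM '$Name' not found in cloud service '$ServiceName'" }

    # Look up the installed extension so publisher and version are exactly what was deployed.
    $ext = Get-AzureVMExtension -VM $vm.VM | Where-Object { $_.ExtensionName -eq $ExtensionName } | Select-Object -First 1
    if (-not $ext) { throw "Extension '$ExtensionName' is not installed on $ServiceName/$Name" }

    Set-AzureVMExtension -Publisher $ext.Publisher -ExtensionName $ext.ExtensionName -Version $ext.Version -VM $vm.VM -Uninstall |
        Update-AzureVM -ServiceName $ServiceName -Name $Name
}

# Usage: list VMs with no security extension, then (constructed names) remove one extension from a VM.
Get-SecurityExtensionReport | Where-Object { -not $_.Protected } | Format-Table -AutoSize
# Uninstall-SecurityExtension -ServiceName 'my-cloud-service' -Name 'web01' -ExtensionName 'IaaSAntimalware'
```

Running the report before an uninstall and again afterwards gives a simple before/after record of which VMs are unprotected, which is worth keeping since removing an antimalware extension is exactly the kind of change you want to be able to explain later.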


This integration brings together Azure Virtual Machines and these existing security solutions and makes it easy to deploy and manage them together. I hope you’ll find these solutions useful in your cloud environment. Please post your comments and questions here. We’d love to hear from you!