• 3 min read

Microsoft Antimalware for Azure Cloud Services and Virtual Machines

At the 2014 TechEd EMEA conference, Microsoft Azure announced the availability of Microsoft Antimalware for Azure Cloud Services and Virtual Machines solution for Windows.

Yesterday, we announced the availability of Microsoft Antimalware for Azure Cloud Services and Virtual Machines at TechEd Europe. It provides real time protection from the latest threats, on-demand scheduled scanning, and collection of antimalware events to your storage account via Azure Diagnostics at no additional charge.

Solution Overview

The Microsoft Antimalware capability in Azure is a single-agent solution built on the same platform as Microsoft Security Essentials [MSE], Microsoft Forefront Endpoint Protection, Microsoft System Center Endpoint Protection, Windows Intune, and Windows Defender for Windows 8.0 and higher. It is designed to run in the background without human intervention. You can deploy protection and monitoring based on the needs of your application workloads to enable real-time protection, scheduled scanning, malware remediation, protection updates, and active protection and enable antimalware event collection to your storage account for insight into the antimalware service health.

The Microsoft Antimalware Client and Service is installed by default in a disabled state in all Cloud Services. The Microsoft Antimalware Client and Service is not installed by default in the Virtual Machines platform; it is available as an optional security extension.

Pre-requisites to deploy Microsoft Antimalware for Azure:

1) Microsoft Azure Subscription account – You must have a valid and active Azure subscription account to use the Microsoft antimalware for Azure features and deploy antimalware for your cloud services and or virtual machines.

2) Operating Systems Requirement: The Microsoft Antimalware solution is supported on Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 operating system families. It is not supported on the Windows Server 2008 operating system. At this time Windows Server Technical Preview is not supported and we intend to support it in the future.

3) VM Agent: The VM agent is required to run the Microsoft antimalware extension on the virtual machine. Make sure VM agent is enabled on the VM, if not follow this blog post to install one.

4) Microsoft Azure PowerShell SDK Tools: You must install the latest Azure PowerShell SDK tools to access the Microsoft Antimalware PowerShell cmdlets. The antimalware PowerShell cmdlets are available at https://github.com/Azure/azure-sdk-tools/releases.

5) Azure Storage Account: The Azure storage account is required to enable antimalware event collection from the Azure systems to your storage account.

How it Works, Deployment Scenarios and Configuration Settings:

The Azure service administrator can enable Antimalware with a default or custom configuration for your Virtual Machines and Cloud Services using the following options:

  • Virtual Machines – In the Azure Management Portal, under Security Extensions
  • Virtual Machines – Using the Visual Studio virtual machines configuration in Server Explorer
  • Virtual Machines and Cloud Services – Using the Antimalware service management APIs (SMAPI)
  • Virtual Machines and Cloud Services – Using Antimalware PowerShell cmdlets

The below figure shows the workflow involved in enabling the antimalware solution for Azure Cloud Services (Web Role and Worker Role) and Virtual Machines.


Once running, the Microsoft Antimalware client downloads the latest protection engine and signature definitions from the Internet and loads them on the Azure system. The Microsoft Antimalware service writes service-related events to the system OS events log under the “Microsoft Antimalware” event source. Events include the Antimalware client health state, protection and remediation status, new and old configuration settings, engine updates and signature definitions, and others. You can enable Antimalware monitoring to collect Antimalware events from the systems to your Azure storage account and can pipe the event information to HDInsight or to your System Information and Event Management system for further analysis.

Default and Custom Antimalware Configuration

You can enable the Microsoft antimalware service with either basic secure-by-default or advanced custom antimalware configuration. The default configuration settings have been pre-optimized for running in the Microsoft Azure environment. You can customize the default antimalware configuration settings as required for your Azure application or service deployment and apply them for the Antimalware deployment scenarios.

The antimalware whitepaper summarizes the settings available to enable and configure antimalware service and the supported antimalware deployment scenarios. You can refer to the Microsoft Antimalware Whitepaper for further details.

Antimalware Support

If you run into a problem with Microsoft Antimalware solution for your Azure application for virtual machines or cloud services, you can contact us. The support topics documentation is available at:

1) Support Options – https://azure.microsoft.com/en-us/support/options/

2) Get Support – https://manage.windowsazure.com/?getsupport=true

After choosing Technical Support from get support link, options for opening a case for Microsoft Antimalware for Azure are:

  • For Cloud Services:
    • Choose Product = Cloud Services from Product dropdown list
    • Choose Problem Type = Malware, Viruses, or Intrusion Analysis
    • Choose Category = Microsoft Antimalware for Azure
  • For Virtual Machines:
    • Choose Product = Virtual Machines from Product dropdown list
    • Choose Problem Type = Virtual Machines Agents and Extensions
    • Choose Category = Microsoft Antimalware for Azure