Agentless machine scanning
Microsoft Defender for Cloud improves compute posture for Azure, AWS and GCP environments with machine scanning. For requirements and support, see the compute support matrix in Defender for Cloud.
Agentless scanning for virtual machines (VM) provides:
- Broad, frictionless visibility into your software inventory using Microsoft Defender Vulnerability Management.
- Deep analysis of operating system configuration and other machine meta data.
- Vulnerability assessment using Defender Vulnerability Management.
- Secret scanning to locate plain text secrets in your compute environment.
- Threat detection with agentless malware scanning, using Microsoft Defender Antivirus.
Agentless scanning assists you in the identification process of actionable posture issues without the need for installed agents, network connectivity, or any effect on machine performance. Agentless scanning is available through both the Defender Cloud Security Posture Management (CSPM) plan and Defender for Servers P2 plan.
Availability
Aspect | Details |
---|---|
Release state: | GA |
Pricing: | Requires either Defender Cloud Security Posture Management (CSPM) or Microsoft Defender for Servers Plan 2 |
Supported use cases: |
Vulnerability assessment (powered by Defender Vulnerability Management) Software inventory (powered by Defender Vulnerability Management) Secret scanning Malware scanning Only available with Defender for Servers plan 2 Kubernetes nodes protection Only available with Defender for Servers P2 in Azure Commercial clouds |
Clouds: |
Azure Commercial clouds Azure Government Microsoft Azure operated by 21Vianet Connected AWS accounts Connected GCP projects |
Operating systems: |
Windows Linux |
Instance and disk types: | Azure Standard VMs Unmanaged disks Maximum total disk size allowed: 4TB (the sum of all disks) Maximum number of disks allowed: 6 Virtual machine scale set - Flex Virtual machine scale set - Uniform AWS EC2 Auto Scale instances Instances with a ProductCode (Paid AMIs) GCP Compute instances Instance groups (managed and unmanaged) Unsupported disk types: If any of the VM's disks are on this list, the VM won't be scanned. UltraSSD_LRS PremiumV2_LRS Unsupported resource type: Databricks VM |
Encryption: | Azure Unencrypted Encrypted – managed disks using Azure Storage encryption with platform-managed keys (PMK) Encrypted – other scenarios using platform-managed keys (PMK) Encrypted – customer-managed keys (CMK) (preview) AWS Unencrypted Encrypted - PMK Encrypted - CMK GCP Google-managed encryption key Customer-managed encryption key (CMEK) Customer-supplied encryption key (CSEK) |
How agentless scanning works
Agentless scanning for VMs uses cloud APIs to collect data. Whereas agent-based methods use operating system APIs in runtime to continuously collect security related data. Defender for Cloud takes snapshots of VM disks and performs an out-of-band, deep analysis of the operating system configuration and file system stored in the snapshot. The copied snapshot remains in the same region as the VM. The VM isn't affected by the scan.
After acquiring the necessary metadata is acquired from the copied disk, Defender for Cloud immediately deletes the copied snapshot of the disk and sends the metadata to Microsoft engines to detect configuration gaps and potential threats. For example, in vulnerability assessment, the analysis is done by Defender Vulnerability Management. The results are displayed in Defender for Cloud, which consolidates both the agent-based and agentless results on the Security alerts page.
The scanning environment where disks are analyzed is regional, volatile, isolated, and highly secure. Disk snapshots and data unrelated to the scan aren't stored longer than is necessary to collect the metadata, typically a few minutes.
Related content
This article explains how agentless scanning works and how it helps you collect data from your machines.
Learn more about how to enable agentless scanning for VMs.
Check out common questions about agentless scanning and how it affects the subscription/account, agentless data collection, and permissions used by agentless scanning.