Why is Microsoft Defender for Storage scanning entire blobs every time we append data, instead of only scanning the modified portion? How can we optimize scanning behavior to reduce unnecessary costs?

Question

We are using Microsoft Defender for Storage , and our storage contains log files that are continuously appended with new data . However, we have noticed that Defender scans the entire blob every time new data is appended, instead of only scanning the modified portion or the incoming requests .

This behavior is leading to excessive scanning charges , even though only minor updates are applied to the files. We have analyzed storage account API logs and confirmed that Defender Malware Scanner triggers multiple scans on the same blob whenever new data is appended .

We would like to understand if there a way to optimize Defender for Storage so that it only scans new or modified data instead of the entire storage account?

Answer 1

@Samarth Bhadane

Welcome to the Microsoft Q&A community.

I understand your concern about the excessive scanning charges due to the current behavior of Microsoft Defender for Storage. Unfortunately, as of now, Microsoft Defender for Storage does not have a built-in feature to scan only the modified portion of a blob. It scans the entire blob whenever new data is appended.

However, there are a few strategies you can consider to optimize your scanning process and potentially reduce costs:

On-Upload Malware Scanning: This feature scans blobs automatically when they're uploaded or modified, providing near real-time detection. This might help in reducing the number of scans if the blobs are frequently modified.

On-Demand Malware Scanning: This allows you to scan existing blobs whenever necessary, making it ideal for incident response, compliance, and proactive security. You can schedule these scans during off-peak hours to manage costs better.

Automate Responses: You can set up automated responses to handle malicious files, such as moving them to a quarantine container or deleting them. This can help in managing the storage and scanning costs more effectively.

Review and Optimize Storage Practices: Consider breaking down large blobs into smaller chunks if feasible. This way, only the modified chunks will be scanned, potentially reducing the scanning overhead.

For more detailed information, you can refer to the Microsoft Defender for Storage documentation.

See also:

• https://learn.microsoft.com/en-us/azure/defender-for-cloud/introduction-malware-scanning
• https://learn.microsoft.com/en-us/azure/defender-for-cloud/on-upload-malware-scanning
• https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-storage-configure-malware-scan

I hope these suggestions help you optimize your Defender for Storage usage. Let me know if you have any further questions or need additional assistance.

Also if these answers your query, do click the "Upvote" and click "Accept the answer" of which might be beneficial to other community members reading this thread.

Answer 2

@Samarth Bhadane

It appears that the on-demand scanning section might not be visible if on-upload scanning is disabled. This could be due to the way the settings are configured in Microsoft Defender for Storage.

To address this, you can try the following steps:

1. Enable On-Upload Scanning Temporarily: Enable on-upload scanning temporarily to access the on-demand scanning settings. Once you have configured the on-demand scanning, you can disable on-upload scanning again if needed.
2. Check Permissions: Ensure that you have the necessary permissions to configure on-demand scanning. You might need to have specific roles or permissions assigned to access these settings.
3. Update Defender for Storage: Make sure that you are using the latest version of Microsoft Defender for Storage. Sometimes, updates or changes in the service can affect the visibility of certain settings.
4. Contact Support: If the issue persists, consider reaching out to Microsoft support for assistance. They can provide guidance and help resolve any configuration issues you might be facing. For more detailed information, you can refer to the Microsoft Defender for Storage on-demand malware scanning documentation. I hope these suggestions help you optimize your Defender for Storage usage.

Let me know if you have any further questions or need additional assistance.

Also if these answers your query, do click the "Upvote" and click "Accept the answer" of which might be beneficial to other community members reading this thread.