Malware scanning

Microsoft Defender for Cloud provides agentless malware scanning for virtual machines as part of its agentless scanning features that improve machine threat protection. Agentless scanning doesn't need any installed agents or network connectivity, and doesn't affect machine performance.

Agentless malware scanning for machines provides:

  • Improved coverage - If a machine doesn't have an antivirus solution enabled, the agentless detector scans that machine to detect malicious activity.
  • Potential threat detection - The agentless scanner scans all files and folders including any files or folders that are excluded from the agent-based antivirus scans, without having an effect on the performance of the machine.
  • Deep detection capabilities - Comprehensive, up-to-date malware detection using Microsoft Defender Antivirus with advanced cloud protection.
  • Different scan types - Agentless scanning can run quick and full scans.
  • Integrated security alerts - Malware security alerts are integrated into both Defender for Cloud and Defender XDR.

Agentless malware scanning for machines is available in Defender for Servers Plan 2 with agentless scanning enabled. Malware scanning is supported for Azure VMs and for AWS/GCP machines connected to Defender for Cloud.

Malware security alerts

When a malicious file is detected, Defender for Cloud generates a security alert.

  • Security alerts contain details and context on the file, the malware type, and recommended investigation and remediation steps.
  • Security alerts appear in the portal only when threats are detected in your environment. If you don't have any alerts, it might be because there are no threats in your environment.
  • You can run a test to check that agentless malware scanning is working as expected.
  • You can configure automations based on these alerts.
  • You can also export security alerts to a security information and event management (SIEM) solution, such as Microsoft Sentinel through its connector, or another SIEM of your choice.

Handle possible false positives

If you believe a file is being incorrectly detected as malware (false positive), you can submit it for analysis through the sample submission portal.

  • Defender security analysts analyze the submitted file.
  • If the analysis report indicates that the file is clean, then the file won't trigger new alerts from now on.

Defender for Cloud lets you suppress false positive alerts. Scope the suppression rule narrowly, by malware name or file hash, so that it suppresses only the known false positive and doesn't hide genuine detections.
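The following is an added example that is not part of the Microsoft documentation and does not use the Defender for Cloud suppression-rule API. It models suppression rules over a few constructed alert records to show why scoping matters: a rule keyed on malware name alone also hides an alert for a different file that carries the same detection name, while a rule keyed on malware name plus file hash suppresses only the file that was confirmed clean. The `MalwareAlert` and `SuppressionRule` types, the detection names and the hashes are all assumptions constructed for this illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class MalwareAlert:
    """Minimal model of a malware alert (constructed, not the portal schema)."""
    alert_id: str
    machine: str
    malware_name: str
    file_path: str
    sha256: str


@dataclass(frozen=True)
class SuppressionRule:
    """A rule suppresses an alert when every field that is set matches.

    A field left as None means "any value", so a rule with no fields set
    would suppress everything; is_narrow() flags that misconfiguration.
    """
    name: str
    malware_name: Optional[str] = None
    sha256: Optional[str] = None

    def is_narrow(self) -> bool:
        # At least one of the two discriminating fields must be set.
        return self.malware_name is not None or self.sha256 is not None

    def matches(self, alert: MalwareAlert) -> bool:
        if self.malware_name is not None and alert.malware_name != self.malware_name:
            return False
        if self.sha256 is not None and alert.sha256 != self.sha256:
            return False
        return True


def apply_rules(alerts: List[MalwareAlert],
                rules: List[SuppressionRule]) -> Tuple[List[MalwareAlert], List[MalwareAlert]]:
    """Split alerts into (kept, suppressed); an unscoped rule is rejected."""
    for rule in rules:
        if not rule.is_narrow():
            raise ValueError(f"rule {rule.name!r} is unscoped and would hide all alerts")
    kept, suppressed = [], []
    for alert in alerts:
        (suppressed if any(r.matches(alert) for r in rules) else kept).append(alert)
    return kept, suppressed


# Constructed sample alerts. a-1 is the in-house tool that analysis confirmed
# clean; a-2 has the same detection name but a different (unknown) file;
# a-3 is an unrelated detection.
SAMPLE_ALERTS = [
    MalwareAlert("a-1", "vm-build-01", "Tool:Example/ConstructedFP",
                 "C:\\tools\\deploy.exe", "1111aaaa"),
    MalwareAlert("a-2", "vm-web-02", "Tool:Example/ConstructedFP",
                 "C:\\Users\\Public\\deploy.exe", "2222bbbb"),
    MalwareAlert("a-3", "vm-web-02", "Trojan:Example/Constructed",
                 "C:\\Temp\\x.dll", "3333cccc"),
]

# Name only: also hides a-2, which was never analysed.
BROAD_RULE = SuppressionRule("fp-by-name", malware_name="Tool:Example/ConstructedFP")
# Name plus hash: hides only the file that was confirmed clean.
NARROW_RULE = SuppressionRule("fp-by-name-and-hash",
                              malware_name="Tool:Example/ConstructedFP",
                              sha256="1111aaaa")


def suppressed_ids(rule: SuppressionRule) -> List[str]:
    """Return the IDs of sample alerts the given rule would suppress."""
    _, suppressed = apply_rules(SAMPLE_ALERTS, [rule])
    return [a.alert_id for a in suppressed]


if __name__ == "__main__":
    print("broad rule suppresses: ", suppressed_ids(BROAD_RULE))
    print("narrow rule suppresses:", suppressed_ids(NARROW_RULE))
```

Running the module shows the broad rule suppressing both `a-1` and `a-2`, while the narrow rule suppresses only `a-1`; when you create the real suppression rule in the portal, the same reasoning applies to the filter conditions you choose.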

Next step

Learn how to enable agentless scanning for VMs.