On-demand malware scanning

On-demand malware scanning in Microsoft Defender for Storage enables you to scan existing blobs in your Azure Storage accounts whenever needed. This capability provides flexibility to scan stored data in response to evolving security requirements, compliance needs, or security incidents, ensuring your data is continuously protected.

By using Microsoft Defender Antivirus with the latest malware definitions, on-demand scanning offers a cloud-native solution. It doesn't require further infrastructure or operational overhead. This approach addresses gaps in coverage, especially for data uploaded before scanning was enabled. It also helps when new threats emerge, allowing you to proactively secure stored files and reduce potential exposure in cloud environments.

Common use cases for on-demand malware scanning

Using on-demand malware scanning in Microsoft Defender for Storage offers the following advantages:

• Respond to security events: Immediately scan storage accounts when security alerts or suspicious activities are detected.
• Ensure compliance: Run scheduled or on-demand scans to meet data protection and regulatory compliance requirements.
• Proactive security management: Set recurring scans to maintain a continuously secure environment.
• Create a security baseline: Scan existing data upon first enabling Defender for Storage to establish a baseline for future security.

Malware can infiltrate cloud storage environments and pose significant risks to organizations. On-demand malware scanning provides a built-in, cloud-native solution to detect and mitigate these threats by scanning your existing data for malicious content.

Shared aspects with on-upload scanning

The following sections are applicable to both on-demand and on-upload malware scanning.

• Additional costs Including Azure Storage read operations, blob indexing, and Event Grid notifications.
• Viewing and consuming scan results: Methods such as Blob index tags, Defender for Cloud security alerts, Event Grid events, and Log Analytics.
• Response automation: Automate actions like blocking, deleting, or moving files based on scan results.
• Supported content and limitations: Covers supported file types, sizes, encryption, and region limitations.
• Access and data privacy: Details on how the service accesses and processes your data, including privacy considerations.
• Handling false positives and false negatives: Steps for submitting files for review and creating suppression rules.
• Blob scans and impact on IOPS: Learn how scans trigger further read operations and update blob index tags.

For detailed information on these topics, see the Introduction to malware scanning page.

Initiate on-demand scans

Understand the on-demand scanning process

• Cost estimation: Before initiating a scan, the Azure portal provides an estimated cost based on the Blob Capacity metric and data volume, offering visibility into potential scanning cost.
• Scan initiation: Scans can be started manually from the Azure portal, triggered programmatically using the REST API, or automated through Logic Apps, Automation runbooks, or PowerShell scripts, enabling integration into various workflows.
• Listing and sending blobs for scanning: Once a scan is initiated, the system lists all supported blobs in the storage account and sends them for scanning in parallel. Depending on blob quantity and size, this process might take from minutes to several hours.
• Monitoring progress: Scan progress can be tracked through the Azure portal or API, with details on the number of blobs scanned, skipped files, data volume, malicious files detected, scan status, and duration.
• Completion and results: After all blobs are scanned, the system marks the scan as complete and provides a summary of findings. The API can also be used to query the details of the last scan.

Key considerations

• Single scan limitation: Only one on-demand scan can run per storage account at a time.
• Cancellation: Scans can only be canceled during the initial stages of the scan.

Prerequisites

• Permissions: Owner or Contributor role on the subscription or storage account, or specific roles with the necessary permissions.
• Defender for Storage with malware scanning: Must be enabled on the subscription or individual storage accounts.

From the Azure portal

1. Sign in to the Azure portal and navigate to your storage account.

2. Under Security + networking, select Microsoft Defender for Cloud.

   

3. In the On-demand malware scanning section, evaluate the estimated cost based on data volume.

   

4. Select Scan blobs for malware to initiate the scan. Confirm the action when prompted.

   

5. Monitor progress:

   • Scan status and findings are updated every 20-30 seconds.

   • View details such as scan status, blobs scanned, data scanned, malicious blobs found, and scan duration.

6. Review findings:

   • If threats are found, review the details under the Security incidents and alerts section.

   • Refresh the page if alerts aren't immediately visible.

   

Note

You can cancel an ongoing scan by selecting Cancel. Cancellation is only possible during the initial stages of the scan, before it reaches the Waiting for completion state. Once the scan enters this state or beyond, it's not be possible to cancel.

Use the REST API

Initiate the scan

To start a malware scan using the REST API, follow these steps:

• Request URL:

  POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}/providers/Microsoft.Security/defenderForStorageSettings/current/startMalwareScan?api-version=2024-10-01-preview
  

• Authentication:

  • Ensure you obtained a valid bearer token. This is required for API access.

• Example:

  POST https://management.azure.com/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/mystorageaccount/providers/Microsoft.Security/defenderForStorageSettings/current/StartMalwareScan?api-version=2024-10-01-preview
  Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOi...
  

Check scan status and results

Once a scan starts, you can check the status and review the results using the following commands:

• Request URL:

  GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}/providers/Microsoft.Security/defenderForStorageSettings/current/malwareScans/latest?api-version=2024-10-01-preview
  

• Response example:

  {
    "scanId": "abcd1234-5678-90ab-cdef-1234567890ab",
    "scanStatus": "InProgress",
    "scanStartTime": "2024-10-03T12:34:56Z",
    "scanSummary": {
      "blobs": {
        "totalBlobsScanned": 150,
        "maliciousBlobsCount": 2,
        "skippedBlobsCount": 0,
        "scannedBlobsInGB": 10.5
      },
      "estimatedScanCostUSD": 1.575
    }
  }
  

Cancel a scan

You can only cancel an in-progress scan during its initial stages. Once the scan reaches the WaitingForCompletion state or beyond, cancellation isn't possible. To cancel the scan, send the following cancellation request:

• Request URL:

  POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}/providers/Microsoft.Security/defenderForStorageSettings/current/malwareScans/latest/cancelMalwareScan?api-version=2024-10-01-preview
  

Cost considerations

Before starting an on-demand scan, the Azure portal provides a cost estimate based on the Blob Capacity metric, updated every few hours. The estimate is shown in USD and reflects the cost per GB scanned. Unlike on-upload scanning, there's no monthly cap—costs are entirely based on usage.

Best practices for cost control

• Review cost estimates: Always check the estimated cost in the Azure portal before initiating a scan.
• Set scanning frequency wisely: Schedule or automate scans based on risk, focusing on high-priority data to avoid unnecessary costs.
• Automate efficiently: Ensure automation triggers scans only when needed, such as in response to specific events or alerts.

Best practices

To maximize the effectiveness of on-demand malware scanning in Microsoft Defender for Storage, consider the following recommendations:

• Integrate with incident response: Use on-demand scanning to quickly address security incidents by scanning potentially compromised files in response to alerts.
• Automate compliance scans: Set up automated, regular scans to ensure ongoing compliance with regulatory requirements and audit readiness. Use Logic Apps or runbooks to streamline this process.
• Set up automated responses to scan results: Configure automated workflows that respond to malware scan results, such as moving infected files to quarantine or forwarding clean files.
• Manage costs proactively: Always review cost estimates provided in the Azure portal before initiating scans, especially for large datasets or frequent scans.
• Monitor results consistently: Continuously monitor scan outcomes and security alerts to stay informed about potential threats and take timely action.

Related content

• Introduction to malware scanning
• On-upload malware scanning in Microsoft Defender for Storage