Security Control: Malware Defense
Note
The most up-to-date Azure Security Benchmark is available here.
Control the installation, spread, and execution of malicious code at multiple points in the environment, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.
8.1: Use centrally managed anti-malware software
Azure ID | CIS IDs | Responsibility |
---|---|---|
8.1 | 8.1 | Customer |
Use Microsoft Antimalware for Azure Cloud Services and Virtual Machines to continuously monitor and defend your resources. For Linux, use third party antimalware solution. Also, use Azure Defender for Storage to detect malware uploaded to storage accounts.
8.2: Pre-scan files to be uploaded to non-compute Azure resources
Azure ID | CIS IDs | Responsibility |
---|---|---|
8.2 | 8.1 | Customer |
Microsoft Antimalware is enabled on the underlying host that supports Azure services (for example, Azure App Service), however it does not run on your content.
Pre-scan any files being uploaded to non-compute Azure resources, such as App Service, Data Lake Storage, Blob Storage, etc.
Use Azure Defender for Storage to detect malware uploaded to storage accounts.
8.3: Ensure anti-malware software and signatures are updated
Azure ID | CIS IDs | Responsibility |
---|---|---|
8.3 | 8.2 | Customer |
Microsoft Antimalware will automatically install the latest signatures and engine updates by default. Follow recommendations in Azure Security Center: "Compute & Apps" to ensure all endpoints are up to date with the latest signatures. For Linux, use third party antimalware solution.
Next steps
- See the next Security Control: Data Recovery