Add Anti-Malware AzureRM IaaS VM

Hello,

By default, IaaS virtual machines deployed from Microsoft's images do not have any anti-malware installed. Microsoft offers a VM extension that provides anti-malware services for free; you just need to add it to your VM.

Add Anti-Malware AzureRM IaaS VM – GUI

You can add it one VM at a time through the GUI:

[Screenshot: Add Anti-Malware AzureRM IaaS VM – GUI]

Add Anti-Malware AzureRM IaaS VM – PowerShell

You can also add it one VM at a time with PowerShell:

# Extension settings: real-time protection on, scheduled scan off, plus the usual
# Windows exclusions (Group Policy, security database, Windows Update datastore).
$RegularServer = @'
{
    "AntimalwareEnabled": true,
    "RealtimeProtectionEnabled": true,
    "ScheduledScanSettings": {
        "isEnabled": false,
        "day": 1,
        "time": 180,
        "scanType": "Full"
    },
    "Exclusions": {
        "Extensions": "",
        "Paths": "%allusersprofile%\NTUser.pol;%systemroot%\system32\GroupPolicy\Machine\registry.pol;%windir%\Security\database\*.chk;%windir%\Security\database\*.edb;%windir%\Security\database\*.jrs;%windir%\Security\database\*.log;%windir%\Security\database\*.sdb;%windir%\SoftwareDistribution\Datastore\Datastore.edb;%windir%\SoftwareDistribution\Datastore\Logs\edb.chk;%windir%\SoftwareDistribution\Datastore\Logs\edb*.log;%windir%\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs;%windir%\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs;%windir%\SoftwareDistribution\Datastore\Logs\Res1.log;%windir%\SoftwareDistribution\Datastore\Logs\Res2.log;%windir%\SoftwareDistribution\Datastore\Logs\tmp.edb",
        "Processes": ""
    }
}
'@

# Target VM: replace these placeholder values with your own (they were not defined in the original snippet).
$ResourceGroupName = '<ResourceGroupName>'
$Name              = '<VMName>'
$Location          = '<Location, e.g. North Europe>'

# Take the latest published version of the extension and keep only Major.Minor,
# which is what -TypeHandlerVersion expects (e.g. '1.5').
$Latest = (Get-AzureRmVMExtensionImage -Location $Location -PublisherName 'Microsoft.Azure.Security' -Type 'IaaSAntimalware' |
           Sort-Object { [version]$_.Version })[-1].Version
$TypeHandlerVersion = ($Latest.Split('.')[0..1]) -join '.'

Set-AzureRmVMExtension -ResourceGroupName $ResourceGroupName -VMName $Name -Name 'IaaSAntimalware' -Publisher 'Microsoft.Azure.Security' -ExtensionType 'IaaSAntimalware' -SettingString $RegularServer -Location $Location -TypeHandlerVersion $TypeHandlerVersion

You can customize the settings in the JSON inside the $RegularServer variable to fit your needs (scheduled scans, exclusions, and so on).

Add Anti-Malware AzureRM IaaS VM – PowerShell All in One

Thanks to PowerShell, you can also loop through each of your subscriptions, then through every VM in each one, to install the anti-malware extension everywhere:

$RegularServer = @'
{
    "AntimalwareEnabled": true,
    "RealtimeProtectionEnabled": true,
    "ScheduledScanSettings": {
        "isEnabled": false,
        "day": 1,
        "time": 180,
        "scanType": "Full"
    },
    "Exclusions": {
        "Extensions": "",
        "Paths": "%allusersprofile%\NTUser.pol;%systemroot%\system32\GroupPolicy\Machine\registry.pol;%windir%\Security\database\*.chk;%windir%\Security\database\*.edb;%windir%\Security\database\*.jrs;%windir%\Security\database\*.log;%windir%\Security\database\*.sdb;%windir%\SoftwareDistribution\Datastore\Datastore.edb;%windir%\SoftwareDistribution\Datastore\Logs\edb.chk;%windir%\SoftwareDistribution\Datastore\Logs\edb*.log;%windir%\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs;%windir%\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs;%windir%\SoftwareDistribution\Datastore\Logs\Res1.log;%windir%\SoftwareDistribution\Datastore\Logs\Res2.log;%windir%\SoftwareDistribution\Datastore\Logs\tmp.edb",
        "Processes": ""
    }
}
'@

# Latest Major.Minor version of the extension. The lookup is done once, in North Europe,
# on the assumption that the same version is published in every region you deploy to.
$Latest = (Get-AzureRmVMExtensionImage -Location 'North Europe' -PublisherName 'Microsoft.Azure.Security' -Type 'IaaSAntimalware' |
           Sort-Object { [version]$_.Version })[-1].Version
$TypeHandlerVersion = ($Latest.Split('.')[0..1]) -join '.'

Get-AzureRmSubscription | ForEach-Object {
    Set-AzureRmContext -SubscriptionName $_.SubscriptionName | Out-Null
    # IaaSAntimalware is a Windows-only extension: skip Linux VMs so the loop does not fail on them.
    Get-AzureRmVM | Where-Object { $_.StorageProfile.OsDisk.OsType -eq 'Windows' } | ForEach-Object {
        Set-AzureRmVMExtension -ResourceGroupName $_.ResourceGroupName -VMName $_.Name -Name 'IaaSAntimalware' -Publisher 'Microsoft.Azure.Security' -ExtensionType 'IaaSAntimalware' -SettingString $RegularServer -Location $_.Location -TypeHandlerVersion $TypeHandlerVersion
    }
}
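Installing is only half the job: after a fleet-wide rollout you want to know which VMs actually got the extension and whether every install reached the Succeeded state. The script below is an added example written for this post (it is not the author's code) that walks the same subscription/VM loop in read-only mode and builds a coverage report. It assumes the AzureRM module is loaded, that you are already signed in, and that Get-AzureRmVMExtension returns all extensions of a VM when -Name is omitted; the output file name is a placeholder.

```powershell
# Added example (not from the original post): audit IaaSAntimalware coverage across
# every subscription. Read-only; nothing is installed or changed.

$Report = Get-AzureRmSubscription | ForEach-Object {
    Set-AzureRmContext -SubscriptionName $_.SubscriptionName | Out-Null
    $SubscriptionName = $_.SubscriptionName

    # Only Windows VMs are in scope: the IaaSAntimalware extension does not apply to Linux.
    Get-AzureRmVM | Where-Object { $_.StorageProfile.OsDisk.OsType -eq 'Windows' } | ForEach-Object {
        $Vm = $_

        # All extensions on the VM, filtered down to the Microsoft anti-malware one.
        # Assumption: -Name is optional on this version of Get-AzureRmVMExtension.
        $Ext = Get-AzureRmVMExtension -ResourceGroupName $Vm.ResourceGroupName -VMName $Vm.Name -ErrorAction SilentlyContinue |
               Where-Object { $_.Publisher -eq 'Microsoft.Azure.Security' -and $_.ExtensionType -eq 'IaaSAntimalware' }

        [pscustomobject]@{
            Subscription      = $SubscriptionName
            ResourceGroup     = $Vm.ResourceGroupName
            VMName            = $Vm.Name
            Location          = $Vm.Location
            ExtensionPresent  = [bool]$Ext
            ProvisioningState = if ($Ext) { $Ext.ProvisioningState } else { 'Missing' }
            Version           = if ($Ext) { $Ext.TypeHandlerVersion } else { '' }
        }
    }
}

# VMs that still need attention: extension absent, or an install that did not succeed.
$Report |
    Where-Object { -not $_.ExtensionPresent -or $_.ProvisioningState -ne 'Succeeded' } |
    Format-Table Subscription, ResourceGroup, VMName, ProvisioningState -AutoSize

# Full inventory, e.g. as evidence for a change ticket or compliance review (placeholder path).
$Report | Export-Csv -Path '.\IaaSAntimalware-coverage.csv' -NoTypeInformation
```

Run it once before the rollout to get a baseline and once after to confirm the gap is closed; any VM that keeps showing a ProvisioningState other than Succeeded is worth inspecting on the machine itself (the extension logs under C:\WindowsAzure\Logs on the guest) rather than re-running the install blindly.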

Note: it may take a few minutes to run, depending on your workload.

Once those lines have run, you can check inside the VM; the anti-malware agent should be there:

[Screenshot: Add Anti-Malware AzureRM IaaS VM – SCEP]

You can't start the GUI; this is by design:

[Screenshot: Add Anti-Malware AzureRM IaaS VM – No SCEP GUI]

Microsoft said:

This was an explicit design decision made for the Azure environment. The intent is to avoid modal dialogs and popups surfacing on unattended service machines.
