Add Anti-Malware AzureRM IaaS VM
Hello,
By default, the IaaS virtual machine images delivered by Microsoft do not have any anti-malware installed. Microsoft provides a VM extension (IaaSAntimalware) that adds anti-malware protection for free; you just need to attach it to your VM.
Add Anti-Malware AzureRM IaaS VM – GUI
You can add it one VM at a time through the GUI:
Add Anti-Malware AzureRM IaaS VM – PowerShell
You can also add it one VM at a time with PowerShell:
# Set these to the target VM (placeholders; define them before running)
$ResourceGroupName = '<resource-group>'
$Name              = '<vm-name>'
$Location          = '<region>'

# Extension settings: the JSON consumed by the IaaSAntimalware handler
$RegularServer = @'
{
  "AntimalwareEnabled": true,
  "RealtimeProtectionEnabled": true,
  "ScheduledScanSettings": {
    "isEnabled": false,
    "day": 1,
    "time": 180,
    "scanType": "Full"
  },
  "Exclusions": {
    "Extensions": "",
    "Paths": "%allusersprofile%\NTUser.pol;%systemroot%\system32\GroupPolicy\Machine\registry.pol;%windir%\Security\database\*.chk;%windir%\Security\database\*.edb;%windir%\Security\database\*.jrs;%windir%\Security\database\*.log;%windir%\Security\database\*.sdb;%windir%\SoftwareDistribution\Datastore\Datastore.edb;%windir%\SoftwareDistribution\Datastore\Logs\edb.chk;%windir%\SoftwareDistribution\Datastore\Logs\edb*.log;%windir%\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs;%windir%\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs;%windir%\SoftwareDistribution\Datastore\Logs\Res1.log;%windir%\SoftwareDistribution\Datastore\Logs\Res2.log;%windir%\SoftwareDistribution\Datastore\Logs\tmp.edb",
    "Processes": ""
  }
}
'@

# Latest published major.minor of the extension (the image list is queried in North Europe)
$TypeHandlerVersion = ((Get-AzureRmVMExtensionImage -Location 'North Europe' -PublisherName 'Microsoft.Azure.Security' -Type 'IaaSAntimalware').Version[-1][0..2] -join '')

Set-AzureRmVMExtension -ResourceGroupName $ResourceGroupName -VMName $Name -Name 'IaaSAntimalware' `
    -Publisher 'Microsoft.Azure.Security' -ExtensionType 'IaaSAntimalware' `
    -SettingString $RegularServer -Location $Location -TypeHandlerVersion $TypeHandlerVersion
You can customize the settings in the JSON inside the $RegularServer variable to fit your needs.
Add Anti-Malware AzureRM IaaS VM – PowerShell All in One
Thanks to PowerShell, you can also loop through each of your subscriptions, and then through every VM inside each of them, to install this anti-malware extension:
# Extension settings: the JSON consumed by the IaaSAntimalware handler
$RegularServer = @'
{
  "AntimalwareEnabled": true,
  "RealtimeProtectionEnabled": true,
  "ScheduledScanSettings": {
    "isEnabled": false,
    "day": 1,
    "time": 180,
    "scanType": "Full"
  },
  "Exclusions": {
    "Extensions": "",
    "Paths": "%allusersprofile%\NTUser.pol;%systemroot%\system32\GroupPolicy\Machine\registry.pol;%windir%\Security\database\*.chk;%windir%\Security\database\*.edb;%windir%\Security\database\*.jrs;%windir%\Security\database\*.log;%windir%\Security\database\*.sdb;%windir%\SoftwareDistribution\Datastore\Datastore.edb;%windir%\SoftwareDistribution\Datastore\Logs\edb.chk;%windir%\SoftwareDistribution\Datastore\Logs\edb*.log;%windir%\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs;%windir%\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs;%windir%\SoftwareDistribution\Datastore\Logs\Res1.log;%windir%\SoftwareDistribution\Datastore\Logs\Res2.log;%windir%\SoftwareDistribution\Datastore\Logs\tmp.edb",
    "Processes": ""
  }
}
'@

# Latest published major.minor of the extension (the image list is queried in North Europe)
$TypeHandlerVersion = ((Get-AzureRmVMExtensionImage -Location 'North Europe' -PublisherName 'Microsoft.Azure.Security' -Type 'IaaSAntimalware').Version[-1][0..2] -join '')

# Walk every subscription the current account can see, then every VM in it
Get-AzureRmSubscription | ForEach-Object {
    Set-AzureRmContext -SubscriptionName $_.SubscriptionName | Out-Null
    Get-AzureRmVM | ForEach-Object {
        Set-AzureRmVMExtension -ResourceGroupName $_.ResourceGroupName -VMName $_.Name -Name 'IaaSAntimalware' `
            -Publisher 'Microsoft.Azure.Security' -ExtensionType 'IaaSAntimalware' `
            -SettingString $RegularServer -Location $_.Location -TypeHandlerVersion $TypeHandlerVersion
    }
}
Note: it may take a few minutes to run depending on your workload.
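Rolling the extension out is only half the job; you also want to know which VMs are still without it (or where the deployment failed), and to avoid pushing a Windows-only extension at Linux VMs. The following audit function is an added example, not code from the original post: it walks the same subscriptions and VMs as the loop above, reports the extension's state for every Windows VM, and can optionally install it where it is missing. It assumes the AzureRM module and an already logged-in session, as on the page; the function name, its parameters, the OsType filter and the 'Succeeded' check are this example's own. The -SettingString parameter takes the same JSON as the page's $RegularServer variable.

```powershell
# Added example (not from the original post): audit every Windows IaaS VM in every
# subscription for the IaaSAntimalware extension, optionally remediating.
# Assumes the AzureRM module and an existing Login-AzureRmAccount session.
function Get-IaaSAntimalwareCompliance {
    [CmdletBinding()]
    param(
        # Settings JSON for the extension (for example the post's $RegularServer
        # here-string); only needed together with -Remediate.
        [string] $SettingString,
        [switch] $Remediate
    )

    foreach ($sub in Get-AzureRmSubscription) {
        Set-AzureRmContext -SubscriptionName $sub.SubscriptionName | Out-Null

        foreach ($vm in Get-AzureRmVM) {
            # The extension only exists for Windows; skip Linux VMs instead of
            # generating a failed deployment for each of them.
            if ($vm.StorageProfile.OsDisk.OsType -ne 'Windows') { continue }

            # Extensions already attached to the VM, filtered to the anti-malware one
            $ext = $vm.Extensions | Where-Object {
                $_.Publisher -eq 'Microsoft.Azure.Security' -and
                $_.VirtualMachineExtensionType -eq 'IaaSAntimalware'
            } | Select-Object -First 1

            $state = 'Missing'
            if ($ext) {
                # -Status returns the instance view, including the provisioning state
                $state = (Get-AzureRmVMExtension -ResourceGroupName $vm.ResourceGroupName `
                              -VMName $vm.Name -Name $ext.Name -Status).ProvisioningState
            }

            if ($Remediate -and $state -ne 'Succeeded') {
                if (-not $SettingString) { throw '-Remediate requires -SettingString' }

                # Latest major.minor of the extension in the VM's own region. The
                # [version] cast avoids the page's 3-character slice, which breaks
                # once a major or minor number has two digits (e.g. 1.10).
                $latest  = [version](Get-AzureRmVMExtensionImage -Location $vm.Location `
                               -PublisherName 'Microsoft.Azure.Security' `
                               -Type 'IaaSAntimalware').Version[-1]
                $version = '{0}.{1}' -f $latest.Major, $latest.Minor

                Set-AzureRmVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name `
                    -Name 'IaaSAntimalware' -Publisher 'Microsoft.Azure.Security' `
                    -ExtensionType 'IaaSAntimalware' -SettingString $SettingString `
                    -Location $vm.Location -TypeHandlerVersion $version | Out-Null
                $state = 'Remediated'
            }

            # One row per Windows VM; pipe to Where-Object / Export-Csv as needed
            [pscustomobject]@{
                Subscription  = $sub.SubscriptionName
                ResourceGroup = $vm.ResourceGroupName
                VM            = $vm.Name
                Antimalware   = $state
            }
        }
    }
}

# Usage: report only the VMs that still need attention
Get-IaaSAntimalwareCompliance | Where-Object Antimalware -ne 'Succeeded' | Format-Table -AutoSize
```

Run it without -Remediate first to get a read-only inventory; anything reported as Missing or Failed is a VM the all-in-one loop above skipped or could not provision. The SubscriptionName property matches the AzureRM version the post targets; newer AzureRM releases expose the same value as Name.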
Once you have run those lines, you can check inside the VM; the anti-malware agent should be there:
You can't start the GUI; this is by design:
This was an explicit design decision made for the Azure environment. The intent is to avoid modal dialogs and popups surfacing on unattended service machines.