Update on Microsoft Antimalware and Azure Resource Manager (ARM) VMs

  • Article

imageHello Azure security community!

Yuri Diogenes (CSI Enterprise Mobility and Azure Security team) here. Recently we updated our Microsoft Antimalware for Azure Cloud Services and Virtual Machines article and had some interesting discussions regarding Azure antimalware on ARM VMs.

While our original article has many examples for antimalware deployment using PowerShell, scripts for ARM VMs were not provided.

With the great assistance of Rakesh Narayan, Azure Security PM the following sample script was developed to fill this gap:

# Script to add Microsoft Antimalware extension to Azure Resource Manager (IAAS V2) VM’s# Specify your subscription ID#$subscriptionId= "SUBSCRIPTION ID HERE"# specify location, resource group, and VM for the extension#$location = "LOCATION HERE" # eg., “Southeast Asia” or “Central US”#$resourceGroupName = "RESOURCE GROUP NAME HERE"#$vmName = "VM NAME HERE"# Configuration.JSON configuration file can be customized as per MSDN documentation: https://msdn.microsoft.com/en-us/library/dn771716.aspx#$settingString = ‘{"AntimalwareEnabled": true}’;# Login to your Azure Resource Manager Account and select the Subscription to useLogin-AzureRmAccountSelect-AzureRmSubscription -SubscriptionId $subscriptionId# retrieve the most recent version number of the extension$allVersions= (Get-AzureRmVMExtensionImage -Location $location -PublisherName “Microsoft.Azure.Security” -Type “IaaSAntimalware”).Version$versionString = $allVersions[($allVersions.count)-1].Split(“.”)[0] + “.” + $allVersions[($allVersions.count)-1].Split(“.”)[1]# set the extension using prepared values# ****—-Use this script till cmdlets address the -SettingsString format issue we observed ****—-Set-AzureRmVMExtension -ResourceGroupName $resourceGroupName -Location $location -VMName $vmName -Name "IaaSAntimalware" -Publisher “Microsoft.Azure.Security” -ExtensionType “IaaSAntimalware” -TypeHandlerVersion $versionString -SettingString $settingString

You can also add a config file by using the line below:

Get-AzureVM -ServiceName $service -Name $name | Set-AzureVMMicrosoftAntimalwareExtension -AntimalwareConfiguration $config_string

Note:
The JSON configuration file can be customized using this article from MSDN

After deploying the antimalware using Set-AzureRmVMExtension, the antimalware user interface (UI) will not be available for the end user. As part of its setup, the Azure Antimalware extension modifies the policy to explicitly turn off the UI within the virtual machine.

This was an explicit design decision made for the Azure environment. The intent is to avoid modal dialogs and popups surfacing on unattended service machines. If you try to modify the antimalware settings via UI you may receive the following error message:

clip_image002

Important:
Changing the cleanuppolicy.xml file to bypass this error message is not a supported action.

Kudos also to Milind Pawar and Eric Jarvi for their contribution on this case.