Agentless machine scanning

Microsoft Defender for Cloud improves compute posture for Azure, AWS and GCP environments with machine scanning. For requirements and support, see the compute support matrix in Defender for Cloud.

Agentless scanning for virtual machines (VM) provides:

• Broad, frictionless visibility into your software inventory using Microsoft Defender Vulnerability Management.
• Deep analysis of operating system configuration and other machine meta data.
• Vulnerability assessment using Defender Vulnerability Management.
• Secret scanning to locate plain text secrets in your compute environment.
• Threat detection with agentless malware scanning, using Microsoft Defender Antivirus.

Agentless scanning assists you in the identification process of actionable posture issues without the need for installed agents, network connectivity, or any effect on machine performance. Agentless scanning is available through both the Defender Cloud Security Posture Management (CSPM) plan and Defender for Servers P2 plan.

Availability

Aspect	Details
Release state:	GA
Pricing:	Requires either Defender Cloud Security Posture Management (CSPM) or Microsoft Defender for Servers Plan 2
Supported use cases:	Vulnerability assessment (powered by Defender Vulnerability Management) Software inventory (powered by Defender Vulnerability Management) Secret scanning Malware scanning (Preview) Only available with Defender for Servers plan 2
Clouds:	Azure Commercial clouds Azure Government Microsoft Azure operated by 21Vianet Connected AWS accounts Connected GCP projects
Operating systems:	Windows Linux
Instance and disk types:	Azure Standard VMs Unmanaged disks Virtual machine scale set - Flex Virtual machine scale set - Uniform AWS EC2 Auto Scale instances Instances with a ProductCode (Paid AMIs) GCP Compute instances Instance groups (managed and unmanaged)
Encryption:	Azure Unencrypted Encrypted – managed disks using Azure Storage encryption with platform-managed keys (PMK) Encrypted – other scenarios using platform-managed keys (PMK) Encrypted – customer-managed keys (CMK) (preview) AWS Unencrypted Encrypted - PMK Encrypted - CMK GCP Google-managed encryption key Customer-managed encryption key (CMEK) Customer-supplied encryption key (CSEK)

How agentless scanning works

Agentless scanning for VMs uses cloud APIs to collect data. Whereas agent-based methods use operating system APIs in runtime to continuously collect security related data. Defender for Cloud takes snapshots of VM disks and performs an out-of-band, deep analysis of the operating system configuration and file system stored in the snapshot. The copied snapshot remains in the same region as the VM. The VM isn't affected by the scan.

After acquiring the necessary metadata is acquired from the copied disk, Defender for Cloud immediately deletes the copied snapshot of the disk and sends the metadata to Microsoft engines to detect configuration gaps and potential threats. For example, in vulnerability assessment, the analysis is done by Defender Vulnerability Management. The results are displayed in Defender for Cloud, which consolidates both the agent-based and agentless results on the Security alerts page.

The scanning environment where disks are analyzed is regional, volatile, isolated, and highly secure. Disk snapshots and data unrelated to the scan aren't stored longer than is necessary to collect the metadata, typically a few minutes.

Next steps

This article explains how agentless scanning works and how it helps you collect data from your machines.

• Learn more about how to enable agentless scanning for VMs.

• Check out common questions about agentless scanning and how it affects the subscription/account, agentless data collection, and permissions used by agentless scanning.