Manage endpoint protection issues with Azure Security Center
Azure Security Center monitors the status of antimalware protection on your virtual machines (VMs) and computers and reports it under the Endpoint protection issues blade. Security Center highlights issues, such as detected threats and insufficient protection, that leave your VMs and computers exposed to malware. Use the information under Endpoint protection issues to plan how to address the issues identified.
Security Center reports the following endpoint protection issues:
- Endpoint protection not installed on Azure VMs – A supported antimalware solution is not installed on these Azure VMs.
- Endpoint protection not installed on non-Azure computers – A supported antimalware solution is not installed on these non-Azure computers.
Endpoint protection health:
- Signature out of date – An antimalware solution is installed on these VMs and computers, but it does not have the latest antimalware signatures.
- No real-time protection – An antimalware solution is installed on these VMs and computers, but it is not configured for real-time protection. Either the service is disabled, or Security Center cannot obtain the status because the solution is not supported. See Partner integration for a list of supported solutions.
- Not reporting – An antimalware solution is installed but is not reporting data.
- Unknown – An antimalware solution is installed, but its status is unknown or it is reporting an unknown error.
See Integrate security solutions for a list of endpoint protection security solutions integrated with Security Center.
Implement the recommendation
Endpoint protection issues is presented as a recommendation in Security Center. If your environment is exposed to malware, this recommendation is displayed under Recommendations and under Compute. To see the Endpoint protection issues dashboard, follow the Compute workflow.
In this example, we use Compute and look at how to install antimalware on Azure VMs and on non-Azure computers.
Install antimalware on Azure VMs
Select Compute under the Security Center main menu or Overview.
Under Compute, select Endpoint protection issues. The Endpoint protection issues dashboard opens.
The top of the dashboard provides:
- Installed endpoint protection providers - Lists the different providers identified by Security Center.
- Installed endpoint protection health state - Shows the health state of VMs and computers that have an endpoint protection solution installed. The chart shows the number of VMs and computers that are healthy and the number with insufficient protection.
- Malware detected – Shows the number of VMs and computers where Security Center is reporting detected malware.
- Attacked computers – Shows the number of VMs and computers where Security Center is reporting malware attacks.
At the bottom of the dashboard there is a list of endpoint protection issues which includes the following information:
- TOTAL - The number of VMs and computers impacted by the issue.
- A bar aggregating the number of VMs and computers impacted by the issue. The colors in the bar identify priority:
  - Red - High priority and should be addressed immediately
  - Orange - Medium priority and should be addressed as soon as possible
Select Endpoint protection not installed on Azure VMs.
Under Endpoint protection not installed on Azure VMs is a list of Azure VMs that do not have antimalware installed. You can install antimalware on all VMs in the list, or select individual VMs by clicking the specific VM.
- Under Select Endpoint protection, select the endpoint protection solution you want to use. In this example, select Microsoft Antimalware.
- Additional information about the endpoint protection solution is displayed. Select Create.
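The portal steps above deploy the Microsoft Antimalware VM extension one recommendation at a time. The following PowerShell script is an added example, not code from this page or from Microsoft, that does the same thing for every Windows VM in a resource group and then verifies the extension state. It assumes the Az PowerShell module and a signed-in session (Connect-AzAccount); the resource group name is a placeholder, and the extension settings follow the documented Microsoft Antimalware configuration schema (publisher Microsoft.Azure.Security, extension type IaaSAntimalware).

```powershell
# Added example (not from the page): deploy the Microsoft Antimalware
# extension to every Windows VM in a resource group that lacks it, then
# re-read the provisioning state. Assumes the Az module and a signed-in
# session; $resourceGroup is a placeholder (assumption).
$resourceGroup = 'rg-prod-web'

# Settings in the documented IaaSAntimalware schema. Real-time protection
# and a scheduled scan are exactly what the "No real-time protection" and
# "Signature out of date" health states flag when missing.
$settings = @{
    AntimalwareEnabled        = $true
    RealtimeProtectionEnabled = $true
    ScheduledScanSettings     = @{
        isEnabled = $true
        day       = 7        # 0 = daily, 1 = Sunday ... 7 = Saturday, 8 = disabled
        time      = 120      # minutes after midnight (02:00)
        scanType  = 'Quick'
    }
    Exclusions = @{
        Extensions = ''      # keep exclusions empty unless justified; each one is a blind spot
        Paths      = ''
        Processes  = ''
    }
}

foreach ($vm in Get-AzVM -ResourceGroupName $resourceGroup) {
    # The IaaSAntimalware extension targets Windows only.
    if ($vm.StorageProfile.OsDisk.OsType -ne 'Windows') {
        Write-Host "Skipping $($vm.Name): not a Windows VM"
        continue
    }

    $existing = Get-AzVMExtension -ResourceGroupName $resourceGroup -VMName $vm.Name -ErrorAction SilentlyContinue |
        Where-Object { $_.Publisher -eq 'Microsoft.Azure.Security' -and $_.ExtensionType -eq 'IaaSAntimalware' }
    if ($existing) {
        Write-Host "$($vm.Name): IaaSAntimalware already present ($($existing.ProvisioningState))"
        continue
    }

    Write-Host "$($vm.Name): installing IaaSAntimalware"
    Set-AzVMExtension -ResourceGroupName $resourceGroup `
        -VMName $vm.Name `
        -Location $vm.Location `
        -Name 'IaaSAntimalware' `
        -Publisher 'Microsoft.Azure.Security' `
        -ExtensionType 'IaaSAntimalware' `
        -TypeHandlerVersion '1.3' `
        -SettingString ($settings | ConvertTo-Json -Depth 5)
}

# Verify: every Windows VM should now show the extension as Succeeded.
# A VM missing from this list is still unprotected and will stay on the
# Security Center recommendation.
Get-AzVM -ResourceGroupName $resourceGroup |
    ForEach-Object {
        Get-AzVMExtension -ResourceGroupName $resourceGroup -VMName $_.Name `
            -Name 'IaaSAntimalware' -ErrorAction SilentlyContinue
    } |
    Select-Object VMName, ProvisioningState, TypeHandlerVersion
```

Deploying the extension through a script rather than the portal is what makes the fix repeatable: the same settings hash can be kept in source control, and re-running the script after new VMs are created keeps the recommendation from reappearing. Security Center's health state lags the deployment by one assessment cycle, so the extension list, not the dashboard, is the immediate confirmation.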
Install antimalware on non-Azure computers
Go back to Endpoint protection issues and select Endpoint protection not installed on non-Azure computers.
Under Endpoint protection not installed on non-Azure computers, select a workspace. A Log Analytics search query filtered to the workspace opens and lists computers missing antimalware. Select a computer from the list for more information.
Another search result opens with information filtered only for that computer.
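The non-Azure workflow above drops you into a Log Analytics search; the health states listed earlier in this article (signature out of date, no real-time protection, not reporting, unknown) are derived from the same workspace data. The following script is an added example, not code from this page or from Microsoft, that runs two such queries from PowerShell so the results can be scripted rather than read off one computer at a time. It assumes the Az.OperationalInsights module, a signed-in session, and a placeholder workspace ID; the ProtectionStatus table and Heartbeat table are the ones populated by the Log Analytics agent, and the healthy status string "Real Time Protection Enabled" is an assumption taken from that table's reported values, so check it against your own data.

```powershell
# Added example (not from the page): query the Log Analytics workspace
# that Security Center uses for non-Azure computers. Assumes the
# Az.OperationalInsights module and a signed-in session; $workspaceId is
# a placeholder (assumption).
$workspaceId = '00000000-0000-0000-0000-000000000000'

# Query 1: latest ProtectionStatus row per computer, keeping only those
# that are not fully healthy. The healthy status string is an assumption;
# adjust it if your workspace reports a different value.
$unhealthyQuery = @'
ProtectionStatus
| summarize arg_max(TimeGenerated, *) by Computer
| where ProtectionStatus != "Real Time Protection Enabled"
| project Computer, ProtectionStatus, TypeofProtection, ThreatStatus, TimeGenerated
| order by ProtectionStatus asc
'@

# Query 2: computers that heartbeat but have sent no ProtectionStatus rows
# at all in the window. These are the "not installed" or "not reporting"
# cases that a status-only query silently misses.
$silentQuery = @'
Heartbeat
| where TimeGenerated > ago(7d)
| summarize LastHeartbeat = max(TimeGenerated) by Computer
| join kind=leftanti (
    ProtectionStatus
    | where TimeGenerated > ago(7d)
    | distinct Computer
  ) on Computer
| order by LastHeartbeat desc
'@

$window = New-TimeSpan -Days 7

Write-Host '== Computers with an unhealthy antimalware state =='
$unhealthy = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $unhealthyQuery -Timespan $window
$unhealthy.Results | Format-Table -AutoSize

Write-Host '== Computers heartbeating with no antimalware assessment =='
$silent = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $silentQuery -Timespan $window
$silent.Results | Format-Table -AutoSize

# Summary counts: the second figure is the one most often overlooked,
# because a computer that never reports never shows up as "unhealthy".
Write-Host ("Unhealthy: {0}  Not reporting: {1}" -f `
    @($unhealthy.Results).Count, @($silent.Results).Count)
```

The second query is the practical check: a host that has the agent but no antimalware assessment looks clean in any query filtered on ProtectionStatus, so pairing the status query with a Heartbeat anti-join is what turns the dashboard's "Not reporting" bucket into a concrete list of computers to fix.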
We recommend that endpoint protection be provisioned for all VMs and computers to help identify and remove viruses, spyware, and other malicious software.
This article showed you how to implement the Security Center recommendation "Install Endpoint Protection." To learn more about enabling Microsoft Antimalware in Azure, see the following document:
- Microsoft Antimalware for Cloud Services and Virtual Machines -- Learn how to deploy Microsoft Antimalware.
To learn more about Security Center, see the following documents:
- Setting security policies in Azure Security Center -- Learn how to configure security policies.
- Managing security recommendations in Azure Security Center -- Learn how recommendations help you protect your Azure resources.
- Security health monitoring in Azure Security Center -- Learn how to monitor the health of your Azure resources.
- Managing and responding to security alerts in Azure Security Center -- Learn how to manage and respond to security alerts.
- Monitoring partner solutions with Azure Security Center -- Learn how to monitor the health status of your partner solutions.
- Azure Security Center FAQ -- Find frequently asked questions about using the service.
- Azure Security blog -- Find blog posts about Azure security and compliance.