Security Control: Malware Defense

Control the installation, spread, and execution of malicious code at multiple points in the environment, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.

8.1: Use centrally managed anti-malware software

| Azure ID | CIS IDs | Responsibility |
|--|--|--|
| 8.1 | 8.1 | Customer |

Use Microsoft Antimalware for Azure Cloud Services and Virtual Machines to continuously monitor and defend your resources. For Linux, use a third-party antimalware solution. Also, use Azure Security Center's Threat detection for data services to detect malware uploaded to storage accounts.

8.2: Pre-scan files to be uploaded to non-compute Azure resources

| Azure ID | CIS IDs | Responsibility |
|--|--|--|
| 8.2 | 8.1 | Customer |

Microsoft Antimalware is enabled on the underlying host that supports Azure services (for example, Azure App Service); however, it does not run on your content.

Pre-scan any files being uploaded to non-compute Azure resources, such as App Service, Data Lake Storage, and Blob Storage.

Use Azure Security Center's Threat detection for data services to detect malware uploaded to storage accounts.
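A pre-scan gate for the upload step in 8.2, as an added example that is not part of the original guidance or Microsoft's own code: it uploads a file only after a scanner reports it clean, and blocks the upload on any scanner error or if the file changes during the scan. The scanner command, its clamscan-style exit codes, and the `upload` callable are assumptions; `stub_scanner` is a constructed stand-in so the block runs without a scanner installed.

```python
import hashlib
import subprocess
import sys
from pathlib import Path

# Assumption: the scanner follows the clamscan exit-code convention
# (0 = no threat found, 1 = threat found, anything else = scanner error).
CLEAN, INFECTED = 0, 1


def sha256_of(path):
    """Hash the file so the verdict can be tied to exact content in audit logs."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def prescan_then_upload(path, scan_cmd, upload):
    """Run scan_cmd on path; call upload(path) only on a clean verdict (fail closed)."""
    path = Path(path)
    result = {"file": str(path), "sha256": sha256_of(path), "uploaded": False}
    try:
        code = subprocess.run([*scan_cmd, str(path)], capture_output=True, timeout=300).returncode
    except (OSError, subprocess.TimeoutExpired):
        code = None  # scanner binary missing or hung: treated as a scan error
    if code == INFECTED:
        result["verdict"] = "infected"
    elif code != CLEAN:
        result["verdict"] = "scan-error"
    elif sha256_of(path) != result["sha256"]:
        result["verdict"] = "changed-during-scan"  # content no longer matches what was scanned
    else:
        result["verdict"] = "clean"
        upload(path)  # hypothetical uploader, e.g. a wrapper around your storage client
        result["uploaded"] = True
    return result


def stub_scanner(exit_code):
    """Constructed stand-in for a real scanner: ignores the file, exits with exit_code."""
    return [sys.executable, "-c", f"import sys; sys.exit({exit_code})"]


if __name__ == "__main__":
    print(prescan_then_upload(__file__, stub_scanner(1), upload=print))
```

Log the returned `sha256` and `verdict` with each upload attempt so a later detection on the storage account can be traced back to the scan that admitted the file.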

8.3: Ensure anti-malware software and signatures are updated

| Azure ID | CIS IDs | Responsibility |
|--|--|--|
| 8.3 | 8.2 | Customer |

Microsoft Antimalware will automatically install the latest signatures and engine updates by default. Follow recommendations in Azure Security Center: "Compute & Apps" to ensure all endpoints are up to date with the latest signatures. For Linux, use a third-party antimalware solution.
