How To Update #Microsoft #Antimalware Policies For #Azure Virtual Machines With #PowerShell #ARM #JSON #AzureSecurity

Introduction

Microsoft Antimalware for Azure Virtual Machines is a real-time protection capability that helps identify and remove viruses, spyware, and other malicious software, with configurable alerts when known malicious or unwanted software attempts to install itself or run on your system. The solution can be enabled and configured from the Azure Portal, the Azure REST API, and the Azure PowerShell cmdlets.

The Microsoft Antimalware extension is supported on the Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 operating system families. Windows Defender is the built-in antimalware enabled in Windows Server 2016 and Windows Server 2019. The Azure VM Antimalware extension can still be added to a Windows Server 2016 or Windows Server 2019 Azure VM that has Windows Defender, but in this scenario the extension only applies the optional configuration policies (exclusions, scheduled scans, and so on) to Windows Defender; it does not deploy an additional antimalware service. You can read more about this update here.

Install Microsoft Antimalware for Azure Virtual Machines

To enable Antimalware with a custom configuration, enter the supported values for the configuration settings provided on the Install Extension blade, such as excluded file extensions and processes as shown in the following screenshot, and then click OK.

Once the Antimalware extension has been provisioned successfully, you can check the configuration settings in several ways:

Azure Portal ARM Template

You can go to the Azure portal, open the virtual machine's Automation Script (the exported ARM template), and look for the extension resource:

  "publisher": "Microsoft.Azure.Security",
  "type": "[parameters('extensions_IaaSAntimalware_name')]",

The settings block of that resource contains the values you set at the initial installation.

Windows Defender

You can also log in to the virtual machine and open Windows Defender > Exclusions.

If you are using an earlier OS version than Windows Server 2016 or Windows Server 2019, then you should look for Microsoft Antimalware instead of Windows Defender.

Registry

You can also open the Registry and look under one of these locations, depending on your operating system:

  • Windows Server 2016 / 2019: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions
  • Windows Server 2012 / R2: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions
  • Windows Server 2008 R2: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions
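The same check, scripted so it can be run on any of the three OS families without remembering which key applies: the following is an added example (not a script from the original post) that picks the registry root by OS build number, lists the exclusion value names under the Extensions, Paths, and Processes keys, and on Windows Server 2016/2019 also prints what the Defender cmdlets report. The build-number thresholds are assumptions based on the published build numbers of those releases; run it on the VM in an elevated PowerShell session, because the Defender exclusion keys are not readable by standard users.

```powershell
# Added example (not from the original post): enumerate the Antimalware / Defender
# exclusions currently in effect on this VM, choosing the registry location by
# operating-system build number, as in the list above. Run elevated, on the VM.

$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber

# Registry roots per OS family (the three locations listed above).
# Thresholds are an assumption: 14393 = Server 2016 RTM, 9200 = Server 2012 RTM.
if ($build -ge 14393) {          # Windows Server 2016 / 2019 (built-in Windows Defender)
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'
} elseif ($build -ge 9200) {     # Windows Server 2012 / 2012 R2 (Microsoft Antimalware)
    $root = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions'
} else {                         # Windows Server 2008 R2 (Microsoft Antimalware, policy hive)
    $root = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions'
}

Write-Output "OS build $build -> reading exclusions from $root"

foreach ($kind in 'Extensions', 'Paths', 'Processes') {
    $key = Join-Path $root $kind
    if (-not (Test-Path $key)) {
        Write-Output "${kind}: (key not present)"
        continue
    }
    # Each exclusion is stored as a value NAME under the key; the value data itself
    # carries no information, so only the names are listed.
    $names = (Get-Item $key).GetValueNames() | Where-Object { $_ -ne '' }
    if ($names) {
        Write-Output ("{0}: {1}" -f $kind, ($names -join ', '))
    } else {
        Write-Output "${kind}: (none)"
    }
}

# On Server 2016 / 2019 the extension configures Windows Defender, so the same
# exclusions are visible through the Defender cmdlets as well.
if ($build -ge 14393 -and (Get-Command Get-MpPreference -ErrorAction SilentlyContinue)) {
    Get-MpPreference | Select-Object ExclusionExtension, ExclusionPath, ExclusionProcess | Format-List
}
```

If the Get-MpPreference output and the registry listing disagree, the extension has most likely not finished applying its settings yet; re-check after the extension reports a successful provisioning state in the portal.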

Now you want to update the Antimalware settings to add additional exclusions for file extensions, paths, and processes.

Unfortunately, you cannot update the policy through the Azure Portal. The remaining options for updating the configuration settings are an ARM JSON template applied with PowerShell, or logging in to each virtual machine and changing the settings manually, which does not scale when you have to update the policy on many virtual machines.

In this blog post, I will show you how to update Microsoft Antimalware policies through the ARM JSON template so you can automate this process across multiple Azure virtual machines.

Update Microsoft Antimalware Policies

First, you need to customize a JSON template as described in the MSDN documentation here. For the purpose of this example, I will use the following updated JSON configuration file:

Next, you need to save the JSON template. In this example, I saved it under C:\Temp and I named it template.JSON.

Open an elevated PowerShell window and run the following script.

You will be asked to enter additional details such as Azure subscription name, Azure region, Azure virtual machine name, and resource group name.

Now hop over to the virtual machine and confirm that the policy has been updated. In this example, I added an exclusion for the SQL .ldf extension and two paths: D:\IISlogs and D:\DatabaseLogs.
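The post's own script is not reproduced on this page, so the following is an added example (not the author's script) of the same procedure written against the Az PowerShell module: it loads the policy from C:\Temp\template.json, validates it, re-applies the IaaSAntimalware extension with the new settings on a list of VMs, and reads the extension status back. The subscription, resource group, VM names, and the constructed fallback policy are placeholders; the extension name IaaSAntimalware is assumed to match the one the portal created (as the exported template's extensions_IaaSAntimalware_name parameter suggests), and the type handler version 1.3 is the one used in the Microsoft documentation sample at the time. With the older AzureRM module the cmdlets are named Set-AzureRmVMExtension and Get-AzureRmVMExtension instead.

```powershell
# Added example (not the original post's script): push an updated Microsoft
# Antimalware policy to one or more Azure VMs by re-applying the IaaSAntimalware
# extension. Requires the Az module (Az.Accounts, Az.Compute). Placeholders:
# subscription, resource group and VM names; TypeHandlerVersion is an assumption.
param(
    [string]   $SubscriptionName  = 'My Subscription',       # assumption
    [string]   $ResourceGroupName = 'RG-Prod',               # assumption
    [string[]] $VMNames           = @('SQL01', 'WEB01'),     # assumption
    [string]   $TemplatePath      = 'C:\Temp\template.json'  # path used in the post
)

# Constructed fallback policy, mirroring the exclusions mentioned in the post
# (.ldf extension, D:\IISlogs and D:\DatabaseLogs). Used only if the file is absent.
$fallbackPolicy = @'
{
  "AntimalwareEnabled": true,
  "RealtimeProtectionEnabled": true,
  "ScheduledScanSettings": { "isEnabled": true, "day": 7, "time": 120, "scanType": "Quick" },
  "Exclusions": {
    "Extensions": ".ldf",
    "Paths": "D:\\IISlogs;D:\\DatabaseLogs",
    "Processes": ""
  }
}
'@

$settingsJson = if (Test-Path $TemplatePath) { Get-Content -Path $TemplatePath -Raw } else { $fallbackPolicy }
$settings     = $settingsJson | ConvertFrom-Json

# Sanity-check the policy before touching any VM. The extension replaces its
# settings wholesale on every update, so a template that lists only the NEW
# exclusions would silently drop the existing ones: always ship the full policy.
foreach ($field in 'AntimalwareEnabled', 'RealtimeProtectionEnabled', 'Exclusions') {
    if (-not ($settings.PSObject.Properties.Name -contains $field)) {
        throw "Policy is missing the '$field' setting"
    }
}
Write-Output ("Applying exclusions -> Extensions: [{0}] Paths: [{1}] Processes: [{2}]" -f
    $settings.Exclusions.Extensions, $settings.Exclusions.Paths, $settings.Exclusions.Processes)

Connect-AzAccount | Out-Null
Set-AzContext -Subscription $SubscriptionName | Out-Null

foreach ($vmName in $VMNames) {
    # Take the region from the VM itself instead of prompting for it.
    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $vmName

    Set-AzVMExtension -ResourceGroupName $ResourceGroupName `
        -VMName             $vmName `
        -Name               'IaaSAntimalware' `
        -Publisher          'Microsoft.Azure.Security' `
        -ExtensionType      'IaaSAntimalware' `
        -TypeHandlerVersion '1.3' `
        -Location           $vm.Location `
        -SettingString      $settingsJson | Out-Null

    # Read back what the platform stored and whether the extension succeeded.
    $ext    = Get-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $vmName -Name 'IaaSAntimalware' -Status
    $stored = $ext.PublicSettings | ConvertFrom-Json
    Write-Output ("{0}: provisioning={1}; stored paths=[{2}]" -f
        $vmName, $ext.ProvisioningState, $stored.Exclusions.Paths)
}
```

Because the settings are public (not protected) extension settings, anyone with read access to the VM resource can see the exclusion list; treat exclusions as a security decision that is reviewed like any other policy, since an overly broad path or process exclusion is exactly what an attacker would want to drop a payload into. After the script reports a Succeeded provisioning state, the registry check from the earlier section confirms that the new exclusions landed on the guest.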

I want to thank Rakesh Narayan, Azure Security Program Manager for supporting me.

Hope this helps someone out there!

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

About Charbel Nemnom
Charbel Nemnom is a Microsoft Cloud Solutions Architect, totally fan of the latest's IT platform solutions, accomplished hands-on technical professional with over 17 years of broad IT Infrastructure experience serving on and guiding technical teams to optimize performance of mission-critical enterprise systems. Excellent communicator adept at identifying business needs and bridging the gap between functional groups and technology to foster targeted and innovative IT project development. Well respected by peers through demonstrating passion for technology and performance improvement. Extensive practical knowledge of complex systems builds, network design and virtualization.
