Introduction
Microsoft Antimalware for Azure Virtual Machines is a real-time protection capability that helps identify and remove viruses, spyware, and other malicious software, with configurable alerts when known malicious or unwanted software attempts to install itself or run on your system. The solution can be enabled and configured from the Azure Portal, Service Management REST API, and Microsoft Azure PowerShell cmdlets.
The Microsoft Antimalware extension is supported on Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 operating system families. Windows Defender is the built-in Antimalware enabled in Windows Server 2016 and Windows Server 2019. The Azure VM Antimalware extension can still be added to a Windows Server 2016 and Windows Server 2019 Azure VM with Windows Defender, but in this scenario, the extension will apply any optional configuration policies to be used by Windows Defender, the extension will not deploy any additional Antimalware service. You can read more about this update here.
Install Microsoft Antimalware for Azure Virtual Machines
To enable Antimalware with a custom configuration, input the supported values for the configuration settings provided on the Install Extension blade, such as excluding file extensions and processes as shown in the figure below, and then click OK.
Once the Antimalware extension has been provisioned successfully, you can check the configuration settings in several ways:
Azure Portal ARM Template
You can get to the Azure portal and use the Automation Script and look for:
"publisher": "Microsoft.Azure.Security",
"type": "[parameters('extensions_IaaSAntimalware_name')]",
You can find the settings that you set at the initial installation.
Windows Defender
You can also login to the virtual machine and open Windows Defender > Exclusions
If you are using an earlier OS version than Windows Server 2016 or Windows Server 2019, then you should look for Microsoft Antimalware instead of Windows Defender.
Registry
You can also open the Registry and look for one of these locations based on your operating system:
- Windows Server 2016/2019/2022: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions
- Windows Server 2012 / 2012 R2: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions
- Windows Server 2008 R2: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions
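The registry check above is easy to script. The following snippet is an added example (not part of the original post): it picks the registry location that matches the running OS, lists every exclusion found under Extensions, Paths, and Processes, and flags the broad ones that weaken protection the most. It assumes that the Paths and Processes subkeys sit beside Extensions under the same Exclusions key, and that each exclusion is stored as a value name under its subkey (the value data is not needed).

```powershell
# Added example, not from the original post. Run inside the VM in an elevated PowerShell window.

function Get-AntimalwareExclusionRoot {
    # Map the OS to the Exclusions key listed in the post
    $caption = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    if ($caption -match '2016|2019|2022') {
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'
    } elseif ($caption -match '2012') {
        'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions'
    } elseif ($caption -match '2008 R2') {
        'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions'
    } else {
        throw "Unrecognised operating system: $caption"
    }
}

function Get-AntimalwareExclusion {
    # One object per configured exclusion, across the three categories
    $root = Get-AntimalwareExclusionRoot
    foreach ($category in 'Extensions', 'Paths', 'Processes') {
        $key = Join-Path -Path $root -ChildPath $category   # assumption: same layout as Extensions
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($name in (Get-Item -Path $key).Property) {
            [pscustomobject]@{ Category = $category; Exclusion = $name }
        }
    }
}

function Test-BroadExclusion {
    # Flags exclusions that exempt executable content or whole drives from scanning
    param([Parameter(Mandatory, ValueFromPipeline)] $Exclusion)
    process {
        $value = $Exclusion.Exclusion
        $broad = switch ($Exclusion.Category) {
            'Extensions' { $value -match '^\.?(exe|dll|ps1|bat|cmd|vbs|js|msi)$' }
            'Paths'      { $value -match '^[A-Za-z]:\\?$|\\Windows\\?$|\\Users\\?$' }
            'Processes'  { $value -match '^(powershell|cmd|wscript|cscript|mshta)\.exe$' }
        }
        [pscustomobject]@{
            Category  = $Exclusion.Category
            Exclusion = $value
            Broad     = [bool]$broad
        }
    }
}

# Usage: list everything, then show only the entries worth reviewing
Get-AntimalwareExclusion | Test-BroadExclusion | Format-Table -AutoSize
Get-AntimalwareExclusion | Test-BroadExclusion | Where-Object Broad
```

On Windows Server 2016 and later you can cross-check the same information with Get-MpPreference (the ExclusionExtension, ExclusionPath, and ExclusionProcess properties), which reads Windows Defender's effective configuration rather than the raw registry.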
Now you want to update the settings for Antimalware to add additional Exclusions, Extensions, Paths, and Processes.
Unfortunately, you cannot update the policy through the Azure Portal. The remaining options are to update the configuration settings through an ARM JSON template and PowerShell, or to log in to each virtual machine and change the settings manually, which is not efficient if you need to update the policy on many virtual machines.
In this blog post, I will show you how to update Microsoft Antimalware policies through the ARM JSON template so you can automate this process across multiple Azure virtual machines.
Update Microsoft Antimalware Policies
First, you need to customize a JSON template as per MSDN documentation here. For the purpose of this example, we will use the following updated JSON configuration file:
{
    "AntimalwareEnabled": "true",
    "Exclusions": {
        "Extensions": ".mdf;.log;.ldf",
        "Paths": "D:\\IISlogs;D:\\DatabaseLogs",
        "Processes": "SQLServr.exe"
    },
    "RealtimeProtectionEnabled": "true",
    "ScheduledScanSettings": {
        "isEnabled": "true",
        "scanType": "Full",
        "day": "7",
        "time": "180"
    }
}
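Because the extension accepts the settings as an opaque string, a typo in the template only surfaces after the deployment has run. The following function is an added example (not part of the original post) that checks template.json before you push it: it confirms the JSON parses, that the boolean fields carry "true"/"false", that exclusions have the expected shape, and that the scheduled-scan fields are in range. The field meanings it assumes are those of the extension documentation the post links to: "day" is 0 for daily, 1 to 7 for Sunday through Saturday, 8 for no scheduled scan; "time" is minutes after midnight. It also warns, from a hardening point of view, about exclusions that exempt executable content or whole drives.

```powershell
# Added example, not from the original post. Validates an IaaSAntimalware settings template.

function Test-AntimalwareTemplate {
    param([Parameter(Mandatory)][string] $Path)

    $raw = [IO.File]::ReadAllText($Path)
    try {
        $cfg = $raw | ConvertFrom-Json
    } catch {
        throw "$Path is not valid JSON: $($_.Exception.Message)"
    }

    $problems = New-Object System.Collections.Generic.List[string]

    # Top-level switches are strings "true"/"false" in the template
    foreach ($flag in 'AntimalwareEnabled', 'RealtimeProtectionEnabled') {
        if ("$($cfg.$flag)" -notin 'true', 'false') { $problems.Add("$flag must be 'true' or 'false'") }
    }
    if ("$($cfg.RealtimeProtectionEnabled)" -ne 'true') { $problems.Add('Real-time protection is turned off') }

    # Exclusions are semicolon-separated lists; flag malformed and overly broad entries
    $ex = $cfg.Exclusions
    if ($ex) {
        foreach ($ext in ($ex.Extensions -split ';' | Where-Object { $_ })) {
            if ($ext -notmatch '^\.[A-Za-z0-9]+$') { $problems.Add("Extension '$ext' should look like '.ext'") }
            if ($ext -match '^\.(exe|dll|ps1|bat|cmd|vbs|js|msi)$') { $problems.Add("Extension '$ext' exempts executable content from scanning") }
        }
        foreach ($p in ($ex.Paths -split ';' | Where-Object { $_ })) {
            if ($p -notmatch '^[A-Za-z]:\\') { $problems.Add("Path '$p' is not an absolute drive path") }
            if ($p -match '^[A-Za-z]:\\?$') { $problems.Add("Path '$p' excludes an entire drive") }
        }
        foreach ($proc in ($ex.Processes -split ';' | Where-Object { $_ })) {
            if ($proc -notmatch '\.exe$') { $problems.Add("Process '$proc' should be an executable name ending in .exe") }
        }
    }

    # Scheduled scan: day 0 = daily, 1-7 = Sunday..Saturday, 8 = disabled; time = minutes after midnight
    $scan = $cfg.ScheduledScanSettings
    $summary = 'no scheduled scan block'
    if ($scan) {
        if ("$($scan.isEnabled)" -notin 'true', 'false') { $problems.Add('isEnabled must be "true" or "false"') }
        if ($scan.scanType -notin 'Quick', 'Full') { $problems.Add("scanType '$($scan.scanType)' must be Quick or Full") }
        $day  = $scan.day  -as [int]
        $time = $scan.time -as [int]
        if ($null -eq $day  -or $day  -lt 0 -or $day  -gt 8)    { $problems.Add("day '$($scan.day)' must be 0-8") }
        if ($null -eq $time -or $time -lt 0 -or $time -gt 1440) { $problems.Add("time '$($scan.time)' must be 0-1440 minutes") }
        if ($problems.Count -eq 0) {
            $dayName = @('daily', 'Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday', 'never')[$day]
            $clock   = '{0:hh\:mm}' -f [timespan]::FromMinutes($time)
            $summary = "$($scan.scanType) scan, $dayName at $clock"
        }
    }

    [pscustomobject]@{
        Path         = $Path
        Valid        = ($problems.Count -eq 0)
        ScanSchedule = $summary
        Problems     = $problems
    }
}

# Usage: stop before deploying if the template is not valid
$check = Test-AntimalwareTemplate -Path 'C:\Temp\template.json'
$check | Format-List
if (-not $check.Valid) { throw 'Fix the template before running Set-AzureRmVMExtension' }
```

Run against the template above, the function reports the schedule as a Full scan on Saturday at 03:00 and no problems.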
Next, you need to save the JSON template. In this example, I saved it under C:\Temp and I named it template.JSON.
Open an elevated PowerShell window and run the following script.
You will be asked to enter additional details such as Azure subscription name, Azure region, Azure virtual machine name, and resource group name.
<#
//-----------------------------------------------------------------------
// Copyright (c) {https://charbelnemnom.com}. All rights reserved.
//-----------------------------------------------------------------------
.NOTES
File Name : Update-AzureIaaSAntimalwarePolicy.ps1
Author : Charbel Nemnom
Version : 1.2
Date : 13-June-2018
Update : 10-January-2022
Requires : PowerShell Version 5.0 or above
Module : AzureRM Version 6.2 or above
.LINK
To provide feedback or for further assistance please visit: https://charbelnemnom.com
#>
Try {
    # Login to Azure
    $AzureSubName = Read-Host "`n Enter Azure Subscription name"
    $AzAcctInfo = Login-AzureRmAccount -Subscription $AzureSubName
    Write-Output "Connecting to Azure Cloud..."
}
Catch {
    Write-Output "Cannot connect to Azure environment. Please check your credentials and Azure Subscription name. Exiting!"
    Break
}
# Get the Azure subscription ID and store it in a variable
$AzureSubID = $AzAcctInfo.Context.Subscription.Id
# Specify location, resource group, and VM for the extension
$Location = Read-Host "`n Enter the Azure region location of your Azure Virtual Machine" # e.g. "West Europe" or "Southeast Asia" or "Central US"
$ResourceGroupName = Read-Host "`n Enter the Azure Resource Group Name"
$vmName = Read-Host "`n Enter the name of your Azure Virtual Machine"
# Read JSON configuration file
# JSON template can be customized as per MSDN documentation @ https://msdn.microsoft.com/en-us/library/dn771716.aspx
$SettingString = [IO.File]::ReadAllText('C:\temp\template.json')
Select-AzureRmSubscription -SubscriptionId $AzureSubID
# Retrieve the most recent version number of the IaaS Antimalware extension
$allVersions = (Get-AzureRmVMExtensionImage -Location $Location -PublisherName "Microsoft.Azure.Security" -Type "IaaSAntimalware").Version
$versionString = $allVersions[($allVersions.count)-1].Split(".")[0] + "." + $allVersions[($allVersions.count)-1].Split(".")[1]
# Update Microsoft Antimalware Policies for Azure ARM Virtual Machines
Set-AzureRmVMExtension -ResourceGroupName $ResourceGroupName -Location $Location -VMName $vmName -Name "IaaSAntimalware" `
    -Publisher "Microsoft.Azure.Security" -ExtensionType "IaaSAntimalware" -TypeHandlerVersion $versionString -SettingString $SettingString
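The script above targets one VM at a time. The following function is an added example (not part of the original post) that applies the same template to every Windows VM in a resource group and reports the extension's provisioning state afterwards, so a failed update on one VM is visible instead of silently leaving that machine on the old policy. It assumes you have already signed in with Login-AzureRmAccount and selected the subscription, uses the same publisher and extension type as the post's script, and picks the newest extension version by sorting the version strings as [version] rather than taking the last array element.

```powershell
# Added example, not from the original post. Requires the AzureRM module and an existing login.

function Update-AntimalwarePolicyForResourceGroup {
    param(
        [Parameter(Mandatory)][string] $ResourceGroupName,
        [Parameter(Mandatory)][string] $TemplatePath,
        [string] $ExtensionName = 'IaaSAntimalware'
    )

    $settingString = [IO.File]::ReadAllText($TemplatePath)
    # Fail before touching any VM if the template is not valid JSON
    $null = $settingString | ConvertFrom-Json

    # Only Windows VMs carry this extension
    $vms = Get-AzureRmVM -ResourceGroupName $ResourceGroupName |
        Where-Object { $_.StorageProfile.OsDisk.OsType -eq 'Windows' }

    foreach ($vm in $vms) {
        # Newest published major.minor of the extension in this VM's region
        $versions = (Get-AzureRmVMExtensionImage -Location $vm.Location `
            -PublisherName 'Microsoft.Azure.Security' -Type 'IaaSAntimalware').Version
        $newest = $versions | Sort-Object { [version]$_ } | Select-Object -Last 1
        $parts = $newest -split '\.'
        $typeHandlerVersion = "$($parts[0]).$($parts[1])"

        try {
            $null = Set-AzureRmVMExtension -ResourceGroupName $ResourceGroupName -Location $vm.Location `
                -VMName $vm.Name -Name $ExtensionName -Publisher 'Microsoft.Azure.Security' `
                -ExtensionType 'IaaSAntimalware' -TypeHandlerVersion $typeHandlerVersion `
                -SettingString $settingString -ErrorAction Stop
            # Read back the extension so the result reflects what Azure recorded, not just the cmdlet's return
            $state = (Get-AzureRmVMExtension -ResourceGroupName $ResourceGroupName `
                -VMName $vm.Name -Name $ExtensionName -ErrorAction Stop).ProvisioningState
        } catch {
            $state = "Failed: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            VM                = $vm.Name
            Location          = $vm.Location
            ExtensionVersion  = $typeHandlerVersion
            ProvisioningState = $state
        }
    }
}

# Usage: review the table and re-run for any VM that does not show "Succeeded"
Update-AntimalwarePolicyForResourceGroup -ResourceGroupName 'rg-example' -TemplatePath 'C:\Temp\template.json' |
    Format-Table -AutoSize
```

The resource group name and template path in the usage line are placeholders. Because Set-AzureRmVMExtension with the same -Name updates an existing extension in place, running the function again is safe; the per-VM result lets you confirm the rollout instead of opening each machine to check the registry.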
Now hop over to the virtual machine and confirm that the policy has been updated. In this example, I have added an exclusion for the SQL .ldf extension and two paths: D:\IISlogs and D:\DatabaseLogs.
I want to thank Rakesh Narayan, Azure Security Program Manager for supporting me.
Hope this helps someone out there!
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.
-Charbel Nemnom-