Azure VM Antimalware Extension Management

  Posted by Pantelis Apostolidis, in Azure, 31 March 2019

<h1 style="text-align: left;">Azure VM Antimalware Extension Management</h1>
<p style="text-align: justify;">Managing the Azure VM Antimalware Extension has always been tricky. You can easily enable the Microsoft Antimalware Extension from the Azure Portal, either when creating the VM or later from the Extensions blade, but after that managing it is awkward: there is no way to change the exclusion list or the scheduled-scan settings from the portal or from inside the VM, and even in PowerShell there is no single command dedicated to the Microsoft Antimalware settings.</p>
<p style="text-align: justify;">It goes without saying that every VM must have an endpoint protection solution, and Azure can add one to every Azure VM. Microsoft Antimalware for Azure Virtual Machines is a real-time protection capability that helps identify and remove viruses, spyware and other malicious software, with configurable alerts when known malicious or unwanted software attempts to install itself or run on your system, and it is free of charge. For third-party extensions you need to supply your own license key.</p>
<p style="text-align: justify;">For Windows Server VMs up to version 2012 R2, the extension installs the System Center Endpoint Protection client and applies the configuration policies. Windows Server 2016 and later have Windows Defender built in, so the extension only applies the configuration.</p>
<p>Below we walk through how to deploy and manage the Microsoft Antimalware Extension using the <strong><a href="#portal">Azure Portal (single VM)</a></strong>, using <strong><a href="#asc">Azure Security Center (multiple VMs)</a></strong>, and using <strong><a href="#singlevm">PowerShell for a single VM</a></strong> and <strong><a href="#multivmrg">for multiple VMs filtered by resource group</a></strong> or <strong><a href="#multivmtags">by tags</a></strong>.</p>
<h2 style="text-align: justify;">Deploy the Microsoft Antimalware Extension</h2>
<h3 style="text-align: justify;"><a id="portal"></a>Using the Azure Portal for single VM deployment</h3>
<p style="text-align: justify;">Go to the Azure VM’s blade, navigate to the Extensions section and press Add.</p>
<p id="TEeDKhy" style="text-align: justify;"><img class="alignnone wp-image-2499 size-full" src="https://www.e-aposto...0ed33ac441.png" alt="microsoft antimalware" width="743" height="475" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/03/img_5ca0ed33ac441.png 743w, https://www.e-aposto...441-300x192.png 300w, https://www.e-aposto...441-600x384.png 600w" sizes="(max-width: 743px) 100vw, 743px" /></p>
<p style="text-align: justify;">Select the Microsoft Antimalware extension and press Create.</p>
<p id="tirjqKm" style="text-align: justify;"><img class="alignnone wp-image-2500 size-full" src="https://www.e-aposto...0ed79238b1.png" alt="microsoft antimalware" width="628" height="247" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/03/img_5ca0ed79238b1.png 628w, https://www.e-aposto...8b1-300x118.png 300w, https://www.e-aposto...8b1-600x236.png 600w" sizes="(max-width: 628px) 100vw, 628px" /></p>
<p style="text-align: justify;">Fill in the “Install extension” form as desired and press OK. Here we can set the exclusions, the scan type and the scan schedule.</p>
<p id="ureoQSb" style="text-align: justify;"><img class="alignnone wp-image-2501 size-full" src="https://www.e-aposto...0eddcbfa5d.png" alt="microsoft antimalware" width="581" height="900" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/03/img_5ca0eddcbfa5d.png 581w, https://www.e-aposto...a5d-194x300.png 194w" sizes="(max-width: 581px) 100vw, 581px" /></p>
<h2 style="text-align: justify;"><a id="asc"></a>Using the Azure Security Center for multi VM deployment</h2>
<p style="text-align: justify;">Go to Azure Security Center, navigate to “Compute &amp; Apps” and click “Install endpoint protection solution on virtual machines”.</p>
<p id="lzlorCc" style="text-align: justify;"><img class="alignnone wp-image-2503 size-full" src="https://www.e-aposto...0ef8a831e5.png" alt="microsoft antimalware" width="689" height="625" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/03/img_5ca0ef8a831e5.png 689w, https://www.e-aposto...1e5-300x272.png 300w, https://www.e-aposto...1e5-600x544.png 600w" sizes="(max-width: 689px) 100vw, 689px" /></p>
<p style="text-align: justify;">Azure Security Center checks which VMs do not have endpoint protection and selects them all. Press “Install on # VMs” to choose the extension.</p>
<p id="lRCNkXB" style="text-align: justify;"><img class="alignnone wp-image-2504 size-full" src="https://www.e-aposto...0f16488ced.png" alt="microsoft antimalware" width="624" height="533" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/03/img_5ca0f16488ced.png 624w, https://www.e-aposto...ced-300x256.png 300w, https://www.e-aposto...ced-600x513.png 600w" sizes="(max-width: 624px) 100vw, 624px" /></p>
<p style="text-align: justify;">Select “Microsoft Antimalware” and press Create.</p>
<p id="pmQCFtC" style="text-align: justify;"><img class="alignnone wp-image-2505 size-full" src="https://www.e-aposto...0f1b89bcd7.png" alt="microsoft antimalware" width="559" height="126" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/03/img_5ca0f1b89bcd7.png 559w, https://www.e-aposto...bcd7-300x68.png 300w" sizes="(max-width: 559px) 100vw, 559px" /></p>
<p style="text-align: justify;">Fill in the “Install extension” form as desired and press OK. As in the portal, this is where the exclusions, the scan type and the scan schedule are set.</p>
<p style="text-align: justify;"><img class="alignnone wp-image-2501 size-full" src="https://www.e-aposto...0eddcbfa5d.png" alt="microsoft antimalware" width="581" height="900" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/03/img_5ca0eddcbfa5d.png 581w, https://www.e-aposto...a5d-194x300.png 194w" sizes="(max-width: 581px) 100vw, 581px" /></p>
<h2 style="text-align: justify;">Using PowerShell for single and multi VM deployments</h2>
<h3 style="text-align: justify;"><a id="singlevm"></a>Single VM</h3>
<p style="text-align: justify;">Declare the variables:</p>
<p></p><pre class="crayon-plain-tag">$ResourceGroupName = "devrg"
$VMName = "devrgvm"
$Location = "West Europe"
$PublisherName = "Microsoft.Azure.Security"
$Type = "IaaSAntimalware"</pre><p></p>
<p style="text-align: justify;">Get the latest major version:</p>
<p></p><pre class="crayon-plain-tag"># view all versions available in the West Europe location
Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type | Format-List Version
# view the latest major.minor version (first three characters of the last entry in the list)
((Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version[-1][0..2] -join '')
# store the latest major.minor version in a variable called "amversion"; Set-AzVMExtension expects it as TypeHandlerVersion
$amversion = ((Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version[-1][0..2] -join '')</pre><p></p>
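<p style="text-align: justify;">The three-character slice above only yields a correct "major.minor" while both numbers are single digits and while the returned list happens to be sorted. As an added example, not code from the original post, the following picks the newest version numerically by casting every entry to <code>[version]</code>; it assumes the <code>$Location</code>, <code>$PublisherName</code> and <code>$Type</code> variables declared above.</p>

```powershell
# Added example (not from the original post). Select the newest extension
# version numerically instead of slicing characters, so that versions such as
# "1.10.0.0" are handled correctly. Assumes $Location, $PublisherName and $Type
# are set as declared earlier in the post.
$versions = (Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version |
    ForEach-Object { [version]$_ }

# [version] objects compare numerically component by component, unlike strings
$latest = $versions | Sort-Object -Descending | Select-Object -First 1

# TypeHandlerVersion expects "major.minor"; the patch and build parts are not used
$amversion = '{0}.{1}' -f $latest.Major, $latest.Minor

# Show what was chosen against the full list, so an unexpected jump in major
# version is visible before it is rolled out to the VMs
"Available: $($versions -join ', ')"
"Selected TypeHandlerVersion: $amversion"
```

<p style="text-align: justify;">Pinning the major version this way and leaving minor upgrades to the platform is the usual trade-off: a new major version can change the settings schema, so it should be rolled out deliberately rather than picked up silently by a script.</p>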
<p style="text-align: justify;">Set the Microsoft Antimalware settings, exclusions and schedules. The here-string is passed to the extension verbatim as JSON, so backslashes in Windows paths must be doubled:</p>
<p></p><pre class="crayon-plain-tag"># JSON settings for the extension
# day: 0 = every day, 1 = Sunday ... 7 = Saturday, 8 = disabled
# time: minutes after midnight (120 = 02:00)
$amsettings = @'
{
    "AntimalwareEnabled": true,
    "RealtimeProtectionEnabled": true,
    "ScheduledScanSettings": {
        "isEnabled": true,
        "day": 7,
        "time": 120,
        "scanType": "Quick"
    },
    "Exclusions": {
        "Extensions": ".log;.ldf",
        "Paths": "D:\\IISlogs;D:\\DatabaseLogs",
        "Processes": "mssence.svc"
    }
}
'@</pre><p></p>
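<p style="text-align: justify;">A single-quoted here-string reaches Azure exactly as typed, so the JSON has to be hand-escaped and a typo is only discovered when the extension fails to provision. As an added example that is not part of the original post, the same settings can be built as a PowerShell hashtable and serialised with <code>ConvertTo-Json</code>, which escapes the backslashes in the Windows paths itself and lets a round-trip through <code>ConvertFrom-Json</code> reject a malformed document before anything is sent to the VM. The day and time values follow the extension's documented meaning; every exclusion is a blind spot for the scanner, so keep the list to what the workload actually needs.</p>

```powershell
# Added example (not from the original post). Build the settings as a hashtable
# and let ConvertTo-Json produce the JSON; the result can be used as
# -SettingString exactly like the here-string in the post.
$amsettingsObject = [ordered]@{
    AntimalwareEnabled        = $true
    RealtimeProtectionEnabled = $true
    ScheduledScanSettings     = [ordered]@{
        isEnabled = $true
        day       = 7        # 0 = every day, 1 = Sunday ... 7 = Saturday, 8 = disabled
        time      = 120      # minutes after midnight, i.e. 02:00
        scanType  = 'Quick'  # 'Quick' or 'Full'
    }
    Exclusions = [ordered]@{
        Extensions = '.log;.ldf'
        Paths      = 'D:\IISlogs;D:\DatabaseLogs'   # single backslashes here; ConvertTo-Json doubles them
        Processes  = 'mssence.svc'
    }
}

# -Depth must cover the nesting, otherwise inner objects are flattened to strings
$amsettings = $amsettingsObject | ConvertTo-Json -Depth 4

# Fail fast if the document is not valid JSON before it reaches Set-AzVMExtension
$parsed = $amsettings | ConvertFrom-Json -ErrorAction Stop

# Guard against accidentally shipping a configuration with protection switched off
if (-not $parsed.AntimalwareEnabled -or -not $parsed.RealtimeProtectionEnabled) {
    throw 'Refusing to deploy: antimalware or real-time protection is disabled in the settings'
}

$amsettings
```

<p style="text-align: justify;">The guard at the end is there because the extension will happily accept <code>"AntimalwareEnabled": false</code>; a script that is run against every VM in a resource group should not be able to turn protection off by a one-character edit.</p>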
<h3 style="text-align: justify;">Enable the Microsoft Antimalware Extension on one Azure VM</h3>
<p></p><pre class="crayon-plain-tag">Set-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $Location -TypeHandlerVersion $amversion</pre><p></p>
<p style="text-align: justify;">The whole script:</p>
<p></p><pre class="crayon-plain-tag">Login-AzAccount
# variables
$ResourceGroupName = "devrg"
$VMName = "devrgvm"
$Location = "West Europe"
$PublisherName = "Microsoft.Azure.Security"
$Type = "IaaSAntimalware"
# Get the latest major version
$amversion = ((Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version[-1][0..2] -join '')
# Antimalware extension settings, exclusions and schedules (JSON; backslashes in paths are doubled)
$amsettings = @'
{
    "AntimalwareEnabled": true,
    "RealtimeProtectionEnabled": true,
    "ScheduledScanSettings": {
        "isEnabled": true,
        "day": 7,
        "time": 120,
        "scanType": "Quick"
    },
    "Exclusions": {
        "Extensions": ".log;.ldf",
        "Paths": "D:\\IISlogs;D:\\DatabaseLogs",
        "Processes": "mssence.svc"
    }
}
'@
# enable the Microsoft Antimalware Extension with the above settings
Set-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $Location -TypeHandlerVersion $amversion</pre><p></p>
<h3 style="text-align: justify;"><a id="multivmrg"></a>Multi VM – All VMs in a Resource Group</h3>
<p style="text-align: justify;">To deploy the extension to multiple VMs, pipe the VMs of the resource group into a ForEach-Object loop, like this:</p>
<p></p><pre class="crayon-plain-tag"># enable the Microsoft Antimalware Extension with the above settings on all VMs in the Resource Group
# each VM's own resource group, name and location are taken from the pipeline object
Get-AzVM -ResourceGroupName $ResourceGroupName | ForEach-Object {
    Set-AzVMExtension -ResourceGroupName $_.ResourceGroupName -VMName $_.Name -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $_.Location -TypeHandlerVersion $amversion
}</pre><p></p>
<p style="text-align: justify;">The whole script:</p>
<p></p><pre class="crayon-plain-tag">Login-AzAccount
# variables
$ResourceGroupName = "devrg"
$Location = "West Europe"
$PublisherName = "Microsoft.Azure.Security"
$Type = "IaaSAntimalware"
# Get the latest major version
$amversion = ((Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version[-1][0..2] -join '')
# Antimalware extension settings, exclusions and schedules (JSON; backslashes in paths are doubled)
$amsettings = @'
{
    "AntimalwareEnabled": true,
    "RealtimeProtectionEnabled": true,
    "ScheduledScanSettings": {
        "isEnabled": true,
        "day": 7,
        "time": 120,
        "scanType": "Quick"
    },
    "Exclusions": {
        "Extensions": ".log;.ldf",
        "Paths": "D:\\IISlogs;D:\\DatabaseLogs",
        "Processes": "mssence.svc"
    }
}
'@
# enable the Microsoft Antimalware Extension with the above settings on all VMs in the Resource Group
Get-AzVM -ResourceGroupName $ResourceGroupName | ForEach-Object {
    Set-AzVMExtension -ResourceGroupName $_.ResourceGroupName -VMName $_.Name -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $_.Location -TypeHandlerVersion $amversion
}</pre><p></p>
<h2 style="text-align: justify;"><a id="multivmtags"></a>Using Tags instead of a Resource Group to filter the VMs</h2>
<p style="text-align: justify;">Get-AzResource returns every resource carrying the tag (disks, NICs, public IPs and so on), so the query is restricted to virtual machines before Set-AzVMExtension is called:</p>
<p></p><pre class="crayon-plain-tag">Login-AzAccount
# variables (filter by tags)
$tagName = "Service"
$tagValue = "dev"
$Location = "West Europe"
$PublisherName = "Microsoft.Azure.Security"
$Type = "IaaSAntimalware"
# Get the latest major version
$amversion = ((Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version[-1][0..2] -join '')
# Antimalware extension settings, exclusions and schedules (JSON; backslashes in paths are doubled)
$amsettings = @'
{
    "AntimalwareEnabled": true,
    "RealtimeProtectionEnabled": true,
    "ScheduledScanSettings": {
        "isEnabled": true,
        "day": 7,
        "time": 120,
        "scanType": "Quick"
    },
    "Exclusions": {
        "Extensions": ".log;.ldf",
        "Paths": "D:\\IISlogs;D:\\DatabaseLogs",
        "Processes": "mssence.svc"
    }
}
'@
# enable the Microsoft Antimalware Extension with the above settings on all VMs with a specific Tag
# restrict to VM resources, otherwise Set-AzVMExtension fails on disks, NICs and other tagged resources
$tagResList = Get-AzResource -TagName $tagName -TagValue $tagValue -ResourceType "Microsoft.Compute/virtualMachines"
foreach ($tagRes in $tagResList) {
    Set-AzVMExtension -ResourceGroupName $tagRes.ResourceGroupName -VMName $tagRes.Name -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $tagRes.Location -TypeHandlerVersion $amversion
}</pre><p></p>
<p style="text-align: justify;">After a successful deployment, the VM’s Extensions blade shows an IaaSAntimalware extension with the status “Provisioning succeeded”.</p>
<p id="qBfxdXr" style="text-align: justify;"><img class="alignnone wp-image-2508 size-full" src="https://www.e-aposto...0fc70cd676.png" alt="microsoft antimalware" width="1217" height="457" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/03/img_5ca0fc70cd676.png 1217w, https://www.e-aposto...676-300x113.png 300w, https://www.e-aposto...676-768x288.png 768w, https://www.e-aposto...76-1024x385.png 1024w, https://www.e-aposto...676-600x225.png 600w" sizes="(max-width: 1217px) 100vw, 1217px" /></p>
<h2 style="text-align: justify;">Change the settings in an existing deployment</h2>
<p style="text-align: justify;">After the first deployment, to change any setting of Windows Defender / Forefront Endpoint Protection, edit the required values in the “#Antimalware extension settings, exclusions and schedules” section and run the same PowerShell script again.</p>
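<p style="text-align: justify;">Re-running the script changes the configuration but does not tell you what is actually deployed. As an added example that is not part of the original post, the following reads the extension back from every Windows VM in the subscription and reports the ones where it is missing, failed to provision, or was installed with real-time protection off. It assumes <code>$Type</code> holds the value declared earlier in the post ("IaaSAntimalware", which is also the name the extension was installed under); the CSV path is a placeholder.</p>

```powershell
# Added example (not from the original post). Compliance report for the
# Microsoft Antimalware extension across all Windows VMs in the current
# subscription. Assumes $Type = "IaaSAntimalware" as declared earlier; the
# output path is a placeholder.
$report = Get-AzVM |
    Where-Object { $_.StorageProfile.OsDisk.OsType -eq 'Windows' } |
    ForEach-Object {
        $vm = $_
        # The extension was installed with -Name $Type, so it is looked up under that name;
        # a VM without it simply returns nothing
        $ext = Get-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name -Name $Type -ErrorAction SilentlyContinue

        # PublicSettings is the JSON string that was passed as -SettingString
        $settings = if ($ext -and $ext.PublicSettings) { $ext.PublicSettings | ConvertFrom-Json } else { $null }

        [pscustomobject]@{
            ResourceGroup     = $vm.ResourceGroupName
            VM                = $vm.Name
            Installed         = [bool]$ext
            ProvisioningState = if ($ext) { $ext.ProvisioningState } else { 'Missing' }
            HandlerVersion    = if ($ext) { $ext.TypeHandlerVersion } else { $null }
            RealtimeEnabled   = if ($settings) { [bool]$settings.RealtimeProtectionEnabled } else { $false }
            ExcludedPaths     = if ($settings) { $settings.Exclusions.Paths } else { $null }
        }
    }

# VMs that need attention: extension missing, provisioning not succeeded, or real-time protection off
$report |
    Where-Object { -not $_.Installed -or $_.ProvisioningState -ne 'Succeeded' -or -not $_.RealtimeEnabled } |
    Format-Table -AutoSize

# Keep the full inventory, exclusions included, as evidence for review
$report | Export-Csv -Path '.\antimalware-report.csv' -NoTypeInformation
```

<p style="text-align: justify;">The exclusion column is worth reviewing as carefully as the installed/missing column: an exclusion added for one workload and then copied to every VM by the resource-group or tag script is the kind of drift that only shows up when the deployed settings are read back.</p>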
<p style="text-align: left;">Reference: https://docs.microso...are-windows</p>
<p>The post <a rel="nofollow" href="https://www.e-apostolidis.gr/microsoft/azure/azure-vm-antimalware-extension-management/">Azure VM Antimalware Extension Management</a> appeared first on <a rel="nofollow" href="https://www.e-apostolidis.gr">Apostolidis IT Corner</a>.</p>


<a href="https://www.e-aposto...on-management/"class='bbc_url' rel='nofollow external'>Source</a>