Hello Azure security community!
Yuri Diogenes (CSI Enterprise Mobility and Azure Security team) here. Recently we had a great discussion online about how to enable diagnostics logs for Antimalware in Azure. This is an important discussion because when you enable Antimalware through the Azure Portal, this action will not enable the diagnostics logs for Antimalware automatically. However, if you use Azure Antimalware PowerShell (Set-AzureServiceAntimalwareExtension) to enable Antimalware then you can leverage an option to enable diagnostics logs.
Below you have an example of how to enable diagnostics logging for Antimalware via PowerShell:
======================================
PS C:\> Add-AzureAccount
PS C:\> Select-AzureSubscription -SubscriptionName "<your subscription name>"
PS C:\> $StorageContext = New-AzureStorageContext -StorageAccountName "<your storage account name>" -StorageAccountKey (Get-AzureStorageKey -StorageAccountName "<your storage account name>").Primary
PS C:\> Set-AzureServiceAntimalwareExtension -ServiceName "<your azure cloud service name>" -Monitoring ON -StorageContext $StorageContext
======================================
Once you finish typing these commands, you should see an output similar to the one below:
If you go to the Worker Role, you can see the PaaSDiagnostics plug-in:
Note:
You may not see events immediately, as not all events are configured for collection. To validate the setup, you can copy an eicar.txt file (the standard test file for Antimalware) to the instance and check whether events 1116 and 1117 are triggered and logged in WADWindowsEventLogsTable (shown below).
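To check the table without browsing it by hand, the script below queries WADWindowsEventLogsTable for Antimalware events 1116 and 1117 from the last 24 hours. This is an added example, not part of the original post; it assumes the same classic (ASM) Azure PowerShell module and storage account used above, and that the Microsoft.WindowsAzure.Storage client types loaded by that module are available in the session.

```powershell
# Added example: list Microsoft Antimalware events 1116/1117 collected into
# WADWindowsEventLogsTable once the diagnostics extension is enabled.
# Assumes the classic Azure PowerShell module (Add-AzureAccount etc.);
# the storage account name is a placeholder, as in the post.

$StorageAccountName = "<your storage account name>"
$StorageContext = New-AzureStorageContext -StorageAccountName $StorageAccountName `
    -StorageAccountKey (Get-AzureStorageKey -StorageAccountName $StorageAccountName).Primary

# Windows Azure Diagnostics writes collected Windows event log entries here
$Table = Get-AzureStorageTable -Name "WADWindowsEventLogsTable" -Context $StorageContext

# Filter: (Timestamp >= now - 24h) and (EventId == 1116 or EventId == 1117)
# 1116 = malware detected, 1117 = action taken on detected malware
$Since = [DateTimeOffset](Get-Date).AddHours(-24).ToUniversalTime()
$TQ  = [Microsoft.WindowsAzure.Storage.Table.TableQuery]
$Cmp = [Microsoft.WindowsAzure.Storage.Table.QueryComparisons]
$Ops = [Microsoft.WindowsAzure.Storage.Table.TableOperators]

$IdFilter = $TQ::CombineFilters(
    $TQ::GenerateFilterConditionForInt("EventId", $Cmp::Equal, 1116),
    $Ops::Or,
    $TQ::GenerateFilterConditionForInt("EventId", $Cmp::Equal, 1117))
$TimeFilter = $TQ::GenerateFilterConditionForDate("Timestamp", $Cmp::GreaterThanOrEqual, $Since)

$Query = New-Object Microsoft.WindowsAzure.Storage.Table.TableQuery
$Query.FilterString = $TQ::CombineFilters($TimeFilter, $Ops::And, $IdFilter)

# Project the dynamic entities onto the columns worth reading during validation
$Events = $Table.CloudTable.ExecuteQuery($Query) | ForEach-Object {
    [pscustomobject]@{
        Timestamp    = $_.Timestamp.UtcDateTime
        RoleInstance = $_.Properties["RoleInstance"].StringValue
        EventId      = $_.Properties["EventId"].Int32Value
        Description  = $_.Properties["Description"].StringValue
    }
}

if (-not $Events) {
    Write-Warning "No Antimalware events 1116/1117 in the last 24 hours; collection may not be active yet."
} else {
    $Events | Sort-Object Timestamp | Format-Table -AutoSize -Wrap
}
```

The Description column carries the same text as the local event log entry, so the path of the detected eicar.txt file should appear there once collection is working.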
Note:
For more information, see Microsoft Antimalware for Azure Cloud Services and Virtual Machines.
Kudos to Rakesh Narayan and ASM Team for their contribution testing this solution.