
Microsoft Defender for Storage — Malware Scanning for Azure Blob Storage

Use Case: SaaS solution that accepts document uploads via API to Azure Blob Storage, requiring antivirus scanning and network isolation with private networking.


Overview

Microsoft Defender for Storage is an Azure-native security layer within Microsoft Defender for Cloud that detects and mitigates threats to Azure Storage accounts. It protects Azure Blob Storage, Azure Files, and Azure Data Lake Storage services through activity monitoring, malware scanning, and sensitive data threat detection.

For SaaS solutions that accept untrusted document uploads, Defender for Storage provides built-in malware scanning using the Microsoft Defender Antivirus (MDAV) engine — eliminating the need for custom antivirus infrastructure.

Source: What is Microsoft Defender for Storage


Solution: Microsoft Defender for Storage

Defender for Storage offers three core capabilities:

| Feature | Description | Additional Cost |
|---|---|---|
| Activity Monitoring | Detects unusual and potentially harmful activities by analyzing access patterns and behaviors. Uses Microsoft Threat Intelligence, statistical, and machine-learning methods. | Included in plan |
| Malware Scanning | Scans blobs for malware using Microsoft Defender Antivirus (MDAV). Available as on-upload and on-demand scanning. | Per GB scanned |
| Sensitive Data Threat Detection | Identifies and protects sensitive data by detecting suspicious activities. Powered by Sensitive Data Discovery integrated with Microsoft Purview. | Included in plan |

Malware scanning is an agentless SaaS solution — zero infrastructure to maintain, simple to enable at scale.

Source: Defender for Storage features


Malware Scanning Capabilities

On-Upload Malware Scanning

On-upload scanning automatically scans blobs when they are uploaded or modified, providing near real-time detection of malicious content.

Key characteristics:

  • Trigger: Any operation resulting in a BlobCreated or BlobRenamed event (new blob uploads, overwrites, finalized operations like PutBlockList or FlushWithClose)
  • Engine: Microsoft Defender Antivirus (MDAV) with up-to-date malware definitions
  • File support: All file types including archives (ZIP, RAR) up to 50 GB per blob
  • Process: Content is read in-memory within the same Azure region, scanned, and results are generated. Scanned content is not retained by the service.
  • Throughput: Up to 50 GB per minute per storage account. If upload rate momentarily exceeds this, files are queued. Sustained overload may result in unscanned blobs.

Ideal for: Web applications, user-generated content uploads, third-party integrations, data pipelines, and compliance requirements (NIST, SWIFT, HIPAA, DORA).

Note: Incremental operations like AppendFile (ADLS Gen2) or PutBlock (Block Blob) do not independently trigger a scan. Scanning occurs only when these are finalized via commit operations.

Customizable scan filters: On-upload scanning supports exclusion rules to skip specific blobs based on path prefix, suffix, or blob size. Up to 24 filter values can be configured per storage account (OR logic — a blob is excluded if it meets any one criterion). This helps avoid unnecessary scans on logs, temporary files, or known-safe content and reduces costs.

Source: On-upload malware scanning
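The exclusion semantics described above (prefix, suffix or size rules combined with OR logic, at most 24 filter values per account) are easy to get wrong when reasoning about what will and will not be scanned. The following is an added example, not Microsoft's code, that models those semantics so the outcome for a given blob can be checked before a filter is deployed. It assumes blob paths of the form `<container>/<blob name>` and case-sensitive matching; the filter rules and blob names are constructed sample data.

```python
"""Exclusion-filter evaluation for Defender for Storage on-upload scanning.

Added example, not Microsoft's code. It models the filter semantics the
documentation describes: a blob is excluded from scanning if it matches
ANY configured path prefix, path suffix or size rule (OR logic), and at
most 24 filter values may be configured per storage account. Blob paths
are assumed to be "<container>/<blob name>" and matching is assumed to be
case-sensitive (blob names are case-sensitive in Azure). All filter rules
and blob names below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field

MAX_FILTER_VALUES = 24  # per-storage-account limit stated in the docs


@dataclass
class ScanFilters:
    """Exclusion rules as they would be configured on one storage account."""
    exclude_prefixes: list[str] = field(default_factory=list)
    exclude_suffixes: list[str] = field(default_factory=list)
    exclude_larger_than_bytes: int | None = None  # a single size threshold

    def value_count(self) -> int:
        size_rules = 1 if self.exclude_larger_than_bytes is not None else 0
        return len(self.exclude_prefixes) + len(self.exclude_suffixes) + size_rules

    def validate(self) -> ScanFilters:
        """Reject configurations the service would not accept."""
        if self.value_count() > MAX_FILTER_VALUES:
            raise ValueError(
                f"{self.value_count()} filter values exceed the limit of {MAX_FILTER_VALUES}")
        if self.exclude_larger_than_bytes is not None and self.exclude_larger_than_bytes <= 0:
            raise ValueError("size threshold must be a positive number of bytes")
        return self


def exclusion_reason(blob_path: str, size_bytes: int, filters: ScanFilters) -> str | None:
    """Return a description of the first rule that excludes the blob, or None
    if no rule matches and the blob will be scanned on upload."""
    for prefix in filters.exclude_prefixes:
        if blob_path.startswith(prefix):
            return f"prefix {prefix!r}"
    for suffix in filters.exclude_suffixes:
        if blob_path.endswith(suffix):
            return f"suffix {suffix!r}"
    limit = filters.exclude_larger_than_bytes
    if limit is not None and size_bytes > limit:
        return f"size {size_bytes} B > {limit} B"
    return None


def will_be_scanned(blob_path: str, size_bytes: int, filters: ScanFilters) -> bool:
    """True when no exclusion rule matches, i.e. the blob is submitted to MDAV."""
    return exclusion_reason(blob_path, size_bytes, filters) is None


GIB = 1024 ** 3

# Constructed sample configuration: skip application logs, temp files and
# anything over 10 GiB (the service itself scans blobs up to 50 GB).
SAMPLE_FILTERS = ScanFilters(
    exclude_prefixes=["uploads/logs/", "uploads/tmp/"],
    exclude_suffixes=[".log", ".tmp"],
    exclude_larger_than_bytes=10 * GIB,
).validate()

if __name__ == "__main__":
    for path, size in [("uploads/docs/report.pdf", 2_000_000),
                       ("uploads/logs/app.txt", 500),
                       ("uploads/docs/trace.log", 500),
                       ("uploads/docs/disk.img", 20 * GIB)]:
        reason = exclusion_reason(path, size, SAMPLE_FILTERS)
        print(f"{path}: {'scanned' if reason is None else 'excluded (' + reason + ')'}")
```

Because the rules are ORed, a single broad suffix such as `.tmp` excludes a matching blob regardless of where it was uploaded; run the untrusted upload paths through `exclusion_reason` before applying a filter to confirm that nothing attacker-controlled falls outside scanning.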

On-Demand Malware Scanning

On-demand scanning enables you to scan existing blobs at any time — manually or via automation.

Key characteristics:

  • Use cases: establishing security baselines, responding to security incidents, supporting compliance audits, and scanning data uploaded before on-upload scanning was enabled
  • Engine: Same MDAV engine with latest malware definitions
  • Initiation: Azure Portal, REST API, or automation (Logic Apps, Automation runbooks, PowerShell scripts)
  • Single scan limitation: Only one on-demand scan can run per storage account at a time
  • Cost model: Per GB scanned with no monthly cap (unlike on-upload scanning). Always review cost estimates in the Azure portal before initiating.

Source: On-demand malware scanning

Hash Reputation Analysis

Hash reputation analysis is a separate detection method that compares hash values of newly uploaded blobs and files against known malware hashes from Microsoft Defender Threat Intelligence. It is available in all Defender for Storage plans and covers both Azure Blob Storage and Azure Files, but it has limitations:

  • Does not perform deep file inspection
  • Does not support all file protocols and operation types (e.g., SMB file shares, Put Block / Put Block List)

Full malware scanning (MDAV-based) provides more comprehensive detection and is the recommended approach.

Source: Malware scanning vs hash reputation analysis


Scan Results and Automation

Scan results are available through four methods:

Blob Index Tags

By default, Defender for Storage writes scan results as blob index tags on every scanned blob:

| Tag | Possible Values |
|---|---|
| Scan result | No threats found, Malicious, Error, Not scanned |
| Scan time (UTC) | Timestamp of the scan |

Important: Blob index tags are not tamper-resistant. Users with permissions to modify tags can alter them. For security-sensitive workflows, use alerts, Event Grid events, or Log Analytics instead.

Note: Blob index tags are not supported for storage accounts with hierarchical namespaces enabled (Azure Data Lake Storage Gen2).

Security Alerts

When a malicious file is detected, Microsoft Defender for Cloud generates a security alert with:

  • File details and type of malware detected
  • Recommended investigation and remediation steps
  • Integration with workflow automations and SIEM exports (e.g., Microsoft Sentinel)

Event Grid Events

Event Grid provides near-real-time delivery of scan results for event-driven automation. Supports Function Apps, Webhooks, Event Hubs, and Service Bus queues. This method requires additional configuration but offers the lowest latency for automated responses.

Event message structure includes:

{
  "eventType": "Microsoft.Security.MalwareScanningResult",
  "data": {
    "scanResultType": "Malicious | No threats found",
    "scanResultDetails": {
      "malwareNamesFound": ["..."],
      "sha256": "..."
    },
    "blobUri": "https://<account>.blob.core.windows.net/...",
    "scanFinishedTimeUtc": "..."
  }
}

Limitation: Event Grid topics with private endpoints (no public network access) are not supported for scan-result delivery.

Log Analytics

Log Analytics stores every scan result in the StorageMalwareScanningResults table for compliance, auditing, and historical investigations. Requires additional configuration.

Source: Malware scan results


Automated Remediation

Built-in Soft Delete of Malicious Blobs

Defender for Storage has a built-in remediation capability that automatically soft-deletes malicious blobs when detected through on-upload or on-demand scanning.

  • Off by default — must be explicitly enabled
  • Can be enabled at subscription or storage account level
  • If soft delete is not enabled on the storage account, the feature enables it automatically
  • Default retention period: 7 days (configurable, 1–365 days)
  • Soft-deleted blobs remain in the same container and can be restored within the retention period

Source: Built-in automated malware remediation

Custom Remediation with Event Grid and Function Apps

For high-performance, low-latency automated responses:

  1. Create a Function App in the same resource group as the protected storage account
  2. Assign the Function App's managed identity the Storage Blob Data Contributor role
  3. Connect Event Grid events with the Function App as the endpoint
  4. Implement logic to move clean files to internal storage and quarantine/delete malicious files

Microsoft provides a pre-built function sample: MoveMaliciousBlobEventTrigger
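The Event Grid event structure shown earlier and the four steps above describe the Function App side of the DMZ pattern. The following is an added example, not Microsoft's MoveMaliciousBlobEventTrigger sample, that implements the decision part of such a function: it parses the `Microsoft.Security.MalwareScanningResult` event, refuses to act on events for any account other than the expected quarantine account, and returns a plan for each blob. Executing the plan (copying or deleting the blob with the azure-storage-blob SDK) is assumed to be done by the caller and is not shown; the account names, container names and event payloads are constructed sample data.

```python
"""Decision logic for Microsoft.Security.MalwareScanningResult events.

Added example, not Microsoft's MoveMaliciousBlobEventTrigger sample. It is
the pure decision part of a Function App implementing the DMZ pattern:
parse the Event Grid event, reject anything that is not a scan result for
the expected quarantine account, and return the action to take. Executing
that action (copying or deleting the blob with the azure-storage-blob SDK)
is assumed to be done by the caller and is not part of this block. The
account names, container names and event payloads are constructed sample
data in the event structure documented above.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from urllib.parse import urlparse

EXPECTED_EVENT_TYPE = "Microsoft.Security.MalwareScanningResult"
BLOB_HOST_SUFFIX = ".blob.core.windows.net"


@dataclass(frozen=True)
class BlobRef:
    account: str
    container: str
    name: str


@dataclass(frozen=True)
class Plan:
    action: str      # "promote" | "quarantine" | "hold"
    source: BlobRef
    detail: str


def parse_blob_uri(uri: str) -> BlobRef:
    """Split https://<account>.blob.core.windows.net/<container>/<name>."""
    u = urlparse(uri)
    if u.scheme != "https" or not u.netloc.endswith(BLOB_HOST_SUFFIX):
        raise ValueError(f"not an Azure Blob HTTPS URI: {uri!r}")
    account = u.netloc[: -len(BLOB_HOST_SUFFIX)]
    container, _, name = u.path.lstrip("/").partition("/")
    if not account or not container or not name:
        raise ValueError(f"blob URI lacks account/container/name: {uri!r}")
    return BlobRef(account, container, name)


def plan_for_event(event: dict, dmz_account: str) -> Plan:
    """Decide what the DMZ function should do with one scan-result event."""
    if event.get("eventType") != EXPECTED_EVENT_TYPE:
        raise ValueError(f"unexpected eventType {event.get('eventType')!r}")
    data = event.get("data") or {}
    ref = parse_blob_uri(str(data.get("blobUri", "")))
    # Only act on blobs in the quarantine account this function is responsible for.
    if ref.account != dmz_account:
        raise ValueError(f"event refers to account {ref.account!r}, expected {dmz_account!r}")

    result = data.get("scanResultType")
    if result == "No threats found":
        return Plan("promote", ref, "copy to internal storage account, then delete from DMZ")
    if result == "Malicious":
        details = data.get("scanResultDetails") or {}
        names = ", ".join(details.get("malwareNamesFound") or []) or "unnamed detection"
        sha256 = details.get("sha256") or "n/a"
        return Plan("quarantine", ref, f"malware: {names}; sha256: {sha256}")
    # "Error", "Not scanned" or anything unknown: never promote an unverified blob.
    return Plan("hold", ref, f"scan result {result!r}: keep in DMZ for retry or investigation")


def plan_for_batch(raw_body: str, dmz_account: str) -> list[Plan]:
    """Event Grid delivers a JSON array of events; handle each independently so
    one malformed or out-of-scope event does not stop the others."""
    plans = []
    for event in json.loads(raw_body):
        try:
            plans.append(plan_for_event(event, dmz_account))
        except ValueError as exc:
            print(f"skipping event {event.get('id', '?')}: {exc}")
    return plans


# Constructed sample events; the sha256 value is a placeholder.
SAMPLE_BATCH = json.dumps([
    {"id": "1", "eventType": EXPECTED_EVENT_TYPE,
     "data": {"scanResultType": "No threats found", "scanResultDetails": None,
              "blobUri": "https://dmzuploads.blob.core.windows.net/incoming/invoice.pdf",
              "scanFinishedTimeUtc": "2024-01-01T00:00:00Z"}},
    {"id": "2", "eventType": EXPECTED_EVENT_TYPE,
     "data": {"scanResultType": "Malicious",
              "scanResultDetails": {"malwareNamesFound": ["Virus:DOS/EICAR_Test_File"],
                                    "sha256": "<placeholder-sha256>"},
              "blobUri": "https://dmzuploads.blob.core.windows.net/incoming/bad.docm",
              "scanFinishedTimeUtc": "2024-01-01T00:00:01Z"}},
    {"id": "3", "eventType": EXPECTED_EVENT_TYPE,
     "data": {"scanResultType": "Error", "scanResultDetails": None,
              "blobUri": "https://dmzuploads.blob.core.windows.net/incoming/huge.zip",
              "scanFinishedTimeUtc": "2024-01-01T00:00:02Z"}},
    {"id": "4", "eventType": EXPECTED_EVENT_TYPE,
     "data": {"scanResultType": "No threats found", "scanResultDetails": None,
              "blobUri": "https://otheraccount.blob.core.windows.net/incoming/x.pdf",
              "scanFinishedTimeUtc": "2024-01-01T00:00:03Z"}},
])

if __name__ == "__main__":
    for plan in plan_for_batch(SAMPLE_BATCH, "dmzuploads"):
        print(plan.action, plan.source, plan.detail)
```

Two design points matter for the DMZ pattern: a result other than "No threats found" (including "Error" and "Not scanned") must never lead to promotion, which is why the fall-through returns "hold"; and because the function holds Storage Blob Data Contributor on the internal account, it should act only on events whose blob URI points at the quarantine account it was built for, rather than on any URI the event carries.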

Logic App Based on Security Alerts

A no-code / low-code approach using Defender for Cloud workflow automations:

  1. Deploy the DeleteBlobLogicApp ARM template
  2. Assign the Logic App's managed identity the Storage Blob Data Contributor role
  3. Create a workflow automation in Defender for Cloud triggered on "Malicious file uploaded to storage account" alerts

Note: Logic App responses are slower than Event Grid + Function App approaches.

Attribute-Based Access Control (ABAC)

Use Microsoft Entra ABAC authorization to block access to unscanned or malicious files. Set conditional access policies based on blob index tag scan results, allowing applications and users to access only blobs with No threats found results.

Source: Set up automated remediation


DMZ Architecture Pattern

Microsoft's recommended best-practice architecture for isolating untrusted uploads:

┌───────────────────┐     Upload      ┌─────────────────────────┐
│   External API    │ ──────────────► │  Quarantine / DMZ       │
│   (SaaS Clients)  │                 │  Storage Account        │
└───────────────────┘                 │  (Malware Scanning ON)  │
                                      └────────┬────────────────┘
                                      Event Grid + Function App
                                    ┌──────────┴──────────┐
                                    │                     │
                              Clean Files            Malicious Files
                                    │                     │
                                    ▼                     ▼
                          ┌──────────────────┐   ┌──────────────────┐
                          │  Internal        │   │  Quarantine /    │
                          │  Storage Account │   │  Soft Delete     │
                          │  (Private VNet)  │   │  + Alert         │
                          └──────────────────┘   └──────────────────┘

Pattern: Upload to an intermediary "DMZ" storage account with malware scanning enabled → Event Grid triggers a Function App → clean files are moved to the internal destination storage account → malicious files are quarantined/soft-deleted.

Source: Use an intermediary storage account as a DMZ


Network Isolation and Private Networking

Private Endpoint Configuration

Azure Storage supports private endpoints via Azure Private Link, providing maximum network isolation:

  • Private endpoint assigns a private IP address from your VNet to the storage account
  • Traffic routes over the Microsoft backbone network — never traverses the public internet
  • A separate private endpoint is required for each storage sub-resource (Blob, Data Lake Storage, File, Queue, Table, Static Website)
  • Disable public network access entirely once private endpoints are deployed
  • Private DNS zones ensure FQDNs (e.g., mystorageaccount.blob.core.windows.net) resolve to private IPs within the VNet
  • Supports connectivity from on-premises networks via VPN or ExpressRoute with private peering

Source: Use private endpoints for Azure Storage

How Malware Scanning Works with Private Endpoints

Microsoft Defender for Storage malware scanning is fully compatible with private networking:

  1. When malware scanning is enabled, Azure automatically deploys a StorageDataScanner resource in your subscription with a system-assigned managed identity
  2. This identity is granted the Storage Blob Data Owner role to read and scan blob data
  3. If the storage account is configured to allow public network access only from selected virtual networks or IP addresses, the StorageDataScanner resource is added to the Resource instances section of the storage account networking configuration
  4. This ensures the scanner can access data even when public network access is restricted, without requiring you to open any public access

No additional networking configuration is required — the scanner is automatically provisioned and configured.

Source: Data access requirements


Data Privacy and Regional Processing

  • Regional processing: Malware scanning is performed in the same Azure region as your storage account, supporting data residency and compliance requirements
  • Data handling: Scanned files are not stored by the service. In limited cases, file metadata such as the SHA-256 hash may be shared with Microsoft Defender for Endpoint for further analysis
  • No data export: File contents are not exported outside your environment

Source: Data privacy and regional processing


Supported Content and Limitations

Supported

| Capability | Detail |
|---|---|
| File types | All file types, including ZIP, RAR archives |
| Maximum blob size | 50 GB per blob |
| Encryption at rest (CMK) | Supported — Azure handles decryption |

Limitations

| Limitation | Detail |
|---|---|
| Legacy v1 storage accounts | Not supported |
| Azure Files | Not supported for malware scanning |
| Append blobs and page blobs | Not supported |
| Client-side encrypted blobs | Not supported (service cannot decrypt) |
| NFS 3.0 protocol uploads | Not scanned |
| Blob index tags with HNS | Not supported for ADLS Gen2 (hierarchical namespaces) |
| Event Grid with private endpoints | Not supported for scan-result delivery |
| Metadata update timing | If a blob's metadata is updated soon after upload, on-upload scanning may fail. Specify metadata in BlobOpenWriteOptions or delay metadata updates until scanning completes |
| Regional availability | Not all Azure regions currently support malware scanning. See Defender for Cloud availability for the latest list |
| Scan time limits | 30 minutes to 3 hours depending on blob size/structure; exceeded scans are marked as "Scan timed out" |

Detection Limitations

Defender for Storage uses the same MDAV engine as Defender for Endpoint but lacks certain contextual metadata available on endpoints:

  • Mark of the Web (MOTW): Not preserved when files are uploaded to Azure Storage
  • File path context: Blob storage does not provide equivalent path-based evaluation
  • Behavioral data: Static analysis and limited emulation only — no runtime behavior observation

This may result in a higher likelihood of missed detections (false negatives) compared to endpoint scanning.

Source: Supported content and limitations, Detection differences


Pricing and Cost Controls

Plan Pricing

  • Defender for Storage plan: Per-storage-account pricing with the option to enable at subscription or resource level
  • Malware scanning: Billed per GB scanned (add-on to the plan)
  • Sensitive data threat detection: Included at no additional cost
  • Malware scanning is NOT included in the free 30-day Defender for Cloud trial

Monthly Scan Cap (On-Upload Only)

  • Default cap: 10,000 GB (10 TB) per month per storage account
  • Configurable per subscription or per individual storage account
  • When the cap is reached, scanning pauses for the remainder of the calendar month (with up to ~20 GB deviation)
  • Cap resets at midnight UTC on the first of each month
  • Set to -1 for unlimited scanning
  • On-demand scanning has no monthly cap — costs are entirely usage-based

Cost Alerts

| Alert | Trigger |
|---|---|
| Malware scanning will stop soon | 75% of monthly cap reached |
| Malware scanning stopped | Monthly cap reached, scanning paused |

Additional Costs

Malware scanning may incur additional charges from dependent Azure services:

  • Azure Storage read operations
  • Azure Storage blob indexing (if index tags are enabled)
  • Azure Event Grid event notifications

Use the Defender for Storage Price Estimation Workbook or the Defender for Cloud Cost Calculator to estimate costs.

Source: Pricing and cost controls, Cost control for on-upload scanning, On-demand cost considerations


HIPAA Compliance

Microsoft Azure — including Azure Storage and Microsoft Defender for Cloud — is covered under the Microsoft HIPAA Business Associate Agreement (BAA):

  • The HIPAA BAA is available via the Microsoft Product Terms by default to all customers who are covered entities or business associates under HIPAA
  • No separate contract is required — execution of the customer's volume licensing agreement includes execution of the HIPAA BAA
  • Azure has enabled the physical, technical, and administrative safeguards required by HIPAA and the HITECH Act for in-scope Azure services
  • For the full list of in-scope services, see Cloud services in audit scope

Key considerations for HIPAA compliance with this architecture:

  • Malware scanning processes data in the same Azure region as the storage account, supporting data residency requirements
  • Using a BAA with Microsoft does not automatically ensure HIPAA compliance — customers are responsible for ensuring their own compliance program, internal processes, and configuration align with HIPAA requirements
  • Enable encryption at rest (default), encryption in transit (HTTPS enforced by default), private endpoints, and access logging

Source: Azure and HIPAA, HIPAA FAQ


Deployment Methods

Defender for Storage can be enabled using multiple methods:

| Method | Scope | Recommendation |
|---|---|---|
| Azure built-in policy | Subscription / Management Group | Recommended — ensures consistent coverage at scale |
| Terraform | Subscription / Storage Account | IaC-friendly |
| Bicep | Subscription / Storage Account | IaC-friendly |
| ARM Template | Subscription / Storage Account | IaC-friendly |
| Azure Portal | Subscription / Storage Account | Manual |
| Azure PowerShell | Subscription / Storage Account | Scripted |
| REST API | Subscription / Storage Account | Programmatic |

Subscription-level enablement automatically protects all existing and newly created storage accounts (may take up to 24 hours for full propagation). Specific storage accounts can be excluded or configured with overrides.

Source: Deploy Microsoft Defender for Storage


For a SaaS solution accepting untrusted document uploads with private networking requirements:

1. Quarantine / DMZ Storage Account

  • Create a dedicated quarantine storage account for incoming uploads
  • Configure a private endpoint for the quarantine storage account within your VNet
  • Disable all public network access
  • Enable Defender for Storage with on-upload malware scanning
  • Set a monthly scan cap appropriate to your expected upload volume
  • Enable soft delete for malicious blobs for built-in remediation

2. Event-Driven File Processing

  • Configure Event Grid with a custom topic for malware scanning results
  • Deploy an Azure Function App (with managed identity and Storage Blob Data Contributor role) to react to scan results:
      • No threats found → Move/copy blob to the internal storage account
      • Malicious → Log alert, optionally move to quarantine container, or rely on built-in soft delete

3. Internal / Trusted Storage Account

  • Separate storage account within the private VNet for clean, verified documents
  • Private endpoint only, no public access
  • Application services access documents from this storage account
  • Consider enabling on-demand scanning for periodic compliance scans

4. Monitoring and Compliance

  • Send scan results to Log Analytics for audit trails
  • Configure Defender for Cloud security alerts forwarding to your SIEM (e.g., Microsoft Sentinel)
  • Use the Defender for Cloud regulatory compliance dashboard with HIPAA built-in initiative
  • Review the Defender for Storage Price Estimation Workbook to manage costs

References

All sources are from official Microsoft public documentation:

| Topic | URL |
|---|---|
| What is Microsoft Defender for Storage | https://learn.microsoft.com/azure/defender-for-cloud/defender-for-storage-introduction |
| Introduction to Malware Scanning | https://learn.microsoft.com/azure/defender-for-cloud/introduction-malware-scanning |
| On-Upload Malware Scanning | https://learn.microsoft.com/azure/defender-for-cloud/on-upload-malware-scanning |
| On-Demand Malware Scanning | https://learn.microsoft.com/azure/defender-for-cloud/on-demand-malware-scanning |
| Set Up Automated Remediation | https://learn.microsoft.com/azure/defender-for-cloud/defender-for-storage-configure-malware-scan |
| Deploy Microsoft Defender for Storage | https://learn.microsoft.com/azure/defender-for-cloud/tutorial-enable-storage-plan |
| Azure Storage Network Security | https://learn.microsoft.com/azure/storage/common/storage-network-security-overview |
| Use Private Endpoints for Azure Storage | https://learn.microsoft.com/azure/storage/common/storage-private-endpoints |
| Azure Best Practices for Network Security | https://learn.microsoft.com/azure/security/fundamentals/network-best-practices |
| Zero Trust Principles for Azure Storage | https://learn.microsoft.com/security/zero-trust/azure-infrastructure-storage |
| Azure HIPAA Compliance | https://learn.microsoft.com/azure/compliance/offerings/offering-hipaa-us |
| HIPAA/HITECH Compliance | https://learn.microsoft.com/compliance/regulatory/offering-hipaa-hitech |
| Advanced Configurations for Malware Scanning | https://learn.microsoft.com/azure/defender-for-cloud/advanced-configurations-for-malware-scanning |
| Defender for Storage FAQ | https://learn.microsoft.com/azure/defender-for-cloud/faq-defender-for-storage |
| Defender for Cloud Pricing | https://azure.microsoft.com/pricing/details/defender-for-cloud/ |