MS Antimalware on Azure

Microsoft has made System Center Endpoint Protection a free extension for all Azure virtual machines.   This is great news for folks who just need basic AV protection on their VMs, as it’s a license they don’t have to pay for (or it’s at least “included”.)   Another kind-of-nice feature is that this add-on automatically downloads updates from download.microsoft.com and you don’t have to do anything to manage the clients.

That last part is awesome in some ways, but has drawbacks, too.   I cannot find any way to log into the GUI on the machines to configure things like exclusions, real time protection, or anything else on there.   What you can do for this, though, is to deploy the add-on using PowerShell with the command Set-AzureVMMicrosoftAntimalwareExtension and by providing a configuration file.   The config file can be either an XML or a JSON-formatted file, like the following JSON example:

{ “AntimalwareEnabled”: true, “RealtimeProtectionEnabled”: true, “ScheduledScanSettings”: { “isEnabled”: true, “day”: 1, “time”: 120, “scanType”: “Full” }, “Exclusions”: { “Extensions”: “.ext1;.ext2”, “Paths”: “c:\excluded-path-1;c:\excluded-path-2”, “Processes”: “excludedproc1.exe;excludedproc2.exe” } }

Having tried both XML and JSON, I found the JSON file to be easier to deal with, because the “Paths” and “Processes” are all on one line, as opposed to having separate <path> and <process> parts for each and every one.   You do need to use double backslashes in the JSON file, but that’s easy enough to deal with.

Each time you need to change this, you simply redeploy to the client(s) with the values in here you need.   I was able to use a few pages from Microsoft to figure out a “standard” exclusion list, including things for domain controllers, SQL Servers, and their standard server exclusions.   These can be found at http://support.microsoft.com/kb/822158.   Fortunately, even if the files and paths are not actually on a client, the list works anyway, as it just drops the values as DWORDs under “HKLM\Software\Microsoft\Microsoft Antimalware” in the registry.

The only other real issue with this AV solution is the lack of a central reporting tool to check on things.   You can enable some monitoring that drops log files to blob storage, but that’s really it, and it is disabled by default.   Unless your security compliance manager gets really antsy when he can’t get a report in his email everyday, though, this is probably still sufficient.   I cannot say that I’ve actually used any AV GUIs in the past 15 years anyway, as I’ve just assumed that things were going along fine until an error has popped up.

Written on March 5, 2015