Can a Worker Role process call Antimalware for Azure Cloud Services programmatically?

5
votes

I'm trying to find a solution that I can use to perform virus scanning on files that have been uploaded to Azure blob storage. I wanted to know if it is possible to copy the file to local storage on a Worker Role instance, call Antimalware for Azure Cloud Services to perform the scan on that specific file, and then depending on whether the file is clean, process the file accordingly.

If the Worker Role cannot call the scan programmatically, is there a definitive way to check if a file has been scanned and whether it is clean or not once it has been copied to local storage (I don't know if the service does a real-time scan when new files are added, or only runs on a schedule)?

2
azureazure-worker-roles

2 Answers

2
votes

There isn't a direct API that we've found, but the anti-malware services conform to the standards used by Windows desktop virus checkers in that they implement the IAttachmentExecute COM API.

So we ended up implementing a file upload service that writes the uploaded file to a Quarantine local resource, then calling the IAttachmentExecute API. If the file is infected then, depending on the anti-malware service in use, it will either throw an exception, silently delete the file or mark it as inaccessible. So by attempting to read the first byte of the file, we can test if the file remains accessible.

var type = Type.GetTypeFromCLSID(new Guid("4125DD96-E03A-4103-8F70-E0597D803B9C"));
var svc = (IAttachmentExecute)Activator.CreateInstance(type);
try {
    svc.SetClientGuid(ref clientGuid);
    svc.SetLocalPath(path);
    svc.Save();
}
finally
{
    svc.ClearClientState();
}

using (var fileStream = File.OpenRead(path))
{
    fileStream.ReadByte();
}

[Guid("73DB1241-1E85-4581-8E4F-A81E1D0F8C57")]
[InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
public interface IAttachmentExecute
{
    void SetClientGuid(ref Guid guid);

    void SetLocalPath(string pszLocalPath);

    void Save();

    void ClearClientState();
}
0
votes

I think the best way for you to know is simply take an Azure VM (IaaS) and activate Microsoft Antimalware extension. Then you may log into it and do all the necessary check and tests against the service. Later, you will apply all this into the Worker Role (there is a similar PaaS extension available for that, calles PaaSAntimalware).

See the next excerpt from https://msdn.microsoft.com/en-us/library/azure/dn832621.aspx:

"In PaaS, the VM agent is called GuestAgent, and is always available on Web and Worker Role VMs. (For more information, see Azure Role Architecture.) The VM agent for Role VMs can now add extensions to the cloud service VMs in the same way that it does for persistent Virtual Machines. The biggest difference between VM Extensions on role VMs and persistent VMs is that with role VMs, extensions are added to the cloud service first and then to the deployments within that cloud service.

Use the Get-AzureServiceAvailableExtension cmdlet to list all available role VM extensions."