1
votes

Having read

"The Microsoft Antimalware Client and Service is installed by default in a disabled state in all supported Azure guest operating system families in the Cloud Services platform. ... When using Azure Websites, the underlying service that hosts the web app has Microsoft Antimalware enabled on it. This is used to protect Azure Websites infrastructure and does not run on customer content."

here: https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware

it appears that although the underlying execution environment is scanned and protected, nothing prevents the deployment of infected files (contrary to the response given here: https://stackoverflow.com/a/44805995/8354791).

And therefore the service needs to be enabled.

It also appears this can only be done via PowerShell, using the Set-AzureServiceAntimalwareExtension command, as per https://stackoverflow.com/a/25847270/8354791 and "Powershell: Add Diagnostics/Antimalware to Azure PaaS Cloud Service using ExtensionConfiguration Parameter".

  • Q: the link is a bit old (2015). Is PowerShell still the only way to turn on debugging for an App Service?
  • Q: is the analysis of the above text correct that MS is scanning its own environment, but excludes the scanning of files deployed to their services?
  • Q: is there a cost to enabling this service?
  • Q: What is the relationship to Malware Assessment (https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-malware)? Is that a more current way of scanning Web Apps?
  • Q: this is a manual approach, using PowerShell. Is there a link to understanding how to enable this service using a CI/CD deployed ARM template?
  • Q: I see this service is mentioned as a solution for scanning deployed code files -- but can this service be used to scan Blobs where uploaded media would be stored?

I know I've asked a lot of questions...but hopefully you agree they are all tightly related...

Thanks immensely!

1 Answer

2
votes

Azure App Service is a managed platform. Microsoft Antimalware Client and Service is enabled by default on App Service instances; there is no user action that allows enabling/disabling this feature for apps hosted in App Service.

All of the documentation you are referencing is about "Azure Cloud Services" and "Azure VMs" and not Azure App Service. Here is the security documentation for Azure App Service: https://docs.microsoft.com/en-us/azure/app-service/app-service-security-readme

Malware Assessment is part of the OMS suite and it's an additional tool for managing large deployments and detecting instances that might be affected by malicious code.