Enabling Diagnostics Logging for Azure Antimalware

Hello Azure security community!

Yuri Diogenes (CSI Enterprise Mobility and Azure Security team) here. Recently we had a great discussion online about how to enable diagnostics logging for Antimalware in Azure. The point matters because enabling Antimalware through the Azure Portal does not enable its diagnostics logs automatically. If you enable Antimalware with the Azure PowerShell cmdlet Set-AzureServiceAntimalwareExtension instead, the -Monitoring parameter lets you turn diagnostics logging on at the same time and send the events to a storage account of your choice.

Below you have an example of how to enable diagnostics logging for Antimalware via PowerShell:

======================================

PS C:\> Add-AzureAccount

PS C:\> Select-AzureSubscription -SubscriptionName "<your subscription name>"

PS C:\> $StorageContext = New-AzureStorageContext -StorageAccountName "<your storage account name>" -StorageAccountKey (Get-AzureStorageKey -StorageAccountName "<your storage account name>").Primary

PS C:\> Set-AzureServiceAntimalwareExtension -ServiceName "<your azure cloud service name>" -Monitoring ON -StorageContext $StorageContext

======================================

After you run these commands, you should see output similar to the following:

(Screenshot: output of Set-AzureServiceAntimalwareExtension)

If you go to the Worker Role, you can see the PaaSDiagnostics plug-in:

(Screenshot: the PaaSDiagnostics plug-in listed on the Worker Role)

Note:
You may not see events immediately, because not all Antimalware events are configured for collection. To validate the setup, copy an EICAR test file (eicar.txt, the standard harmless file used to test antimalware engines) onto the role instance and check whether events 1116 (malware detected) and 1117 (action taken) are triggered and logged in WADWindowsEventLogsTable (shown below).

(Screenshot: events 1116 and 1117 in WADWindowsEventLogsTable)
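The validation described in the note above, written out as an added example (this is not code from the original post). It assumes the classic (ASM) Azure PowerShell module used throughout the post and the $StorageContext variable created earlier; the function names, the default file path and the 60-minute lookback window are choices made for this example. The first function is meant to run on the role instance to trigger a detection; the second runs from your workstation and reads the events back out of WADWindowsEventLogsTable, using the Azure Storage table client that ships with the module.

```powershell
# Added example, not part of the original post. Assumes the classic (ASM)
# Azure PowerShell module and a $StorageContext built as shown in the post.

# Part 1: run this ON THE ROLE INSTANCE (for example over RDP) to trigger a
# detection. The EICAR string is the industry-standard harmless test pattern.
# Write it as plain ASCII without a BOM, or the engine will not match it.
# (Running this on your own workstation will trip your local antimalware.)
function New-EicarTestFile {
    param([string]$Path = "$env:TEMP\eicar.txt")   # assumed default path
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
    [System.IO.File]::WriteAllText($Path, $eicar, [System.Text.Encoding]::ASCII)
    return $Path
}

# Part 2: run this FROM YOUR WORKSTATION against the storage account that was
# passed as -StorageContext. Diagnostics are transferred to storage on a
# schedule, so allow a few minutes between the detection and the query.
function Get-AntimalwareDetectionEvents {
    param(
        [Parameter(Mandatory)] $StorageContext,
        [int]$SinceMinutes = 60
    )
    $table = Get-AzureStorageTable -Name 'WADWindowsEventLogsTable' -Context $StorageContext

    # WAD tables key each row by '0' followed by the UTC tick count of the
    # event, so a string range filter on PartitionKey avoids a full table scan.
    $since  = '0' + (Get-Date).ToUniversalTime().AddMinutes(-$SinceMinutes).Ticks
    $filter = "(PartitionKey gt '$since') and (EventId eq 1116 or EventId eq 1117)"

    $query = New-Object Microsoft.WindowsAzure.Storage.Table.TableQuery
    $query.FilterString = $filter

    foreach ($e in $table.CloudTable.ExecuteQuery($query)) {
        [pscustomobject]@{
            Time         = $e.Timestamp.UtcDateTime
            RoleInstance = $e.Properties['RoleInstance'].StringValue
            Provider     = $e.Properties['ProviderName'].StringValue
            EventId      = $e.Properties['EventId'].Int32Value
            Description  = $e.Properties['Description'].StringValue
        }
    }
}

# Usage on the workstation, reusing $StorageContext from the post:
# $events = Get-AntimalwareDetectionEvents -StorageContext $StorageContext
# if (-not $events) { Write-Warning 'No 1116/1117 events yet; wait for the diagnostics transfer and retry.' }
# $events | Format-Table Time, RoleInstance, EventId -AutoSize
```

If the query stays empty well after the EICAR file was dropped, first confirm that monitoring is actually on for the service with Get-AzureServiceAntimalwareConfig -ServiceName "<your azure cloud service name>" before suspecting the storage side; an empty result with monitoring off is the expected outcome of enabling Antimalware from the portal alone.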

Note:
For more information, see Microsoft Antimalware for Azure Cloud Services and Virtual Machines.

Kudos to Rakesh Narayan and ASM Team for their contribution testing this solution.

Comments

  • Anonymous
    May 16, 2016
    Hi Yuri, I am trying to deploy my cloud service (worker role) using the new Azure portal. I am not able to use these commands for enabling Endpoint Protection. Mine is an RM account now, so the commands don't work. Also I tried putting it in my worker role config. Then also my deployments fail without giving any error. Please help, it's urgent.
    • Anonymous
      May 24, 2016
      Hi Shipra - sorry for the delay in the reply. Were you able to get this issue resolved? Thanks! -Tom.
      • Anonymous
        September 08, 2016
        Hi Thomas, I am still not able to enable anti-malware for my worker role. When I deploy it using the new Resource Manager Azure portal, it keeps on crashing. Can you please help me with commands that work with Resource Manager Azure portal cloud services?