Microsoft Antimalware for Azure Cloud Services and Virtual Machines is a new cloud service that detects and remove viruses, spyware, and other malicious software. Administrators can configure alerts to detect when malicious software attempts to install or run on a Microsoft Azure workload. The service is currently in preview.
I was really excited when I heard this new service announced at TechEd North America. Microsoft Antimalware for Azure addresses a major gap in the market. There is a legitimate need to protect IaaS and PaaS workloads running on Azure from viruses and other malware. So it is great to see that Microsoft has recognized that this is an issue and that they are trying to address it.
For those of you who are familiar with Microsoft’s portfolio of security solutions, Microsoft has four offerings for consumers and businesses:
1) Microsoft Security Essentials (MSE)
2) Windows Defender (for Windows 8 and higher)
3) System Center Endpoint Protection
4) Windows Intune Endpoint Protection
Microsoft Antimalware for Azure is built on the same engine as the existing solutions from Microsoft. But it is a distinctly different service. It is single-agent solution for PaaS applications and virtual machines. It is designed to run in the background without human intervention. The service has a default configuration which is appropriate for most workloads. But it also offers the option for advanced custom configuration, including antimalware monitoring.
The following core features are available in the preview release:
Real-time protection – monitors activity in Azure Cloud Services and on Virtual Machines to detect and block malware execution.
Scheduled scanning – periodically performs targeted scanning to detect malware, including actively running programs.
Malware remediation – automatically takes action on detected malware, such as deleting or quarantining malicious files and cleaning up malicious registry entries.
Signature updates – automatically installs the latest protection signatures (virus definitions) to ensure protection is up-to-date on a pre-determined frequency.
Antimalware Engine updates – automatically updates the Microsoft Antimalware engine.
Antimalware Platform updates – automatically updates the Microsoft Antimalware platform.
Active protection – reports telemetry metadata about detected threats and suspicious resources to Microsoft Azure to ensure rapid response to the evolving threat landscape, as well as enabling real-time synchronous signature delivery through the Microsoft Active Protection System (MAPS).
Samples reporting – provides and reports samples to the Microsoft Antimalware service to help refine the service and enable troubleshooting.
Exclusions – allows application and service administrators to configure certain files, processes, and drives to exclude them from protection and scanning for performance and/or other reasons.
Antimalware monitoring – records the antimalware service health, suspicious activities and remediation actions taken in the operating system event log and collects them into the customer’s Azure Storage account. The antimalware monitoring is enabled via the Azure Diagnostics Service extension as an advanced configuration.
The capabilities of Microsoft Antimalware are somewhat similar to other antimalware products available from Microsoft. Unfortunately, the current release of Microsoft Antimalware for Azure is extremely difficult to deploy, configure, and manage. The main reason for this is the lack of any UI for the administrator or end user. To do any type of meaningful administration of the service requires the use of Powershell. I do not believe it is an exaggeration to say that Microsoft Antimalware for Azure is the most difficult to use antimalware solution on the market today. I realize that the product is in preview and that it will mature over time.
Another major limitation of Microsoft Antimalware for Azure is that it cannot be deployed to an existing Azure VM. There is no way to deploy the agent to a VM that has already been created. You have to create a brand new VM and choose the option to add the Microsoft Antimalware security extension by checking the box in the create virtual machine wizard. This is the one and only configuration option which has a user interface at the present time. The fact that you cannot deploy Microsoft Antimalware for Azure to an existing VM is a major limitation. It means that you will need to delete and recreate any VMs which you have already deployed in order to start using the solution. This is a major undertaking which makes deployment extremely difficult and cumbersome.
I am frankly surprised that Microsoft has taken the approach of building an entirely new service to provide antimalware to Microsoft Azure VMs. This seems like an enormous engineering effort for an organization that already have four different antimalware solutions. Instead of creating a fifth service to protect against antimalware, it would seem far more logical to take one of the existing services and adapt it to protect Azure VMs. I would have thought that extending Windows Intune Endpoint Protection (WIEP) to run on Azure VMs was the most sensible approach. One of the nice benefits of WIEP is that it has a very simple UI which is ideal for businesses that lack the technical expertise to run System Center Endpoint Protection. But Microsoft chose to build an entirely new antimalware product instead which make System Center Endpoint Protection look simple by comparison.
I sincerely hope that Microsoft will take this feedback in the spirit in which it is intended. The concept behind Microsoft Antimalware for Azure is terrific. It is a fantastic idea whose time has come. But Microsoft needs to prioritize their investment in a user interface so that the major of administrators can deploy and use the product successfully. Otherwise, it offers no real benefit to customers.