Guide: Secure Service Fabric Cluster or VM Scale Sets using IaaSAntimalware

Posted by Nilay Parikh and last modified on Tue Jun 12, 2018.

Microsoft Antimalware provides free real-time protection against viruses, spyware and other malicious software. The solution is built on the same antimalware platform as Microsoft Security Essentials, Forefront Endpoint Protection, System Center Endpoint Protection, Windows Intune and Windows Defender. Microsoft Antimalware is a single-agent malware protection solution for tenant environments.

Microsoft Antimalware for Azure Cloud Services and Virtual Machines is a detailed guide by Microsoft if you would like to learn more about Microsoft Antimalware. There are many ways to deploy Microsoft Antimalware to your Azure IaaS or Cloud Services infrastructure, but I would like to focus on the following two: Resource Manager templates and PowerShell.

The IaaSAntimalware extension can be defined in a Resource Manager template under virtualMachineScaleSets\properties\virtualMachineProfile\extensionProfile\extensions.

  • Defining the extension in virtualMachineProfile ensures consistency across the VM cluster.
  • Provisioning a new Virtual Machine or Service Fabric node automatically deploys and configures IaaSAntimalware on it.
  • You can roll out configuration changes easily and consistently across a cluster.

Deploy Microsoft Antimalware (IaaSAntimalware) using Azure RM Templates

You can use the following Resource Manager template snippet to add a Microsoft Antimalware extension. The extension can be used with the Microsoft.Compute/virtualMachineScaleSets resource, whether the scale set backs IaaS (VMSS) or PaaS (Service Fabric), because Service Fabric node types are themselves VM Scale Sets.

"virtualMachineProfile": {
  "extensionProfile": {
    "extensions": [
      {
        "name": "[concat('IaaSAntimalwareVmExt', '_', variables('vmNodeType0Name'))]",
        "properties": {
          "publisher": "Microsoft.Azure.Security",
          "type": "IaaSAntimalware",
          "typeHandlerVersion": "1.5",
          "settings": {
            "AntimalwareEnabled": true,
            "RealtimeProtectionEnabled": true,
            "ScheduledScanSettings": {
              "isEnabled": true,
              "day": 1,
              "time": 120,
              "scanType": "Quick"
            }
          }
        }
      }
    ]
  },
  ...
  ...
}
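Because every Service Fabric node type is a VM Scale Set, the template above is also what an audit should look for. The following script is an added example (it is not from the post or its GitHub template) that walks every scale set in a resource group and reports whether its model carries the IaaSAntimalware extension, at which version, and whether minor-version auto-upgrade is on. It assumes the AzureRM.Compute module is loaded and you are already logged in; the resource group name 'myrg' is a placeholder.

```powershell
# Added example: report IaaSAntimalware coverage across all VM Scale Sets in a
# resource group (Service Fabric node types included). Not the post's code.
# Assumes AzureRM.Compute is loaded and Login-AzureRmAccount has been run.
function Get-VmssAntimalwareCoverage {
    param([Parameter(Mandatory)] [string] $ResourceGroupName)

    foreach ($vmss in Get-AzureRmVmss -ResourceGroupName $ResourceGroupName) {
        # Match on publisher and type rather than on the extension name, since
        # the name is whatever the template author chose.
        $ext = $vmss.VirtualMachineProfile.ExtensionProfile.Extensions |
               Where-Object { $_.Publisher -eq 'Microsoft.Azure.Security' -and $_.Type -eq 'IaaSAntimalware' } |
               Select-Object -First 1

        $version     = $null
        $autoUpgrade = $null
        if ($ext) {
            $version     = $ext.TypeHandlerVersion
            $autoUpgrade = $ext.AutoUpgradeMinorVersion
        }

        [pscustomobject]@{
            ScaleSet           = $vmss.Name
            Location           = $vmss.Location
            HasAntimalware     = [bool]$ext
            TypeHandlerVersion = $version
            AutoUpgradeMinor   = $autoUpgrade
        }
    }
}

# Placeholder resource group; scale sets with HasAntimalware = False need attention.
Get-VmssAntimalwareCoverage -ResourceGroupName 'myrg' | Format-Table -AutoSize
```

This checks the scale set model only, which is what the template defines; whether the extension actually provisioned on each instance is a separate question answered by the instance view, as in the PowerShell section below.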

You can deploy the Azure Service Fabric with IaaSAntimalware preconfigured from my GitHub template.

Deploy Microsoft Antimalware (IaaSAntimalware) using PowerShell

PowerShell is very useful in the following scenarios:

  • Quick development or a testing proof of concept.
  • Working primarily from the Azure Portal and needing to work around its limitations.

However, I would still recommend managing Azure resources and deployments with Resource Manager templates as the best practice. I have created the following PowerShell script to simplify Microsoft Antimalware deployment and configuration.

Initialise the following values in order to set up the IaaSAntimalware extension on a Virtual Machine Scale Set. These parameters are self-explanatory. Please refer to Default and Custom Antimalware Configuration for the full list of Microsoft Antimalware configuration options.

# Parameters
$ResourceGroupLocation = "westeurope";
$ResourceGroupName = "myrg";
$VMScaleSetName = "myvmss";
# Extension settings are passed as a JSON object; Newtonsoft accepts the single-quoted form.
$Setting = [Newtonsoft.Json.Linq.JObject]::Parse("{ 'AntimalwareEnabled': true, 'RealtimeProtectionEnabled': true}");
$VMExtentionName = "IaaSAntimalwareVmExt";
# Let the platform roll out minor versions of the extension automatically.
$autoUpgradeMV = $true;

Retrieve the latest version of the VM extension image available in the given Azure region. The format of TypeHandlerVersion is major.minor, so the snippet below retrieves the latest full version and trims it to the supported format.

# Get latest TypeHandlerVersion
# Get-AzureRmVMExtensionImage returns the versions in ascending order, so the last entry is the newest.
$allVersions = (Get-AzureRmVMExtensionImage -Location $ResourceGroupLocation -PublisherName "Microsoft.Azure.Security" -Type "IaaSAntimalware").Version
$typeHandlerVer = $allVersions[($allVersions.count) - 1]
# TypeHandlerVersion only accepts major.minor, so drop the build and revision parts.
$typeHandlerVerMjandMn = $typeHandlerVer.split(".")
$typeHandlerVerMjandMn = $typeHandlerVerMjandMn[0] + "." + $typeHandlerVerMjandMn[1]

Get the current model of the Azure VM Scale Set.

# Get VM Scale Set instance
$scaleSet = Get-AzureRmVmss -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMScaleSetName;

Add the IaaSAntimalware extension to the model and update the Azure VM Scale Set.

# Add the extension to the in-memory model, then push the updated model to Azure.
$scaleSet = Add-AzureRmVmssExtension -VirtualMachineScaleSet $scaleSet -Name $VMExtentionName -Publisher "Microsoft.Azure.Security" -Type "IaaSAntimalware" -TypeHandlerVersion $typeHandlerVerMjandMn -AutoUpgradeMinorVersion $autoUpgradeMV -Setting $Setting;
Update-AzureRmVmss -ResourceGroupName $ResourceGroupName -Name $VMScaleSetName -VirtualMachineScaleSet $scaleSet

The complete PowerShell script is available at Github/NilayParikh/AzureScripts. Once the Virtual Machine Scale Set has been successfully updated, you can verify the extension status from the Azure Portal.
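The steps above wrapped into one function, as an added example that is not the post's script or the one on GitHub. It assumes AzureRM.Compute is loaded and you are logged in; the names 'myrg' and 'myvmss' are placeholders. Beyond the original steps it compares versions as [version] values (so 1.10 is not sorted below 1.9 as a string), re-runs cleanly when the extension is already defined, handles scale sets whose upgrade policy is Manual (where a model change does not reach running instances until they are upgraded), and finishes by reading the instance view, which is the same status the portal shows.

```powershell
# Added example (not the author's script): deploy or update the IaaSAntimalware
# extension on a VM Scale Set and report its rollout status per status code.
# Assumes AzureRM.Compute is loaded and Login-AzureRmAccount has been run.
function Set-VmssAntimalware {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMScaleSetName,
        [string] $ExtensionName = 'IaaSAntimalwareVmExt',
        # Same keys as the settings documents shown in the post.
        [hashtable] $Settings = @{
            AntimalwareEnabled        = $true
            RealtimeProtectionEnabled = $true
            ScheduledScanSettings     = @{ isEnabled = $true; day = 7; time = 120; scanType = 'Quick' }
        }
    )

    $scaleSet = Get-AzureRmVmss -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMScaleSetName

    # Newest version in the scale set's own region, compared numerically.
    $latest = (Get-AzureRmVMExtensionImage -Location $scaleSet.Location `
                -PublisherName 'Microsoft.Azure.Security' -Type 'IaaSAntimalware').Version |
              Sort-Object { [version]$_ } | Select-Object -Last 1
    $v = [version]$latest
    $majorMinor = "$($v.Major).$($v.Minor)"   # TypeHandlerVersion accepts major.minor only

    # Pass settings as a JSON object, the same way the post's script does.
    $settingObject = [Newtonsoft.Json.Linq.JObject]::Parse(($Settings | ConvertTo-Json -Depth 5))

    # Remove an existing definition first so re-running with new settings does
    # not fail on a duplicate extension name.
    $existing = $scaleSet.VirtualMachineProfile.ExtensionProfile.Extensions |
                Where-Object { $_.Name -eq $ExtensionName }
    if ($existing) {
        $scaleSet = Remove-AzureRmVmssExtension -VirtualMachineScaleSet $scaleSet -Name $ExtensionName
    }

    $scaleSet = Add-AzureRmVmssExtension -VirtualMachineScaleSet $scaleSet -Name $ExtensionName `
                    -Publisher 'Microsoft.Azure.Security' -Type 'IaaSAntimalware' `
                    -TypeHandlerVersion $majorMinor -AutoUpgradeMinorVersion $true -Setting $settingObject
    Update-AzureRmVmss -ResourceGroupName $ResourceGroupName -Name $VMScaleSetName -VirtualMachineScaleSet $scaleSet | Out-Null

    # Under a Manual upgrade policy the new model only applies to instances that
    # are explicitly upgraded; Automatic and Rolling policies handle this themselves.
    if ($scaleSet.UpgradePolicy.Mode -eq 'Manual') {
        $ids = (Get-AzureRmVmssVM -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMScaleSetName).InstanceId
        Update-AzureRmVmssInstance -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMScaleSetName -InstanceId $ids | Out-Null
    }

    # Instance view: one status-code/count pair per extension across all instances,
    # e.g. ProvisioningState/succeeded. Anything else deserves a look at that instance.
    $view = Get-AzureRmVmss -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMScaleSetName -InstanceView
    $view.Extensions |
        Where-Object { $_.Name -eq $ExtensionName } |
        ForEach-Object { $_.StatusesSummary } |
        Select-Object Code, Count
}

# Placeholder names; on a Service Fabric cluster, run once per node type scale set.
Set-VmssAntimalware -ResourceGroupName 'myrg' -VMScaleSetName 'myvmss'
```

On a Service Fabric cluster each node type is its own scale set, so the function is called once per node type. Upgrading instances under a Manual policy reboots or reimages them according to the model change, so schedule it like any other rolling cluster operation.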

Microsoft Antimalware Configuration

Please refer to Microsoft Antimalware For Azure Cloud Services and VMs Code Samples; the document contains samples and templates for Microsoft Antimalware configuration using JSON. A full configuration with scheduled scans and exclusions looks like this:

{
   "AntimalwareEnabled":true,
   "RealtimeProtectionEnabled":true,
   "ScheduledScanSettings":{
      "isEnabled":true,
      "day":7,
      "time":120,
      "scanType":"Quick"
   },
   "Exclusions":{
      "Extensions":".ext1;.ext2",
      "Paths":"c:\\excluded-path-1;c:\\excluded-path-2",
      "Processes":"excludedproc1.exe;excludedproc2.exe"
   }
}

Disclaimer
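Hand-editing this document is where mistakes creep in: a scan time in hours instead of minutes, a path that is not absolute, or an exclusion broad enough to blind the scanner to a whole drive. The following function is an added example (not from the post or Microsoft's samples) that builds the same settings document from typed parameters and rejects the common slips before the JSON reaches a template or Add-AzureRmVmssExtension. The value ranges it enforces come from Microsoft's documentation for the extension: day 0 means daily, 1 to 7 Sunday to Saturday, 8 disabled; time is minutes after midnight (0 to 1440); scanType is Quick or Full. The exclusion values in the usage call are the placeholders from the sample above.

```powershell
# Added example: build and sanity-check an IaaSAntimalware settings document.
# Not the post's code. Ranges per Microsoft's extension documentation:
# day 0 = daily, 1..7 = Sunday..Saturday, 8 = disabled; time = minutes after
# midnight (0..1440); scanType = Quick | Full.
function New-AntimalwareSettings {
    param(
        [bool] $RealtimeProtection = $true,
        [int] $ScanDay = 7,
        [int] $ScanTimeMinutes = 120,
        [ValidateSet('Quick', 'Full')] [string] $ScanType = 'Quick',
        [string[]] $ExcludedExtensions = @(),
        [string[]] $ExcludedPaths = @(),
        [string[]] $ExcludedProcesses = @()
    )

    if ($ScanDay -lt 0 -or $ScanDay -gt 8) {
        throw "day must be 0..8 (0 daily, 1-7 Sun-Sat, 8 disabled), got $ScanDay"
    }
    if ($ScanTimeMinutes -lt 0 -or $ScanTimeMinutes -gt 1440) {
        throw "time is minutes after midnight, 0..1440; got $ScanTimeMinutes"
    }

    # Every exclusion is a blind spot for the scanner, so refuse the shapes that
    # exclude far more than a caller is likely to intend.
    foreach ($p in $ExcludedPaths) {
        if ($p -match '^[A-Za-z]:\\?$') { throw "Refusing to exclude an entire drive: $p" }
        if (-not [System.IO.Path]::IsPathRooted($p)) { throw "Exclusion paths must be absolute: $p" }
    }
    foreach ($e in $ExcludedExtensions) {
        if ($e -notmatch '^\.[A-Za-z0-9]+$') { throw "Extension exclusions must look like '.ext1', got: $e" }
    }
    foreach ($proc in $ExcludedProcesses) {
        if ($proc -notmatch '^[^\\/;]+\.exe$') { throw "Process exclusions are bare image names like 'excludedproc1.exe', got: $proc" }
    }

    $settings = [ordered]@{
        AntimalwareEnabled        = $true
        RealtimeProtectionEnabled = $RealtimeProtection
        ScheduledScanSettings     = [ordered]@{
            isEnabled = ($ScanDay -ne 8)   # day 8 means no scheduled scan
            day       = $ScanDay
            time      = $ScanTimeMinutes
            scanType  = $ScanType
        }
    }
    # Each exclusion category is a single ';'-separated string, as in the sample.
    if ($ExcludedExtensions -or $ExcludedPaths -or $ExcludedProcesses) {
        $settings['Exclusions'] = [ordered]@{
            Extensions = ($ExcludedExtensions -join ';')
            Paths      = ($ExcludedPaths -join ';')
            Processes  = ($ExcludedProcesses -join ';')
        }
    }
    # ConvertTo-Json escapes backslashes, giving the "c:\\..." form shown above.
    $settings | ConvertTo-Json -Depth 5
}

# Placeholder exclusions taken from the sample document above.
New-AntimalwareSettings -ScanDay 7 -ScanTimeMinutes 120 -ScanType Quick `
    -ExcludedExtensions '.ext1', '.ext2' `
    -ExcludedPaths 'c:\excluded-path-1', 'c:\excluded-path-2' `
    -ExcludedProcesses 'excludedproc1.exe', 'excludedproc2.exe'
```

The JSON string it returns can be pasted into the template's settings block or parsed with [Newtonsoft.Json.Linq.JObject]::Parse for the PowerShell path. Keep the exclusion lists as short as the workload genuinely requires; each entry is a place the scanner will not look.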

Any views or opinions expressed are solely those of the author and do not represent any other person or organisation. THE ARTICLE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND. IN NO EVENT SHALL THE AUTHOR(S) OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY.
