How to Protect Against Malware on Windows Azure

Most IT administrators will install some sort of virus scanner on your precious servers. Since the cloud, from a technical perspective, is just a server, why not follow that security best practice on Windows Azure too? It has gone by almost unnoticed, but last week Microsoft released the Microsoft Endpoint Protection for Windows Azure Customer Technology Preview. For the sake of bandwidth, I’ll be referring to it as EP.

EP offers real-time protection, scheduled scanning, malware remediation (a fancy word for quarantining), active protection and automatic signature updates. Sounds a lot like Microsoft Endpoint Protection or Windows Security Essentials? That’s no coincidence: EP is a Windows Azurified version of it.

Enabling anti-malware on Windows Azure

After installing the Microsoft Endpoint Protection for Windows Azure Customer Technology Preview, sorry, EP, a new Windows Azure import will be available. As with remote desktop or diagnostics, EP can be enabled by a simple XML one liner:

<Import moduleName="Antimalware" />

Here’s a sample web role ServiceDefinition.csdef file containing this new import:

<?xml version="1.0" encoding="utf-8"?>
  <ServiceDefinition name="ChuckProject" 
                     xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
    <WebRole name="ChuckNorris" vmsize="Small">
      <Sites>
        <Site name="Web">
          <Bindings>
            <Binding name="Endpoint1" endpointName="Endpoint1" />
          </Bindings>
       </Site>
     </Sites>
     <Endpoints>
       <InputEndpoint name="Endpoint1" protocol="http" port="80" />
     </Endpoints>
     <Imports>
       <Import moduleName="Antimalware" />
       <Import moduleName="Diagnostics" />
     </Imports>
   </WebRole>
 </ServiceDefinition>

That’s it! When you now deploy your Windows Azure solution, Microsoft Endpoint Protection will be installed, enabled and configured on your Windows Azure virtual machines.

Now since I started this blog post with “IT administrators”, chances are you want to fine-tune this plugin a little. No problem! The ServiceConfiguration.cscfg file has some options waiting to be eh, touched. And since these are in the service configuration, you can also modify them through the management portal, the management API, or sysadmin-style using PowerShell. Anyway, the following options are available:

• Microsoft.WindowsAzure.Plugins.Antimalware.ServiceLocation – Specify the datacenter region where your application is deployed, for example “West Europe” or “East Asia”. This will speed up deployment time.
• Microsoft.WindowsAzure.Plugins.Antimalware.EnableAntimalware – Should EP be enabled or not?
• Microsoft.WindowsAzure.Plugins.Antimalware.EnableRealtimeProtection – Should real-time protection be enabled?
• Microsoft.WindowsAzure.Plugins.Antimalware.EnableWeeklyScheduledScans – Weekly scheduled scans enabled?
• Microsoft.WindowsAzure.Plugins.Antimalware.DayForWeeklyScheduledScans – Which day of the week (0 – 7 where 0 means daily)
• Microsoft.WindowsAzure.Plugins.Antimalware.TimeForWeeklyScheduledScans – What time should the scheduled scan run?
• Microsoft.WindowsAzure.Plugins.Antimalware.ExcludedExtensions – Specify file extensions to exclude from scanning (pip-delimited)
• Microsoft.WindowsAzure.Plugins.Antimalware.ExcludedPaths – Specify paths to exclude from scanning (pip-delimited)
• Microsoft.WindowsAzure.Plugins.Antimalware.ExcludedProcesses – Specify processes to exclude from scanning (pip-delimited)

Monitoring anti-malware on Windows Azure

How will you know if a threat has been detected? Well, luckily for us, Windows Endpoint Protection writes its logs to the System event log. Which means that you can simply add a specific data source in your diagnostics monitor and you’re done:

var configuration = DiagnosticMonitor.GetDefaultInitialConfiguration();
  
  // Note: if you need informational / verbose, also subscribe to levels 4 and 5
  configuration.WindowsEventLog.DataSources.Add(
      "System!*[System[Provider[@Name='Microsoft Antimalware'] and (Level=1 or Level=2 or Level=3)]]");
  
  configuration.WindowsEventLog.ScheduledTransferPeriod 
      = System.TimeSpan.FromMinutes(1);
      
 DiagnosticMonitor.Start(
     "Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString",
     configuration);

In addition, EP also logs its inner workings to its installation folders. You can also include these in your diagnostics configuration:

var configuration = DiagnosticMonitor.GetDefaultInitialConfiguration(); 

  
  // ...add the event logs like in the previous code sample...
  
  var mep1 = new DirectoryConfiguration();
  mep1.Container = "wad-endpointprotection-container";
  mep1.DirectoryQuotaInMB = 5;
  mep1.Path = "%programdata%\Microsoft Endpoint Protection";
  
 var mep2 = new DirectoryConfiguration();
 mep2.Container = "wad-endpointprotection-container";
 mep2.DirectoryQuotaInMB = 5;
 mep2.Path = "%programdata%\Microsoft\Microsoft Security Client";
 
 configuration.Directories.ScheduledTransferPeriod = TimeSpan.FromMinutes(1.0);
 configuration.Directories.DataSources.Add(mep1);
 configuration.Directories.DataSources.Add(mep2);
     
 DiagnosticMonitor.Start(
     "Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString",
     configuration);

From this moment one, you can use a tool like Cerebrata’s Diagnostics Monitor to check the event logs of all your Windows Azure instances that have anti-malware enabled.