Search for Antimalware and choose Next.

Define the settings for the extension.

Add exclusions for file paths or locations, using a semicolon to separate the entries in the text box. It's recommended to avoid the use of wildcard characters. For example: c:\excluded-path-1;c:\excluded-path-2

You can also enter file extensions to exclude, using a semicolon to separate the entries in the text box. It's recommended to avoid the use of wildcard characters. For example: .ext1;.ext2

You can also enter processes to exclude, using a semicolon to separate the entries in the text box. No wildcard characters are permitted. For example: excludedproc1.exe;excludedproc2.exe

Add a schedule and scan type for the extension.

Once done, hit Create.

On the create screen you can download a template to deploy the extension with Azure Resource Manager.

{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vmName": { "type": "string" },
    "location": { "type": "string" },
    "ExclusionsPaths": {
      "type": "string",
      "defaultValue": "",
      "metadata": { "description": "Semicolon delimited list of file paths or locations to exclude from scanning" }
    },
    "ExclusionsExtensions": {
      "type": "string",
      "defaultValue": "",
      "metadata": { "description": "Semicolon delimited list of file extensions to exclude from scanning" }
    },
    "ExclusionsProcesses": {
      "type": "string",
      "defaultValue": "",
      "metadata": { "description": "Semicolon delimited list of process names to exclude from scanning" }
    },
    "RealtimeProtectionEnabled": {
      "type": "string",
      "defaultValue": "true",
      "metadata": { "description": "Indicates whether or not real time protection is enabled (default is true)" }
    },
    "ScheduledScanSettingsIsEnabled": {
      "type": "string",
      "defaultValue": "false",
      "metadata": { "description": "Indicates whether or not custom scheduled scan settings are enabled (default is false)" }
    },
    "ScheduledScanSettingsScanType": {
      "type": "string",
      "defaultValue": "Quick",
      "metadata": { "description": "Indicates whether scheduled scan setting type is set to Quick or Full (default is Quick)" }
    },
    "ScheduledScanSettingsDay": {
      "type": "string",
      "defaultValue": "7",
      "metadata": { "description": "Day of the week for scheduled scan (1-Sunday, 2-Monday, ..., 7-Saturday)" }
    },
    "ScheduledScanSettingsTime": {
      "type": "string",
      "defaultValue": "120",
      "metadata": { "description": "When to perform the scheduled scan, measured in minutes from midnight (0-1440). For example: 0 = 12AM, 60 = 1AM, 120 = 2AM." }
    }
  },
  "resources": [
    {
      "name": "[concat(parameters('vmName'), '/IaaSAntimalware')]",
      "type": "Microsoft.Compute/virtualMachines/extensions",
      "location": "[parameters('location')]",
      "apiVersion": "2015-06-15",
      "properties": {
        "publisher": "Microsoft.Azure.Security",
        "type": "IaaSAntimalware",
        "typeHandlerVersion": "1.3",
        "autoUpgradeMinorVersion": true,
        "settings": {
          "AntimalwareEnabled": true,
          "RealtimeProtectionEnabled": "[parameters('RealtimeProtectionEnabled')]",
          "ScheduledScanSettings": {
            "isEnabled": "[parameters('ScheduledScanSettingsIsEnabled')]",
            "day": "[parameters('ScheduledScanSettingsDay')]",
            "time": "[parameters('ScheduledScanSettingsTime')]",
            "scanType": "[parameters('ScheduledScanSettingsScanType')]"
          },
          "Exclusions": {
            "Extensions": "[parameters('ExclusionsExtensions')]",
            "Paths": "[parameters('ExclusionsPaths')]",
            "Processes": "[parameters('ExclusionsProcesses')]"
          }
        }
      }
    }
  ]
}

Once installed, you will see the extension under the VM.

Installation inside VM

The location of logs depends on the extension version.

C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.Security.IaaSAntimalware\1.5.7.24

There you will find the log files.

Implement and manage security updates for VMs

Update Management workflow

First you need an Automation account; it will be used by Update Management.

Creating Automation account

Choose System assigned for the identity.

Open Guest + host update -> Update management.

Enable it.

It takes some time

VM agent, if already deployed

You can see the Extensions inside Azure and under Virtual machine.

Looking good

Install VM agent if not installed

If not already installed, you can download the install package from https://go.microsoft.com/fwlink/?LinkID=394789

Automation Account

You see the machines under the Automation account.

There can be many reasons why your machine isn't showing up as ready (healthy) during an Update Management deployment. You can check the health of a Windows Hybrid Runbook Worker agent to determine the underlying problem. The following are the three readiness states for a machine:

  • Ready: The Hybrid Runbook Worker is deployed and was last seen less than one hour ago.
  • Disconnected: The Hybrid Runbook Worker is deployed and was last seen over one hour ago.
  • Not configured: The Hybrid Runbook Worker isn't found or hasn't finished the deployment.

Troubleshooting Agent install

Below are some tips for troubleshooting.

Network connectivity to 168.63.129.16

What is IP address 168.63.129.16?

Learn about IP address 168.63.129.16, specifically that it’s used to facilitate a communication channel to Azure platform resources.

You can debug the install from the Azure portal.

Or offline with PowerShell:

updatemanagement/UM_Windows_Troubleshooter_Offline.ps1 at main · Azure/updatemanagement (contains troubleshooting tools and scripts for Azure Update Management; available as public)

The offline debugger will check all necessary services and connections.

Events for troubleshooting the Windows Azure Guest Agent are recorded in the following log files:

  • C:\WindowsAzure\Logs\WaAppAgent.log
  • C:\WindowsAzure\Logs\TransparentInstaller.log
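The checks above (reachability of 168.63.129.16, the agent services, the guest agent logs) can be run in one pass from inside the VM. The script below is an added example, not the post's own script and not the Azure offline troubleshooter; it assumes the wire-server TCP ports 80 and 32526 on 168.63.129.16 and the usual Windows service names (WindowsAzureGuestAgent and RdAgent for the guest agent, HealthService for the Log Analytics agent that hosts the Hybrid Runbook Worker). Run it from an elevated PowerShell session on the VM.

```powershell
# Added example (not the post's own script): offline readiness check for the
# Azure guest agent and the Hybrid Runbook Worker on a Windows VM.
# Assumptions: wire-server ports 80/32526 and the service names listed below.
$platformIp = '168.63.129.16'
$results    = @()

# 1. Connectivity to the Azure platform address (wire server)
foreach ($port in 80, 32526) {
    $t = Test-NetConnection -ComputerName $platformIp -Port $port -WarningAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = "TCP ${platformIp}:$port"
        Ok     = [bool]$t.TcpTestSucceeded
        Detail = ''
    }
}

# 2. Agent services: guest agent (WindowsAzureGuestAgent, RdAgent) and the
#    Log Analytics agent (HealthService) that runs the Hybrid Runbook Worker
foreach ($svc in 'WindowsAzureGuestAgent', 'RdAgent', 'HealthService') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $detail = if ($s) { "$($s.Status)" } else { 'not installed' }
    $results += [pscustomobject]@{
        Check  = "Service $svc"
        Ok     = ($null -ne $s -and $s.Status -eq 'Running')
        Detail = $detail
    }
}

# 3. Guest agent log files named in the post: present, and when last written
$logs = 'C:\WindowsAzure\Logs\WaAppAgent.log', 'C:\WindowsAzure\Logs\TransparentInstaller.log'
foreach ($log in $logs) {
    $exists = Test-Path $log
    $detail = if ($exists) { "last write $((Get-Item $log).LastWriteTime)" } else { 'missing' }
    $results += [pscustomobject]@{ Check = "Log $log"; Ok = $exists; Detail = $detail }
}

$results | Format-Table -AutoSize

# First look at recent problems in the guest agent log
if (Test-Path $logs[0]) {
    Get-Content $logs[0] -Tail 200 | Select-String -Pattern 'ERROR|WARN' | Select-Object -Last 10
}

if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'One or more checks failed; run UM_Windows_Troubleshooter_Offline.ps1 for the full set of checks.'
}
```

A failed TCP test to 168.63.129.16 almost always points at a host firewall or proxy rule, since that address is not routable outside the VM's Azure host; a stopped HealthService maps to the "Not configured" or "Disconnected" states listed earlier.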

What else can I do?

Use Service tags

Do You know about Azure Service tags?

With Service tags, Microsoft defines services and their addresses; thanks to Service tags there is no more manually adding addresses to multiple services. What tags are currently supported? Bear in mind that…

Secure privileged access

Use a least privilege approach and built-in Azure roles to enable users to access and set up VMs:

  • Virtual Machine Contributor: Can manage VMs, but not the virtual network or storage account to which they are connected.
  • Classic Virtual Machine Contributor: Can manage VMs created by using the classic deployment model, but not the virtual network or storage account to which the VMs are connected.
  • Security Admin: In Defender for Cloud only: Can view security policies, view security states, edit security policies, view alerts and recommendations, dismiss alerts and recommendations.
  • DevTest Labs User: Can view everything and connect, start, restart, and shut down VMs.

Enable encryption on VMs

Azure Disk Encryption helps you encrypt your Windows and Linux IaaS virtual machine disks. Azure Disk Encryption uses the industry-standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and the data disks.

Azure Disk Encryption generates and writes the encryption keys to your key vault. Managing encryption keys in your key vault requires Azure AD authentication. Create an Azure AD application for this purpose. For authentication purposes, you can use either client secret-based authentication or client certificate-based Azure AD authentication.

Use key encryption key (KEK)

Use the Add-AzKeyVaultKey cmdlet to create a key encryption key in the key vault. You can also import a KEK from your on-premises hardware security module (HSM) for key management. For more information, see the Key Vault documentation. When a key encryption key is specified, Azure Disk Encryption uses that key to wrap the encryption secrets before writing to Key Vault. Keeping an escrow copy of this key in an on-premises key management HSM offers additional protection against accidental deletion of keys.
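The KEK flow described above, as an added example (not the post's own code): create the key encryption key with Add-AzKeyVaultKey, then enable Azure Disk Encryption on a Windows VM so that the BitLocker secret is wrapped with that KEK before it is written to Key Vault. The vault name kv-az500-lab, resource group rg-az500-lab, VM vm-web-01 and key name ade-kek-01 are placeholders; the example uses the current cmdlet form that does not take Azure AD application parameters.

```powershell
# Added example (not the post's own code): KEK creation plus Azure Disk Encryption.
# Placeholders: rg-az500-lab, vm-web-01, kv-az500-lab, ade-kek-01.
$rg      = 'rg-az500-lab'
$vmName  = 'vm-web-01'
$kvName  = 'kv-az500-lab'
$kekName = 'ade-kek-01'

# Allow the Azure Disk Encryption service to read secrets from this vault
# (access-policy vaults; RBAC-enabled vaults use a role assignment instead)
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $rg -EnabledForDiskEncryption

# Create the key encryption key. -Destination 'HSM' keeps it in the vault's HSM
# (Premium SKU); use 'Software' on a Standard vault.
$kek = Add-AzKeyVaultKey -VaultName $kvName -Name $kekName -Destination 'HSM'

$kv = Get-AzKeyVault -VaultName $kvName -ResourceGroupName $rg

# Enable encryption for OS and data disks; the disk encryption secret is wrapped
# with the KEK before being stored in the vault.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $kek.Key.Kid -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType 'All' -Force

# Verify: OS and data volumes should report Encrypted, with the KEK URL recorded
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
```

Back up the KEK (Backup-AzKeyVaultKey) or keep the escrow copy in your on-premises HSM as the post suggests; without the KEK the wrapped BitLocker secret cannot be unwrapped, and a VM whose vault or key was deleted will not boot after a restart.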

Restrict direct internet connectivity

Use Microsoft Defender for Cloud

Defender for Cloud will recommend that you restrict access through internet-facing endpoints if any of your network security groups has one or more inbound rules that allow access from “any” source IP address. Defender for Cloud will recommend that you edit these inbound rules to restrict access to source IP addresses that actually need access.

Restrict management ports (RDP, SSH)

Just-in-time (JIT) VM access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed. When JIT is enabled, Defender for Cloud locks down inbound traffic to your Azure VMs by creating a network security group rule. You select the ports on the VM to which inbound traffic will be locked down. These ports are controlled by the JIT solution.
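The two recommendations above (find inbound rules open to any source, then put management ports behind JIT) can be checked and applied with PowerShell. The script below is an added example, not the post's own code: it lists NSG inbound allow rules whose source is "any", then creates a JIT policy that keeps 3389 and 22 closed until an administrator requests access from an approved range. The resource group rg-az500-lab, VM vm-web-01 and the admin range 203.0.113.0/24 are placeholders; the JIT cmdlets require the Az.Security module.

```powershell
# Added example (not the post's own code): NSG exposure audit plus JIT policy.
# Placeholders: rg-az500-lab, vm-web-01, admin range 203.0.113.0/24.
$rg       = 'rg-az500-lab'
$vmName   = 'vm-web-01'
$adminNet = '203.0.113.0/24'

# 1. Inbound allow rules whose source is "any" (* / Internet / 0.0.0.0/0),
#    which is what Defender for Cloud flags
$openSources = '*', 'Internet', '0.0.0.0/0'
$findings = foreach ($nsg in Get-AzNetworkSecurityGroup -ResourceGroupName $rg) {
    foreach ($rule in $nsg.SecurityRules) {
        $src = @($rule.SourceAddressPrefix)
        if ($rule.Direction -eq 'Inbound' -and $rule.Access -eq 'Allow' -and
            ($src | Where-Object { $_ -in $openSources })) {
            [pscustomobject]@{
                NSG      = $nsg.Name
                Rule     = $rule.Name
                Priority = $rule.Priority
                Ports    = (@($rule.DestinationPortRange) -join ',')
                Source   = ($src -join ',')
            }
        }
    }
}
$findings | Format-Table -AutoSize

# 2. JIT policy: RDP and SSH blocked by default, opened only on request, only
#    from the admin range, for at most one hour per request
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
$jitVm = @{
    id    = $vm.Id
    ports = @(
        @{ number = 3389; protocol = 'TCP'; allowedSourceAddressPrefix = @($adminNet); maxRequestAccessDuration = 'PT1H' },
        @{ number = 22;   protocol = 'TCP'; allowedSourceAddressPrefix = @($adminNet); maxRequestAccessDuration = 'PT1H' }
    )
}
Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location $vm.Location -Name 'default' `
    -ResourceGroupName $rg -VirtualMachine @($jitVm)

# Defender for Cloud now adds deny rules for 3389/22 to the VM's NSG; access is
# requested later with Start-AzJitNetworkAccessPolicy.
Get-AzJitNetworkAccessPolicy -ResourceGroupName $rg -Location $vm.Location -Name 'default'
```

Rules found in step 1 that cover the JIT ports become redundant once the policy is in place; rules that open other ports to any source still need to be narrowed by hand to the source ranges that actually need access.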

Things to remember

The Antimalware solution is built on the same antimalware platform as Microsoft Security Essentials, Microsoft Forefront Endpoint Protection, Microsoft System Center Endpoint Protection, Microsoft Intune, and Microsoft Defender for Cloud.

You can deploy Antimalware with the following:

  • Virtual Machines – In the Azure portal, under Security Extensions
  • Virtual Machines – Using the Visual Studio virtual machines configuration in Server Explorer
  • Virtual Machines and Cloud Services – Using the Antimalware classic deployment model
  • Virtual Machines and Cloud Services – Using Antimalware PowerShell cmdlets

You have the following PowerShell command for Extensions:
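As an added example (not the post's own command), the following installs the IaaSAntimalware extension with Set-AzVMExtension using the same settings schema as the Azure Resource Manager template shown earlier, including the exclusion lists entered in the portal steps at the top of the post. The resource group rg-az500-lab, VM vm-web-01 and region westeurope are placeholders.

```powershell
# Added example (not the post's own code): deploy Microsoft Antimalware with
# the Az PowerShell cmdlets. Placeholders: rg-az500-lab, vm-web-01, westeurope.
$rg       = 'rg-az500-lab'
$vmName   = 'vm-web-01'
$location = 'westeurope'

# Exclusions are semicolon-delimited. Wildcards are not permitted for processes
# and are discouraged for paths and extensions, so refuse them up front.
$exclusions = @{
    Paths      = 'C:\excluded-path-1;C:\excluded-path-2'
    Extensions = '.ext1;.ext2'
    Processes  = 'excludedproc1.exe;excludedproc2.exe'
}
foreach ($entry in $exclusions.GetEnumerator()) {
    if ($entry.Value -match '[\*\?]') {
        throw "Exclusion list '$($entry.Key)' contains a wildcard: $($entry.Value)"
    }
}

# Same keys as the "settings" object of the ARM template
$settings = @{
    AntimalwareEnabled        = $true
    RealtimeProtectionEnabled = $true
    ScheduledScanSettings     = @{
        isEnabled = $true
        day       = 7        # 1 = Sunday ... 7 = Saturday
        time      = 120      # minutes from midnight: 02:00
        scanType  = 'Quick'
    }
    Exclusions = $exclusions
}

# Use the newest published major.minor handler version for this region
$versions   = (Get-AzVMExtensionImage -Location $location -PublisherName 'Microsoft.Azure.Security' -Type 'IaaSAntimalware').Version
$latest     = [version]($versions | Sort-Object { [version]$_ } | Select-Object -Last 1)
$majorMinor = "$($latest.Major).$($latest.Minor)"

Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Location $location `
    -Name 'IaaSAntimalware' -Publisher 'Microsoft.Azure.Security' `
    -ExtensionType 'IaaSAntimalware' -TypeHandlerVersion $majorMinor `
    -SettingString ($settings | ConvertTo-Json -Depth 5)

# Verify provisioning; the log folder under C:\WindowsAzure\Logs\Plugins will
# carry the full version that was actually installed
Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Name 'IaaSAntimalware' |
    Select-Object Name, ProvisioningState, TypeHandlerVersion
```

Keep exclusion lists short and explicit: every excluded path, extension or process is a place malware can sit unscanned, so each entry should be justified by a real application need and reviewed periodically.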

For Update Management you need network connectivity to 168.63.129.16.

You also need a Log Analytics workspace with an Automation account and a system-assigned managed identity to deploy updates.

Agent statuses inside Azure portal:

  • Ready: The Hybrid Runbook Worker is deployed and was last seen less than one hour ago.
  • Disconnected: The Hybrid Runbook Worker is deployed and was last seen over one hour ago.
  • Not configured: The Hybrid Runbook Worker isn’t found or hasn’t finished the deployment.

Link to main post

AZ-500 exam preparation series

When I studied for my own AZ-500, I decided that I would make my own Exam Cram, study guide or whatever you want to call it. The goal is passing the exam or just refreshing your brain. I learned from the community and now it's time to give something back to the community,
