Azure Anti-Malware File Scanner is a must-have when clients/users upload files to the system. With this solution, you can enable an anti-malware scan for the uploaded files and take appropriate actions. In this entry, you will find the complete Terraform code for infrastructure setup and an Azure Function for handling the scan results.
Azure Defender for Storage – Terraform setup
Some time ago, Azure Defender for Storage was difficult to set up with Terraform due to the lack of configuration for Event Grid. However, starting from release 3.116, there is an option to set an Event Grid Topic ID in the azurerm_security_center_storage_defender resource.
The image below presents the flow of events, with all resources and dependencies created by Terraform.
You can find the complete code for the solution here: https://github.com/azure-way/azure-malware-scanner.
The Terraform code is simple; the most crucial part is shown below:
How to deploy applications?
For this demo of Azure Anti-Malware File Scanner, I used a simple .NET Azure Function. For testing, you can use the simplest deployment method—via Visual Studio Code. You can find the complete tutorial here.
If you would like to deploy an Azure Function using a pipeline, please follow my article: Deploy Azure Function and expose it using API Management.
Azure Storage Defender – test file
I’ve created a sample file to check that the scanner is working properly. It is located in the repo at /malware_file/malware_1.com. If you have antivirus software installed, you will probably need to add this file to its allow list.
Azure anti-malware scanner – pricing
The Azure Anti-Malware Scanner costs $10 per storage account and $0.15 per scanned GB. Modifying a file triggers a new full scan of that file, which is billed again.
Azure Storage Defender – scan result
The scan result can be sent to:
- Blob index tags
- Azure Event Grid
- Defender for Cloud – security alert
- Azure Log Analytics Workspace
In this solution, the scan result is sent to Azure Event Grid. The file scan status can have two values:
- MaliciousVerdict – when the file is infected
- CleanVerdict – when the file is clean
If the file is infected, it will be moved to the maliciousfiles container. If the file is clean, it will be moved to the cleanfiles container. When you upload a new file, it must be placed in the unscannedcontent container.
All containers are created by the Terraform script.
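The post's Function is written in .NET; as an added example (not the repository's code), the same routing logic in Python: one scan-result event comes in, the verdict is mapped to the post's MaliciousVerdict/CleanVerdict names, and the blob is scheduled for a move out of unscannedcontent. The event layout (eventType Microsoft.Security.MalwareScanningResult, data.scanResultType being "Malicious" or "No threats found", data.blobUri) is assumed from the Defender for Storage Event Grid schema, and the sample payload is constructed.

```python
from typing import Optional
from urllib.parse import urlparse, unquote

# Container layout from the post: uploads land in unscannedcontent and are
# moved according to the verdict. Only blobs in the upload container move.
UNSCANNED, CLEAN, MALICIOUS = "unscannedcontent", "cleanfiles", "maliciousfiles"

# Assumed Defender for Storage values, mapped to the post's verdict names.
VERDICTS = {"Malicious": "MaliciousVerdict", "No threats found": "CleanVerdict"}
DESTINATION = {"MaliciousVerdict": MALICIOUS, "CleanVerdict": CLEAN}


def plan_move(event: dict) -> Optional[dict]:
    """Turn one scan-result event into a move instruction, or None to ignore.

    Unknown event types and blobs outside the upload container are left
    alone; an unrecognised verdict raises, because a result the Function
    does not understand must never be treated as clean.
    """
    if event.get("eventType") != "Microsoft.Security.MalwareScanningResult":
        return None
    data = event["data"]
    verdict = VERDICTS.get(data.get("scanResultType"))
    if verdict is None:
        raise ValueError(f"unrecognised scanResultType: {data.get('scanResultType')!r}")
    # blobUri is https://<account>.blob.core.windows.net/<container>/<blob name>
    path = unquote(urlparse(data["blobUri"]).path).lstrip("/")
    container, _, blob_name = path.partition("/")
    if container != UNSCANNED or not blob_name:
        return None
    details = data.get("scanResultDetails") or {}
    return {
        "verdict": verdict,
        "source_container": container,
        "blob_name": blob_name,
        "destination": DESTINATION[verdict],
        "malware": details.get("malwareNamesFound", []),
    }


# Constructed sample event for the test file from the post.
SAMPLE_EVENT = {
    "eventType": "Microsoft.Security.MalwareScanningResult",
    "data": {
        "blobUri": "https://examplestore.blob.core.windows.net/unscannedcontent/malware_1.com",
        "scanResultType": "Malicious",
        "scanResultDetails": {"malwareNamesFound": ["Virus:Constructed/Sample"]},
    },
}

if __name__ == "__main__":
    print(plan_move(SAMPLE_EVENT))
```

The returned instruction is what the Function would then execute with the Blob SDK (copy to the destination container, delete the original).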
Summary
In this post, I walk you through how I implemented an Azure Anti-Malware File Scanner using Terraform and Azure Functions. You’ll see how I set up Azure Defender for Storage with Event Grid integration and automated the file scanning process. I also share complete code examples that show how scan results are handled, and how infected or clean files are moved to the appropriate containers. All resources, including the containers, are created using Terraform for an easy and seamless deployment process.
I truly hope you found it enjoyable, and if that’s the case, I would be grateful for a Like or a Comment on my LinkedIn profile.