Proposed Pull Request Change

---
title: Microsoft Antimalware code samples for Azure | Microsoft Docs
description: PowerShell code samples to enable and configure Microsoft Antimalware.
services: security
author: msmbaldwin
ms.assetid: 265683c8-30d7-4f2b-b66c-5082a18f7a8b
ms.service: security
ms.subservice: security-fundamentals
ms.topic: article
ms.date: 12/03/2025
ms.author: mbaldwin
ms.custom: devx-track-azurepowershell, devx-track-arm-template
---

# Code samples to enable and configure Microsoft Antimalware for Azure

This article provides PowerShell code samples to enable and configure Microsoft Antimalware for different Azure services, including:

- Azure Resource Manager VMs
- Azure Service Fabric Clusters
- Azure Cloud Services using Extended Support
- Azure Arc-enabled servers

You can use these samples to deploy and configure the Microsoft Antimalware extension across your Azure environments.

## Deploy Microsoft Antimalware on Azure Resource Manager VMs

> [!NOTE]
> Before executing this code sample, you must uncomment the variables and provide appropriate values.

```powershell
# Script to add Microsoft Antimalware extension to Azure Resource Manager VMs

# Specify your subscription ID
$subscriptionId = " SUBSCRIPTION ID HERE "

# Specify location, resource group, and VM for the extension
$location = " LOCATION HERE " # e.g., "Southeast Asia" or "Central US"
$resourceGroupName = " RESOURCE GROUP NAME HERE "
$vmName = " VM NAME HERE "

# Enable Antimalware with default policies
$settingString = '{"AntimalwareEnabled": true}';

# Enable Antimalware with custom policies
# $settingString = '{
# "AntimalwareEnabled": true,
# "RealtimeProtectionEnabled": true,
# "ScheduledScanSettings": {
#     "isEnabled": true,
#     "day": 0,
#     "time": 120,
#     "scanType": "Quick"
#     },
# "Exclusions": {
#     "Extensions": ".ext1,.ext2",
#     "Paths": "",
#     "Processes": "sampl1e1.exe, sample2.exe"
#     },
# "SignatureUpdates": {
#     "FileSharesSources": "",
#     "FallbackOrder": "",
#     "ScheduleDay": 0,
#     "UpdateInterval": 0
#     },
# "CloudProtection": true
# }';

# Log in to your Azure Resource Manager account and select the subscription to use
Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionId $subscriptionId

# Retrieve the most recent version number of the extension (major.minor only)
$allVersions = (Get-AzureRmVMExtensionImage -Location $location -PublisherName "Microsoft.Azure.Security" -Type "IaaSAntimalware").Version
$versionString = $allVersions[($allVersions.count)-1].Split(".")[0] + "." + $allVersions[($allVersions.count)-1].Split(".")[1]

# Set the extension using prepared values
# ****----Use this script till cmdlets address the -SettingsString format issue we observed ****----
Set-AzureRmVMExtension -ResourceGroupName $resourceGroupName -Location $location -VMName $vmName -Name "IaaSAntimalware" -Publisher "Microsoft.Azure.Security" -ExtensionType "IaaSAntimalware" -TypeHandlerVersion $versionString -SettingString $settingString
```

## Add Microsoft Antimalware to Azure Service Fabric Clusters

Azure Service Fabric uses Azure virtual machine scale sets to create the Service Fabric Clusters. Presently, the virtual machine scale sets template used for creating the Service Fabric Clusters isn't enabled with the Antimalware extension. As such, Antimalware needs to be enabled separately on the scale sets. Once you enable it on a scale set, all the nodes created under that virtual machine scale set inherit the extension automatically.

The code sample below shows how you can enable the IaaS Antimalware extension using the AzureRmVmss PowerShell cmdlets.

> [!NOTE]
> Before executing this code sample, you must uncomment the variables and provide appropriate values.

```powershell
# Script to add Microsoft Antimalware extension to a VM Scale Set (VMSS) and Service Fabric Cluster (which in turn uses VMSS)

# Log in to your Azure Resource Manager account and select the subscription to use
Login-AzureRmAccount

# Specify your subscription ID
$subscriptionId = "SUBSCRIPTION ID HERE"
Select-AzureRmSubscription -SubscriptionId $subscriptionId

# Specify location, resource group, and VM scale set for the extension
$location = "LOCATION HERE" # e.g., "West US", "Southeast Asia" or "Central US"
$resourceGroupName = "RESOURCE GROUP NAME HERE"
$vmScaleSetName = "YOUR VM SCALE SET NAME"

# Configuration.JSON configuration file can be customized as per MSDN documentation: https://msdn.microsoft.com/en-us/library/dn771716.aspx
$settingString = '{"AntimalwareEnabled": true}';

# Enable Antimalware with custom policies
# $settingString = '{
# "AntimalwareEnabled": true,
# "RealtimeProtectionEnabled": true,
# "ScheduledScanSettings": {
#     "isEnabled": true,
#     "day": 0,
#     "time": 120,
#     "scanType": "Quick"
#     },
# "Exclusions": {
#     "Extensions": ".ext1,.ext2",
#     "Paths": "",
#     "Processes": "sampl1e1.exe, sample2.exe"
#     },
# "SignatureUpdates": {
#     "FileSharesSources": "",
#     "FallbackOrder": "",
#     "ScheduleDay": 0,
#     "UpdateInterval": 0
#     },
# "CloudProtection": true
# }';

# Retrieve the most recent version number of the extension (major.minor only)
$allVersions = (Get-AzureRmVMExtensionImage -Location $location -PublisherName "Microsoft.Azure.Security" -Type "IaaSAntimalware").Version
$versionString = $allVersions[($allVersions.count)-1].Split(".")[0] + "." + $allVersions[($allVersions.count)-1].Split(".")[1]

# Add the extension to the scale set model, then push the updated model
$VMSS = Get-AzureRmVmss -ResourceGroupName $resourceGroupName -VMScaleSetName $vmScaleSetName
Add-AzureRmVmssExtension -VirtualMachineScaleSet $VMSS -Name "IaaSAntimalware" -Publisher "Microsoft.Azure.Security" -Type "IaaSAntimalware" -TypeHandlerVersion $versionString
Update-AzureRmVmss -ResourceGroupName $resourceGroupName -Name $vmScaleSetName -VirtualMachineScaleSet $VMSS
```

## Add Microsoft Antimalware to Azure Cloud Service using Extended Support

The code sample below shows how you can add or configure Microsoft Antimalware to Azure Cloud Service using extended support (CS-ES) via PowerShell cmdlets.

> [!NOTE]
> Before executing this code sample, you must uncomment the variables and provide appropriate values.

```powershell
# Create Antimalware extension object, where file is the AntimalwareSettings
$xmlconfig = [IO.File]::ReadAllText("C:\path\to\file.xml")
$extension = New-AzCloudServiceExtensionObject -Name "AntimalwareExtension" -Type "PaaSAntimalware" -Publisher "Microsoft.Azure.Security" -Setting $xmlconfig -TypeHandlerVersion "1.5" -AutoUpgradeMinorVersion $true

# Get existing Cloud Service
$cloudService = Get-AzCloudService -ResourceGroup "ContosOrg" -CloudServiceName "ContosoCS"

# Add Antimalware extension to existing Cloud Service extension object
$cloudService.ExtensionProfile.Extension = $cloudService.ExtensionProfile.Extension + $extension

# Update Cloud Service
$cloudService | Update-AzCloudService
```

Here's an example of the private configuration XML file:

```xml
<?xml version="1.0" encoding="utf-8"?>
<AntimalwareConfig
    xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
    <AntimalwareEnabled>true</AntimalwareEnabled>
    <RealtimeProtectionEnabled>true</RealtimeProtectionEnabled>
    <ScheduledScanSettings isEnabled="true" day="1" time="120" scanType="Full" />
    <Exclusions>
        <Extensions>
            <Extension>.ext1</Extension>
            <Extension>.ext2</Extension>
        </Extensions>
        <Paths>
            <Path>c:\excluded-path-1</Path>
            <Path>c:\excluded-path-2</Path>
        </Paths>
        <Processes>
            <Process>excludedproc1.exe</Process>
            <Process>excludedproc2.exe</Process>
        </Processes>
    </Exclusions>
</AntimalwareConfig>
```

## Add Microsoft Antimalware for Azure Arc-enabled servers

The code sample below shows how you can add Microsoft Antimalware for Azure Arc-enabled servers via PowerShell cmdlets.

> [!NOTE]
> Before executing this code sample, you must uncomment the variables and provide appropriate values.

```powershell
# Before using Azure PowerShell to manage VM extensions on your hybrid server managed by Azure Arc-enabled servers, you need to install the Az.ConnectedMachine module. Run the following command on your Azure Arc-enabled server:
# If you have Az.ConnectedMachine installed, please make sure the version is at least 0.4.0
Install-Module -Name Az.ConnectedMachine
Import-Module -Name Az.ConnectedMachine

# Specify subscription, location, resource group, and machine for the extension
$subscriptionid = " SUBSCRIPTION ID HERE "
$location = " LOCATION HERE " # e.g., "Southeast Asia" or "Central US"
$resourceGroupName = " RESOURCE GROUP NAME HERE "
$machineName = "MACHINE NAME HERE "

# Enable Antimalware with default policies
$setting = @{"AntimalwareEnabled"=$true}

# Enable Antimalware with custom policies
$setting2 = @{
    "AntimalwareEnabled"=$true;
    "RealtimeProtectionEnabled"=$true;
    "ScheduledScanSettings"= @{
        "isEnabled"=$true;
        "day"=0;
        "time"=120;
        "scanType"="Quick"
    };
    "Exclusions"= @{
        "Extensions"=".ext1, .ext2";
        "Paths"="";
        "Processes"="sampl1e1.exe, sample2.exe"
    };
    "SignatureUpdates"= @{
        "FileSharesSources"="";
        "FallbackOrder"="";
        "ScheduleDay"=0;
        "UpdateInterval"=0;
    };
    "CloudProtection"=$true
}

# Will be prompted to log in
Connect-AzAccount

# Enable Antimalware with the policies
New-AzConnectedMachineExtension -Name "IaaSAntimalware" -ResourceGroupName $resourceGroupName -MachineName $machineName -Location $location -SubscriptionId $subscriptionid -Publisher "Microsoft.Azure.Security" -Settings $setting -ExtensionType "IaaSAntimalware"
```

## Next steps

- [Microsoft Antimalware for Azure Cloud Services and Virtual Machines](antimalware.md)
- [Microsoft Defender for Cloud](/azure/defender-for-cloud/)
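
The VM and scale-set samples pass the antimalware policy to the extension as a raw JSON string, so typographic quotes or a trailing comma in that string only surface at deployment time. As an added example (not part of the original article), the hypothetical helper `Test-AntimalwareSettingString` checks a settings string offline and lists the exclusions it would apply so they can be reviewed; the sample inputs are constructed, and splitting exclusions on `;` as well as `,` is an assumption.

```powershell
# Added example: hypothetical helper, not part of the original article.
function Test-AntimalwareSettingString {
    param([Parameter(Mandatory)][string]$SettingString)

    $findings = @()
    # Curly quotes pasted from rendered pages are not JSON string delimiters.
    if ($SettingString -match '[\u2018\u2019\u201C\u201D]') {
        $findings += 'Typographic quotes present; JSON needs straight double quotes.'
    }
    # Heuristic: some JSON parsers accept trailing commas, others reject them.
    if ($SettingString -match ',\s*[}\]]') {
        $findings += 'Trailing comma before a closing brace or bracket.'
    }
    $cfg = $null
    try { $cfg = $SettingString | ConvertFrom-Json -ErrorAction Stop }
    catch { $findings += "Does not parse as JSON: $($_.Exception.Message)" }

    $exclusions = @()
    if ($cfg) {
        if ($cfg.AntimalwareEnabled -ne $true) { $findings += 'AntimalwareEnabled is not true.' }
        if ($cfg.RealtimeProtectionEnabled -eq $false) {
            $findings += 'RealtimeProtectionEnabled is explicitly false.'
        }
        # Inventory every exclusion so a reviewer sees what will not be scanned.
        # Splitting on ';' as well as ',' is an assumption; the page uses commas.
        foreach ($kind in 'Extensions', 'Paths', 'Processes') {
            foreach ($item in ([string]$cfg.Exclusions.$kind -split '[,;]')) {
                if ($item.Trim()) {
                    $exclusions += [pscustomobject]@{ Kind = $kind; Value = $item.Trim() }
                }
            }
        }
    }
    [pscustomobject]@{ Ok = ($findings.Count -eq 0); Findings = $findings; Exclusions = $exclusions }
}

# Constructed inputs: a clean policy, and one with curly quotes and a trailing comma.
$good = '{"AntimalwareEnabled": true, "RealtimeProtectionEnabled": true,
  "Exclusions": {"Extensions": ".ext1,.ext2", "Paths": "", "Processes": "sample2.exe"}}'
$curly = "$([char]0x201C)$([char]0x201D)"
$bad = '{"AntimalwareEnabled": true, "SignatureUpdates": {"FallbackOrder": ' + $curly +
       ', "UpdateInterval": 0,}}'

foreach ($s in $good, $bad) {
    $r = Test-AntimalwareSettingString -SettingString $s
    "Ok=$($r.Ok)"; $r.Findings; $r.Exclusions
}
```

Run the check on `$settingString` before calling `Set-AzureRmVMExtension`, and treat any listed exclusion as a scanning gap that needs a documented reason.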