Install Endpoint Protection

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: VirtualMachines-006

Ensure that all your Microsoft Azure virtual machines (VMs) have endpoint protection installed in order to help you identify and remove viruses, spyware and other malicious software. The Azure Security Center service monitors the status of anti-malware protection for Azure virtual machines (VMs) and highlights if there is insufficient protection, marking the virtual machines without endpoint protection as vulnerable to malware threats.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

When endpoint protection software such as Microsoft Antimalware is installed on your Azure virtual machines (VMs), it provides real-time protection capability that helps you identify and eliminate viruses, malware and other malicious software. This type of endpoint protection is also used to generate alerts when known malicious or unwanted software tries to install itself or run on your Azure VMs.


Audit

To determine if endpoint protection is installed on your Azure virtual machines, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, under RESOURCE SECURITY HYGIENE, choose Recommendations to view the recommendations provided by Microsoft Azure Security Center for the cloud resources available in the current subscription. A recommendation represents an action for you to take in order to secure your Azure resources. Each Security Center recommendation consists of 1) a short description of what is being recommended, 2) the steps required to implement the recommendation, 3) the affected resource(s) that require the recommended actions and 4) the secure score impact if the recommendation is implemented.

04 On the Recommendations page, search for the Install endpoint protection solution on virtual machines recommendation. If there is no recommendation with that name, the Security Center did not find any virtual machines without endpoint protection. If Install endpoint protection solution on virtual machines is available as recommendation, one or more Microsoft Azure virtual machines (VMs), available in the current subscription, are missing endpoint protection (i.e. anti-malware protection).

05 Repeat steps no. 2 – 4 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run vm list command (Windows/macOS/Linux) using custom query filters to list the name and the associated resource group of each virtual machine (VM) provisioned in the current Azure subscription:

az vm list \
	--output table \
	--query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested virtual machine (VM) identifiers:

Name                       ResourceGroup
------------------------   ------------------------------
cc-ms-application-server   cloud-shell-storage-westeurope
cc-main-application-vm     cloud-shell-storage-westeurope

03 Run vm extension list command (Windows/macOS/Linux) using the name of the virtual machine that you want to examine and the associated resource group as identifier parameters to describe the names of the software extensions currently installed on the selected Azure VM:

az vm extension list \
	--vm-name cc-ms-application-server \
	--resource-group cloud-shell-storage-westeurope \
	--query '[*].name'

04 The command output should return the names of the extensions installed on the specified virtual machine:

[
  "AzureNetworkWatcherExtension",
  "MicrosoftMonitoringAgent"
]

Check the extension names returned by the vm extension list command for any name that contains one of the following keywords: "EndpointSecurity", "TrendMicroDSA", "Antimalware", "EndpointProtection", "SCWPAgent", "PortalProtectExtension" or "FileSecurity". If none of the installed VM extensions returned at the previous step contains one of these keywords, the selected Microsoft Azure virtual machine is missing anti-malware protection (also known as endpoint protection). Note that a matching extension only counts as protection if it was actually provisioned: an extension whose provisioningState is not "Succeeded" (for example, a failed install) should be treated as missing, so include provisioningState in the query when auditing at scale.

05 Repeat step no. 3 and 4 for each virtual machine (VM) provisioned in the current Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To install endpoint protection for your Microsoft Azure virtual machines using Azure Security Center and Azure API/CLI, perform the following actions:

Note: As an example, this section demonstrates how to install Microsoft Antimalware software extension as endpoint protection for Azure virtual machines (VMs). Alternatively, you can deploy your own endpoint protection software for your Azure VMs.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, under RESOURCE SECURITY HYGIENE, choose Recommendations to access the Azure Security Center recommendations provided for the cloud resources available in the current subscription.

04 On the Recommendations page, click on Install endpoint protection solution on virtual machines recommendation, to access the Security Center dashboard that lists the Azure virtual machines (VMs) that are missing endpoint protection.

05 On the Endpoint Protection not installed on Azure VMs dashboard, select all the virtual machines available, then click Install on <VMs number> VMs button to start the endpoint protection installation process.

06 On the Select Endpoint Protection dashboard, choose Microsoft Antimalware extension as endpoint protection software, then click Create to initiate the extension setup process.

07 On the Microsoft Antimalware dashboard, use the configuration settings available on the extension blade to configure the VMs anti-malware protection based on your requirements. Once the software extension is configured, click Ok to apply the changes and run the endpoint protection installation. The anti-malware software installation should take a few minutes.

08 Repeat steps no. 2 – 7 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run vm extension set command (Windows/macOS/Linux) using the name of the Azure virtual machine (VM) that you want to reconfigure as identifier parameter (see Audit section part II to identify the right resource) to apply endpoint protection by installing Microsoft Antimalware software extension (i.e. IaaSAntimalware extension), ver. 1.5.5.9, on the selected Azure VM (the command does not produce an output):

az vm extension set \
	--publisher Microsoft.Azure.Security \
	--name IaaSAntimalware \
	--version 1.5.5.9 \
	--vm-name cc-ms-application-server \
	--resource-group cloud-shell-storage-westeurope \
	--no-wait

02 Repeat step no. 1 for all the Microsoft Azure virtual machines that are missing anti-malware protection, provisioned within the current subscription.

03 Repeat step no. 1 and 2 for each subscription available in your Microsoft Azure cloud account.
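The Audit and Remediation CLI procedures above are both per-VM, per-subscription loops. The script below is an added example, not part of this rule page or of the Conformity tool, that automates both: it applies the keyword check from the Audit section to every VM in each subscription passed on the command line and, when run in "fix" mode, installs the IaaSAntimalware extension on the VMs that lack protection. It assumes the Azure CLI (az) is installed and logged in, that only extensions with provisioningState "Succeeded" count as protection, and that the ANTIMALWARE_SETTINGS JSON (real-time protection on, weekly quick scan) is a constructed sample you would adjust to your own policy.

```shell
#!/bin/sh
# Added example (not the Conformity rule page's own tooling): audit every VM in the given
# subscriptions for an endpoint-protection extension, optionally installing Microsoft
# Antimalware (IaaSAntimalware) where none is found.
# Assumptions: az is installed and logged in; the keywords below are the ones from the
# Audit section; ANTIMALWARE_SETTINGS is a constructed sample configuration.

# Keywords from the Audit section. A match anywhere in the extension name counts.
EP_KEYWORDS="EndpointSecurity TrendMicroDSA Antimalware EndpointProtection SCWPAgent PortalProtectExtension FileSecurity"

# has_endpoint_protection NAME... -> exit 0 if any extension name contains a keyword, 1 otherwise.
# Called with no arguments (VM has no successfully provisioned extensions) it returns 1.
has_endpoint_protection() {
    for ext in "$@"; do
        for kw in $EP_KEYWORDS; do
            case "$ext" in
                *"$kw"*) return 0 ;;
            esac
        done
    done
    return 1
}

# Constructed sample settings for the IaaSAntimalware extension (assumed schema; adjust to policy).
ANTIMALWARE_SETTINGS='{
  "AntimalwareEnabled": true,
  "RealtimeProtectionEnabled": "true",
  "ScheduledScanSettings": { "isEnabled": "true", "day": "7", "time": "120", "scanType": "Quick" }
}'

# install_antimalware VM RG -> installs the extension and prints its final provisioningState.
# Unlike the --no-wait form in the Remediation section, this blocks so a failed install is visible.
install_antimalware() {
    az vm extension set \
        --publisher Microsoft.Azure.Security \
        --name IaaSAntimalware \
        --version 1.5.5.9 \
        --vm-name "$1" \
        --resource-group "$2" \
        --settings "$ANTIMALWARE_SETTINGS" \
        --query provisioningState -o tsv
}

# audit_subscription SUBSCRIPTION [fix] -> prints "<vm> <resourceGroup> <status>" per VM.
# With the second argument "fix", installs the extension on every VM reported as MISSING.
audit_subscription() {
    mode=${2:-audit}
    az account set --subscription "$1" || return 2
    az vm list --query '[].[name, resourceGroup]' -o tsv |
    while read -r vm rg; do
        # Only extensions that finished provisioning count; a failed install is not protection.
        exts=$(az vm extension list --vm-name "$vm" --resource-group "$rg" \
                 --query "[?provisioningState=='Succeeded'].name" -o tsv)
        # $exts is deliberately unquoted: one extension name per word, no names contain spaces.
        if has_endpoint_protection $exts; then
            printf '%s %s protected\n' "$vm" "$rg"
        else
            printf '%s %s MISSING\n' "$vm" "$rg"
            if [ "$mode" = fix ]; then
                printf '%s %s install: %s\n' "$vm" "$rg" "$(install_antimalware "$vm" "$rg")"
            fi
        fi
    done
}

# Usage: ./ep_audit.sh audit <subscription-id>...   or   ./ep_audit.sh fix <subscription-id>...
# Nothing runs against Azure unless a mode and at least one subscription are supplied.
if [ $# -gt 1 ]; then
    mode=$1; shift
    for sub in "$@"; do
        audit_subscription "$sub" "$mode"
    done
fi
```

Run it in audit mode first and review the MISSING lines before running in fix mode; pipe the output through `grep MISSING` to get the list that corresponds to the Security Center recommendation. Because the keyword list is a name match, a VM carrying a third-party agent whose extension name is not in the list will be reported as MISSING even if it is protected; extend EP_KEYWORDS rather than suppressing the finding.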

Publication date Sep 20, 2019