| Source | Azure Portal | ||
| Display name | Microsoft Managed Control 1678 - Malicious Code Protection | ||
| Id | dd533cb0-b416-4be7-8e86-4d154824dfd7 | ||
| Version | 1.0.0 Details on versioning |
||
| Category | Regulatory Compliance Microsoft Learn |
||
| Description | Microsoft implements this System and Information Integrity control | ||
| Additional metadata |
Name/Id: ACF1678 / Microsoft Managed Control 1678 Category: System and Information Integrity Title: Malicious Code Protection - Periodic And Real-Time Scans Ownership: Customer, Microsoft Description: The organization: Configures malicious code protection mechanisms to: Perform periodic scans of the information system weekly and real-time scans of files from external sources at all hosts as the files are downloaded, opened, or executed in accordance with organizational security policy; and block malicious code, quarantine malicious code, alert Microsoft Azure service team personnel, Microsoft Azure Security, and/or C+AI Security in response to malicious code detection; and Requirements: Servers: The following functions are centrally managed by the appropriate anti-malware tool on each endpoint for each service team: * Periodic scans at least weekly * Real-time scans of files as they are downloaded, opened, or executed When Windows anti-malware tools detect malware, they block the malware and an alert is generated and sent to Azure service teams, Azure Security, and/or C+AI Security. The receiving personnel initiate the incident management process. Incidents, including false positives, are tracked and resolved, and post-mortem analysis is performed. Customers including government customers and US-CERT are notified as required by the incident management processes. For Linux operating systems, Azure uses ClamAV to identify the characteristics and behavior of malicious code. ClamAV does not auto-remediate the malware. Instead, Microsoft Threat Intelligence Center (MSTIC) detections are used to analyze commands generated as part of process activity to look for anomalous activity. Response to anti-malware detections are handled by a combination of the service teams for those detections that autoroute to the service owners and the Cyber Defense Operating Center (CDOC) who reviews detections for anomalous activity.The anti-malware protection software ClamAV for Linux servers is currently not configured with on-access scanning enabled. As such, real-time scanning and protections for Linux services are not provided. To mitigate against the risk of enabling malicious files to be permitted to be copied or installed on Linux servers and remain there until found by the weekly scans, Azure has implemented strong access management controls, traffic flow restrictions, and system-level monitoring that are in place for all Azure servers including Linux. Network Devices Network devices do not natively support anti-malware software, but are protected through a combination of the server-based anti-malware software and the secure coding practices required by the Security Development Lifecycle (SDL), configuration management and control, supply chain processes, and in-depth logging and monitoring. |
||
| Mode | Indexed | ||
| Type | Static | ||
| Preview | False | ||
| Deprecated | False | ||
| Effect | Fixed audit |
||
| RBAC role(s) | none | ||
| Rule aliases | none | ||
| Rule resource types | IF (2) Microsoft.Resources/subscriptions Microsoft.Resources/subscriptions/resourceGroups |
||
| Compliance | Not a Compliance control | ||
| Initiatives usage | none | ||
| History | none | ||
| JSON compare | n/a | ||
| JSON |
|