Installing Microsoft Anti Virus Extension to Azure Resource Manager VM using Set-AzureRmVMExtension

Hi! In this article I will show how to install the MS AV (Microsoft Antimalware) extension on an Azure Resource Manager (ARM) based virtual machine using PowerShell, because the feature to add it in the portal is not yet available for ARM VMs. Using a script and a config file also gives us the option to customise the application configuration.

Why Install the Microsoft Anti Virus Extension ?

This extension has been made available by Microsoft for free to protect your virtual machines running in Azure, so that is one good reason to start with! As it is a free tool there is no central management server or console. However, with Operations Management Suite (OMS), which also has a free tier, you can quickly get a view of all your Azure VM infrastructure and see each VM's protection status, including whether it is up to date or not.

The tool itself is a version of the enterprise-class Microsoft System Center suite of products, so it is not just a basic tool, and I have known it to behave and work very well. It also has some good configuration options for a free tool, such as specifying excluded file types and paths, scan schedules and real-time protection. I may do another article on the integration with OMS and the business value of the tool in the near future. For now I will get on with the implementation, as there is little documentation out there currently (Feb 2016).

Configuration Options for MSAV Extension

As mentioned above, the client can be installed with some configuration options. The default scripts available just switch it on with default settings and real-time protection. I have provided a method where you can point to a customised JSON file to configure your settings as required, such as specific exclusions and file paths, and apply them.

For a rundown of the configuration options and a good overview of the product, head here:

https://azure.microsoft.com/en-us/documentation/articles/azure-security-antimalware/

Requirements

The VM must be a Resource Manager type VM associated with a Resource Group. Your Azure PowerShell module needs to be version 1.0 or above; note the Rm in the xxx-AzureRm cmdlets. The VM also needs to be running Windows Server.

 

Microsoft Azure VM Anti Malware Agent Install Script

 

# Install Microsoft AntiMalware client on an ARM based Azure VM
# Check the note at the end to be able to open the SCEP antimalware console on the server if there are problems.
# Author – Mitesh Chauhan – miteshc.wordpress.com
# For Azure PowerShell 1.0.1 and above

# Log in with credentials for the subscription
Login-AzureRmAccount

# Select your subscription if required (or the default will be used)
Select-AzureRmSubscription -SubscriptionId "Your Sub ID here"

$resourceGroupName = "RG NAME"
$location = "North Europe"
$vmName = "VM NAME"

# Option 1 for -SettingString: simple setup, antimalware on with default settings and real-time protection
$SettingsString = '{ "AntimalwareEnabled": true, "RealtimeProtectionEnabled": true }'

# Option 2 for -SettingString: configure from the JSON file shown further down
$MSAVConfigfile = Get-Content 'C:\Scripts\MSavConfig.json' -Raw

# Find the published versions of the extension and take the last one listed
# (this assumes the list is returned oldest to newest), then reduce it to
# major.minor, which is the form -TypeHandlerVersion expects
$allVersions = (Get-AzureRmVMExtensionImage -Location $location -PublisherName "Microsoft.Azure.Security" -Type "IaaSAntimalware").Version
$typeHandlerVer = $allVersions[$allVersions.Count - 1]
$typeHandlerVerMjandMn = $typeHandlerVer.Split(".")
$typeHandlerVerMjandMn = $typeHandlerVerMjandMn[0] + "." + $typeHandlerVerMjandMn[1]

# Minimal alternative: engine enabled only, no real-time protection.
# Uncommenting this overrides option 1 above.
# $SettingsString = '{ "AntimalwareEnabled": true }'

# For -SettingString pass whichever option you want: $SettingsString for the simple setup, or $MSAVConfigfile to use the JSON file.
Set-AzureRmVMExtension -ResourceGroupName $resourceGroupName -VMName $vmName -Name "IaaSAntimalware" -Publisher "Microsoft.Azure.Security" -ExtensionType "IaaSAntimalware" -TypeHandlerVersion $typeHandlerVerMjandMn -SettingString $SettingsString -Location $location

# To remove the antimalware extension
# Remove-AzureRmVMExtension -ResourceGroupName $resourceGroupName -VMName $vmName -Name "IaaSAntimalware"

# If you get an error saying the administrator has restricted this app, navigate to "C:\Program Files\Microsoft Security Client"
# and run "C:\Program Files\Microsoft Security Client\ConfigSecurityPolicy.exe cleanuppolicy.xml"
# Or simply drag the cleanuppolicy.xml file onto ConfigSecurityPolicy.exe to sort it and you should be in.

 

MSAV Config JSON File

Copy the text below into a file and name it MSavConfig.json, for example. The script above uses the C:\Scripts folder.

{
  "AntimalwareEnabled": true,
  "RealtimeProtectionEnabled": true,
  "ScheduledScanSettings": {
    "isEnabled": true,
    "day": 1,
    "time": 120,
    "scanType": "Quick"
  },
  "Exclusions": {
    "Extensions": ".mdf;.ldf",
    "Paths": "D:\\;E:\\",
    "Processes": "excludedproc1.exe;excludedproc2.exe"
  }
}
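The script above passes whatever is in the file straight to -SettingString and only looks at the result in the portal. The following is an added example, not part of the original post, that validates the JSON before it is applied, picks the newest extension version by numeric rather than list-order comparison, installs the extension and then reads its status back with Get-AzureRmVMExtension -Status. It assumes the same AzureRM cmdlets as the script (Login-AzureRmAccount already run), and the resource group, VM name, location and config path are placeholders for your own values.

```powershell
# Added example (not the author's script): validate the JSON config, choose the newest
# IaaSAntimalware version numerically, apply it, then verify provisioning on the VM.
# Assumes AzureRM.Compute cmdlets and that Login-AzureRmAccount has already been run.

$resourceGroupName = "RG NAME"                    # placeholder
$location          = "North Europe"               # placeholder
$vmName            = "VM NAME"                    # placeholder
$configPath        = "C:\Scripts\MSavConfig.json" # placeholder, same layout as the JSON above

function Test-MSavConfig {
    # Returns the raw JSON text if it parses and the keys the extension expects look sane;
    # throws otherwise, so a typo in the file fails here instead of inside the extension.
    param([Parameter(Mandatory = $true)][string]$Path)

    $raw = Get-Content -Path $Path -Raw
    try {
        $cfg = $raw | ConvertFrom-Json
    } catch {
        throw "Config '$Path' is not valid JSON: $($_.Exception.Message)"
    }

    if ($cfg.AntimalwareEnabled -isnot [bool]) {
        throw "AntimalwareEnabled must be a JSON boolean (true/false)"
    }
    if ($null -ne $cfg.RealtimeProtectionEnabled -and $cfg.RealtimeProtectionEnabled -isnot [bool]) {
        throw "RealtimeProtectionEnabled must be a JSON boolean"
    }
    if ($null -ne $cfg.ScheduledScanSettings) {
        $scan = $cfg.ScheduledScanSettings
        if ($scan.isEnabled -isnot [bool]) { throw "ScheduledScanSettings.isEnabled must be a boolean" }
        if (@('Quick', 'Full') -notcontains $scan.scanType) {
            throw "ScheduledScanSettings.scanType must be 'Quick' or 'Full'"
        }
    }
    if ($null -ne $cfg.Exclusions) {
        # Exclusions are semicolon-separated strings, not JSON arrays
        foreach ($key in @('Extensions', 'Paths', 'Processes')) {
            $val = $cfg.Exclusions.$key
            if ($null -ne $val -and $val -isnot [string]) {
                throw "Exclusions.$key must be a ';'-separated string"
            }
        }
    }
    return $raw
}

function Get-LatestMSavTypeHandlerVersion {
    # Sorts as [version] so 1.10.0.0 is newer than 1.9.0.0, then returns "major.minor",
    # which is the form -TypeHandlerVersion expects.
    param([Parameter(Mandatory = $true)][string]$Location)

    $versions = (Get-AzureRmVMExtensionImage -Location $Location `
        -PublisherName "Microsoft.Azure.Security" -Type "IaaSAntimalware").Version
    $latest = [version]($versions | Sort-Object { [version]$_ } -Descending | Select-Object -First 1)
    return "$($latest.Major).$($latest.Minor)"
}

function Test-MSavExtensionStatus {
    # Reads the instance view of the extension and reports whether provisioning succeeded.
    param(
        [Parameter(Mandatory = $true)][string]$ResourceGroupName,
        [Parameter(Mandatory = $true)][string]$VMName
    )

    $ext = Get-AzureRmVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName `
        -Name "IaaSAntimalware" -Status
    Write-Output "ProvisioningState: $($ext.ProvisioningState)"
    foreach ($s in $ext.Statuses) {
        Write-Output ("  {0} [{1}] {2}" -f $s.Code, $s.Level, $s.Message)
    }
    return ($ext.ProvisioningState -eq 'Succeeded')
}

# Install from the validated JSON file and verify the result
$settings = Test-MSavConfig -Path $configPath
$typeHandlerVersion = Get-LatestMSavTypeHandlerVersion -Location $location

Set-AzureRmVMExtension -ResourceGroupName $resourceGroupName -VMName $vmName `
    -Name "IaaSAntimalware" -Publisher "Microsoft.Azure.Security" -ExtensionType "IaaSAntimalware" `
    -TypeHandlerVersion $typeHandlerVersion -SettingString $settings -Location $location

if (-not (Test-MSavExtensionStatus -ResourceGroupName $resourceGroupName -VMName $vmName)) {
    Write-Warning "IaaSAntimalware did not reach 'Succeeded'; review the statuses above before relying on the VM being protected."
}
```

The status check is the part worth keeping in any deployment script: Set-AzureRmVMExtension returning without error only means the request was accepted, and a VM that shows the extension in the portal may still be unprotected if provisioning failed or the settings were rejected.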

 

Unsupported Workaround for those who try to open the console

If you try to open the console you can see and change the settings, but by default Microsoft have disabled the use of the UI, as the agent should only be managed through the extension (scripting). The following steps are provided so you can see the console for testing/dev only; this may not be a supported configuration.

Check the Install and fix the "Administrator has restricted access to this app" Message

Once the agent is installed you will see it listed in the Extensions section of the VM in the Azure portal.

Log into the machine and search for the System Center Endpoint Protection tool.

You may (and probably will) get this error saying "Your system administrator has restricted access to this app."

Simply navigate to the "C:\Program Files\Microsoft Security Client" folder and drag the cleanuppolicy.xml file onto the ConfigSecurityPolicy.exe file.

The next time you click on the application the console will open. Remember this may not be a supported "fix".

[Screenshots: the opened console and further views of the settings.]

 

Thanks for visiting and I hope you found this useful!

Mitesh


About Mitesh Chauhan
Mitesh Chauhan, Azure Cloud Solutions Architect. This is my blog where I share articles and thoughts on IT Infrastructure and architecture. The topics I am most passionate about are Implementation and architecture of rock solid Cloud Infrastructure based around SQL Server and Windows Server mainly using Microsoft Azure. MCTS - Azure Architecture MCTS - Azure Implementation MCSE Server Infrastructure (Windows Server 2012) , MCITP SQL Server 2008, Togaf Certified, Prince 2 Practitioner.

6 Responses to Installing Microsoft Anti Virus Extension to Azure Resource Manager VM using Set-AzureRmVMExtension

  1. 101v says:

    Very well explained, Mitesh. Thank you. It helped a lot.

  2. Clinton says:

    Hi Mitesh, thanks for the article, especially the unsupported error fix. Question: how do I monitor the endpoints through the Azure portal as described in another article? The machines are unattended, so I would like to have an overall management view.

    • Hi Clinton

      Thanks for visiting. Yes, you can use Operations Management Suite (OMS) for tracking AV extension status, mainly for telling you which servers are not protected or up to date rather than detailed stats at this time, I think. Make sure you have the latest extension, or 1.4 or newer, on the VMs for it to show up properly in OMS, as older ones just report unprotected! Best regards and thanks again for visiting and posting.

  3. Catherine says:

    Hello, is there any way to reverse ConfigSecurityPolicy cleanuppolicy.xml? I have enabled it on a server but I would like to restrict it again.
