|
1 | 1 | --- |
2 | | -title: Kubernetes Nodes Malware Detection |
3 | | -description: Learn about Defender for Containers malware detection for Kubernetes nodes. |
4 | | -ms.date: 03/02/2026 |
5 | | -ms.topic: concept-article |
| 2 | +title: Review and remediate malware alerts for Kubernetes nodes |
| 3 | +description: Learn how to review and remediate malware alerts for Kubernetes nodes in Defender for Containers. |
| 4 | +ms.date: 04/09/2026 |
| 5 | +ms.topic: how-to |
6 | 6 | ms.custom: sfi-image-nochange |
7 | 7 | --- |
8 | 8 |
|
9 | | -# Kubernetes node malware detection |
10 | | - |
11 | | -Defender for Containers uses the Microsoft Defender Antivirus anti-malware engine to scan and detect malicious files in Kubernetes nodes. When threats are detected, security alerts are directed into Defender for Cloud and Defender XDR, where they can be investigated and remediated. |
| 9 | +# Review and remediate malware alerts for Kubernetes nodes |
12 | 10 |
|
| 11 | +Defender for Containers uses the Microsoft Defender Antivirus anti-malware engine to scan Kubernetes nodes for malicious files. When malware is detected, Defender for Cloud generates security alerts that can be investigated and remediated in Defender for Cloud and Defender XDR. |
13 | 12 |
|
14 | 13 | ## Prerequisites |
15 | | -Malware detection in Kubernetes nodes must be [enabled by turning on the **Agentless scanning for machines**](./kubernetes-nodes-overview.md#enable-agentless-scanning-for-machines) option in the Defender for Containers or Defender for Servers P2 plan. |
16 | 14 |
|
17 | | -> [!NOTE] |
18 | | -> Malware detection is **not** performed on Kubernetes nodes if agentless scanning for machines is enabled through the Defender Cloud Security Posture Management Plan. Agentless scanning for machines must be enabled through Defender for Containers or Defender for Servers P2 plan. |
| 15 | +Before you begin, make sure that: |
| 16 | + |
| 17 | +- You have an Azure subscription. If you don’t have an Azure subscription, create a [free account](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn) before you begin. |
19 | 18 |
|
20 | | -## Review and remediate the Kubernetes node malware security alerts |
| 19 | +- [Microsoft Defender for Cloud is enabled on your subscription](connect-azure-subscription.md) with one of the following plans: |
| 20 | + - Defender for Containers |
| 21 | + - Defender for Servers P2 |
21 | 22 |
|
22 | | -If malware is found in Kubernetes nodes, a malware security alert is generated for the customer to review. To review a Kubernetes node malware security alert in the Azure portal: |
| 23 | +- [Agentless scanning for machines](kubernetes-nodes-overview.md#enable-agentless-scanning-for-machines) is enabled. |
| 24 | + |
| 25 | +## Review and remediate Kubernetes node malware alerts |
23 | 26 |
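Review bot: The rewritten Prerequisites list (new lines 15-23) drops the caveat from the removed NOTE that malware detection is not performed on Kubernetes nodes when agentless scanning for machines is enabled through the Defender Cloud Security Posture Management plan. The plan bullet and the "Agentless scanning for machines is enabled" bullet now read as independent conditions, so nothing tells the reader which plan the option has to be turned on in. Suggest making the last bullet state that the option must be enabled in the Defender for Containers or Defender for Servers P2 plan, or restoring the note under the list. The how-to as written will otherwise send readers to look for alerts that the removed text says are never produced in that configuration.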
|
24 | 27 | 1. Sign in to the [Azure portal](https://portal.azure.com). |
25 | 28 |
|
26 | | -1. Go to **Microsoft Defender for Cloud** > **General** > **Security alerts**. |
| 29 | +1. Go to **Microsoft Defender for Cloud** > **Security alerts**. |
| 30 | + |
| 31 | +1. Select the relevant malware alert for the Kubernetes node. |
27 | 32 |
|
28 | | -1. Select the relevant malware security alert for the Kubernetes node. |
29 | 33 | :::image type="content" source="media/kubernetes-nodes-malware/security-alerts-list-select.png" alt-text="Screenshot of selecting the line showing the malware security alert for the Kubernetes node." lightbox="media/kubernetes-nodes-malware/security-alerts-list-select.png"::: |
30 | 34 |
|
31 | | -1. Select the **View full details** button. |
| 35 | +1. Select **View full details** to review the detected malware, including affected node pools and malware files. |
| 36 | + |
32 | 37 | :::image type="content" source="media/kubernetes-nodes-malware/security-alert-detail.png" alt-text="Screenshot of selecting the view full details button to view the full details." lightbox="media/kubernetes-nodes-malware/security-alert-detail.png"::: |
33 | 38 |
|
34 | | -1. The security alert details describe the malware found, including the affected node pools and malware files found. Select the **Next: Take Action** button to view the instructions to remediate the threat. |
| 39 | +1. Select **Next: Take Action >>** to open the remediation guidance. |
| 40 | + |
35 | 41 | :::image type="content" source="media/kubernetes-nodes-malware/security-alert-detail-full.png" alt-text="Screenshot of selecting the take action tab to see the instructions to remediate the threat." lightbox="media/kubernetes-nodes-malware/security-alert-detail-full.png"::: |
36 | 42 |
|
37 | | -1. Follow the instructions to remediate the threat. |
38 | | - :::image type="content" source="media/kubernetes-nodes-malware/security-alert-detail-take-action.png" alt-text="Screenshot showing the instructions to remediate the threat." lightbox="media/kubernetes-nodes-malware/security-alert-detail-take-action.png"::: |
| 43 | +1. Follow the recommended steps to remediate the threat. |
| 44 | + |
| 45 | + :::image type="content" source="media/kubernetes-nodes-malware/security-alert-detail-take-action.png" alt-text="Screenshot showing the instructions to remediate the threat." lightbox="media/kubernetes-nodes-malware/security-alert-detail-take-action.png"::: |
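Review bot: The procedure under "Review and remediate Kubernetes node malware alerts" (new lines 25-45) now starts directly with step 1, and the removed lead-in "To review a Kubernetes node malware security alert in the Azure portal:" was the only place that scoped these steps to the portal. The intro at new line 11 still says alerts can be investigated and remediated in Defender for Cloud and Defender XDR, so with ms.topic changed to how-to the page promises a Defender XDR path that it never covers. Suggest restoring a one-line lead-in before step 1 that names the Azure portal, and either linking to the Defender XDR investigation steps or narrowing the intro. Separately, the image line at old 38 / new 45 is removed and re-added with no visible text difference. If that is an indentation fix to keep the image inside its list item, the images after steps 3, 4 and 5 should be checked for the same treatment.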