|
| 1 | +--- |
| 2 | +title: Anti-malware detection and blocking |
| 3 | +description: Learn how to configure Container runtime anti-malware detection and blocking to block or alert on malware in Azure, Amazon Web Service (AWS), and Google Cloud Project (GCP) environments. |
| 4 | +#customer intent: As a security admin, I want to configure container runtime antimalware policies so that I can detect and prevent malware in my containerized workloads. |
| 5 | +author: ElazarK |
| 6 | +ms.author: elkrieger |
| 7 | +ms.date: 02/22/2026 |
| 8 | +ms.topic: how-to |
| 9 | +--- |
| 10 | + |
| 11 | +# Anti-malware detection and blocking |
| 12 | + |
| 13 | +Container runtime anti-malware detects and blocks malware when a container runs an executable that the system identifies as malicious software. |
| 14 | + |
| 15 | +This feature sends alerts when it identifies malware and lets you block malware. |
| 16 | + |
| 17 | +You can define anti-malware policies that set conditions for alerts and blocking. These policies help you distinguish legitimate activity from potential threats. |
| 18 | + |
| 19 | +Container runtime anti-malware detection and blocking is part of the Defender for Containers plan. This feature is available for Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS), and Google Kubernetes Engine (GKE). |
| 20 | + |
| 21 | +## Prerequisites |
| 22 | + |
| 23 | +- To use container runtime anti-malware detection and blocking, you need to run the Defender for Container sensor, which is available for the AWS, GCP, and AKS clouds. Currently, this feature is in preview and is only supported for: |
| 24 | + - **AKS**: Helm provisioning with sensor version **0.10.2**. |
| 25 | + - **Multicloud**: Helm provisioning with sensor version **0.10.2** or the ARC extension using `release-train=preview`, with the command `--configuration-settings collectors.antimalwareCollector.enable='true`. |
| 26 | + |
| 27 | + For example: |
| 28 | + |
| 29 | + ```azurecli |
| 30 | + az k8s-extension create --name microsoft.azuredefender.kubernetes --extension-type microsoft.azuredefender.kubernetes --cluster-name <name> --resource-group <rg> --cluster-type connectedClusters --release-train preview --configuration-settings collectors.antimalwareCollector.enable='true' |
| 31 | + ``` |
| 32 | + |
| 33 | +- You must enable the Defender for Container sensor on the subscriptions and connectors. |
| 34 | +
|
| 35 | +- To create and modify anti-malware policies, you need Security Admin or higher permissions on the tenant. To view anti-malware policies, you need Security Reader or higher permissions on the tenant. |
| 36 | +
|
| 37 | +- In addition to the [core sensor memory and CPU requirements](/azure/defender-for-cloud/defender-for-containers-architecture?tabs=defender-for-container-arch-aks#defender-sensor-component-details), you need: |
| 38 | + |
| 39 | + | Component | Request | Limit | |
| 40 | + |--|--|--| |
| 41 | + | CPU | 50 m | 300 m | |
| 42 | + | Memory | 128Mi | 500Mi | |
| 43 | +
|
| 44 | +Learn more about [anti-malware detection and blocking availability](support-matrix-defender-for-containers.md#runtime-protection-features). |
| 45 | +
|
| 46 | +### Components |
| 47 | +
|
| 48 | +The following components are part of anti-malware detection and blocking: |
| 49 | +
|
| 50 | +- An enhanced sensor that detects and prevents malware. |
| 51 | +
|
| 52 | +- Anti-malware policy configuration options. |
| 53 | +
|
| 54 | +- Anti-malware alerts. |
| 55 | +
|
| 56 | +## Enable anti-malware detection and blocking |
| 57 | +
|
| 58 | +Anti-malware isn't enabled by default because it consumes extra cluster resources. |
| 59 | +
|
| 60 | +To install the sensor with anti-malware enabled, follow the instructions to [install Defender for Containers sensor by using Helm](deploy-helm.md) and include the `--antimalware` flag. |
| 61 | +
|
| 62 | +## Add anti-malware rules |
| 63 | +
|
| 64 | +When you install the sensor with anti-malware enabled, it configures three anti-malware rules by default. These rules include: |
| 65 | +
|
| 66 | +- `Malware alert on binaries not originated from original image`: a suggested rule for situations where the system detects a drifted binary. |
| 67 | +- `Default antimalware workload rule`. |
| 68 | +- `Default anitmalware host rule`. |
| 69 | +
|
| 70 | +The two default anti-malware rules (workload and host) apply to every potential situation if no other rule matches first. You can only modify the default rule's actions and set it to alert, block, or ignore. |
| 71 | +
|
| 72 | +You can create new anti-malware rules to define when alerts should be generated, blocked, or ignored. Each rule can define the conditions for generating alerts. This structure allows you to tailor the system to your specific needs and reduce false positives. You can create exclusions by setting higher priority rules for specific scopes or clusters, images, pods, Kubernetes labels, or namespaces. |
| 73 | +
|
| 74 | +1. Sign in to the [Azure portal](https://portal.azure.com/). |
| 75 | +
|
| 76 | +1. Go to **Defender for Cloud** > **Environment settings**. |
| 77 | +
|
| 78 | +1. Select **Security rules**. |
| 79 | +
|
| 80 | + :::image type="content" source="media/anti-malware/alert-on-malware-rule-screen.png" alt-text="Screenshot of Microsoft Defender for Cloud showing the anti-malware policy page with three rules: Alert on Malware, Default for workload, and Default for host." lightbox="media/anti-malware/alert-on-malware-rule-screen.png"::: |
| 81 | +
|
| 82 | +1. Select **Antimalware** > **+ Add rule**. |
| 83 | +
|
| 84 | + :::image type="content" source="media/anti-malware/configure-new-rule-screen.png" alt-text="Screenshot of the Add Rule side panel showing fields for rule name, conditions, and actions with options to alert, block, or ignore." lightbox="media/anti-malware/configure-new-rule-screen.png"::: |
| 85 | +
|
| 86 | +1. Enter a rule name. |
| 87 | + |
| 88 | +1. Select an available action: |
| 89 | + - **Ignore Malware**: Ignore the selected malware. |
| 90 | + - **Alert on Malware**: Generate an alert. For example, if a rule detects a drifted binary. |
| 91 | + - **Block Malware**: Block the malware from running. |
| 92 | +
|
| 93 | +1. Enter a scope name. |
| 94 | +
|
| 95 | +1. Select a cloud scope and (optional) specific subscription. |
| 96 | +
|
| 97 | +1. (Optional) Select a resource scope. |
| 98 | +
|
| 99 | +1. (Optional) Add conditions to the resource scope based on the following categories: **Container name**, **Image name**, **Namespace**, **Pod labels**, **Pod name**, or **Cluster name**. Then choose an operator: **Starts with**, **Ends with**, **Equals**, or **Contains**. Finally, enter the value to match. You can add as many conditions as needed by selecting **+Add condition**. |
| 100 | +
|
| 101 | +1. (Optional) Select the checkbox to exclude binaries from container image. |
| 102 | +
|
| 103 | +1. (Optional) Add **Allow list for processes**, a list of processes that are allowed to run in the container. If a process isn't on this list, an alert is generated. |
| 104 | +
|
| 105 | +1. Select **Apply**. |
| 106 | +
|
| 107 | +1. Select **Save**. |
| 108 | +
|
| 109 | +After 30 minutes, the sensors on the protected clusters are updated with the new rule. |
| 110 | +
|
| 111 | +## Manage anti-malware rules |
| 112 | +
|
| 113 | +Based on the alerts, you receive and review, you might need to adjust the rules in the anti-malware policy. This adjustment might include refining conditions, adding rules, or removing rules that generate many false positives. The goal is to balance security needs with operational efficiency by using effective anti-malware policies and rules. |
| 114 | +
|
| 115 | +Effective anti-malware detection relies on your active role in configuring, monitoring, and adjusting policies for your environment. |
| 116 | +
|
| 117 | +You can arrange rules by priority by selecting the up or down arrow. The rule with the highest priority (the lowest number) runs first. If a rule matches, the rule action runs and the evaluation ends. If no rule matches, the system evaluates the next rule. If no rule matches, the system applies the default rules. |
| 118 | +
|
| 119 | +You can manage each rule by using the toolbar controls. |
| 120 | +
|
| 121 | +:::image type="content" source="media/anti-malware/rule-toolbar.png" alt-text="Screenshot that shows the toolbar that can be used to manage the rules." lightbox="media/anti-malware/rule-toolbar.png"::: |
| 122 | +
|
| 123 | +The toolbar lets you edit, duplicate, delete, enable, and disable rules. Select a rule and an action. |
| 124 | +
|
| 125 | +Disabling a rule lets you keep the rule and its configuration without applying the rule. This option is useful if you want to stop a rule temporarily without losing its configuration. |
| 126 | +
|
| 127 | +After you configure your rules, select **Save** to apply the changes and create the policy. Within 30 minutes, the sensors on the protected clusters update with the new policy. |
| 128 | +
|
| 129 | +## Next step |
| 130 | +
|
| 131 | +> [!div class="nextstep"] |
| 132 | +> [Overview of Container security in Microsoft Defender for Containers](/azure/defender-for-cloud/defender-for-containers-introduction) |
0 commit comments