Description:
This check ensures that Endpoint Protection (such as antivirus or antimalware software) is installed and properly configured on all Azure Virtual Machines (VMs). Endpoint protection helps to secure VMs by detecting and preventing malware, viruses, and other types of threats from compromising the VM.
Rationale:
Endpoint protection is essential for securing virtual machines against malware, ransomware, and other threats. Without it, VMs are vulnerable to attacks that could result in data breaches, service disruptions, or unauthorized access. By ensuring that endpoint protection is installed and active, you reduce the risk of threats on your VMs and help meet security and compliance requirements.
Impact:
Enabling endpoint protection provides real-time detection and blocking of malware, viruses, and other security threats, and improves the overall security posture of the VM estate by reducing the likelihood of malicious software infections. It also supports regulatory and compliance requirements such as HIPAA and PCI DSS, which expect systems to be protected and monitored against malware.
Default Value:
Endpoint protection is not enabled by default on Azure Virtual Machines. It must be manually configured and installed.
Pre-requisites:
Ensure that the endpoint protection software (e.g., Microsoft Defender for Endpoint, third-party antivirus solutions) is available and compatible with the VMs.
Ensure that appropriate permissions are in place to install and configure endpoint protection software on the VMs.
Test Plan:
Log in to the Microsoft Azure Portal at https://portal.azure.com.
Navigate to Microsoft Defender for Cloud.
Select Environment settings from the left menu.
Choose the appropriate Subscription.
Open Defender plans.
Verify Microsoft Defender for Servers is set to On.
Return to Microsoft Defender for Cloud.
Select Inventory.
Filter Resource type = Virtual machines.
Open the Recommendations tab.
Check for the recommendation “Endpoint protection should be installed on your virtual machines.”
Open any listed non-compliant VM and verify whether an endpoint protection agent (for example, Microsoft Defender for Endpoint) is installed and reporting as Healthy.
If endpoint protection is not configured, follow the Implementation Steps to remediate.
Implementation steps:
Log in to the Microsoft Azure Portal at https://portal.azure.com.
Navigate to Microsoft Defender for Cloud.
Under Management, select Environment settings from the left menu.
Choose the appropriate Subscription.
Open Defender plans.
Set Microsoft Defender for Servers to On and save the configuration.
Return to Microsoft Defender for Cloud.
Select Inventory.
Filter the inventory by setting Resource type to Virtual machines.
Select a virtual machine with an Unhealthy status.
Open the Recommendations tab.
Locate the recommendation “Endpoint protection should be installed on your virtual machines.”
Select the affected virtual machine.
Select Fix or Install agent if the option is available.
If automatic installation is not available, open the virtual machine, select Extensions + applications, and install Microsoft Defender for Endpoint or an approved antivirus agent.
Allow time for the endpoint protection agent to install and begin reporting.
Return to Microsoft Defender for Cloud and verify the virtual machine status changes to Healthy.
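The Test Plan and Implementation steps above are portal click-paths. The following Python script, added here as an example and not part of the original check, performs the same verification offline against an exported extension inventory, so the same logic can be used both to run the check and to confirm that remediation took effect. It assumes the per-VM input is shaped like the JSON returned by `az vm extension list` (the sample inventory below is constructed; VM names and versions are made up), that Microsoft Defender for Endpoint arrives as the MDE.Windows / MDE.Linux extensions from publisher Microsoft.Azure.AzureDefenderForServers or the legacy IaaSAntimalware extension, and that the extension-type field is named as noted in the comments. Approved third-party agents must be added to the identifier set by the operator.

```python
import json

# Extension (publisher, type) pairs treated as endpoint protection, compared
# case-insensitively. MDE.Windows / MDE.Linux are the Defender for Endpoint
# extensions deployed by Defender for Servers; IaaSAntimalware is the legacy
# Microsoft Antimalware extension. Approved third-party agents must be added
# here (assumption: each organisation maintains its own approved list).
ENDPOINT_PROTECTION_EXTENSIONS = {
    ("microsoft.azure.azuredefenderforservers", "mde.windows"),
    ("microsoft.azure.azuredefenderforservers", "mde.linux"),
    ("microsoft.azure.security", "iaasantimalware"),
}


def extension_type(ext):
    """Return the extension's type name, lower-cased.

    Assumption: az CLI emits the extension type as 'typePropertiesType' in
    current versions and 'virtualMachineExtensionType' in older ones.
    """
    for key in ("typePropertiesType", "virtualMachineExtensionType"):
        if ext.get(key):
            return ext[key].lower()
    return ""


def evaluate_vm(extensions):
    """Classify one VM from its extension list.

    Returns (status, detail). status is 'Healthy' only when an endpoint
    protection extension is installed and its provisioning succeeded; an
    extension that is present but failed to provision is still 'Unhealthy',
    because the agent is not reporting in that state.
    """
    for ext in extensions:
        pair = (ext.get("publisher", "").lower(), extension_type(ext))
        if pair not in ENDPOINT_PROTECTION_EXTENSIONS:
            continue
        state = ext.get("provisioningState")
        if state == "Succeeded":
            return "Healthy", f"{ext.get('name')} provisioned"
        return "Unhealthy", f"{ext.get('name')} present but provisioningState={state}"
    return "Unhealthy", "no endpoint protection extension installed"


def audit(inventory):
    """Map each VM name in the inventory to its (status, detail) pair."""
    return {vm: evaluate_vm(exts) for vm, exts in inventory.items()}


def noncompliant(inventory):
    """Names of VMs that would be listed under the Defender recommendation."""
    return sorted(vm for vm, (status, _) in audit(inventory).items()
                  if status != "Healthy")


# Constructed sample in the shape of `az vm extension list -o json` output,
# one list per VM (names and versions are made up for this example).
SAMPLE_INVENTORY = json.loads("""
{
  "web-01": [
    {"name": "MDE.Windows", "publisher": "Microsoft.Azure.AzureDefenderForServers",
     "typePropertiesType": "MDE.Windows", "typeHandlerVersion": "1.0",
     "provisioningState": "Succeeded"}
  ],
  "app-02": [
    {"name": "MDE.Linux", "publisher": "Microsoft.Azure.AzureDefenderForServers",
     "virtualMachineExtensionType": "MDE.Linux", "typeHandlerVersion": "1.0",
     "provisioningState": "Failed"}
  ],
  "db-03": [
    {"name": "CustomScript", "publisher": "Microsoft.Azure.Extensions",
     "typePropertiesType": "CustomScript", "typeHandlerVersion": "2.1",
     "provisioningState": "Succeeded"}
  ],
  "legacy-04": [
    {"name": "IaaSAntimalware", "publisher": "Microsoft.Azure.Security",
     "typePropertiesType": "IaaSAntimalware", "typeHandlerVersion": "1.5",
     "provisioningState": "Succeeded"}
  ]
}
""")

if __name__ == "__main__":
    for vm, (status, detail) in audit(SAMPLE_INVENTORY).items():
        print(f"{vm:10} {status:9} {detail}")
    print("Non-compliant:", ", ".join(noncompliant(SAMPLE_INVENTORY)) or "none")
```

The Healthy / Unhealthy assessment shown in Microsoft Defender for Cloud remains the authoritative result; this script is a quick triage over exported inventory that flags the two failure modes the portal steps look for, no agent at all and an agent that is installed but not provisioned, before and after applying the Implementation steps.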
Backout Plan:
Log in to the Microsoft Azure Portal at https://portal.azure.com.
Navigate to Microsoft Defender for Cloud.
Select Environment settings.
Choose the affected Subscription.
Open Defender plans.
Set Microsoft Defender for Servers to Off if the service was recently enabled and is causing instability.
Save the configuration.
Return to Microsoft Defender for Cloud.
Select Inventory and identify the affected virtual machines.
Navigate to Virtual machines and open the impacted virtual machine.
Select Extensions + applications.
Locate the installed endpoint protection extension.
Select the extension and choose Uninstall.
Restart the virtual machine if required to complete the rollback.
References:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/
https://docs.microsoft.com/en-us/azure/security-center/overview
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/
