
Commit 2258ffc

update
1 parent 2edd767 commit 2258ffc


2 files changed

+72
-30
lines changed

articles/security/fundamentals/antimalware-code-samples.md

Lines changed: 15 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -13,8 +13,17 @@ ms.date: 09/25/2024
1313
ms.author: mbaldwin
1414
ms.custom: devx-track-azurepowershell, devx-track-arm-template
1515
---
16-
# Enable and configure Microsoft Antimalware for Azure Resource Manager VMs
17-
You can enable and configure Microsoft Antimalware for Azure Resource Manager VMs. This article provides code samples using PowerShell cmdlets.
16+
17+
# Code samples to enable and configure Microsoft Antimalware for Azure
18+
19+
This article provides PowerShell code samples to enable and configure Microsoft Antimalware for different Azure services including:
20+
21+
- Azure Resource Manager VMs
22+
- Azure Service Fabric Clusters
23+
- Azure Cloud Services using Extended Support
24+
- Azure Arc-enabled servers
25+
26+
You can use these samples to deploy and configure the Microsoft Antimalware extension across your Azure environments.
1827

1928
## Deploy Microsoft Antimalware on Azure Resource Manager VMs
2029

@@ -220,4 +229,7 @@ New-AzConnectedMachineExtension -Name "IaaSAntimalware" -ResourceGroupName $reso
220229
```
221230

222231
## Next steps
223-
Learn more about [Microsoft Antimalware](antimalware.md) for Azure.
232+
233+
- [Microsoft Antimalware for Azure Cloud Services and Virtual Machines](antimalware.md)
234+
- [Microsoft Defender for Cloud](/azure/defender-for-cloud/)
235+
- [Microsoft Defender for Cloud - Microsoft Antimalware](/azure/defender-for-cloud/antimalware)
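Review bot: The first bullet at 233+ links to antimalware.md with the text "Microsoft Antimalware for Azure Cloud Services and Virtual Machines", while this commit changes that page's H1 to "... Virtual Machines (VMs)"; use the same title in both places so the link text matches the destination. The two Defender for Cloud links at 234+ and 235+ are new to both pages and nothing in the diff shows their targets; please confirm `/azure/defender-for-cloud/antimalware` resolves before merge.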

articles/security/fundamentals/antimalware.md

Lines changed: 57 additions & 27 deletions
@@ -1,6 +1,6 @@
11
---
22
title: Microsoft Antimalware for Azure | Microsoft Docs
3-
description: Learn about Microsoft Antimalware for Azure Cloud Services and Virtual Machines. See information about topics like architecture and deployment scenarios.
3+
description: Learn about Microsoft Antimalware for Azure Cloud Services and Virtual Machines. See information about architecture and deployment scenarios.
44
services: security
55
author: msmbaldwin
66
manager: rkarlin
@@ -12,11 +12,12 @@ ms.topic: article
1212
ms.date: 04/24/2025
1313
ms.author: mbaldwin
1414
---
15-
# Microsoft Antimalware for Azure Cloud Services and Virtual Machines
15+
16+
# Microsoft Antimalware for Azure Cloud Services and Virtual Machines (VMs)
1617

1718
Microsoft Antimalware for Azure is a free real-time protection that helps identify and remove viruses, spyware, and other malicious software. It generates alerts when known malicious or unwanted software tries to install itself or run on your Azure systems.
1819

19-
The solution is built on the same antimalware platform as Microsoft Security Essentials (MSE), Microsoft Forefront Endpoint Protection, Microsoft System Center Endpoint Protection, Microsoft Intune, and Microsoft Defender for Cloud. Microsoft Antimalware for Azure is a single-agent solution for applications and tenant environments, designed to run in the background without human intervention. Protection may be deployed based on the needs of application workloads, with either basic secure-by-default or advanced custom configuration, including antimalware monitoring.
20+
The solution is built on the same antimalware platform as Microsoft Security Essentials (MSE), Microsoft Forefront Endpoint Protection, Microsoft System Center Endpoint Protection, Microsoft Intune, and Microsoft Defender for Cloud. Microsoft Antimalware for Azure is a single-agent solution for applications and tenant environments, designed to run in the background without human intervention. Protection can be deployed based on the needs of application workloads, with either basic secure-by-default or advanced custom configuration, including antimalware monitoring.
2021

2122
When you deploy and enable Microsoft Antimalware for Azure for your applications, the following core features are available:
2223

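Review bot: The H1 at 16+ gains "(VMs)", but the `title:` front matter in the previous hunk ("Microsoft Antimalware for Azure | Microsoft Docs") and the cross-link text added to antimalware-code-samples.md (233+) are not updated to match; either apply the suffix consistently or leave the H1 as it was. `ms.date: 04/24/2025` on the unchanged context line 12 should also be refreshed, since this commit restructures the Architecture section and rewords the Remove section.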
@@ -36,16 +37,35 @@ When you deploy and enable Microsoft Antimalware for Azure for your applications
3637
3738
## Architecture
3839

39-
Microsoft Antimalware for Azure includes the Microsoft Antimalware Client and Service, Antimalware classic deployment model, Antimalware PowerShell cmdlets, and Azure Diagnostics Extension. Microsoft Antimalware is supported on Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 operating system families. It isn't supported on the Windows Server 2008 operating system, and also isn't supported in Linux.
40+
## Architecture
41+
42+
Microsoft Antimalware for Azure consists of several components:
43+
- The Microsoft Antimalware Client and Service
44+
- Antimalware classic deployment model
45+
- Antimalware PowerShell cmdlets
46+
- Azure Diagnostics Extension
47+
48+
### Platform Support and Deployment
49+
50+
**Virtual Machines:**
51+
- Not installed by default
52+
- Available as an optional security extension through the Azure portal or Visual Studio Virtual Machine configuration
53+
- Supported on Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2
54+
- Not supported on Windows Server 2008 and Linux operating systems
4055

41-
The Microsoft Antimalware Client and Service is installed by default in a disabled state in all supported Azure guest operating system families in the Cloud Services platform. The Microsoft Antimalware Client and Service isn't installed by default in the Virtual Machines platform and is available as an optional feature through the Azure portal and Visual Studio Virtual Machine configuration under Security Extensions.
56+
**Cloud Services:**
57+
- Installed by default in a disabled state on all supported Azure guest operating systems
58+
- Requires explicit activation to protect your cloud service
4259

43-
When using Azure App Service on Windows, the underlying service that hosts the web app has Microsoft Antimalware enabled on it. This is used to protect Azure App Service infrastructure and does not run on customer content.
60+
**Azure App Service:**
61+
- Enabled on the underlying service hosting Windows-based web apps
62+
- Limited to protecting Azure App Service infrastructure only, not customer content
63+
- Not sufficient for complete web application security (implement more security controls as outlined in the [Azure Web Application Security Best Practices](/azure/app-service/security-baseline))
4464

4565
> [!NOTE]
4666
> Microsoft Defender Antivirus is the built-in Antimalware enabled in Windows Server 2016 and above.
47-
> The Azure VM Antimalware extension can still be added to a Windows Server 2016 and above Azure VM with Microsoft Defender Antivirus. In this scenario, the extension applies any optional [configuration policies](antimalware.md#default-and-custom-antimalware-configuration) to be used by Microsoft Defender Antivirus The extension does not deploy any other antimalware services.
48-
> For more information, see the [Samples](antimalware.md#samples) section of this article for more details.
67+
> The Azure VM Antimalware extension can still be added to a Windows Server 2016 and above Azure VM with Microsoft Defender Antivirus. In this scenario, the extension applies any optional [configuration policies](antimalware.md#default-and-custom-antimalware-configuration) to be used by Microsoft Defender Antivirus. The extension does not deploy any other antimalware services.
68+
> For more information about Microsoft Defender Antivirus, see [Code samples to enable and configure Microsoft Antimalware for Azure](antimalware-code-samples.md).
4969
5070
### Microsoft antimalware workflow
5171

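Review bot: This hunk leaves two consecutive `## Architecture` headings: the context line 37/38 already carries the heading and 40+ adds it again right after the blank line, so drop the one at 40+. Two of the rewrites also say more than the removed text did. The note at 68+ now reads "For more information about Microsoft Defender Antivirus, see [Code samples ...]", but that page holds extension configuration samples, not Defender Antivirus documentation; keep the original sense, e.g. "For more information about the extension's configuration, see ...". The bullet at 63+ gives the link text "Azure Web Application Security Best Practices" to `/azure/app-service/security-baseline`, which by its path is a security-baseline page; either change the link text to match the target or point it at the best-practices article. Finally, the supported-OS list at 53+/54+ now sits under "Virtual Machines:" only, whereas the removed paragraph at 39- stated it for Microsoft Antimalware in general; confirm that narrowing is intended.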
@@ -56,9 +76,15 @@ The Azure service administrator can enable Antimalware for Azure with a default
5676
* Virtual Machines and Cloud Services - Using the Antimalware [classic deployment model](/previous-versions/azure/ee460799(v=azure.100))
5777
* Virtual Machines and Cloud Services - Using Antimalware PowerShell cmdlets
5878

59-
The Azure portal or PowerShell cmdlets push the Antimalware extension package file to the Azure system at a predetermined fixed location. The Azure Guest Agent (or the Fabric Agent) launches the Antimalware Extension, applying the Antimalware configuration settings supplied as input. This step enables the Antimalware service with either default or custom configuration settings. If no custom configuration is provided, then the antimalware service is enabled with the default configuration settings. For more information, see the [Samples](antimalware.md#samples) section of this article for more details..
79+
The Azure portal or PowerShell cmdlets push the Antimalware extension package file to the Azure system at a predetermined fixed location. The Azure Guest Agent (or the Fabric Agent) launches the Antimalware Extension, applying the Antimalware configuration settings supplied as input. This step enables the Antimalware service with either default or custom configuration settings. If no custom configuration is provided, then the antimalware service is enabled with the default configuration settings. For more information about Antimalware configuration, see [Code samples to enable and configure Microsoft Antimalware for Azure](antimalware-code-samples.md).
6080

61-
Once running, the Microsoft Antimalware client downloads the latest protection engine and signature definitions from the Internet and loads them on the Azure system. The Microsoft Antimalware service writes service-related events to the system OS events log under the "Microsoft Antimalware" event source. Events include the Antimalware client health state, protection and remediation status, new and old configuration settings, engine updates and signature definitions, and others.
81+
After initialization, the Microsoft Antimalware client automatically retrieves the latest protection engine and signature definitions from the Internet and applies them to your Azure system. The service logs all activity to the operating system event log under the "Microsoft Antimalware" event source. These logs include information about:
82+
83+
* Client health status
84+
* Protection and remediation activities
85+
* Configuration changes
86+
* Engine and signature definition updates
87+
* Other operational events
6288

6389
You can enable Antimalware monitoring for your Cloud Service or Virtual Machine to have the Antimalware event log events written as they're produced to your Azure storage account. The Antimalware Service uses the Azure Diagnostics extension to collect Antimalware events from the Azure system into tables in the customer's Azure Storage account.
6490

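Review bot: "The service logs all activity to the operating system event log" at 81+ overstates what the removed line 61- said, which was that the service writes "service-related events" under the "Microsoft Antimalware" event source; "all activity" reads as a promise of full audit logging that the text does not otherwise support. Suggest "The service writes service-related events to the operating system event log under the "Microsoft Antimalware" event source. These events include:" and keep the new bullet list at 83+ to 87+. The removal of the double period at 79+ is correct.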
@@ -67,13 +93,11 @@ The deployment workflow including configuration steps and options supported for
6793
![Microsoft Antimalware in Azure](./media/antimalware/sec-azantimal-fig1.PNG)
6894

6995
> [!NOTE]
70-
> You can however use PowerShell/APIs and Azure Resource Manager templates to deploy Virtual Machine Scale Sets with the Microsoft Anti-Malware extension. For installing an extension on an already running Virtual Machine, you can use the sample Python script [vmssextn.py](https://github.com/gbowerman/vmsstools#vmssextn). This script gets the existing extension config on the Scale Set and adds an extension to the list of existing extensions on the VM Scale Sets.
71-
>
72-
>
96+
> You can however use PowerShell/APIs and Azure Resource Manager templates to deploy Virtual Machine Scale Sets with the Microsoft Anti-Malware extension. For installing an extension on an already running Virtual Machine, you can use the sample Python script [vmssextn.py](https://github.com/gbowerman/vmsstools#vmssextn). This script gets the existing extension config on the Scale Set and adds an extension to the list of existing extensions on the Azure Virtual Machines Scale Sets.
7397
7498
### Default and Custom Antimalware Configuration
7599

76-
The default configuration settings are applied to enable Antimalware for Azure Cloud Services or Virtual Machines when you don't provide custom configuration settings. The default configuration settings have been pre-optimized for running in the Azure environment. Optionally, you can customize these default configuration settings as required for your Azure application or service deployment and apply them for other deployment scenarios.
100+
The default configuration settings are applied to enable Antimalware for Azure Cloud Services or Virtual Machines when you don't provide custom configuration settings. The default configuration settings are preoptimized for running in the Azure environment. Optionally, you can customize these default configuration settings as required for your Azure application or service deployment and apply them for other deployment scenarios.
77101

78102
The following table summarizes the configuration settings available for the Antimalware service. The default configuration settings are marked under the column labeled "Default."
79103

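Review bot: At 96+ the note now ends with "the Azure Virtual Machines Scale Sets"; the product name is "Azure Virtual Machine Scale Sets" (singular "Machine"), and the shorter "VM Scale Sets" in the removed line 70- was already fine. The same line still spells the extension "Microsoft Anti-Malware" while the rest of the file uses "Antimalware"; since the line is being touched anyway, normalize it. Removing the two trailing empty `>` lines at 71-/72- is a good cleanup.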
@@ -120,18 +144,18 @@ To enable and configure the Microsoft Antimalware service using Visual Studio:
120144

121145
3. Right-click **configure** to view the Virtual Machine configuration page
122146

123-
4. Select **Microsoft Antimalware** extension from the dropdown list under **Installed Extensions** and click **Add** to configure with default antimalware configuration.
147+
4. Select **Microsoft Antimalware** extension from the dropdown list under **Installed Extensions** and select **Add** to configure with default antimalware configuration.
124148
![Installed extensions](./media/antimalware/sec-azantimal-fig6.PNG)
125-
5. To customize the default Antimalware configuration, select (highlight) the Antimalware extension in the installed extensions list and click **Configure**.
149+
5. To customize the default Antimalware configuration, select (highlight) the Antimalware extension in the installed extensions list and select **Configure**.
126150

127-
6. Replace the default Antimalware configuration with your custom configuration in supported JSON format in the **public configuration** textbox and click OK.
151+
6. Replace the default Antimalware configuration with your custom configuration in supported JSON format in the **public configuration** textbox and select OK.
128152

129-
7. Click the **Update** button to push the configuration updates to your Virtual Machine.
153+
7. Select the **Update** button to push the configuration updates to your Virtual Machine.
130154

131155
![Virtual Machine configuration extension](./media/antimalware/sec-azantimal-fig7.PNG)
132156

133157
> [!NOTE]
134-
>The Visual Studio Virtual Machines configuration for Antimalware supports only JSON format configuration. For more information, see the [Samples](antimalware.md#samples) section of this article for more details.
158+
> The Visual Studio Virtual Machines configuration for Antimalware supports only JSON format configuration. For more information about sample configurations, see [Code samples to enable and configure Microsoft Antimalware for Azure](antimalware-code-samples.md).
135159
136160
#### Deployment Using PowerShell cmdlets
137161

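Review bot: In the step at 151+, "select OK" leaves the button name unbolded while every other control in these steps (**Add**, **Configure**, **Update**) is bold; make it "select **OK**". The Click to Select wording changes and the space added after `>` at 158+ look right.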
@@ -143,7 +167,7 @@ To enable and configure Microsoft Antimalware using PowerShell cmdlets:
143167
2. Use the [Set-AzureVMMicrosoftAntimalwareExtension](/powershell/module/servicemanagement/azure/set-azurevmmicrosoftantimalwareextension) cmdlet to enable and configure Microsoft Antimalware for your Virtual Machine.
144168

145169
> [!NOTE]
146-
>The Azure Virtual Machines configuration for Antimalware supports only JSON format configuration. For more information, see the [Samples](antimalware.md#samples) section of this article for more details.
170+
>The Azure Virtual Machines configuration for Antimalware supports only JSON format configuration. For more information about sample configurations, see [Code samples to enable and configure Microsoft Antimalware for Azure](antimalware-code-samples.md).
147171
148172
### Enable and Configure Antimalware Using PowerShell cmdlets
149173

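Review bot: Line 170+ still begins `>The Azure Virtual Machines configuration ...` with no space after `>`, which the previous hunk fixed for the near-identical note at 158+; apply the same fix here so the two notes render consistently.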
@@ -154,7 +178,7 @@ To enable and configure Microsoft Antimalware using PowerShell cmdlets:
154178
1. Set up your PowerShell environment - Refer to the documentation at <https://github.com/Azure/azure-powershell>
155179
2. Use the [Set-AzureServiceExtension](/powershell/module/servicemanagement/azure/set-azureserviceextension) cmdlet to enable and configure Microsoft Antimalware for your Cloud Service.
156180

157-
For more information, see the [Samples](antimalware.md#samples) section of this article for more details.
181+
For more information about sample PowerShell commands, see [Code samples to enable and configure Microsoft Antimalware for Azure](antimalware-code-samples.md).
158182

159183
### Cloud Services and Virtual Machines - Configuration Using PowerShell cmdlets
160184

@@ -170,7 +194,7 @@ To retrieve the Microsoft Antimalware configuration using PowerShell cmdlets:
170194

171195
### Remove Antimalware Configuration Using PowerShell cmdlets
172196

173-
An Azure application or service can remove the Antimalware configuration and any associated Antimalware monitoring configuration from the relevant Azure Antimalware and diagnostics service extensions associated with the Cloud Service or Virtual Machine.
197+
An Azure application or service can completely remove Microsoft Antimalware protection by uninstalling the relevant extensions from your Cloud Services or Virtual Machines. This process removes both the antimalware protection and associated monitoring settings, completely discontinuing malware protection and event collection for the specified resources.
174198

175199
To remove Microsoft Antimalware using PowerShell cmdlets:
176200

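Review bot: The rewrite at 197+ says uninstalling the extensions is "completely discontinuing malware protection" for the resource, which contradicts the note earlier in this file (67+): on Windows Server 2016 and later the extension only applies optional configuration to the built-in Microsoft Defender Antivirus, so removing it does not remove malware protection there. The section heading (`### Remove Antimalware Configuration Using PowerShell cmdlets`) and the removed line 173- describe removing the configuration and monitoring settings, which is the scope the cmdlets in this section actually have; keep that scope, and drop "completely", which appears twice across the two sentences.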
@@ -180,28 +204,30 @@ To remove Microsoft Antimalware using PowerShell cmdlets:
180204

181205
To **enable** antimalware event collection for a virtual machine using the Azure Preview Portal:
182206

183-
1. Click any part of the Monitoring lens in the Virtual Machine blade
184-
2. Click the Diagnostics command on Metric blade
207+
1. Select any part of the Monitoring section in the Virtual Machine details page
208+
2. Select the Diagnostics command in the Metrics section
185209
3. Select **Status** ON and check the option for Windows event system
186-
4. . You can choose to uncheck all other options in the list, or leave them enabled per your application service needs.
210+
4. You can choose to uncheck all other options in the list, or leave them enabled per your application service needs.
187211
5. The Antimalware event categories "Error", "Warning", "Informational", etc., are captured in your Azure Storage account.
188212

189213
Antimalware events are collected from the Windows event system logs to your Azure Storage account. You can configure the Storage Account for your Virtual Machine to collect Antimalware events by selecting the appropriate storage account.
190214

191215
![Metrics and diagnostics](./media/antimalware/sec-azantimal-fig8.PNG)
192216

193217
### Enable and configure Antimalware using PowerShell cmdlets for Azure Resource Manager VMs
218+
194219
To enable and configure Microsoft Antimalware for Azure Resource Manager VMs using PowerShell cmdlets:
195220

196221
1. Set up your PowerShell environment using this [documentation](https://github.com/Azure/azure-powershell) on GitHub.
197222
2. Use the [Set-AzVMExtension](/powershell/module/az.compute/set-azvmextension) cmdlet to enable and configure Microsoft Antimalware for your VM.
198223

199224
The following code samples are available:
200225

201-
- [Deploy Microsoft Antimalware on ARM VMs](antimalware-code-samples.md#enable-and-configure-microsoft-antimalware-for-azure-resource-manager-vms)
226+
- [Deploy Microsoft Antimalware on ARM template VMs](antimalware-code-samples.md#enable-and-configure-microsoft-antimalware-for-azure-resource-manager-vms)
202227
- [Add Microsoft Antimalware to Azure Service Fabric Clusters](antimalware-code-samples.md#add-microsoft-antimalware-to-azure-service-fabric-clusters)
203228

204229
### Enable and configure Antimalware to Azure Cloud Service Extended Support (CS-ES) using PowerShell cmdlets
230+
205231
To enable and configure Microsoft Antimalware using PowerShell cmdlets:
206232

207233
1. Set up your PowerShell environment - Refer to the documentation at <https://github.com/Azure/azure-powershell>
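Review bot: The steps at 207+/208+ swap "lens"/"blade" for "section"/"details page", but the introductory context line 181/205 still says "using the Azure Preview Portal"; update that to "Azure portal" in the same pass, otherwise the steps describe the current portal under the name of a preview that no longer exists. At 226+ "Deploy Microsoft Antimalware on ARM template VMs" is misleading: ARM is Azure Resource Manager, and the target section covers Azure Resource Manager VMs in general, not only template-deployed ones; spell out "Azure Resource Manager VMs" as the removed line 201- effectively did, and re-check the `#enable-and-configure-...` fragment, since the heading it pointed at is renamed in this commit.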
@@ -212,6 +238,7 @@ The following code sample is available:
212238
- [Add Microsoft Antimalware to Azure Cloud Service using Extended Support(CS-ES)](antimalware-code-samples.md#add-microsoft-antimalware-to-azure-cloud-service-using-extended-support)
213239

214240
### Enable and configure Antimalware using PowerShell cmdlets for Azure Arc-enabled servers
241+
215242
To enable and configure Microsoft Antimalware for Azure Arc-enabled servers using PowerShell cmdlets:
216243

217244
1. Set up your PowerShell environment using this [documentation](https://github.com/Azure/azure-powershell) on GitHub.
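Review bot: The context line 212/238 reads "Extended Support(CS-ES)" with no space before the parenthesis; since this hunk adds the blank line at 241+ just below it, fix the spacing in the same edit. The blank lines added after the `###` headings here and in the previous hunk (218+, 230+, 241+) are a good consistency fix.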
@@ -222,4 +249,7 @@ The following code samples are available:
222249
- [Add Microsoft Antimalware for Azure Arc-enabled servers](antimalware-code-samples.md#add-microsoft-antimalware-for-azure-arc-enabled-servers)
223250

224251
## Next steps
225-
See [code samples](antimalware-code-samples.md) to enable and configure Microsoft Antimalware for Azure Resource Manager (ARM) virtual machines.
252+
253+
- [Code samples to enable and configure Microsoft Antimalware for Azure](antimalware-code-samples.md)
254+
- [Microsoft Defender for Cloud](/azure/defender-for-cloud/)
255+
- [Microsoft Defender for Cloud - Microsoft Antimalware](/azure/defender-for-cloud/antimalware)
