Commit 967784b

Merge pull request #274346 from Eitan-Shteinberg/docs-editor/defender-for-storage-malware-s-1714982001
Update defender-for-storage-malware-scan.md
2 parents 04c691e + 3c0fb6e commit 967784b

1 file changed: +3 -1 lines changed

articles/defender-for-cloud/defender-for-storage-malware-scan.md

Lines changed: 3 additions & 1 deletion
@@ -64,8 +64,10 @@ You can [enable and configure Malware Scanning at scale](tutorial-enable-storage
6464

6565
#### On-upload triggers
6666

67-
When a blob is uploaded to a protected storage account - a malware scan is triggered. All upload methods trigger the scan. Modifying a blob is an upload operation and therefore the modified content is scanned after the update.
67+
Malware scans are triggered in a protected storage account by any operation that results in a `BlobCreated` event, as specified in the [Azure Blob Storage as an Event Grid source](/azure/event-grid/event-schema-blob-storage?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&tabs=cloud-event-schema) page. These operations include the initial uploading of new blobs, overwriting existing blobs, and finalizing changes to blobs through specific operations. Finalizing operations might involve `PutBlockList`, which assembles block blobs from multiple blocks, or `FlushWithClose`, which commits data appended to a blob in Azure Data Lake Storage Gen2.
6868

69+
> [!NOTE]
70+
> Incremental operations such as `AppendFile` in Azure Data Lake Storage Gen2 and `PutBlock` in Azure BlockBlob, which allow data to be added without immediate finalization, do not trigger a malware scan on their own. A malware scan is initiated only when these additions are officially committed: `FlushWithClose` commits and finalizes `AppendFile` operations, triggering a scan, and `PutBlockList` commits blocks in BlockBlob, initiating a scan. Understanding this distinction is critical for managing scanning costs effectively, as each commit can lead to a new scan and potentially increase expenses due to multiple scans of incrementally updated data.
6971
#### Scan regions and data retention
7072

7173
The malware scanning service that uses Microsoft Defender Antivirus technologies reads the blob. Malware Scanning scans the content "in-memory" and deletes scanned files immediately after scanning. The content isn't retained. The scanning occurs within the same region of the storage account. In some cases, when a file is suspicious, and more data is required, Malware Scanning might share file metadata outside the scanning region, including metadata classified as customer data (for example, SHA-256 hash), with Microsoft Defender for Endpoint.
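
Review bot: In the added paragraph at line 67, "finalizing changes to blobs through specific operations" and "Finalizing operations might involve `PutBlockList` ... or `FlushWithClose`" leave the set of scan triggers open-ended, whereas the sentence it replaces gave a flat guarantee ("All upload methods trigger the scan"). Readers use this section to judge whether content can land in a protected account without being scanned, so state the two commit operations definitively and say whether the list is exhaustive or whether the linked Event Grid page is the authoritative list of `BlobCreated` sources. The note at line 70 would also read more clearly if it said outright that data written with `AppendFile` or `PutBlock` stays unscanned until the commit, and it uses "Azure BlockBlob" where line 67 says "block blobs", so pick one term. "Officially committed" can be just "committed".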
