Commit 96e326f

Learn Editor: Update defender-for-storage-malware-scan.md
1 parent 2cd540a commit 96e326f

1 file changed

+12
-0
lines changed

articles/defender-for-cloud/defender-for-storage-malware-scan.md

Lines changed: 12 additions & 0 deletions
@@ -206,6 +206,18 @@ Upon uploading a blob to the storage account, the malware scanning initiates an
206206

207207
Despite the scanning process, access to uploaded data remains unaffected, and the impact on storage Input/Output Operations Per Second (IOPS) is minimal.
208208

209+
### Limitations compared to Microsoft Defender for Endpoint
210+
211+
Defender for Storage utilizes the same antimalware engine and up-to-date signatures as Defender for Endpoint to scan for malware. However, when files are uploaded to Azure Storage, they lack certain metadata that the antimalware engine depends on. This lack of metadata can lead to a higher rate of missed detections, known as 'false negatives', in Azure Storage compared to those detected by Defender for Endpoint.
212+
213+
The following are some examples of missing metadata:
214+
215+
- **Mark of the Web (MOTW)**: MOTW is a Windows security feature that tracks files downloaded from the internet. However, when files are uploaded to Azure Storage, this metadata is not preserved.
216+
217+
- **File path context**: On standard operating systems, the file path can provide additional context for threat detection. For example, a file trying to modify system locations (e.g., C:\Windows\System32) would be flagged as suspicious, and be subject to further analysis. In Azure Storage, the context of specific file paths within the blob cannot be utilized in the same way.
218+
219+
- **Behavioral data**: Defender for Storage analyzes the contents of files without running them. It inspects the files and may emulate their execution to check for malware. However, this approach may not detect certain types of malware that reveal their malicious nature only during execution.
220+
209221
## Next steps
210222

211223
Learn more on how to [set up response for malware scanning](defender-for-storage-configure-malware-scan.md#setting-up-response-to-malware-scanning) results.
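
Review bot: The "Behavioral data" bullet (new line 219) does not fit the lead-in on line 213, "The following are some examples of missing metadata". That bullet describes a limit of scanning content without running it, not metadata that is lost on upload. Either change the lead-in to cover both cases (for example, "missing metadata and context") or move the behavioral point into its own sentence after the list. The "File path context" bullet (217) has a similar mismatch: its example, "a file trying to modify system locations", describes what a file does at run time rather than where the file is stored, so it reads as another behavioral signal. An example based on the file's own location would match the bullet's heading better. Two style points: `C:\Windows\System32` should be in code formatting so the backslashes render reliably in Markdown, and the closing clause on line 211, "compared to those detected by Defender for Endpoint", compares missed detections with detections. "than with Defender for Endpoint" would read more cleanly.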
