last sync: 2024-Nov-25 18:54:24 UTC

Microsoft Managed Control 1678 - Malicious Code Protection | Regulatory Compliance - System and Information Integrity

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1678 - Malicious Code Protection
Id dd533cb0-b416-4be7-8e86-4d154824dfd7
Version 1.0.0
Details on versioning
Versioning Versions supported for Versioning: 0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description Microsoft implements this System and Information Integrity control
Additional metadata Name/Id: ACF1678 / Microsoft Managed Control 1678
Category: System and Information Integrity
Title: Malicious Code Protection - Periodic And Real-Time Scans
Ownership: Customer, Microsoft
Description: The organization: Configures malicious code protection mechanisms to: Perform periodic scans of the information system weekly and real-time scans of files from external sources at all hosts as the files are downloaded, opened, or executed in accordance with organizational security policy; and block malicious code, quarantine malicious code, alert Microsoft Azure service team personnel, Microsoft Azure Security, and/or C+AI Security in response to malicious code detection; and
Requirements: Servers: The following functions are centrally managed by the appropriate anti-malware tool on each endpoint for each service team: * Periodic scans at least weekly * Real-time scans of files as they are downloaded, opened, or executed When Windows anti-malware tools detect malware, they block the malware and an alert is generated and sent to Azure service teams, Azure Security, and/or C+AI Security. The receiving personnel initiate the incident management process. Incidents, including false positives, are tracked and resolved, and post-mortem analysis is performed. Customers including government customers and US-CERT are notified as required by the incident management processes. For Linux operating systems, Azure uses ClamAV to identify the characteristics and behavior of malicious code. ClamAV does not auto-remediate the malware. Instead, Microsoft Threat Intelligence Center (MSTIC) detections are used to analyze commands generated as part of process activity to look for anomalous activity. Response to anti-malware detections are handled by a combination of the service teams for those detections that autoroute to the service owners and the Cyber Defense Operating Center (CDOC) who reviews detections for anomalous activity.The anti-malware protection software ClamAV for Linux servers is currently not configured with on-access scanning enabled. As such, real-time scanning and protections for Linux services are not provided. To mitigate against the risk of enabling malicious files to be permitted to be copied or installed on Linux servers and remain there until found by the weekly scans, Azure has implemented strong access management controls, traffic flow restrictions, and system-level monitoring that are in place for all Azure servers including Linux. Network Devices Network devices do not natively support anti-malware software, but are protected through a combination of the server-based anti-malware software and the secure coding practices required by the Security Development Lifecycle (SDL), configuration management and control, supply chain processes, and in-depth logging and monitoring.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed
audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance Not a Compliance control
Initiatives usage none
History none
JSON compare n/a
JSON
api-version=2021-06-01
EPAC