Azure App Services Antimalware? - azure

Having read
"The Microsoft Antimalware Client and Service is installed by default in a disabled state in all supported Azure guest operating system families in the Cloud Services platform.
...
When using Azure Websites, the underlying service that hosts the web app has Microsoft Antimalware enabled on it. This is used to protect Azure Websites infrastructure and does not run on customer content."
here: https://learn.microsoft.com/en-us/azure/security/azure-security-antimalware
it appears that although the underlying execution environment is scanned and protected, nothing prevents the deployment of infected files (contrary to the response given here: https://stackoverflow.com/a/44805995/8354791).
And therefore the service needs to be enabled.
It also appears this can only be done via PowerShell, using the Set-AzureServiceAntimalwareExtension command, as per https://stackoverflow.com/a/25847270/8354791 and "Powershell: Add Diagnostics/Antimalware to Azure PaaS Cloud Service using ExtensionConfiguration Parameter"
Q: the link is a bit old (2015). Is PowerShell still the only way to turn on debugging for an App Service?
Q: is the analysis of the above text correct that MS is scanning its own environment, but excludes the scanning of files deployed to their services?
Q: is there a cost to enabling this service?
Q: What is the relationship to Malware Assessment (https://learn.microsoft.com/en-us/azure/log-analytics/log-analytics-malware)? Is that a more current way of scanning Web Apps?
Q: this is a manual approach, using PowerShell. Is there a link to understanding how to enable this service using a CI/CD deployed ARM template?
Q: I see this service is mentioned as a solution for scanning deployed code files -- but can this service be used to scan Blobs where uploaded media would be stored?
I know I've asked a lot of questions...but hopefully you agree they are all tightly related...
Thanks immensely!

Azure App Service is a managed platform. Microsoft Antimalware Client and Service is enabled by default on App Service instances; there is no user action that allows enabling/disabling this feature for apps hosted in App Service.
All of the documentation you are referencing is about "Azure Cloud Services" and "Azure VMs" and not Azure App Service. Here is the security documentation for Azure App Service: https://learn.microsoft.com/en-us/azure/app-service/app-service-security-readme
Malware Assessment is part of the OMS suite and it's an additional tool for managing large deployments and detecting instances that might be affected by malicious code.

Related

Antivirus for Azure App Services

If a malicious user tampers with a file placed in App Service and incorporates a virus, is there a way to know that? For example, installing antivirus software on a virtual machine and keep it in the same way.
http://stackoverflow.com/questions/38387004/antimalware-for-azure-app-services
I am looking at this URL for reference and I understand that using Tinfoil Security meets the requirements. However, Tinfoil Security cannot be used because the license I use is Japanese CSP.
https://www.microsoft.com/en-us/TrustCenter/Security/ThreatManagement
I also saw this URL, but my English skill is not adequate, so my understanding may be less than enough. Therefore, I need some details. Was "Azure cloud service" written as "Azure cloud service and virtual machine's Microsoft antimalware" include AppService? I thought that only the cloud service was covered. For example: https://azure.microsoft.com/en-us/services/cloud-services/
I am checking whether the file size and timestamp have been changed in an App Service WebJob, but please let me know if there are things that can be covered with the functions provided as a service of Microsoft.
Azure App Service uses the Anti-malware solution used by Azure Cloud Services and Virtual Machines.
This is mentioned here: App Service Security
This further points to the following article: Microsoft Antimalware for Azure Cloud Services and Virtual Machines
For extended scenarios Tinfoil was provided as an additional option. If that is not available to you, then using Azure Cloud Services (Web Roles) is more in line with your requirement.
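
The size-and-timestamp check described in the question can be extended with content hashes, as sketched here. This is an added example, not part of the original posts and not a Microsoft-provided feature; the function names, the manifest layout and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file's relative path to (size, mtime_ns, sha256 hex)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            st = os.stat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = (st.st_size, st.st_mtime_ns, digest.hexdigest())
    return manifest

def compare(baseline, current, use_hash=True):
    """Return sorted lists of added, removed and modified paths."""
    width = 3 if use_hash else 2   # without hashes only size and mtime are compared
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p][:width] != current[p][:width])
    return {"added": added, "removed": removed, "modified": modified}

def demo():
    """Constructed sample site: one file changed in place, one file added."""
    with tempfile.TemporaryDirectory() as root:
        page = os.path.join(root, "index.html")
        with open(page, "wb") as fh:
            fh.write(b"<p>hello world</p>")
        baseline = snapshot(root)
        st = os.stat(page)
        with open(page, "wb") as fh:          # same length, different content
            fh.write(b"<p>HELLO WORLD</p>")
        os.utime(page, ns=(st.st_atime_ns, st.st_mtime_ns))  # mtime unchanged
        with open(os.path.join(root, "new.aspx"), "wb") as fh:
            fh.write(b"constructed placeholder")
        current = snapshot(root)
        return (compare(baseline, current, use_hash=False),
                compare(baseline, current, use_hash=True))

if __name__ == "__main__":
    weak, strong = demo()
    print("size+mtime only:", weak)
    print("with sha256:    ", strong)
```

The baseline manifest is only trustworthy if it is produced at deployment time and stored outside the site content it describes.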

Web app onboarding to Azure Web Marketplace

We checked this documentation - https://blogs.msdn.microsoft.com/appserviceteam/2016/08/26/onboarding-to-azure-web-marketplace on how to onboard our web apps in the Azure marketplace and also the GitHub link - https://github.com/SunBuild/web-app-marketplace
We have contacted MSFT on how to host our application which has an API and WCF applications as sub-applications.
MSFT replied that sub applications are not currently supported through this onboarding model.
So, we are trying to onboard the three applications individually and link them in the Azure marketplace. We are not sure whether this will work or if this is possible.
In the sample applications in the GitHub link - https://github.com/SunBuild/web-app-marketplace, they have a hosting plan JSON file for the web app resource. Can we link the applications using this hosting plan JSON file?
We could not find any information or definition related to this hosting plan file - https://github.com/SunBuild/web-app-marketplace/blob/master/WebApp-SQLDatabase/DeploymentTemplates/Website_NewHostingPlan_SQL_NewDB-Default.json
Has anyone tried this before or know how to do this?
"sub applications are not currently supported through this onboarding model."
From the documentation, we can see that if a web app needs the Virtual application setting to be configured, we will not be able to onboard the application.
"we are trying to onboard the three applications individually and link them in the Azure marketplace. We are not sure whether this will work or if this is possible."
In my view, if you onboard these applications individually, it may not enable us to bundle multiple individual applications and link them with each other. You could contact the Azure marketplace support team.
"We could not find any information or definition related to this hosting plan file - https://github.com/SunBuild/web-app-marketplace/blob/master/WebApp-SQLDatabase/DeploymentTemplates/Website_NewHostingPlan_SQL_NewDB-Default.json"
In the link you posted, we can see that it is an Azure Resource Manager (ARM) template that is used to define the resources you want to deploy. This article explains the Azure Resource Manager template; please refer to it.

Azure Mobile Service deployed to Azure Websites

Because of the limited region availability of deploying Azure Mobile Services, I am investigating deploying the service to Azure Websites. I can deploy the service to a website using the deployment profile easy enough and everything seems to work.
I was just wondering if anyone has had any experience in doing so? Limitations compared to the official Mobile Service hosted deployment? And any specific required changes to typical code?
Having implemented this and using it for the past few months, these are the results I found.
Minimal changes are needed except manually specifying config values as app settings vs the mobile services configuration. I am using Azure AD authentication and the required keys to be configured in Azure websites app settings were
MS_MobileServiceName
MS_MobileServiceDomainSuffix
MS_MasterKey
MS_ApplicationKey
MS_AadClientId
MS_AadTenants
MS_AadAudience
I wrote about the changes here https://pontifex.azurewebsites.net/azure-mobile-services-hosted-in-azure-websites/

Windows Azure vs Citrix XenApp

Currently my company delivers our software to our customers through a Citrix XenApp Server. As administrators we are able to launch instances of the servers and our customers are only able to launch their specific application.
My question is: does Windows Azure also offer this type of environment? I am looking to deploy a new version of our application and I am leaning towards Azure, but if that is the direction we go in I would like to migrate all of our existing system to Azure and not maintain both Azure and Citrix.
Greg,
In principle yes you can do this, but you can't just plug in Azure as a direct replacement for XenApp (with zero/minimal effort). Azure effectively has its own runtime. While it is Windows based and there is certainly potential to reuse code in an existing app in an Azure equivalent, you would need to re-write your app to make it run in Azure.
Given your app is running on XenApp it is likely it is a fat client app, i.e. most of its logic lives in the main executable that you run on XenApp, with potentially some other back end services being utilised. In comparison you should think of Azure as a platform for providing web apps. So you would re-architect the app as an Azure hosted web app, then you could deploy it via Azure in a multi-tenanted manner to your customers who would then access it through a browser rather than a Citrix Receiver.
Regards,
Donovan

Accessing Azure Storage Services from Azure Websites?

I'm curious to know if this is possible, and if so, is it a good or bad idea?
We are developing an Azure application that is largely centered around worker roles that receive their work on a CloudQueue, and put the results in a CloudBlob, that the client then downloads. The web interface itself is a dead-simple ASP.NET MVC site that throws jobs in the CloudQueue, and builds URLs to download CloudBlobs.
Currently we accomplish this by having an Azure Cloud Project in our solution, which has a Web Role with the UI, and Worker Roles with the actual work.
Could we use Azure Websites to publish and host the UI, which calls back to our Worker Roles? The Azure DLLs are just regular old .NET libraries, I'm assuming Azure Websites won't have a problem with them. So, when we want to update the UI, we just publish with Visual Studio. And when we want to update the Worker Role - which is 300MB+ and has a bunch of nasty dependencies like Crystal Reports - we can build the cloud bundle and update the Cloud Service through the Azure management portal.
This seems to me like doing this would make it easier to update the UI. I think it would also be cheaper to host it, as we won't have to buy a bunch of instances for the Web Role.
If your question is "Could we use Windows Azure Websites", based on your application architecture, you sure can use Azure Websites to deploy your front end and configure all the networking connections properly so you can continue to access other Azure Storage services. As you are using mostly Blob and Queue, you can continue to use HTTP/HTTPS settings in Azure Websites. You can keep the worker role as it is; however, if it is very complex to deploy, using a Windows Azure VM may be another direction to go.
I could say website deployment could be easier if your web app does not have something complex to configure in the web server, as Websites may not be able to match web server level configuration compared to a web role and an Azure VM. Answering "easier and cheaper" could be very subjective, as this all depends on load and distribution, so you would have to try and evaluate it.
