Microsoft Antimalware for Azure Cloud Services and Virtual Machines

Microsoft Antimalware for Azure is free real-time protection that helps identify and remove viruses, spyware, and other malicious software. It generates alerts when known malicious or unwanted software tries to install itself or run on your Azure systems.

The solution is built on the same antimalware platform as Microsoft Security Essentials [MSE], Microsoft Forefront Endpoint Protection, Microsoft System Center Endpoint Protection, Windows Intune, and Windows Defender. Microsoft Antimalware for Azure is a single-agent solution for applications and tenant environments, designed to run in the background without human intervention. Protection can be deployed to match the needs of the application workload, with either a basic secure-by-default configuration or an advanced custom configuration, including antimalware monitoring.

When you deploy and enable Microsoft Antimalware for Azure for your applications, the following core features are available:

  • Real-time protection - monitors activity in Cloud Services and on Virtual Machines to detect and block malware execution.
  • Scheduled scanning - scans periodically to detect malware, including actively running programs.
  • Malware remediation - automatically takes action on detected malware, such as deleting or quarantining malicious files and cleaning up malicious registry entries.
  • Signature updates - automatically installs the latest protection signatures (virus definitions) on a pre-determined frequency so that protection stays up to date.
  • Antimalware engine updates - automatically updates the Microsoft Antimalware engine.
  • Antimalware platform updates - automatically updates the Microsoft Antimalware platform.
  • Active protection - reports telemetry metadata about detected threats and suspicious resources to Microsoft Azure to ensure rapid response to the evolving threat landscape, and enables real-time synchronous signature delivery through the Microsoft Active Protection System (MAPS).
  • Samples reporting - provides and reports samples to the Microsoft Antimalware service to help refine the service and enable troubleshooting.
  • Exclusions - allows application and service administrators to configure exclusions for files, processes, and drives.
  • Antimalware event collection - records the antimalware service health, suspicious activities, and remediation actions taken in the operating system event log and collects them into the customer's Azure Storage account.

Note

Microsoft Antimalware can also be deployed using Azure Security Center.

Architecture

Microsoft Antimalware for Azure includes the Microsoft Antimalware Client and Service, the Antimalware classic deployment model, Antimalware PowerShell cmdlets, and the Azure Diagnostics Extension. Microsoft Antimalware is supported on the Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 operating system families. It is not supported on the Windows Server 2008 operating system, and it is not supported on Linux.

The Microsoft Antimalware Client and Service is installed by default, in a disabled state, on all supported Azure guest operating system families in the Cloud Services platform. It is not installed by default in the Virtual Machines platform; there it is available as an optional feature through the Azure portal and the Visual Studio Virtual Machine configuration, under Security Extensions.

When using Azure App Service, the underlying service that hosts the web app has Microsoft Antimalware enabled. This protects the Azure App Service infrastructure and does not run on customer content.

Note

Windows Defender is the built-in antimalware enabled in Windows Server 2016. The Windows Defender interface is also enabled by default on some Windows Server 2016 SKUs; see here for more information. The Azure VM Antimalware extension can still be added to a Windows Server 2016 Azure VM with Windows Defender, but in this scenario the extension applies any optional configuration policies to be used by Windows Defender; it does not deploy any additional antimalware services.

Microsoft Antimalware workflow

The Azure service administrator can enable Antimalware for Azure with a default or custom configuration for your Virtual Machines and Cloud Services using the following options:

  • Virtual Machines - in the Azure portal, under Security Extensions
  • Virtual Machines - using the Visual Studio virtual machine configuration in Server Explorer
  • Virtual Machines and Cloud Services - using the Antimalware classic deployment model
  • Virtual Machines and Cloud Services - using the Antimalware PowerShell cmdlets

The Azure portal or the PowerShell cmdlets push the Antimalware extension package file to a pre-determined fixed location on the Azure system. The Azure Guest Agent (or the Fabric Agent) launches the Antimalware extension, applying the Antimalware configuration settings supplied as input. This step enables the Antimalware service with either default or custom configuration settings. If no custom configuration is provided, the Antimalware service is enabled with the default configuration settings. Refer to the Antimalware configuration section in Microsoft Antimalware for Azure - Code Samples for more details.

Once running, the Microsoft Antimalware client downloads the latest protection engine and signature definitions from the Internet and loads them on the Azure system. The Microsoft Antimalware service writes service-related events to the system OS event log under the "Microsoft Antimalware" event source. Events include the Antimalware client health state, protection and remediation status, new and old configuration settings, engine updates and signature definitions, and others.

You can enable Antimalware monitoring for your Cloud Service or Virtual Machine so that the Antimalware event log events are written to your Azure Storage account as they are produced. The Antimalware service uses the Azure Diagnostics extension to collect Antimalware events from the Azure system into tables in the customer's Azure Storage account.

The deployment workflow, including the configuration steps and options supported for the above scenarios, is documented in the Antimalware deployment scenarios section of this document.

Microsoft Antimalware in Azure

Note

You can, however, use PowerShell/APIs and Azure Resource Manager templates to deploy Virtual Machine Scale Sets with the Microsoft Antimalware extension. To install an extension on an already running Virtual Machine Scale Set, you can use the sample Python script vmssextn.py. This script gets the existing extension configuration on the scale set and adds an extension to the list of existing extensions on the VM scale set.

Default and custom Antimalware configuration

When you do not provide custom configuration settings, the default configuration settings are applied to enable Antimalware for Azure Cloud Services or Virtual Machines. The default configuration settings have been pre-optimized for running in the Azure environment. Optionally, you can customize these default configuration settings as required for your Azure application or service deployment and apply them to other deployment scenarios.

The following table summarizes the configuration settings available for the Antimalware service. The default configuration settings are marked in the column labeled "Default".

Table 1

Antimalware deployment scenarios

This section discusses the scenarios for enabling and configuring antimalware, including monitoring, for Azure Cloud Services and Virtual Machines.

Virtual machines - enable and configure Antimalware

Deployment while creating a VM using the Azure portal

To enable and configure Microsoft Antimalware for Azure Virtual Machines using the Azure portal while provisioning a Virtual Machine, follow the steps below:

  1. Sign in to the Azure portal at https://portal.azure.com.
  2. To create a new virtual machine, navigate to Virtual machines, select Add, and choose Windows Server.
  3. Select the version of Windows Server that you would like to use.
  4. Select Create. (Figure: Create virtual machine)
  5. Provide a Name, Username, and Password, and create a new resource group or choose an existing resource group.
  6. Select OK.
  7. Choose a VM size.
  8. In the next section, make the appropriate choices for your needs, then select the Extensions section.
  9. Select Add extension.
  10. Under New resource, choose Microsoft Antimalware.
  11. Select Create.
  12. In the Install extension section, file, location, and process exclusions can be configured, as well as other scan options. Choose OK.
  13. Choose OK.
  14. Back in the Settings section, choose OK.
  15. In the Create screen, choose OK.

Deployment using the Visual Studio virtual machine configuration

To enable and configure the Microsoft Antimalware service using Visual Studio:

  1. Connect to Microsoft Azure in Visual Studio.

  2. Choose your Virtual Machine in the Virtual Machines node in Server Explorer.

    (Figure: Virtual machine configuration in Visual Studio)

  3. Right-click Configure to view the Virtual Machine configuration page.

  4. Select the Microsoft Antimalware extension from the dropdown list under Installed Extensions and click Add to configure it with the default antimalware configuration. (Figure: Installed extensions)

  5. To customize the default Antimalware configuration, select (highlight) the Antimalware extension in the installed extensions list and click Configure.

  6. Replace the default Antimalware configuration in the public configuration textbox with your custom configuration in the supported JSON format, and click OK.

  7. Click the Update button to push the configuration updates to your Virtual Machine.

    (Figure: Virtual machine configuration extension)

Note

The Visual Studio Virtual Machines configuration for Antimalware supports only JSON format configuration. The Antimalware JSON configuration settings template is included in Microsoft Antimalware for Azure - Code Samples, showing the supported Antimalware configuration settings.

Deployment using PowerShell cmdlets

An Azure application or service can enable and configure Microsoft Antimalware for Azure Virtual Machines using PowerShell cmdlets.

To enable and configure Microsoft Antimalware using the Antimalware PowerShell cmdlets:

  1. Set up your PowerShell environment - refer to the documentation at https://github.com/Azure/azure-powershell
  2. Use the Set-AzureVMMicrosoftAntimalwareExtension Antimalware cmdlet to enable and configure Microsoft Antimalware for your Virtual Machine.

Note

The Azure Virtual Machines configuration for Antimalware supports only JSON format configuration. The Antimalware JSON configuration settings template is included in Microsoft Antimalware for Azure - Code Samples, showing the supported Antimalware configuration settings.
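As an added example (not from this page or from the Microsoft Antimalware for Azure Code Samples), the following PowerShell enables the extension on an existing classic VM with a custom JSON configuration and then reads the configuration back. The subscription, cloud service and VM names and the exclusion values are placeholders, and the JSON key names follow the extension's settings schema as I assume it; the page's Code Samples carry the authoritative template.

```powershell
# Added example: enable Microsoft Antimalware on an existing classic (ASM) VM
# with a custom JSON configuration. REPLACE-... values are placeholders.
# Requires the Azure Service Management PowerShell cmdlets from
# https://github.com/Azure/azure-powershell.

Add-AzureAccount                                          # interactive sign-in
Select-AzureSubscription -SubscriptionName 'REPLACE-WITH-SUBSCRIPTION-NAME'

$serviceName = 'REPLACE-WITH-CLOUD-SERVICE-NAME'
$vmName      = 'REPLACE-WITH-VM-NAME'
$configFile  = Join-Path $env:TEMP 'antimalware-config.json'

# Custom configuration. Key names follow the extension's JSON settings schema
# (an assumption here; see the Code Samples template for the supported keys).
# Keep exclusions as narrow as possible: every excluded path, extension or
# process is a blind spot for both real-time protection and scheduled scans.
$config = [ordered]@{
    AntimalwareEnabled        = $true
    RealtimeProtectionEnabled = $true
    ScheduledScanSettings     = [ordered]@{
        isEnabled = $true
        day       = 7          # 0 = daily, 1-7 = Sunday..Saturday, 8 = disabled
        time      = 120        # minutes after midnight, i.e. 02:00
        scanType  = 'Quick'    # 'Quick' or 'Full'
    }
    Exclusions = [ordered]@{
        Extensions = '.mdf;.ldf'      # constructed: database file extensions
        Paths      = 'D:\SqlData'     # constructed: a single data directory
        Processes  = 'sqlservr.exe'   # constructed: the database engine process
    }
}
$config | ConvertTo-Json -Depth 4 | Set-Content -Path $configFile -Encoding ASCII

# Push the extension and its configuration to the VM.
$vm = Get-AzureVM -ServiceName $serviceName -Name $vmName
Set-AzureVMMicrosoftAntimalwareExtension -VM $vm -AntimalwareConfigFile $configFile |
    Update-AzureVM

# Read the configuration back and confirm it is what you intended before
# relying on it: a mistyped exclusion silently widens the blind spot.
$vm = Get-AzureVM -ServiceName $serviceName -Name $vmName
Get-AzureVMMicrosoftAntimalwareExtension -VM $vm
```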

Enable and configure Antimalware using PowerShell cmdlets

An Azure application or service can enable and configure Microsoft Antimalware for Azure Cloud Services using PowerShell cmdlets. Note that Microsoft Antimalware is installed in a disabled state in the Cloud Services platform and requires an action by an Azure application to enable it.

To enable and configure Microsoft Antimalware using PowerShell cmdlets:

  1. Set up your PowerShell environment - refer to the documentation at https://github.com/Azure/azure-powershell
  2. Use the Set-AzureServiceAntimalwareExtension Antimalware cmdlet to enable and configure Microsoft Antimalware for your Cloud Service.

The Antimalware XML configuration settings template is included in Microsoft Antimalware for Azure - Code Samples, showing the supported Antimalware configuration settings.

Cloud Services and Virtual Machines - configuration using PowerShell cmdlets

An Azure application or service can retrieve the Microsoft Antimalware configuration for Cloud Services and Virtual Machines using PowerShell cmdlets.

To retrieve the Microsoft Antimalware configuration using PowerShell cmdlets:

  1. Set up your PowerShell environment - refer to the documentation at https://github.com/Azure/azure-powershell
  2. For Virtual Machines: use the Get-AzureVMMicrosoftAntimalwareExtension Antimalware cmdlet to get the Antimalware configuration.
  3. For Cloud Services: use the Get-AzureServiceAntimalwareConfig Antimalware cmdlet to get the Antimalware configuration.

Remove Antimalware configuration using PowerShell cmdlets

An Azure application or service can remove the Antimalware configuration and any associated Antimalware monitoring configuration from the relevant Azure Antimalware and diagnostics service extensions associated with the Cloud Service or Virtual Machine.

To remove Microsoft Antimalware using PowerShell cmdlets:

  1. Set up your PowerShell environment - refer to the documentation at https://github.com/Azure/azure-powershell
  2. For Virtual Machines: use the Remove-AzureVMMicrosoftAntimalwareExtension Antimalware cmdlet.
  3. For Cloud Services: use the Remove-AzureServiceAntimalwareExtension Antimalware cmdlet.

To enable antimalware event collection for a virtual machine using the Azure Preview Portal:

  1. Click any part of the Monitoring lens in the Virtual Machine blade.
  2. Click the Diagnostics command on the Metric blade.
  3. Set Status to ON and check the option for the Windows event system log.
  4. You can choose to uncheck all other options in the list, or leave them enabled per your application service needs.
  5. The Antimalware event categories "Error", "Warning", "Informational", etc. are captured in your Azure Storage account.

Antimalware events are collected from the Windows event system logs into your Azure Storage account. You can configure the storage account for your Virtual Machine to collect Antimalware events by selecting the appropriate storage account.

(Figure: Metrics and Diagnostics)

Note

For more information on diagnostics logging for Azure Antimalware, read Enabling Diagnostics Logging for Azure Antimalware.

Enable and configure Antimalware monitoring using PowerShell cmdlets

You can enable collection of Microsoft Antimalware events for your Cloud Service or Virtual Machine using Azure Diagnostics through the Antimalware PowerShell cmdlets. The Azure Diagnostics extension can be configured to capture events from the System event log source "Microsoft Antimalware" to your Azure Storage account. The Antimalware event categories "Error", "Warning", "Informational", etc. are captured in your Azure Storage account.

To enable Antimalware event collection to your Azure Storage account using PowerShell cmdlets:

  1. Set up your PowerShell environment - refer to https://github.com/Azure/azure-powershell
  2. For Virtual Machines - use the Set-AzureVMMicrosoftAntimalwareExtension Antimalware cmdlet with the Monitoring ON option.
  3. For Cloud Services - use the Set-AzureServiceAntimalwareExtension Antimalware cmdlet with the Monitoring ON option.

You can view the raw Antimalware events by looking at the WADWindowsEventLogsTable table in the Azure Storage account that you configured when enabling Antimalware monitoring. This is useful for validating that Antimalware event collection is working, and it gives insight into the Antimalware service's health. For more information, including sample code on how to extract Antimalware events from your storage account, see Microsoft Antimalware for Azure - Code Samples.
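To show the monitoring side end to end, here is an added example (not this page's code and not the Code Samples) that turns on Antimalware monitoring for a classic VM with the Monitoring ON option and then pulls the last 24 hours of "Microsoft Antimalware" events out of WADWindowsEventLogsTable, grouped by severity. The service, VM and storage account name and key are placeholders; the partition-key format and the meaning of the Level column are my assumptions about how the Azure Diagnostics table is laid out.

```powershell
# Added example: enable Antimalware monitoring (Monitoring ON) and then check the
# events collected in WADWindowsEventLogsTable. REPLACE-... values are placeholders.
$serviceName    = 'REPLACE-WITH-CLOUD-SERVICE-NAME'
$vmName         = 'REPLACE-WITH-VM-NAME'
$storageAccount = 'REPLACE-WITH-STORAGE-ACCOUNT-NAME'
$storageKey     = 'REPLACE-WITH-STORAGE-ACCOUNT-KEY'

$ctx = New-AzureStorageContext -StorageAccountName $storageAccount -StorageAccountKey $storageKey

# 1. Turn on event collection: the Azure Diagnostics extension copies events from
#    the "Microsoft Antimalware" source into this storage account.
$vm = Get-AzureVM -ServiceName $serviceName -Name $vmName
Set-AzureVMMicrosoftAntimalwareExtension -VM $vm -Monitoring ON -StorageContext $ctx |
    Update-AzureVM

# 2. Query the raw events. Assumption: WAD partition keys are "0" followed by the
#    UTC tick count zero-padded to 19 digits, so a string comparison on
#    PartitionKey gives a cheap server-side time filter.
$sinceTicks = '0' + (Get-Date).ToUniversalTime().AddHours(-24).Ticks.ToString('d19')
$table = Get-AzureStorageTable -Name 'WADWindowsEventLogsTable' -Context $ctx
$query = New-Object Microsoft.WindowsAzure.Storage.Table.TableQuery
$query.FilterString = "(PartitionKey ge '$sinceTicks') and (ProviderName eq 'Microsoft Antimalware')"
$events = @($table.CloudTable.ExecuteQuery($query))

# 3. Summarise by severity. Assumption: Level carries the Windows event log
#    level values (1 = Critical, 2 = Error, 3 = Warning, 4 = Informational).
$levelName = @{ 1 = 'Critical'; 2 = 'Error'; 3 = 'Warning'; 4 = 'Informational' }
$events |
    Group-Object { $levelName[[int]$_.Properties['Level'].Int32Value] } |
    Select-Object Name, Count

# 4. Errors and warnings are what an operator wants first: failed signature
#    updates, real-time protection being switched off, and detections all land here.
$events |
    Where-Object { [int]$_.Properties['Level'].Int32Value -le 3 } |
    ForEach-Object {
        [pscustomobject]@{
            Time         = $_.Timestamp
            RoleInstance = $_.Properties['RoleInstance'].StringValue
            EventId      = $_.Properties['EventId'].Int32Value
            Description  = $_.Properties['Description'].StringValue
        }
    } | Format-Table -AutoSize -Wrap

# No events at all inside the window is itself a finding: monitoring was only
# just enabled, the diagnostics extension is not running, or the service is silent.
if ($events.Count -eq 0) {
    Write-Warning 'No Microsoft Antimalware events were collected in the last 24 hours.'
}
```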