Microsoft Antimalware Extension for Windows

Overview

The modern threat landscape for cloud environments is extremely dynamic, increasing the pressure on business IT cloud subscribers to maintain effective protection in order to meet compliance and security requirements. Microsoft Antimalware for Azure is a free real-time protection capability that helps identify and remove viruses, spyware, and other malicious software, with configurable alerts when known malicious or unwanted software attempts to install itself or run on your Azure systems. The solution is built on the same antimalware platform as Microsoft Security Essentials (MSE), Microsoft Forefront Endpoint Protection, Microsoft System Center Endpoint Protection, Windows Intune, and Windows Defender for Windows 8.0 and higher. Microsoft Antimalware for Azure is a single-agent solution for applications and tenant environments, designed to run in the background without human intervention. You can deploy protection based on the needs of your application workloads, with either basic secure-by-default or advanced custom configuration, including antimalware monitoring.

Prerequisites

Operating system

The Microsoft Antimalware for Azure solution includes the Microsoft Antimalware Client and Service, the Antimalware classic deployment model, Antimalware PowerShell cmdlets, and the Azure Diagnostics Extension. The Microsoft Antimalware solution is supported on the Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 operating system families. It is not supported on the Windows Server 2008 operating system, and it is also not supported on Linux.

Windows Defender is the built-in antimalware enabled in Windows Server 2016. The Windows Defender interface is also enabled by default on some Windows Server 2016 SKUs. The Azure VM Antimalware extension can still be added to a Windows Server 2016 Azure VM with Windows Defender, but in this scenario the extension only applies any optional configuration policies to be used by Windows Defender; it does not deploy any additional antimalware service. You can read more about this update here.

Internet connectivity

Microsoft Antimalware for Windows requires that the target virtual machine is connected to the internet so that it can receive regular engine and signature updates.

Template deployment

Azure VM extensions can be deployed with Azure Resource Manager templates. Templates are ideal when deploying one or more virtual machines that require post-deployment configuration, such as onboarding to Azure Antimalware.

The JSON configuration for a virtual machine extension can be nested inside the virtual machine resource, or placed at the root or top level of a Resource Manager JSON template. The placement of the JSON configuration affects the value of the resource name and type. For more information, see Set name and type for child resources.

The following example assumes the VM extension is nested inside the virtual machine resource. When nesting the extension resource, the JSON is placed in the "resources": [] object of the virtual machine.

{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "name": "[concat(parameters('vmName'),'/', parameters('vmExtensionName'))]",
  "apiVersion": "2019-07-01",
  "location": "[resourceGroup().location]",
  "dependsOn": [
    "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]"
  ],
  "properties": {
    "publisher": "Microsoft.Azure.Security",
    "type": "IaaSAntimalware",
    "typeHandlerVersion": "1.3",
    "autoUpgradeMinorVersion": true,
    "settings": {
      "AntimalwareEnabled": "true",
      "Exclusions": {
        "Extensions": ".log;.ldf",
        "Paths": "D:\\IISlogs;D:\\DatabaseLogs",
        "Processes": "mssence.svc"
      },
      "RealtimeProtectionEnabled": "true",
      "ScheduledScanSettings": {
        "isEnabled": "true",
        "scanType": "Quick",
        "day": "7",
        "time": "120"
      }
    },
    "protectedSettings": null
  }
}

PowerShell deployment

Depending on your type of deployment, use the corresponding commands to deploy the Azure Antimalware virtual machine extension to an existing virtual machine.
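As an added example (not part of the original page or Microsoft's own sample), the following Az PowerShell commands deploy the IaaSAntimalware extension to an existing Resource Manager VM with the same settings as the template above and then read back the extension's status. The resource group, VM name and location are placeholder values.

```powershell
# Added example: deploy the IaaSAntimalware extension with Set-AzVMExtension.
# Placeholder values (assumptions): replace with your own resource group, VM and region.
$resourceGroup = 'rg-example'
$vmName        = 'vm-example'
$location      = 'eastus'

# Settings mirror the template's "settings" block; values are strings, as in the template.
$settings = @{
    AntimalwareEnabled        = 'true'
    RealtimeProtectionEnabled = 'true'
    Exclusions = @{
        Extensions = '.log;.ldf'
        Paths      = 'D:\IISlogs;D:\DatabaseLogs'
        Processes  = 'mssence.svc'
    }
    ScheduledScanSettings = @{
        isEnabled = 'true'
        scanType  = 'Quick'
        day       = '7'
        time      = '120'
    }
}

# Publisher, type and handler version match the template's "properties" block.
Set-AzVMExtension -ResourceGroupName $resourceGroup -VMName $vmName -Location $location `
    -Name 'IaaSAntimalware' -Publisher 'Microsoft.Azure.Security' `
    -ExtensionType 'IaaSAntimalware' -TypeHandlerVersion '1.3' `
    -Settings $settings

# Confirm provisioning succeeded and show the instance-view status reported by the guest agent.
$ext = Get-AzVMExtension -ResourceGroupName $resourceGroup -VMName $vmName `
    -Name 'IaaSAntimalware' -Status
$ext.ProvisioningState
$ext.Statuses | Select-Object Code, Level, DisplayStatus, Message
```

If ProvisioningState is not Succeeded, the Statuses messages and the CommandExecution.log path given under Troubleshoot are where to look next.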

Troubleshoot and support

Troubleshoot

Microsoft Antimalware extension logs are available at %Systemdrive%\WindowsAzure\Logs\Plugins\Microsoft.Azure.Security.IaaSAntimalware (or PaaSAntimalware)\1.5.5.x (version#)\CommandExecution.log

Error codes and their meanings

Error code | Meaning | Possible action
---------- | ------- | ---------------
-2147156224 | MSI is busy with a different installation | Try running the installation later
-2147156221 | MSE setup is already running | Run only one instance at a time
-2147156208 | Low disk space (< 200 MB) | Delete unused files, and retry the installation
-2147156187 | Last installation, upgrade, update, or uninstall requested a reboot | Reboot, and retry the installation
-2147156121 | Setup tried to remove a competitor product, but the competitor product uninstall failed | Try to remove the competitor product manually, reboot, and retry the installation
-2147156116 | Policy file validation failed | Make sure you pass a valid policy XML file to setup
-2147156095 | Setup couldn't start the Antimalware service | Verify that all binaries are correctly signed and that the right licensing file is installed
-2147023293 | A fatal error occurred during installation; in most cases Epp.msi can't register, start, or stop the AM service or mini filter driver | MSI logs from EPP.msi are required here for further investigation
-2147023277 | The installation package could not be opened | Verify that the package exists and is accessible, or contact the application vendor to verify that this is a valid Windows Installer package
-2147156109 | Defender is required as a prerequisite |
-2147205073 | The websso issuer is not supported |
-2147024893 | The system cannot find the path specified |
-2146885619 | Not a cryptographic message, or the cryptographic message is not formatted correctly |
-1073741819 | The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s |
1 | Incorrect function |

Support

If you need more help at any point in this article, you can contact the Azure experts on Azure support. Alternatively, you can file an Azure support incident: go to the Azure support site and submit your request. For information about using Azure Support, read the Azure support FAQ.