Many online malware scanners require that you upload your files to their servers, which increases security risks and can use a lot of bandwidth. They also tend to be limited in functionality and accuracy. For example, some modern malware strains are clever enough to avoid detection by signature-based scans and can only be detected by heuristic analysis of behavior.
Our malware scanning service uses ClamAV as its scan engine. ClamAV supports heuristic-based malware detection as well as signature-based detection, which helps ensure that you don’t miss any threats. The service also has a capping mechanism that lets you set a monthly scanning limit for an entire storage account, which acts as an effective cost control.
Digital Safeguard: How Malware Scanning Services Protect Your Online Presence
The public malware database for ClamAV is hosted on a Content Delivery Network (CDN). If multiple malware scanning instances start up and each attempts to download the full database, the CDN will apply rate-limiting. This can prevent your scanning instances from starting up, and can also stop you from downloading the latest updates for the scanner. To mitigate this issue, the malware scanning service provides a cached local version of the malware database that is updated periodically in the background.
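The caching idea described above, as an added sketch that is not the service's own code: one local copy is shared by all scanner instances, refreshes are serialised so simultaneous start-ups cause a single upstream download, and a throttled refresh falls back to the last good copy. The `fetch` callable, the `RateLimited` exception and all class and function names are assumptions made for illustration, and the refresh here happens on access rather than on a background timer.

```python
import os
import tempfile
import threading
import time
from pathlib import Path


class RateLimited(Exception):
    """Raised by the (hypothetical) upstream fetcher when the CDN throttles us."""


class SignatureCache:
    """One local copy of the signature database shared by all scanner instances."""

    def __init__(self, path, fetch, max_age_s=3600):
        self.path = Path(path)
        self.fetch = fetch            # callable returning database bytes (assumption)
        self.max_age_s = max_age_s
        self.upstream_calls = 0
        self._lock = threading.Lock()

    def _fresh(self):
        try:
            return time.time() - self.path.stat().st_mtime < self.max_age_s
        except FileNotFoundError:
            return False

    def get(self):
        """Return the path of a usable database, touching upstream at most once."""
        with self._lock:              # concurrent start-ups queue here, not at the CDN
            if self._fresh():
                return self.path
            try:
                self.upstream_calls += 1
                data = self.fetch()
            except RateLimited:
                if self.path.exists():
                    return self.path  # stale signatures beat a scanner that cannot start
                raise
            fd, tmp = tempfile.mkstemp(dir=self.path.parent)
            with os.fdopen(fd, "wb") as fh:
                fh.write(data)
            os.replace(tmp, self.path)  # atomic swap: readers never see a partial file
            return self.path


def simulate_startup(cache, instances=8):
    """Start several scanner instances at once; return how often upstream was hit."""
    threads = [threading.Thread(target=cache.get) for _ in range(instances)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return cache.upstream_calls
```

When a refresh is throttled and a stale copy is served, the age of that copy is worth exporting as a metric so that a long run of failed updates is noticed.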
The malware scanning service supports response at scale — deleting or quarantining suspicious files — based on blob index tags and Event Grid security alerts. Detailed Microsoft Defender for Storage alerts are also generated when the malware scanning service detects a potentially harmful file. The blob index tag isn’t available for pages or tamper-resistant blobs (such as those encrypted at rest with a Customer Managed Key). Also, the malware scanning service doesn’t scan blobs that are already scanned by another service, such as Azure Files.