Q: Does Azure run malware protection?
A: Microsoft doesn't disclose specifics regarding the protection the company uses as part of the various Azure services. Publishing details would help attackers who are trying to bypass the protection. However, the fact that Azure has an attestation of PCI-DSS compliance means that virus scanning and malware detection systems are deployed on the platform, which would include the hypervisors and other systems. Remember that for IaaS workloads it's important to deploy your own malware protecion within the virtual machines (e.g., Microsoft Endpoint Protection, which is free, or any other protection). Always think "defense in depth"; key points for using Azure IaaS include the following:
- Run malware protection
- Ensure the firewall is enabled within the virtual machine
- Minimize endpoints enabled for virtual machines and only have endpoints that are absolutely necessary
- Patch the OS and applications
- Deploy policies to help lock down the environment
- Monitor the services