Slicc

Reputation: 3435

Configure Windows Defender for VMs in Scaleset

I have an Azure Scaleset with 5 VMs in it. When I deploy my app (a Service Fabric app) to the scaleset, Windows Defender Real Time Protection is causing the CPU/Memory to max out. I think this is because there are no appropriate exclusions set up in the Windows Defender software.

Can anyone tell me if I can configure the exclusions on each VM without having to RDP on to all of the VMs?

Upvotes: 0

Views: 1341

Answers (2)

masnider

Reputation: 2599

Generally this is VM level config and so is usually managed via a custom VM image that already has things set up or via a VM extension that configures Defender as a part of the machine coming up (this is similar to @jason-ye-msft 's answer). There's some similar guidance around setting up antimalware in a cluster here.

```powershell
# Script to add the Microsoft Antimalware extension to a VM Scale Set (VMSS) and Service Fabric cluster (which in turn uses VMSS)
# Log in to your Azure Resource Manager account and select the subscription to use
Login-AzureRmAccount
# Specify your subscription ID
$subscriptionId = "SUBSCRIPTION ID HERE"
Select-AzureRmSubscription -SubscriptionId $subscriptionId
# Specify location, resource group, and VM scale set for the extension
$location = "LOCATION HERE" # e.g. "West US", "Southeast Asia" or "Central US"
$resourceGroupName = "RESOURCE GROUP NAME HERE"
$vmScaleSetName = "YOUR VM SCALE SET NAME"
# The JSON configuration can be customized as per the MSDN documentation: https://msdn.microsoft.com/en-us/library/dn771716.aspx
# Note: this value is defined here but is not passed to Add-AzureRmVmssExtension below
$settingString = '{"AntimalwareEnabled": true}'
# Retrieve the most recent version number of the extension ("major.minor")
$allVersions = (Get-AzureRmVMExtensionImage -Location $location -PublisherName "Microsoft.Azure.Security" -Type "IaaSAntimalware").Version
$versionString = $allVersions[($allVersions.count)-1].Split(".")[0] + "." + $allVersions[($allVersions.count)-1].Split(".")[1]
# Add the extension to the scale set model, then push the updated model
$VMSS = Get-AzureRmVmss -ResourceGroupName $resourceGroupName -VMScaleSetName $vmScaleSetName
Add-AzureRmVmssExtension -VirtualMachineScaleSet $VMSS -Name "IaaSAntimalware" -Publisher "Microsoft.Azure.Security" -Type "IaaSAntimalware" -TypeHandlerVersion $versionString
Update-AzureRmVmss -ResourceGroupName $resourceGroupName -Name $vmScaleSetName -VirtualMachineScaleSet $VMSS
```

The Service Fabric team does have guidance on how to configure your environment that includes the information about the exclusions you'd want to add. Those include:

Antivirus Excluded directories
Program Files\Microsoft Service Fabric
FabricDataRoot (from cluster configuration)
FabricLogRoot (from cluster configuration)

Antivirus Excluded processes
Fabric.exe
FabricHost.exe
FabricInstallerService.exe
FabricSetup.exe
FabricDeployer.exe
ImageBuilder.exe
FabricGateway.exe
FabricDCA.exe
FabricFAS.exe
FabricUOS.exe
FabricRM.exe
FileStoreService.exe

It's not clear if there's a good way to set up those exclusions at the same time that you're enabling antimalware scanning.

Upvotes: 1
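
One way to push the exclusions listed in the answer above to every instance without RDP, as an added example that is not part of either answer or of Microsoft's script: pass them to the IaaSAntimalware extension as settings. Assumptions: the `Exclusions`, `Paths`, `Processes` and `RealtimeProtectionEnabled` key names follow the extension's JSON configuration schema (check them against the documentation linked in the script), you are already logged in with a subscription selected, the scale set model has no extension named IaaSAntimalware yet, and `Test-ExclusionPath`, the `C:` drive and the placeholder values are hypothetical.

```powershell
# Added example. Resource names and the two Fabric roots are placeholders (assumptions).
$location          = "LOCATION HERE"
$resourceGroupName = "RESOURCE GROUP NAME HERE"
$vmScaleSetName    = "YOUR VM SCALE SET NAME"

# Directories from the list above. The C: drive is assumed; take FabricDataRoot
# and FabricLogRoot from your cluster configuration.
$excludedPaths = @(
    "C:\Program Files\Microsoft Service Fabric",
    "FABRIC DATA ROOT HERE",
    "FABRIC LOG ROOT HERE"
)
# Processes from the list above.
$excludedProcesses = @(
    "Fabric.exe", "FabricHost.exe", "FabricInstallerService.exe", "FabricSetup.exe",
    "FabricDeployer.exe", "ImageBuilder.exe", "FabricGateway.exe", "FabricDCA.exe",
    "FabricFAS.exe", "FabricUOS.exe", "FabricRM.exe", "FileStoreService.exe"
)

# Guard (hypothetical helper): reject entries that would exclude far more than intended.
function Test-ExclusionPath([string]$Path) {
    if ($Path -match '[*?]')              { return $false }  # wildcards
    if ($Path -notmatch '^[A-Za-z]:\\.+') { return $false }  # relative, drive root, or unfilled placeholder
    return $true
}
$rejected = @($excludedPaths | Where-Object { -not (Test-ExclusionPath $_) })
if ($rejected.Count -gt 0) {
    throw "Refusing exclusion path(s): $($rejected -join ', ')"
}

# Extension settings; Paths and Processes are joined into semicolon-separated strings.
$settings = @{
    AntimalwareEnabled        = $true
    RealtimeProtectionEnabled = $true
    Exclusions                = @{
        Paths     = $excludedPaths -join ';'
        Processes = $excludedProcesses -join ';'
    }
}

# Same version lookup as the script above: "major.minor" of the last listed version.
$allVersions   = @((Get-AzureRmVMExtensionImage -Location $location -PublisherName "Microsoft.Azure.Security" -Type "IaaSAntimalware").Version)
$latest        = $allVersions[($allVersions.Count) - 1].Split(".")
$versionString = $latest[0] + "." + $latest[1]

$VMSS = Get-AzureRmVmss -ResourceGroupName $resourceGroupName -VMScaleSetName $vmScaleSetName
Add-AzureRmVmssExtension -VirtualMachineScaleSet $VMSS -Name "IaaSAntimalware" -Publisher "Microsoft.Azure.Security" -Type "IaaSAntimalware" -TypeHandlerVersion $versionString -Setting $settings
Update-AzureRmVmss -ResourceGroupName $resourceGroupName -Name $vmScaleSetName -VirtualMachineScaleSet $VMSS
```

The guard throws until the two placeholder roots are replaced with absolute paths, so an unfilled template never reaches the scale set.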

Jason Ye

Reputation: 13954

> Can anyone tell me if I can configure the exclusions on each VM without having to RDP on to all of the VMs?

Based on my knowledge, you should configure the exclusion for your image, then upload this image to Azure, then use this image to create a new VMSS. In this way, after you increase your VMSS instances, newly created VMSS instances will not be affected by Windows Defender software.

Upvotes: 1
