Make sure your Azure ARM VMs are not a threat

The script below deploys or removes the Azure antimalware extension on every VM in a resource group. Make sure the `$anySetting` and `$sqlSetting` values are correct for your environment before running it.

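[cmdletbinding()]
param (
    # Resource group whose VMs are processed.
    $rgname="release4.11.0.1",
    # $true installs/updates the antimalware extension, $false removes it.
    [bool]$adding = $true
)

# Get-AzureVMAvailableExtension | fl -Property Publisher, ExtensionName

# Instance name of the extension on each VM, and the publisher/type of the
# extension image it is created from.
$extName="IaasAntimalware"
$extType="IaaSAntimalware"
$extPublisherName="Microsoft.Azure.Security"


# Default profile: real-time protection plus a scheduled quick scan, no
# exclusions.
$anySetting = @"
{
"AntimalwareEnabled": true, 
"RealtimeProtectionEnabled": true,
"ScheduledScanSettings": {
       "isEnabled": true,
       "day": 1,
       "time": 120,
       "scanType": "Quick"
       },
"Exclusions": {}
}
"@

# SQL profile: same schedule, but excludes database/log files and the data
# volumes. Every exclusion is a gap in coverage, so keep this list as narrow as
# the workload allows. The "Processes" entries below are placeholders that must
# be replaced before use.
$sqlSetting = @"
{
"AntimalwareEnabled": true, 
"RealtimeProtectionEnabled": true, 
"ScheduledScanSettings": {        
       "isEnabled": true, 
       "day": 1, 
       "time": 120, 
       "scanType": "Quick"  
       },        
       "Exclusions": {
             "Extensions": ".mdf;.ldf",
             "Paths": "D:\\;E:\\",
             "Processes": "excludedproc1.exe;excludedproc2.exe"    
             }
       }
"@


# Per-location cache of the newest published "major.minor" handler version.
# The image list is location-specific and the VMs of one resource group can
# live in different regions, so the lookup is keyed on each VM's location
# rather than on one hard-coded region.
$script:versionByLocation = @{}

#######################################
# Return the newest "major.minor" version of the antimalware extension image
# published in a location, looking it up at most once per location.
# Arguments: $location - Azure region name (as reported by the VM object)
# Returns:   version string such as "1.5"; throws if no image is published
#######################################
function Get-ExtensionVersion([string]$location) {
    if (-not $script:versionByLocation.ContainsKey($location)) {
        $allVersions = (Get-AzureRmVMExtensionImage -Location $location -PublisherName "$extPublisherName" -Type "$extType" -ErrorAction Stop).Version
        if (-not $allVersions) {
            throw "No '$extPublisherName/$extType' extension image is published in '$location'"
        }
        # Compare as [version], not as text: picking the last element of the
        # raw list would sort "1.10.0" before "1.9.0" and install an old handler.
        $latest = [version]($allVersions | Sort-Object { [version]$_ } | Select-Object -Last 1)
        $script:versionByLocation[$location] = "{0}.{1}" -f $latest.Major, $latest.Minor
    }
    return $script:versionByLocation[$location]
}


# Force an array so a resource group with a single VM (or none) is handled
# uniformly.
$vms = @(get-azurermvm -ResourceGroupName $rgname -ErrorAction Stop)
if ($vms.Count -eq 0) {
    Write-Warning "No VMs found in resource group '$rgname'"
}

# VMs whose extension operation failed; reported together at the end so one
# failure does not silently stop the remaining VMs from being processed.
$failed = @()

foreach ($thisVm in $vms) {
    $whichSetting="Any"
    $setting = $anySetting

    # VM names ending in "-sql" get the profile with SQL data-file exclusions.
    if($thisVm.Name -like "*-sql") {
        $setting = $sqlSetting
        $whichSetting="SQL"
    }

    try {
        if($adding) {
            $versionString = Get-ExtensionVersion $thisVm.Location

            write-host ("ADDING $whichsetting setting to " + $thisVm.Name)

            Set-AzureRmVMExtension `
                -ResourceGroupName $rgname `
                -VMName $thisVm.Name `
                -Name "$extName" `
                -Publisher "$extPublisherName" `
                -TypeHandlerVersion "$versionString" `
                -ExtensionType "$extType" `
                -Location $thisVm.Location `
                -SettingString "$setting" `
                -ErrorAction Stop | Out-Null
        }
        else {
            write-host ("REMOVING FROM " + $thisVm.Name)
            # -Force suppresses the confirmation prompt so the script can run
            # unattended.
            Remove-AzureRmVMExtension -ResourceGroupName $rgname -VMName $thisVm.Name -Name "$extName" -Force -ErrorAction Stop | Out-Null
        }
    }
    catch {
        # Surface the failure but keep going: an unprotected VM that is never
        # reported is worse than a partial run that says which VMs it missed.
        Write-Warning ("Failed on " + $thisVm.Name + ": " + $_.Exception.Message)
        $failed += $thisVm.Name
    }
}

if ($failed.Count -gt 0) {
    throw ("Extension operation failed for: " + ($failed -join ", "))
}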
