When a blob is scanned for malware, the scan result can be assessed in several ways:
- A blob index tag - an index tag with the key Malware scanning scan result. Using index tags is optional, and they aren't supported in storage accounts with hierarchical namespaces enabled.
- An Event Grid message - allows you to automate responses to scan results. It requires additional configuration. Learn more about setting up Event Grid for malware scanning.
- A Log Analytics Workspace log entry - by utilizing this method, you can store all scan results in a centralized log repository. This repository is designed for easy querying, making it a powerful tool for tracking and analyzing scan results. Learn more about setting up logging for malware scanning and the Event Grid message structure.
- A security alert in Defender for Cloud (if malware was detected) - you can read more about Microsoft Defender for Cloud security alerts.
Whether you're looking to automate responses to specific scan outcomes or to keep a detailed record of all scans, these options can be tailored to meet your needs.
Scan results fall into two categories: successful states and error states. Understanding these states is important for interpreting the results of malware scanning and taking appropriate action.
Note
For storage accounts that exceed the throughput capacity and blob size limits for Defender for Storage malware scanning, some blobs won't be scanned and won't have a scan result.
Success states
When a blob is successfully scanned, the scan result indicates one of the following:
- No threats found - the scan found no malicious content.
- Malicious - malicious content was found in the uploaded blob.
- Not scanned - the blob couldn't be scanned due to unsupported type or encryption.
Error states
Malware scanning might fail to scan a blob. When this happens, the scan result indicates what the error was.
| Error Message | Cause of Error | Guidance | Charge incurred |
|---|---|---|---|
| SAM259201: Scan failed - internal service error. | An unexpected internal system error occurred during the scan. | This is a transient error. Uploading the blobs that failed with this error again should succeed. | No |
| SAM259203: Not scanned - could not access the blob. | The blob couldn't be accessed due to permission restrictions. This can happen if someone accidentally removed the malware scanner’s permission to read blobs. Permissions can also be removed by an Azure Policy. | Look at the storage account’s Activity Log to determine who or what removed the scanner’s permissions. Re-enable Malware scanning. | No |
| SAM259206: Not scanned - blob exceeded the maximum allowed size of 50GB. | The blob size exceeded the size limit, preventing the scan. For more information, see the malware scanning limitations documentation. | N/A | No |
| SAM259207: Scan failed - scan exceeded time limit. | The scan timed out before completion. This error can occur if downloading the blob for scanning takes too long. Blob size, type, complexity, and storage-account load all affect scan time. For example, a small blob might contain a compressed file with millions of entries. Defender scans each entry for malware, which can take a long time and cause a timeout. However, a large blob might be scanned quickly if Defender only analyzes the file header. | This issue is often temporary. Uploading the same blob again usually succeeds. | No |
| SAM259208: Not scanned - archive access tier is not supported. | Blobs in Azure's archive storage tier can't be scanned. For more information, see the malware scanning limitations documentation. | N/A | No |
| SAM259209: Not scanned - blobs encrypted with customer provided keys cannot be analyzed. | Client-side encrypted blobs can't be decrypted for scanning. For more information, see the malware scanning limitations documentation. | N/A | No |
| SAM259210: Scan failed - the requested blob is protected by password. | The blob is password-protected and can't be scanned. For more information, see the malware scanning limitations documentation. | N/A | Yes |
| SAM259211: Scan failed - maximum archive nesting depth exceeded. | The maximum archive nesting depth was exceeded. | Archive nesting is a known method for evading malware detection. Handle this blob with caution. | Yes |
| SAM259212: Scan failed - blob data is corrupt. | The blob is corrupted, and malware scanning was unable to scan it. | N/A | Yes |
| SAM259213: Not scanned - throttled by the service. | The scan request temporarily exceeded the service’s rate limit. This is a measure we take to manage server load and ensure optimal performance for all users. For more information, see the malware scanning limitations documentation. | To avoid this issue in the future, ensure your scan requests stay within the service’s rate limit. If your needs exceed the current rate limit, consider distributing your scan requests more evenly over time. | No |
| SAM259215: Not scanned - delayed by the service. | The scan has been delayed due to system load. It will be scanned when the load on the system subsides. | This is a transient state. Eventually the blob will be scanned. | No |
| SAM259220: Not scanned - immutability policy conflicted with another storage policy preventing blob access. | The scan could not be completed because the container has an immutability policy enabled and the storage account has Last Access Time (LAT) tracking enabled. These settings conflict and block read access to the blob. | Review your storage account configuration. To allow malware scanning, consider disabling LAT tracking or modifying the immutability policy to permit necessary access during scans. | No |
| SAM259221: Not scanned - the storage account is busy or not responsive. | The blob could not be scanned because the storage account was busy or did not respond. This can happen when the storage account experiences high load and read requests are throttled, or when network access to the blob is blocked. | The workload owner should consider reducing the load on the account, distributing the load across multiple accounts, or upgrading the account to a higher performance tier. Defender cannot effectively protect accounts that experience throttling issues, because it cannot access the blobs in them. | No |
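
The following is an added example, not code from the original page or from Microsoft: a fail-closed gate that turns a blob's scan result into an action before any downstream consumer reads the blob. The action names, the grouping of error codes, and the retry budget are assumptions of this example, derived from the Guidance column above; the tag key is spelled as on this page and its exact casing should be confirmed against a real blob.

```python
import re

TAG_KEY = "Malware scanning scan result"  # key text as written on this page
CODE_RE = re.compile(r"^(SAM\d{6}):\s*(Scan failed|Not scanned)\b")

# Grouping is this example's policy, not part of the service.
RETRY = {"SAM259201", "SAM259207", "SAM259213", "SAM259215"}  # transient per the table
FIX_CONFIG = {"SAM259203", "SAM259220", "SAM259221"}          # needs an owner's change


def triage(tags, attempts=0, max_attempts=3):
    """Return (action, reason). Only 'release' lets a consumer read the blob."""
    result = (tags or {}).get(TAG_KEY)
    if result is None:
        # Accounts over the throughput or size limits can leave blobs with no result.
        return ("hold", "no scan result present")
    result = result.strip()
    if result == "No threats found":
        return ("release", result)
    if result == "Malicious":
        return ("quarantine", result)
    match = CODE_RE.match(result)
    if match is None:
        # Covers the bare "Not scanned" state and any string this gate does not know.
        return ("review", f"unclassified result: {result!r}")
    code = match.group(1)
    if code in RETRY:
        if attempts < max_attempts:
            return ("retry", code)  # re-upload the blob to trigger a new scan
        return ("review", f"{code} persisted after {attempts} attempts")
    if code in FIX_CONFIG:
        return ("fix_config", code)
    # Password-protected, over-nested, corrupt, or unsupported blobs: never auto-release.
    return ("review", code)


if __name__ == "__main__":
    # Constructed sample tag sets, not captured from a real storage account.
    samples = [
        {TAG_KEY: "No threats found"},
        {TAG_KEY: "Malicious"},
        {TAG_KEY: "SAM259211: Scan failed - maximum archive nesting depth exceeded."},
        {TAG_KEY: "SAM259207: Scan failed - scan exceeded time limit."},
        {},
    ]
    for tags in samples:
        print(tags.get(TAG_KEY, "<no tag>"), "->", triage(tags))
```

A missing tag and an unrecognized string both block release, so a blob that was never scanned is treated the same as one whose scan failed.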
Next steps
- Learn about advanced configurations for malware scanning.