Malware automated remediation in Defender for Storage (Preview)
September 16, 2025
Malware automated remediation in Defender for Storage malware scanning is now available in public preview.
With this new capability, malicious blobs detected during on-upload or on-demand scanning can be automatically soft-deleted. This ensures harmful content is quarantined while still recoverable for further investigation.
You can enable or disable malware automated remediation at either the subscription or storage account level from the Microsoft Defender for Cloud tab in the Azure portal, or by using the API.
For more information, see Built-in automated malware remediation for malicious blobs.
New refined attack paths
September 9, 2025
Attack paths now reflect real, externally driven, and exploitable risks that adversaries could use to compromise your organization, helping you cut through the noise and act faster. The paths now focus on external entry points and how attackers could progress through your environment to reach business-critical targets. This experience brings greater clarity, focus, and prioritization, empowering security teams to mitigate the most critical risks with confidence.
Read more about it in this blog: Refining Attack Paths: Prioritizing Real-World, Exploitable Threats
Trusted Exposure
September 14, 2025
Organizations can now define known safe IP ranges as part of the new Trusted IPs configuration via Azure DINE policy. When configured, internet-facing resources (Azure VM/VMSS, AWS EC2, GCP Compute Instances) exposed only to these trusted IPs are treated as trusted and no attack paths are generated. This reduces false positives and enhances the quality of attack path analysis and exposure findings in recommendations. Current support includes multi-cloud compute resources across Azure VM/VMSS, AWS EC2, and GCP Compute Instances.
Exposure Width
September 14, 2025
Defender for Cloud now includes Exposure Width (GA) that calculates how broadly or narrowly a resource is exposed to the public internet based on its networking rules. It helps security teams prioritize and remediate the most critical findings in attack paths and recommendations by factoring in the extent of exposure. Current support includes multi-cloud compute resources across Azure VM/VMSS, AWS EC2, and GCP Compute Instances.
Trivy dependency scanning for code repositories (Update)
September 11, 2025
Defender for Cloud now includes open-source dependency vulnerability scanning powered by Trivy in filesystem mode. This helps you strengthen security by automatically detecting operating system and library vulnerabilities across GitHub and Azure DevOps repositories.
Where it applies:
- In-pipeline (CLI) scanning.
- Agentless code scanning (preview).
What to do:
- For Azure DevOps or GitHub, create or edit a connector.
- For in-pipeline scanning, add the Microsoft Security DevOps (MSDO) CLI tool to your pipeline definition.
Where results appear:
- Pipeline logs and SARIF files.
- Defender for Cloud recommendations:
  - Azure DevOps repositories should have dependency vulnerability scanning findings resolved
  - GitHub repositories should have dependency vulnerability scanning findings resolved
If you use GitHub Advanced Security dependency scanning, Defender for Cloud now enhances, rather than replaces, those results.
Effective date: September 15, 2025.