Suspicious activity

Defender for Cloud: Antimalware real-time protection was disabled temporarily while code was executed in your virtual machine

Risk Level

Informational (4)



A temporary disablement of real-time protection in the antimalware extension, in parallel with code execution via the custom script extension, was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription. Attackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.
  • Recommended Mitigation

    Review the permissions that were used to perform this operation.
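
The correlation described above, as an added triage example that is not Defender for Cloud's own detection logic: it pairs a disable/restore of real-time protection with a custom script extension write on the same VM and lists the callers whose permissions to review. The record layout, the `realtime` field, the 30-minute window and all sample values are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

EXT_WRITE = "Microsoft.Compute/virtualMachines/extensions/write"
WINDOW = timedelta(minutes=30)  # assumed upper bound for a "temporary" disablement

def ev(time, vm, ext, caller, realtime=None):
    return {"time": time, "vm": vm, "op": EXT_WRITE, "ext": ext,
            "caller": caller, "realtime": realtime}

# Constructed, simplified records (not real Activity Log output). "realtime" is
# assumed to have been resolved from the antimalware extension settings.
EVENTS = [
    ev("2024-05-01T09:00:00", "vm-web-03", "CustomScriptExtension", "ops@example.com"),
    ev("2024-05-01T10:00:00", "vm-app-01", "IaaSAntimalware", "svc-deploy@example.com", False),
    ev("2024-05-01T10:03:00", "vm-app-01", "CustomScriptExtension", "svc-deploy@example.com"),
    ev("2024-05-01T10:06:00", "vm-app-01", "IaaSAntimalware", "svc-deploy@example.com", True),
    ev("2024-05-01T11:00:00", "vm-db-02", "IaaSAntimalware", "dba@example.com", False),
    ev("2024-05-01T11:05:00", "vm-db-02", "IaaSAntimalware", "dba@example.com", True),
    ev("2024-05-01T12:00:00", "vm-db-02", "CustomScriptExtension", "dba@example.com"),
]

def find_suspicious_windows(events, window=WINDOW):
    """Report VMs where a script extension ran while real-time protection was off."""
    findings, disabled = [], {}  # disabled: vm -> open disablement window
    for e in sorted(events, key=lambda r: r["time"]):
        if e["op"] != EXT_WRITE:
            continue
        when, state = datetime.fromisoformat(e["time"]), disabled.get(e["vm"])
        if e["ext"] == "IaaSAntimalware" and e["realtime"] is False:
            # Keep the earliest disablement if it is written more than once.
            disabled.setdefault(e["vm"], {"since": when, "callers": {e["caller"]}, "scripts": 0})
        elif e["ext"] == "IaaSAntimalware" and e["realtime"] and state:
            # Protection restored: the window closes. Report it only if it was
            # short (temporary) and code was executed inside it.
            del disabled[e["vm"]]
            if state["scripts"] and when - state["since"] <= window:
                findings.append({"vm": e["vm"], "disabled_at": state["since"],
                                 "restored_at": when,
                                 "callers": sorted(state["callers"] | {e["caller"]})})
        elif e["ext"] == "CustomScriptExtension" and state:
            state["scripts"] += 1
            state["callers"].add(e["caller"])
    return findings

if __name__ == "__main__":
    for f in find_suspicious_windows(EVENTS):
        print(f["vm"], f["disabled_at"], f["restored_at"], f["callers"])
```

A disablement that is never restored is not reported here because it is not temporary; it warrants its own check.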