Cloud Storage Security (CSS) Malware Protection for Microsoft Azure Blob is a malware scanning solution designed to detect and remove threats within Azure Blob Storage environments. The solution deploys a lightweight serverless agent within the customer's Azure environment using Azure Container Apps, meaning files are never transmitted outside the customer's account for scanning. Scanning is handled by selectable threat detection agents, including ClamAV, Sophos, and CrowdStrike, with malware definitions updated daily. Core scanning capabilities include: - Continuous scanning of existing files already present in Blob Storage - Real-time scanning of new file uploads - Multiple scan models initiated without needing to move files between containers Upon scanning, files are tagged with user-defined metadata labels reflecting the scan verdict (e.g., clean or malicious), enabling downstream access control and permissions enforcement by DevOps teams. Infected files can be automatically moved to designated quarantine containers based on user-defined file handling policies. The solution is built on Azure Event Grid, Azure Storage Queues, and Azure Container Apps, and integrates with Azure Bicep for deployment. It supports Azure Blob and is available in Azure Commercial Regions. CSS originally built its platform for AWS and has expanded support to Microsoft Azure, positioning this product as part of a broader multi-cloud data security offering.