What causes the malware scan of a blob in a storage account to fail or timeout?

Question

What causes the malware scan of a blob in a storage account to fail or timeout?

Brian Hall - AgelessRx 40

We have Microsoft Defender for Cloud enabled and we are using the malware scanning feature for blobs in our storage account when they are uploaded. We have been seeing a small percentage of these scans fail outright due to an "internal service error" or a timeout error. We are trying to understand why these happen and if there's anything we can do to mitigate this or if there's a setting in Azure that forces blobs like this to retry automatically.

Nandamuri Pranay Teja 4,855 Reputation points Microsoft External Staff Moderator

2025-08-18T15:24:14.08+00:00
Hello Brian Hall

Thank you for posting the question!
To investigate further could you please provide me the below required information.

What is the typical size and type of blobs you are scanning? Have there been any recent changes to permissions or configurations within your storage account?

Are you receiving any specific error codes or messages along with the internal service error or timeout? Are you utilizing any specific upload mechanisms or tools that may affect blob performance?

However, in the meantime you can try the below steps.

Please be informed that the "internal service error" you're seeing corresponds to error code SAM259201. This is classified as "an unexpected internal system error occurred during the scan" and is described as "a transient error and subsequent upload of blobs that failed to be scanned with this error should succeed." azure-security-docs/articles/defender-for-cloud/introduction-malware-scanning.md at main · MicrosoftDocs/azure-security-docs

No charges are incurred for failed scans azure-security-docs/articles/defender-for-cloud/introduction-malware-scanning.md at main · MicrosoftDocs/azure-security-docs

Unfortunately, there is no built-in automatic retry setting in Azure for failed malware scans. Since there's no automatic retry, you can implement Event Grid-Based Monitoring or. Log Analytics for Monitoring

Event Grid custom topics to receive near-real-time scan results Enable Defender for Storage using the Azure portal - Microsoft Defender for Cloud | Microsoft Learn and build automation around failures:

Configure Event Grid to capture all scan results

Create an Azure Function that triggers on scan failure events

Implement retry logic that re-uploads or triggers re-scanning

Log Analytics for Monitoring

Log Analytics workspace to store scan results in a centralized repository Enable Defender for Storage using the Azure portal - Microsoft Defender for Cloud | Microsoft Learn:

Scan results are recorded in a table named StorageMalwareScanningResults Enable Defender for Storage using the Azure portal - Microsoft Defender for Cloud | Microsoft Learn

Let me know if you have any questions or concerns via comment I'm here to help.

Accepted answer

0 additional answers

Your answer

Answer 1

Hi, these are normal edge cases of Defender for Storage’s malware scanning. “Scan failed – internal service error” is a transient backend issue, retries usually succeed; “scan exceeded time limitation” happens when large/complex blobs (e.g., big or deeply nested archives) hit the per-blob time cap (roughly 30 minutes to 3 hours depending on size). You can also see failures when the rate/throughput limits are exceeded (≈2 GB/min and 2,000 files/min per storage account - requests get throttled/not scanned), or when blobs are unscannable (archive tier, client-side encryption, password-protected archives, excessive archive nesting, or oversize blobs, current docs note a 50 GB ceiling). Mitigate by smoothing uploads below the limits (batch/queue with backoff), splitting or avoiding heavily nested/passworded archives, ensuring the scanner’s permissions weren’t removed, and monitoring results via Log Analytics. There’s no built-in auto-retry for failed scans, implement it yourself: subscribe to the scan result events (or logs), and on error states trigger an on-demand rescan or re-ingest via a DMZ pattern (Event Grid - Function moves only “no threat found” blobs). Key refs: results/limits, timeouts, throttling/size/unsupported causes, and response patterns.

Brian Hall - AgelessRx 40 Reputation points

2025-08-19T21:36:11.3333333+00:00

Thank you Michele. Sorry for the delayed response. That all makes sense. Based on your explanation, I think our issue might be throughput. During peak times we are pretty chatty with our Blob storage account. I've marked your answer as the "Accepted Answer". Thanks again!

Share via

What causes the malware scan of a blob in a storage account to fail or timeout?

0 additional answers

Your answer