Get Malicious file name(s) within Zipped file from Azure Defender scan results for Storage

Singh, Rahul 16 Reputation points
2025-08-28T14:53:25.0133333+00:00

I am using the on-upload malware scanning feature of Defender for Azure storage. When I upload a zipped file to a blob, I can see the following response in the scan results:

```json
{
  "malwareNamesFound": [
    "Virus:DOS/EICAR_Test_File"
  ],
  "sha256": "55ACA31E55CF8019BC7D135FC2B1B1AA8D91052C4F1EC2E94FB4A5405B907C45",
  "pathHints": [
    "->MTest/eicar.com.txt",
    "->MTest/eicar2.com",
    "->MTest/footestfromp.com"
  ]
}
```

As per the documentation, the scanResultDetails JSON doesn't contain any **pathHints** field. Could you please let us know if this is an internal field that shouldn't be used in our automation? Or is only the documentation missing?

Azure Storage

1 answer

  1. Michele Ariis 4,590 Reputation points MVP
    2025-08-28T15:04:24.0833333+00:00

    Hi, when Defender for Storage scans an uploaded archive, the documented schema only guarantees fields like scanResultType, malwareNamesFound, and sha256. The pathHints you’re seeing is an undocumented internal field that lists inner files in a zip. Since it’s not in the official event contract, Microsoft can change or remove it anytime, so you shouldn’t rely on it in automation. Use only the documented fields for enforcement and treat pathHints as optional/context info; if you want it formally supported, submit feedback to Microsoft docs.
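
One way to apply the advice in the answer above, as an added example that is not part of the original thread or Microsoft's code: the enforcement decision reads only scanResultType, malwareNamesFound and sha256, while pathHints is read best-effort as analyst context. The outer envelope, the scanResultType values, the function names and the action labels are assumptions made for this sketch.

```python
import json

# Constructed sample: the scanResultDetails from the question, wrapped in an
# assumed envelope that also carries scanResultType.
SAMPLE = json.loads("""{
  "scanResultType": "Malicious",
  "scanResultDetails": {
    "malwareNamesFound": ["Virus:DOS/EICAR_Test_File"],
    "sha256": "55ACA31E55CF8019BC7D135FC2B1B1AA8D91052C4F1EC2E94FB4A5405B907C45",
    "pathHints": ["->MTest/eicar.com.txt", "->MTest/eicar2.com",
                  "->MTest/footestfromp.com"]
  }
}""")

MALICIOUS = "Malicious"      # assumed scanResultType value
CLEAN = "No threats found"   # assumed scanResultType value


def inner_paths(details):
    """Best-effort read of the undocumented pathHints field; never raises."""
    hints = details.get("pathHints")
    if not isinstance(hints, list):
        return []  # field absent or reshaped: lose context, not the pipeline
    # The "->" prefix is only what the sample shows, so strip it if present.
    return [h[2:] if h.startswith("->") else h
            for h in hints if isinstance(h, str) and h.strip()]


def decide(result):
    """Derive the action from the documented fields only."""
    details = result.get("scanResultDetails")
    details = details if isinstance(details, dict) else {}
    names = details.get("malwareNamesFound")
    names = names if isinstance(names, list) else []
    verdict = result.get("scanResultType")
    if verdict == MALICIOUS or names:
        action = "quarantine"
    elif verdict == CLEAN:
        action = "allow"
    else:
        action = "review"  # unknown or missing verdict is never auto-allowed
    return {"action": action, "malware": names,
            "sha256": details.get("sha256"),
            # Context for the alert or ticket; not an input to "action".
            "inner_files": inner_paths(details)}


if __name__ == "__main__":
    print(json.dumps(decide(SAMPLE), indent=2))
```

If pathHints disappears or changes shape, the action stays the same and only the inner_files context goes empty.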

