We are thrilled to share the latest news about Microsoft Defender for Endpoint on Linux next generation protection, endpoint detection and response (EDR), and threat and vulnerability management (TVM). Microsoft protection for your Linux estate is getting an impressive boost across the full spectrum of the security suite. With the recent integration of Microsoft Defender for Endpoint on Linux into Azure Security Center, the benefits of our Linux EDR and TVM now extend to Azure Defender customers.
Now let us dive into the specifics.
1. Linux EDR live response is now in public preview
2. Additional Linux Server distributions are now supported
Many Microsoft Defender for Endpoint customers asked us to broaden the supported Linux distribution matrix with Amazon Linux, Fedora, and down-level RHEL. In response to this feedback, today we are extending the supported matrix to include Amazon Linux 2 and Fedora 33+. Additionally, the public preview of RHEL 6.7+ and CentOS 6.7+ is now available.
What capabilities are available for Amazon Linux 2 and Fedora 33+?
The complete set of the previously released AV and EDR capabilities now applies to these newly added Linux distributions.
TVM coverage will be expanded to Amazon Linux and Fedora in the coming months.
The minimum product version is 101.45.13.
For more information on the deployment details for these new distros, see the Microsoft Defender for Endpoint (Linux) deployment documentation.
How to get started with the public preview for Linux RHEL 6.7+ and CentOS 6.7+
4. Antivirus behavior monitoring is now generally available on Linux
This new preventive functionality complements our existing strong content-based capabilities with behavior monitoring and runtime process memory scanning. These enhancements bring the immediate ability to closely monitor processes, file system activities, and process interactions within the system. The enhanced ability to correlate events and behaviors across multiple processes allows us to detect and block malware more generically, based on its behavioral classification. These behavior-based signals act as additional runtime signals for our cloud-powered machine learning models and for effective runtime protection. The effectiveness of this enhanced capability was initially highlighted in the independent MITRE 2021 evaluation.
With behavior monitoring, Microsoft Defender for Endpoint on Linux protection is expanded to generically intercept whole new classes of threats such as ransomware, sensitive data collection, crypto mining, and others. Behavior monitoring alerts appear in Microsoft 365 Defender alongside all other alerts and can be investigated in the same way. The following screenshot captures several examples of the new threat types that can now be prevented:
Let us drill into specific examples of our new Linux behavior monitoring in action.
Runtime memory scanning
Deep memory scanning-based detection is highly effective against threats that either unpack themselves during execution or have multiple stages, some of which are downloaded from the network and executed directly from memory. The Microsoft Defender for Endpoint on Linux memory scanner, in cooperation with the behavior monitoring engine, is effective in detecting the Metasploit Meterpreter payload:
Behavior monitoring provides effective measures against ransomware attacks, which can be carried out using a variety of legitimate tools (for example, gpg or openssl) while exhibiting similar patterns from the OS behavior perspective. Many such patterns can be picked up by the behavior monitoring engine in a generic way. Here is how a ransomware alert appears in the security center:
The newest behavior monitoring capability on Linux seamlessly integrates into the existing preventive experiences. Behavior monitoring details and artifacts can also be explored locally using the existing Microsoft Defender for Endpoint on Linux command line interface. Here is how the ransomware threat history looks in the command line:
How to get started with Linux antivirus behavior monitoring and blocking?
In the coming weeks the new behavior monitoring and blocking capability will be gradually enabled by default on all Linux clients protected by Microsoft Defender for Endpoint.
The newest behavior monitoring and blocking capability applies to all Linux distributions currently supported by Microsoft Defender for Endpoint on Linux (RHEL 7.2+, CentOS Linux 7.2+, Ubuntu 16 LTS or higher LTS, SLES 12+, Debian 9+, Oracle Linux 7.2+, Amazon Linux 2, Fedora 33+).
The minimum required Microsoft Defender for Endpoint version number is 101.45.13.
Cloud-delivered protection must be enabled on devices to take advantage of the newest behavior monitoring and blocking capabilities.
You can check that cloud-delivered protection is enabled on a device by running the following command:
$ mdatp health --field cloud_enabled # this should print "true"
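A readiness check that rolls both prerequisites above (minimum version 101.45.13 and cloud-delivered protection enabled) into one script, added here as an example rather than taken from the original post. Beyond the `cloud_enabled` field shown above, it assumes the `app_version` field of `mdatp health --field`; the checks themselves are pure POSIX sh functions so they can be exercised without mdatp installed.

```shell
#!/bin/sh
# Readiness check for Linux behavior monitoring: needs app_version >= 101.45.13
# and cloud_enabled == true, per the prerequisites listed in the post.
MIN_VERSION="101.45.13"

# strip_quotes VALUE -> VALUE without surrounding double quotes
# (defensive: string fields may be printed quoted, booleans are printed bare).
strip_quotes() {
  v=$1; v=${v#\"}; v=${v%\"}
  printf '%s\n' "$v"
}

# version_ge A B -> exit 0 if dotted version A >= B, 1 otherwise.
# Non-numeric suffixes ("13-beta") are ignored; missing components count as 0.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
    [ -z "$ai" ] && ai=0
    [ -z "$bi" ] && bi=0
    [ "$ai" -gt "$bi" ] && return 0
    [ "$ai" -lt "$bi" ] && return 1
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  return 0
}

# assess_readiness APP_VERSION CLOUD_ENABLED -> prints READY (exit 0) or the
# reasons the host is not ready (exit 1). Takes values as arguments so it can
# be run against constructed input as well as live mdatp output.
assess_readiness() {
  ver="$(strip_quotes "$1")"; cloud="$(strip_quotes "$2")"
  reasons=""
  version_ge "$ver" "$MIN_VERSION" || reasons="app_version $ver is below $MIN_VERSION; "
  [ "$cloud" = "true" ] || reasons="${reasons}cloud_enabled is '$cloud', expected true; "
  if [ -z "$reasons" ]; then
    echo "READY"
    return 0
  fi
  echo "NOT READY: $reasons"
  return 1
}

# Live check on this host; only runs where the mdatp CLI is installed
# (app_version is an assumed health field name, cloud_enabled is from the post).
if command -v mdatp >/dev/null 2>&1; then
  assess_readiness "$(mdatp health --field app_version)" "$(mdatp health --field cloud_enabled)"
fi
```

Run it on each host (or through your configuration management tool) and act on the printed reasons before relying on the new capability.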
Microsoft Defender for Endpoint is an industry-leading, cloud-ML-powered endpoint security solution offering endpoint protection, endpoint detection and response, vulnerability management, and mobile threat defense. With our solution, threats are no match. If you are not yet taking advantage of Microsoft's unrivaled threat optics and proven capabilities, sign up for a free Microsoft Defender for Endpoint trial today.