Boost protection of your Linux estate with behavior monitoring, extended distro coverage, and more
Published Nov 02 2021 07:40 AM 10.3K Views

We are thrilled to share the latest news about Microsoft Defender for Endpoint on Linux next generation protection, endpoint detection and response (EDR), threat and vulnerability management (TVM). Microsoft protection for your Linux estate is getting an impressive boost across the full spectrum of the security suite. With recent Microsoft Defender for Endpoint on Linux integration into Azure Security Center, the benefits of our Linux EDR and TVM now extend to Azure Defender customers.


Now let us dive into the specifics.



1. Linux EDR live response is now in public preview


Just a few days ago we enhanced our Linux detection and response with live response [public preview].  Turn on the preview features to see this capability in action.



2. Additional Linux Server distributions are now supported


Many Microsoft Defender for Endpoint customers requested to broaden the supported Linux distribution matrix with Amazon Linux, Fedora, and down-level RHEL. In response to this feedback, today we are extending the supported matrix to include Amazon Linux 2 and Fedora 33+. Additionally, the public preview of RHEL6.7+, CentOS 6.7+ is now available.


What capabilities are available for Amazon Linux 2 and Fedora 33+

The complete set of the previously released AV and EDR capabilities now applies to these newly added Linux distributions.

TVM coverage will be expanded with Amazon Linux and Fedora in coming months.

The minimum product version is 101.45.13.

For more information on the deployment details for these new distros, see the Microsoft Defender for Endpoint (Linux) deployment documentation.


How to get started with public preview for Linux RHEL6.7+, CentOS 6.7+

You’ll need to have preview features turned on in the Microsoft Defender Security Center or in the Microsoft 365 security center.

Ensure that these prerequisites are met:

  • Review the system requirements documentation to see a detailed list of supported kernel versions
  • Devices must be in the InsiderFast channel 
  • The minimum required Microsoft Defender for Endpoint version number is (InsiderFast): 101.45.13

Expect the previously released AV and EDR capabilities to also apply to RHEL6.7+, CentOS 6.7+.



3. Threat and vulnerability management for Debian distro is now in public preview


We are further expanding our Linux threat and vulnerability management to support Debian Linux distribution. TVM for Debian 9+ is now in public preview. Turn on preview features to access this expanded TVM coverage.



4. Antivirus behavior monitoring is now generally available on Linux


This new preventive functionality complements our existing strong content-based capabilities with behavior monitoring and runtime process memory scanning. These enhancements bring immediate ability to closely monitor processes, file system activities, and process interactions within the system. The enhanced ability to correlate events and behaviors across multiple processes allows us to more generically detect and block malware based on their behavioral classification. These behavior-based signals will act as additional runtime signals for our cloud-powered machine learning models and for effective runtime protection. Effectiveness of this new enhanced capability was initially highlighted in the independent MITRE 2021 evaluation


With behavior monitoring, Microsoft Defender for Endpoint on Linux protection is expanded to generically intercept whole new classes of threats such as ransom, sensitive data collection, crypto mining, and others. Behavior monitoring alerts appear in the Microsoft 365 Defender alongside all other alerts and can be effectively investigated. The following screenshot captures several examples of the new threat types that can now be prevented:




Let us drill into specific examples of our new Linux behavior monitoring in action.


Runtime memory scanning

Deep Memory Scanning based detection is highly effective against threats that either unpack themselves during execution or have multiple stages, where some will be downloaded from the network and executed directly from memory. Microsoft Defender for Endpoint on Linux memory scanner in cooperation with behavior monitoring engine is effective in detecting Metasploit meterpreter payload:





Behavior monitoring provides effective measures against ransomware attacks which can be achieved using variety of legitimate tools (for example, gpg, openssl) while carrying similar patterns from OS behavior perspective. Many of such patterns can be picked up by the behavior monitoring engine in a generic way. Here is how a ransomware alert appears in the security center:




The newest behavior monitoring capability on Linux seamlessly integrates into the existing preventive experiences. Behavior monitoring details and artifacts can also be explored locally using the existing Microsoft Defender for Endpoint on Linux command line interface. Here is how ransomware threat history looks like in the command line:  




How to get started with Linux antivirus behavior monitoring and blocking?

In coming weeks the new behavior monitoring and blocking capability will be gradually enabled by default on all Linux clients protected by Microsoft Defender for Endpoint.


The newest behavior monitoring and blocking capability applies to all Linux distributions currently supported by Microsoft Defender for Endpoint on Linux (RHEL 7.2+, CentOS Linux 7.2+, Ubuntu 16 LTS, or higher LTS, SLES 12+, Debian 9+, Oracle Linux 7.2+, Amazon Linux 2, Fedora 33+).


  • The minimum required Microsoft Defender for Endpoint version number is 101.45.13
  • Cloud-delivered protection must be enabled on devices to take advantage of the newest behavior monitoring and blocking capabilities.

You can check that cloud-delivered protection is enabled on a device by running the following command:

$ mdatp health --field cloud_enabled # this should print “true”

  • You can explicitly control the behavior monitoring capability via behavior monitoring configuration instead of waiting for completion of the gradual rollout.
  • For the duration of the gradual rollout, the behavior monitoring capability can be locally controlled on an individual device as :

$ sudo mdatp config behavior-monitoring --value enabled

$ sudo mdatp config behavior-monitoring --value disabled

  •  Try the “Do It Yourself” scenarios to see this capability in action. You can find “Do It Yourself” scenarios at this location.




We welcome your feedback and look forward to hearing from you! You can submit feedback through the Microsoft Defender Security Center or through the Microsoft 365 security center.


Monitor the What's new in Microsoft Defender for Endpoint on Linux page for upcoming announcements. Keep an eye on our blog and Twitter channel to stay up to date on additional Microsoft Defender for Endpoint advancements.



Microsoft Defender for Endpoint is an industry leading, cloud ML powered endpoint security solution offering endpoint protection, endpoint detection and response, vulnerability management, and mobile threat defense. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, sign up for a free Microsoft Defender for Endpoint trial today. 




Microsoft Defender for Endpoint team

Version history
Last update:
‎Nov 08 2021 09:27 AM
Updated by: