Enhanced antimalware engine capabilities for Linux and macOS

Published Apr 25 2022 09:02 AM 10.5K Views

Update: Enhanced antimalware engine for Linux and macOS is now generally available. 

The new engine will be gradually rolled out to all devices.

IMPORTANT: Ensure you are applying regular updates. Soon after general availability, app/platform versions older than 101.62.64 (released in February of 2022) will stop getting security intelligence updates. 

To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, your security/IT team must configure your network/proxy/internet settings to allow connections between your endpoints and certain Microsoft URLs. To support the new Microsoft Defender for Endpoint on Linux and macOS anti-malware engine enhancements, you must allow-list within the proxy ecosystem in your environment the following URL endpoints:

[How this will affect your organization:]

Starting July 31, 2022,  access to these URLs will be *required* to ensure uninterrupted cloud-delivered protection on your Linux and macOS systems behind a proxy. Organizations that have not allow-listed by July 31, 2022, access to the above mentioned URLs will be unable to download threat definition updates required for effective anti-malware protection.



We are announcing a significant upgrade to our next-generation protection on Linux and macOS with a new, enhanced engine. 


The Microsoft Defender Antivirus antimalware engine is a key component of next-generation protection. This protection brings machine learning, big-data analysis, in-depth threat research, and the Microsoft cloud infrastructure, to protect devices (or endpoints) in your organization.


The main benefits of this major update include performance and prevention improvements, as well as adding support for custom file indicators on macOS and Linux.


What to expect with this enhancement:

  • Better support for protection against known and unknown malware with client-side machine-learning models, heuristics, and correlation between static signals.
  • Enhanced cloud-delivered protection with support for metadata-based  machine-learning models, file classifications and reputation-based  machine-learning models, and more.
  • Emergency security intelligence updates are now available through cloud-delivered protection that can help protect against malware outbreaks.
  • Better support for false positive and false negative prevention.
  • IMPORTANT: Threat naming and definition version nomenclature will change for the purpose of consistency across all platforms and aligning to our overall naming conventions. For more information about how Microsoft names malware, see: Malware names | Microsoft Docs.
  • Reduced memory and CPU footprints
  • Improved behavior monitoring with lower resource consumption is now available to all our customers as a configurable component for Linux (if enabled).
  • Memory scanning, providing better coverage for fileless attacks (Linux).
  • Reduced overall package size, significantly reduced security intelligence update download sizes.
  • Custom file indicators are now available with “audit”, “allow”, “block & remediate” action . The certificate indicator type will be added at a later date.


As a preview entry prerequisite, ensure the following requirements are fulfilled:

  1. During general availability, the new engine will be gradually rolled out to all devices. The process of migration from the old engine to the new engine would last for 3 months
  2. The minimum Microsoft Defender for Endpoint version number must be 101.62.64 [Feb 2022 build]
  3. Soon after migration begins, versions older than 101.62.64 will stop getting protection updates
  4. Organizations which have all devices on a version greater than 101.62.64 would get first preference for the rollout

Key changes to look out for


Custom file indicators

A key feature of the new antimalware engine is the ability to create custom file indicators. You may already have experience with custom file indicators on Windows. The existing three indicator response actions are “allow,” “alert only,” and “alert and block & remediate.” These actions are now supported on macOS and Linux.


Note that warn and block only (block without remediation) indicator types are currently not supported for Linux & macOS. This is visually indicated in the Microsoft 365 Defender portal. In addition, if you have previously created non-scoped custom file indicators (targeted to all devices) in your environment, the indicators will also start applying to any device that is running the new antimalware engine.


Threat nomenclature

The change in threat / malware name is changing to ensure consistency with the standard naming scheme followed across all platforms, including Windows. This is part of the effort for aligning our nomenclature across all platforms and having a standardized naming mechanism.


Threat names will now follow this format:

<Category>.<Platform>.<Family>.<Variant> ---> [Threat Type]:[Platform]/[Malware Family].[Variant]?![Suffixes]?



Previous engine syntax

New engine syntax


























Microsoft Defender for Endpoint threat list output


Some examples of the updated threat names when displayed through command line:

Screenshot of a detected Linux threat with new naming conventionScreenshot of a detected Linux threat with new naming convention


Screenshot of a Trojan detected with new threat naming conventionScreenshot of a Trojan detected with new threat naming convention


User Interface (macOS)

The following screenshot shows alerts will use the updated threat names in the user interface:


Screenshot from macOS UI showing new threat nameScreenshot from macOS UI showing new threat name


Microsoft 365 Defender portal

Alerts will use the updated threat names in the Microsoft 365 Defender portal.

For example:

Screenshot showing an alert in the portal with the new naming conventionScreenshot showing an alert in the portal with the new naming convention


Screenshot showing an alert example in the portal with the new naming conventionScreenshot showing an alert example in the portal with the new naming convention


Version numbers

The format of ‘Security intelligence version’ under the About tab and Virus and threat protection updates in the macOS Microsoft Defender interface and using the Linux command line interface will now display a different version numbering scheme.

Security Intelligence/definitions version example: 1.355.2459.0

Engine version example: 1.1.18900.3


Comparison of old version name vs new version name displayComparison of old version name vs new version name display


Comparison of old client version name vs new version name on macOS UIComparison of old client version name vs new version name on macOS UI



Comparison of old engine version name vs new version name on Linux agentComparison of old engine version name vs new version name on Linux agent


Exceptions / Rules configured based on threat names

In the previous engine capability, if any rule has been configured (using “mdatp threat allowed” command) to allow threats based on the threat family name, those rules will not be in effect with the new engine. New rules will have to be created with the corresponding new threat family names. For example, in case of EICAR threats:


Screenshot of threat exclusion command changesScreenshot of threat exclusion command changes


IMPORTANT: Action might be needed

  • Ensure your proxy solution allows access to security intelligence and cloud protection locations. Some of these locations were previously listed as "optional" and applied primarily to Windows, at Configure device proxy and Internet connection settings | Microsoft Docs.
  • Threat exclusions defined using the old naming convention will need to be updated. In addition, if you have any scheduled queries based on the threat name, you may need to revise them.

Note: In addition to setting exclusions for files that may no longer be covered by allowed threat configuration, you can now also use custom file indicators with the “Allow" action type as a mitigation.


We welcome your feedback and look forward to hearing from you! You can submit feedback through the Microsoft 365 security center.

Version history
Last update:
‎Jul 05 2022 09:18 AM
Updated by: