In June, Microsoft released Microsoft Defender Advanced Threat Protection (ATP) for Linux for general use. Now, Microsoft has improved the Linux version of Defender, by adding a public preview of EDR capabilities.
This is still not a version of Microsoft Defender you can run on a standalone Linux desktop. Its primary job remains to protect Linux servers from server and network threats. If you want protection for your standalone desktop, use such programs
With these new EDR capabilities, Linux Defender users can detect advanced attacks that involve Linux servers, utilize rich experiences, and quickly remediate threats. This builds on the existing preventive antivirus capabilities and centralized reporting available via the Microsoft Defender Security Center.
Rich investigation experience, which includes machine timeline, process creation, file creation, network connections, login events, and advanced hunting.Optimized performance-enhanced CPU utilization in compilation procedures and large software deployments.In-context AV detection. Just like with the Windows edition, you’ll get insight into where a threat came from and how the malicious process or activity was created.
To run the updated program, you’ll need one of the following Linux servers: RHEL 7.2+; CentOS Linux 7.2+; Ubuntu 16.04 or higher LTS; SLES 12+; Debian or higher; or Oracle Linux 7.2.
Make sure you’re running version 101.12.99 or higher. You can find out which version you’re running with the command:
You shouldn’t switch all your servers running Microsoft Defender for Endpoint on Linux to the preview in any case. Instead, Microsoft recommends you configure only some of your Linux servers to Preview mode, with the following command:
$ sudo mdatp edr early-preview enable
Once that’s done, if you’re feeling brave and want to see for yourself if it works, Microsoft is offering a way to run a simulated attack. To do this, follow the steps below to simulate a detection on your Linux server and investigate the case.
Verify that the onboarded Linux server appears in Microsoft Defender Security Center. If this is the first onboarding of the machine, it can take up to 20 minutes until it appears.
Download and extract the script file from here aka.ms/LinuxDIY to an onboarded Linux server and run the following command:
After a few minutes, it should be raised in Microsoft Defender Security Center.