
In June, Microsoft released Microsoft Defender Advanced Threat Protection (ATP) for Linux for general use. Now, Microsoft has improved the Linux version of Defender by adding a public preview of endpoint detection and response (EDR) capabilities.
This is still not a version of Microsoft Defender you can run on a standalone Linux desktop. Its primary job remains to protect Linux servers from server and network threats. If you want protection for your standalone desktop, use such programs
With these new EDR capabilities, Linux Defender users can detect advanced attacks that involve Linux servers, utilize rich experiences, and quickly remediate threats. This builds on the existing preventive antivirus capabilities and centralized reporting available via the Microsoft Defender Security Center.
Rich investigation experience, which includes machine timeline, process creation, file creation, network connections, login events, and advanced hunting.
Optimized performance: enhanced CPU utilization in compilation procedures and large software deployments.
In-context AV detection. Just like with the Windows edition, you’ll get insight into where a threat came from and how the malicious process or activity was created.
To run the updated program, you’ll need one of the following Linux servers: RHEL 7.2+; CentOS Linux 7.2+; Ubuntu 16.04 or higher LTS; SLES 12+; Debian or higher; or Oracle Linux 7.2.
Make sure you’re running version 101.12.99 or higher. You can find out which version you’re running with the command:
mdatp health
In any case, you shouldn’t switch all your servers running Microsoft Defender for Endpoint on Linux to the preview. Instead, Microsoft recommends you configure only some of your Linux servers to Preview mode, with the following command:
$ sudo mdatp edr early-preview enable
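The version check described above, as an added example (not Microsoft's script and not part of the original article): it reads mdatp health output, compares the version field by field against 101.12.99, and reports whether the host qualifies for the preview command. It assumes the output carries a line of the form app_version : "X.Y.Z"; the function names are hypothetical and the sample output is constructed.

```shell
#!/bin/sh
# Added example: gate the EDR preview on the agent version the article requires.
MIN_VERSION="101.12.99"

# Pull the version out of `mdatp health` text on stdin.
# Assumption: the output has a line of the form  app_version : "X.Y.Z"
extract_app_version() {
    sed -n 's/^[[:space:]]*app_version[[:space:]]*:[[:space:]]*"\{0,1\}\([0-9][0-9.]*\)"\{0,1\}.*$/\1/p' | head -n 1
}

# Succeed if dotted version $1 >= $2, comparing field by field as integers.
# A plain string compare would rank 101.9.0 above 101.12.99.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        x="${x:-0}"; y="${y:-0}"   # a missing field counts as 0
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# Read health output on stdin; print a verdict and return 0, 1 or 2.
edr_preview_eligible() {
    ver="$(extract_app_version)"
    case "$ver" in
        ""|*[!0-9.]*|.*|*.|*..*) echo "unknown"; return 2 ;;
    esac
    if version_ge "$ver" "$MIN_VERSION"; then
        echo "eligible $ver"
    else
        echo "too-old $ver"; return 1
    fi
}

# Constructed sample of health output (not captured from a real host).
sample_health() {
    printf 'healthy : true\napp_version : "%s"\n' "$1"
}

if command -v mdatp >/dev/null 2>&1; then
    mdatp health | edr_preview_eligible || true
else
    sample_health "101.9.0" | edr_preview_eligible || true
fi
```

A host that reports "unknown" should be checked by hand rather than treated as eligible.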
Once that’s done, if you’re feeling brave and want to see for yourself if it works, Microsoft is offering a way to run a simulated attack. To do this, follow the steps below to simulate a detection on your Linux server and investigate the case.
Verify that the onboarded Linux server appears in Microsoft Defender Security Center. If this is the first onboarding of the machine, it can take up to 20 minutes until it appears.
Download and extract the script file from aka.ms/LinuxDIY to an onboarded Linux server, then run the following command:
./mde_linux_edr_diy.sh
After a few minutes, the detection should be raised in Microsoft Defender Security Center.