Microsoft Defender for Linux adds new security feature

Microsoft's server-based Linux protection program is now offering a public preview of improved endpoint detection and response features.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

I know it's still hard for some of you to wrap your minds around it, but Microsoft really does support Linux these days. A case in point: Back in June, Microsoft released Microsoft Defender Advanced Threat Protection (ATP) for Linux for general use. Now, Microsoft has improved the Linux version of Defender, by adding a public preview of endpoint detection and response (EDR) capabilities.

This is still not a version of Microsoft Defender you can run on a standalone Linux desktop. Its primary job remains to protect Linux servers from server and network threats. If you want protection for your standalone desktop, use such programs as ClamAV or Sophos Antivirus for Linux.

For businesses, though, with workers from home now using their Macs and Windows PCs here, there, and everywhere, it's a different story. While based on Linux servers, you'll be able to use it to protect PCs running macOS, Windows 8.1, and Windows 10

With these new EDR capabilities, Linux Defender users can detect advanced attacks that involve Linux servers, utilize rich experiences, and quickly remediate threats. This builds on the existing preventative antivirus capabilities and centralized reporting available via the Microsoft Defender Security Center.

Specifically, it includes:

  • Rich investigation experience, which includes machine timeline, process creation, file creation, network connections, login events, and advanced hunting.
  • Optimized performance-enhanced CPU utilization in compilation procedures and large software deployments.
  • In-context AV detection. Just like with the Windows edition, you'll get insight into where a threat came from and how the malicious process or activity was created.

To run the updated program, you'll need one of the following Linux servers: RHEL 7.2+; CentOS Linux 7.2+; Ubuntu 16.04 or higher LTS; SLES 12+; Debian or higher; or Oracle Linux 7.2.

Next, to try these public preview capabilities, you'll need to turn on the preview features in Microsoft Defender Security Center. Before you do this, make sure you're running version 101.12.99 or higher. You can find out which version you're running with the command: 

mdatp health

You shouldn't switch all your servers running Microsoft Defender for Endpoint on Linux to the preview in any case. Instead, Microsoft recommends you configure only some of your Linux servers to Preview mode, with the following command:

$ sudo mdatp edr early-preview enable 

Once that's done, if you're feeling brave and want to see for yourself if it works, Microsoft is offering a way to run a simulated attack. To do this, follow the steps below to simulate a detection on your Linux server and investigate the case. 

  1. Verify that the onboarded Linux server appears in Microsoft Defender Security Center. If this is the first onboarding of the machine, it can take up to 20 minutes until it appears. 

  2. Download and extract the script file from here aka.ms/LinuxDIY to an onboarded Linux server and run the following command:


  3. After a few minutes, it should be raised in Microsoft Defender Security Center.

  4. Look at the alert details, machine timeline, and perform your typical investigation steps.

 Good luck! 

Related Stories:

Editorial standards