Microsoft Defender for Linux now has endpoint detection and response security

Microsoft's server-based Linux security program is ready to protect your Linux servers, Windows desktops, and Macs.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

After months in the making, Microsoft Defender for Endpoint on Linux server now has endpoint detection and response (EDR) abilities. I know. It's still startling, but Microsoft now produces Linux security programs. Will miracles never cease?

Now, this is not Microsoft Defender for the Linux desktop. Some miracles haven't happened yet. In this version of Defender, its No. 1 job is to protect Linux servers from server and network threats. If you want protection for your standalone Linux desktop, use such programs as ClamAV or Sophos Antivirus for Linux. With the new EDR features, you can also use it to protect PCs running macOS, Windows 8.1, and Windows 10.

With these new EDR capabilities, Linux Defender users can detect advanced attacks that involve Linux servers, Macs, and Windows desktops, investigate them with rich tooling, and quickly remediate threats. This builds on the existing preventative antivirus capabilities and centralized reporting available via the Microsoft Defender Security Center.

Specifically, it includes:

  • Rich investigation experience, including machine timeline, process creation, file creation, network connections, login events, and advanced hunting.
  • Optimized performance: enhanced CPU utilization in compilation procedures and large software deployments.
  • In-context AV detections: just as on Windows, you get insight into where a threat came from and how the malicious process or activity was created.
  • Custom detections on top of its other threat-hunting capabilities.

To run the updated program, you'll need one of the following Linux servers: RHEL 7.2+; CentOS Linux 7.2+; Ubuntu 16.04 or higher LTS; SLES 12+; Debian 9 or newer; or Oracle Linux 7.2 or higher.

To run Microsoft Defender for Endpoint on Linux, you'll need a Servers license. If you're already testing the public preview, update the agent to released version 101.18.53 or higher. If you are already running it in production, your devices will seamlessly receive the new EDR capability as soon as you update the agent to version 101.18.53 or higher.
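A small prerequisite check for the two requirements above (supported distro release and agent version 101.18.53 or higher), added here as an example and not part of the article or of Microsoft's tooling. It reads the ID and VERSION_ID fields of /etc/os-release and assumes the installed agent reports its version through `mdatp health --field app_version`.

```shell
#!/bin/sh
# Added example (not from the article or from Microsoft): checks a host against
# the distro and agent-version minimums the article lists for the EDR update.
MIN_AGENT="101.18.53"

# version_ge A B: succeeds when dotted version A >= B, compared component-wise.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
    if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
    x="${x:-0}"; y="${y:-0}"
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
  done
  return 0
}

# distro_supported ID VERSION_ID: values as written in /etc/os-release.
distro_supported() {
  case "$1" in
    rhel|centos|ol) version_ge "$2" 7.2 ;;   # RHEL, CentOS, Oracle Linux 7.2+
    sles)           version_ge "$2" 12 ;;
    debian)         version_ge "$2" 9 ;;
    ubuntu)
      # only LTS releases qualify: an .04 release of an even year, 16.04+
      case "$2" in *.04) ;; *) return 1 ;; esac
      if [ $(( ${2%%.*} % 2 )) -ne 0 ]; then return 1; fi
      version_ge "$2" 16.04 ;;
    *) return 1 ;;
  esac
}

# agent_ok VERSION: true when the installed agent is new enough to carry EDR.
agent_ok() { version_ge "$1" "$MIN_AGENT"; }

# check_this_host: evaluate the running machine. Assumption: the agent prints
# its version via `mdatp health --field app_version` (quoted string).
check_this_host() {
  [ -r /etc/os-release ] || { echo "cannot read /etc/os-release"; return 2; }
  . /etc/os-release
  distro_supported "$ID" "$VERSION_ID" || { echo "unsupported: $ID $VERSION_ID"; return 1; }
  command -v mdatp >/dev/null 2>&1 || { echo "agent not installed"; return 1; }
  ver=$(mdatp health --field app_version | tr -d '"')
  agent_ok "$ver" || { echo "agent $ver is older than $MIN_AGENT; no EDR yet"; return 1; }
  echo "ok: $ID $VERSION_ID, agent $ver"
}

if [ "${1:-}" = "--check" ]; then check_this_host; fi
```

Run it with `--check` on the host; note that CentOS 7 reports only VERSION_ID="7" in /etc/os-release, so on that distro read the point release from /etc/centos-release instead.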

Microsoft thinks well of this latest program. "The release is an amazing milestone providing us a 360 view on all our platforms for our threat hunting strategy," said Guy Fridman, Microsoft head of Security Operation and Response. If you want to see whether it's right for you, you can sign up for a free trial of Microsoft Defender for Endpoint on Linux today.
