Microsoft just expanded its malware protection for Linux servers

Microsoft brings more security tools to Linux operating systems for the cloud.
Written by Liam Tung, Contributing Writer

Microsoft has announced it's adding even more security features to the protection it offers to open-source operating systems.

Defender for Endpoint on Linux server gained endpoint detection and response (EDR) abilities a few months ago and now has extra capabilities for Azure Defender customers. It makes sense for Microsoft to develop security products for Linux, given that Linux distributions dominate virtual machine OSes on its Azure cloud.  

One key change is that Linux EDR detection and live response is now in public preview. The live response allows for in-depth investigations and quick threat containment by giving security teams forensic data, the ability to run scripts, share suspicious entities, and hunt for possible threats. 

See also: A winning strategy for cybersecurity (ZDNet special report).

Microsoft also has extended support for Amazon Linux 2 and Fedora 33+. And it now has a public preview of RHEL6.7+, CentOS 6.7+. Previously, EDR was available for: RHEL 7.2+; CentOS Linux 7.2+; Ubuntu 16.04 or higher LTS; SLES 12+; Debian 9 or newer; or Oracle Linux 7.2 or higher.

"The complete set of the previously released antivirus (AV) and EDR capabilities now applies to these newly added Linux distributions. [Threat and vulnerability management] coverage will be expanded with Amazon Linux and Fedora in coming months," Microsoft says

Users need to be on Microsoft Defender for Endpoint version 101.45.13. It also notes that previously released AV and EDR capabilities also apply to RHEL6.7+, CentOS 6.7+. Supported kernel versions are listed here

Microsoft is also bringing TVM to Linux Debian. A public preview of TVM for Debian 9+ public preview will be available in the coming weeks. 

It's also making Defender antivirus generally available on Linux, bringing the ability to monitor processes, file system activities, and how processes interact with the OS using Microsoft's cloud security. 

"With behavior monitoring, Microsoft Defender for Endpoint on Linux protection is expanded to generically intercept whole new classes of threats such as ransom, sensitive data collection, crypto mining, and others. Behavior monitoring alerts appear in the Microsoft 365 Defender alongside all other alerts and can be effectively investigated," Microsoft notes. 

See also: The IoT is getting a lot bigger, but security is still getting left behind.

It promises to address ransomware threats too with machine-learning techniques. 

"Behavior monitoring provides effective measures against ransomware attacks which can be achieved using a variety of legitimate tools (for example, gpg, openssl) while carrying similar patterns from OS behavior perspective. Many of such patterns can be picked up by the behavior monitoring engine in a generic way."

Admins can also explore security events locally using the Microsoft Defender for Endpoint on the Linux command line interface. 

Editorial standards