Microsoft releases Defender ATP for Linux

Yes, you read that headline correctly, Microsoft has just released a security program for Linux.

Researcher finds Linux and macOS sudo bug impacting 'pwfeedback' option

Which seems more unlikely to you? Dogs and cats living together in peace or Microsoft releasing a security program for Linux? Actually, both are true. On June 23, Microsoft released Microsoft Defender Advanced Threat Protection (ATP) for Linux for general use

But before you get excited while you could use this on a Linux desktop, this version of ATP is not meant for the desktop. It's to protect Linux servers from server and network threats. If you want protection for your standalone desktop, you're better off with a such as ClamAV or Sophos Antivirus for Linux.

For sysadmins and security pros, Microsoft Defender Security Center is now available for monitoring and managing security across the full spectrum of enterprise desktop and server platforms -- Android, Windows, Windows Server, macOS, and Linux.

The point of this new program, according to Moti Gindi, corporate vice president of Microsoft Threat Protection, is "to protect the modern workplace environment across everything that it is, being Microsoft or non-Microsoft. We're protecting endpoints across Mac and today we're extending this endpoint protection to Linux and to iOS and Android." 

This program is now available for Red Hat Enterprise Linux (RHEL) 7 or higher; CentOS Linux 7 or newer; Ubuntu 16.04 or higher LTS versions; SUSE Linux Enterprise Server (SLES) 12 or higher; Debian 9 or newer; and Oracle Enterprise Linux 7.2.

On these servers, you use its shell program to launch, configure and manage the Defender agent. Once it's running you can start scans and manage threats from it locally or remotely. You can also deploy and configure it using the DevOps tools Puppet, Ansible, or manually using Bash commands.

You can also use the ATP's client shell interface to initiate scans, and manage threats. Once set up, though, you'd usually monitor your servers with the Microsoft Defender Security Center.

Once installed, ATP reports the following information to the Microsoft Defender Security Center console:

Antivirus alert information:

  • Severity
  • Scan type
  • Device information (see below for details)
  • File information (name, path, size, and hash)
  • Threat information (name, type, and state)

Device information:

  • Machine identifier
  • Tenant identifier
  • App version
  • Hostname
  • OS type
  • OS version
  • Computer model
  • Processor architecture
  • Whether the device is a virtual machine

While it's been in beta since February, Microsoft knows full well this is a 1.0 release. Helen Allas, a Microsoft Principal Program Manager, wrote:

We are just at the beginning of our Linux journey and we are not stopping here! We are committed to the continuous expansion of our capabilities for Linux and will be bringing you enhancements in the coming months. We can't wait for you to become part of our Linux journey and try out new capabilities as they become available. Make sure to turn on preview features in Microsoft Defender Security Center to get the latest updates before anyone else and stay tuned to our blog and Twitter channel for the latest announcements.

The program is available now. To use Microsoft Defender ATP for Linux, you'll need the Microsoft Defender ATP for Servers license. If you don't have one, you can sign up for a free trial of Microsoft Defender ATP.

Start with the Microsoft Defender ATP for Linux documentation. Finally, if you're already running the beta, Microsoft Defender ATP for Linux preview, you must update the agent to version 101.00.75 or higher.
 
Related Stories: