We know it's still hard for some of you to accept, but Microsoft really does support Linux - especially lately. A specific example: In June, Microsoft released Microsoft Defender Advanced Threat Protection (ATP) for Linux for all users. Now, Microsoft has improved the Linux version of Defender by adding a public preview of Endpoint Detection and Response (EDR) capabilities.
This is not a version of Microsoft Defender that you can run on a standalone Linux desktop. Its main job remains to protect Linux servers from server threats and network. If you want protection for your standalone desktop, use programs like ClamAV or Sophos Antivirus for Linux.
For businesses, however, that have employees who work from home and use them now Poppy and their Windows computers everywhere, that's another story. While it relies on Linux servers, you can use it to protect running computers MacOS, Windows 8.1 and Windows 10.
With these new EDR capabilities, Linux Defender users can quickly detect advanced attacks involving Linux servers and recover any threats. This builds on existing antivirus prudence and aggregation reports available through the Microsoft Security Defender Center.
Specifically, it includes:
- Rich research, including "machine timeline", process creation, file creation, network connections and connection events.
- Optimized CPU performance with improved performance in compilation processes and "large" software applications.
- AV detection in the environment. As with Windows, you will receive information about where a threat came from and how the malicious process or activity was created.
To run the updated program, you will need one of the following Linux servers: RHEL 7.2+, CentOS Linux 7.2+, Ubuntu 16.04 or newer LTS, SLES 12+ or Oracle Linux 7.2.
Next, to try out these public preview features, you should turn on the possibilities preview at the Microsoft Defender Security Center. Before doing this, make sure you are using version 101.12.99 or later. You can find out which version you are using with the command: mdatp health
You do not have to change all servers running Microsoft Defender for Endpoint to Linux in preview mode. Instead, Microsoft recommends that configure only some of the Linux servers in preview mode, with the following command: $ sudo mdatp edr early-preview enable
Once this is done, if you feel brave enough and want to see for yourself if it works, Microsoft offers a way to run a simulated attack. To do this, follow these steps to simulate a scan on the Linux server and investigate the case.
1.Make sure the embedded Linux server appears in the Microsoft Defender Security Center.
2.Download and export the script file from here aka.ms/LinuxDIY to an embedded Linux server and run the following command: ./mde_linux_edr_diy.sh
3. After a few minutes, it should "open" in Microsoft Defender Security Center.
4. Look at the notification details, the so-called machine timeline and perform the standard steps of your research.