I know that it is still hard for some of our readers to accept the presence of Microsoft on Linux. By way of background, in June Microsoft announced general availability of Microsoft Defender Advanced Threat Protection (ATP) for Linux. Now Microsoft has improved the Linux version of Defender by adding a public preview of endpoint detection and response (EDR) capabilities.
It is still not a version of Microsoft Defender that can run on a standalone Linux desktop. Its main job remains protecting Linux servers from server and network threats.
Microsoft Defender keeps getting better on Linux
For businesses, however, with home workers now using their Macs and Windows PCs here, there, and everywhere, it is a different story: Microsoft Defender for Endpoint is a single service, so the same Microsoft Defender Security Center console that watches these Linux servers also covers computers running macOS, Windows 8.1, and Windows 10.
With these new EDR capabilities, Linux Defender users can detect advanced attacks involving Linux servers, investigate them with rich tooling, and remediate them quickly. This builds on the existing preventive antivirus capabilities and the centralized reporting available through Microsoft Defender Security Center. More specifically, it includes:
A rich investigation experience, including machine timeline, process creation, file creation, network connections, login events, and advanced hunting; and optimized CPU usage, with improved performance in build procedures and large software deployments. As with the Windows edition, you will be able to see where a threat came from and how the malicious activity or process was created.
To run the updated agent, you need one of the following Linux distributions: RHEL 7.2 or higher; CentOS 7.2 or higher; Ubuntu 16.04 LTS or higher; SLES 12 or higher; Debian 9 or higher; or Oracle Linux 7.2 or higher.
Next, to test these public preview features, enable preview features in Microsoft Defender Security Center. Before doing this, make sure that the agent you are running is version 101.12.99 or higher. You can find out which version you are using with the command:
You should not switch every server running Microsoft Defender for Endpoint on Linux to the preview. Instead, Microsoft recommends enrolling only a subset of servers in preview mode, with the following command:
$ sudo mdatp edr early-preview enable
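Putting the two steps together, the following shell script is an added example (not code from the article or from Microsoft) that reads the installed agent version, checks it against 101.12.99 with a proper per-component version comparison, and runs the enable command only on hosts that have been explicitly opted in, so the preview stays limited to the subset of servers you choose. It assumes that `mdatp health --field app_version` prints the agent version, and the opt-in marker file `/etc/mdatp-edr-preview.optin` is a hypothetical convention of this example, not something the agent defines.

```shell
#!/bin/sh
# Added example (not from the article or from Microsoft): gate the
# "mdatp edr early-preview enable" step behind a version check and an
# explicit per-host opt-in, so only a chosen subset of servers joins the preview.
set -eu

# Minimum agent version the article gives for the EDR public preview.
MIN_VERSION="101.12.99"

# Hypothetical marker file: drop it (e.g. via your configuration management)
# on the servers you want in the preview; every other host is left alone.
OPT_IN_FILE="/etc/mdatp-edr-preview.optin"

# version_ge A B: succeed when dotted version A is >= B, comparing each
# numeric component in turn (so 101.13.1 > 101.12.99, unlike a string compare).
version_ge() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}
        y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# edr_preview_decision VERSION OPT_IN_FILE: print "enable" or a "skip: ..." reason.
edr_preview_decision() {
    ver=$1
    opt_in=$2
    if ! version_ge "$ver" "$MIN_VERSION"; then
        echo "skip: agent $ver is older than $MIN_VERSION"
    elif [ ! -f "$opt_in" ]; then
        echo "skip: host not opted in (no $opt_in)"
    else
        echo "enable"
    fi
}

# Only touch the agent when the mdatp CLI is actually installed on this host.
main() {
    if ! command -v mdatp >/dev/null 2>&1; then
        echo "mdatp is not installed on this host; nothing to do" >&2
        return 0
    fi
    # Assumption: 'mdatp health --field app_version' prints the agent version,
    # possibly wrapped in double quotes, e.g. "101.12.99".
    ver=$(mdatp health --field app_version | tr -d '"')
    decision=$(edr_preview_decision "$ver" "$OPT_IN_FILE")
    echo "agent $ver: $decision"
    if [ "$decision" = "enable" ]; then
        sudo mdatp edr early-preview enable
    fi
}

main
```

The enable command acts on one host at a time, so the useful control point is the opt-in file: push it to the servers you want in the preview and run the script everywhere, and the version check stops a host that has not yet been upgraded to 101.12.99 from being enrolled by mistake.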
This is good news for anyone working with Linux. With this improvement, Microsoft continues to extend its presence in the Linux ecosystem, particularly on servers.