
As we continue our powerful momentum in securing Linux platforms, we are excited to announce the public preview of Microsoft Defender for Endpoint on Linux antivirus behavior monitoring and blocking!

The new preventive antivirus functionality complements our existing strong content-based capabilities with behavior monitoring and deep memory scanning. These enhancements bring immediate ability to closely monitor processes, file system activities, and process interactions within the system. The enhanced ability to correlate events and behaviors across multiple processes allows us to more generically detect and block malware based on their behavioral classification. These behavior-based signals will act as additional runtime signals for behavioral cloud-powered machine learning models and for effective runtime protection.

Our Linux antivirus behavior monitoring and blocking can be previewed on any Linux distribution that is currently supported by Microsoft Defender for Endpoint on Linux:

  • RHEL 7.2+
  • CentOS Linux 7.2+
  • Ubuntu 16 LTS, or higher LTS
  • SLES 12+
  • Debian 9+
  • Oracle Linux 7.2+

Microsoft Defender for Endpoint on Linux antivirus behavior monitoring seamlessly integrates into the existing preventive experiences. Behavior monitoring details and artifacts can be explored locally using the existing Microsoft Defender for Endpoint on Linux command line interface.

[Image: client-alert_med2.png]

Behavior monitoring alerts appear in the Microsoft Defender Security Center (as well as in the Microsoft 365 security center) alongside all other alerts and can be effectively investigated.

[Image: portal-alert1.png]

What are the preview prerequisites for Linux antivirus behavior monitoring and blocking?

To experience the Linux antivirus behavior monitoring and blocking in public preview, you’ll need to have preview features turned on in the Microsoft Defender Security Center. If you have not yet opted into previews, we encourage you to turn on preview features in the Microsoft Defender Security Center or in the Microsoft 365 security center today.

As a preview entry prerequisite, please ensure the following requirements are fulfilled:

  • Device must be in the InsiderFast channel
  • Minimum Microsoft Defender for Endpoint version (InsiderFast): 101.25.42
  • Device must be explicitly enrolled into the preview. The preview enrollment can be activated / deactivated using the following commands:

$ sudo mdatp config behavior-monitoring --value enabled

$ sudo mdatp config behavior-monitoring --value disabled

  • Microsoft Defender for Endpoint must be restarted for the enrollment/unenrollment commands to take effect.

How to start previewing Linux antivirus behavior monitoring and blocking?

To get started with the Linux antivirus behavior monitoring and blocking public preview:

  • Ensure preview prerequisites are met
  • Initially evaluate this new functionality on a selected subset of your non-production Linux devices
  • Ensure cloud-delivered protection is enabled on devices enrolled into the preview by running the following command:

$ mdatp health --field cloud_enabled # this should print “true”

  • Try “Do It Yourself” scenarios to see the features in action. You can find “Do It Yourself” scenarios attached to this blog
  • Continue running Linux clients enrolled into evaluation as you normally would
  • Share your feedback and observations to help us improve.
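
The prerequisites and getting-started steps above amount to three checks per device before enrollment: the InsiderFast channel, the minimum build 101.25.42, and cloud-delivered protection switched on. The preflight script below is an added example and is not part of this post or of Microsoft's tooling. It assumes that `mdatp health` prints one `name : value` line per field and that the fields are named release_ring, app_version and cloud_enabled; the sample health dump embedded in it is constructed for offline use, and the script falls back to that sample when mdatp is not installed.

```shell
#!/bin/sh
# Added preflight example (not part of the post or of Microsoft's tooling).
# Checks the three enrollment prerequisites from the post against the output
# of `mdatp health`, assumed to be `name : value` lines with the fields
# release_ring, app_version and cloud_enabled (field names are an assumption).

MIN_VERSION="101.25.42"   # minimum InsiderFast build named in the post

# Constructed sample of `mdatp health` output, used when mdatp is not installed.
SAMPLE_HEALTH='healthy : true
release_ring : "InsiderFast"
app_version : "101.25.42"
cloud_enabled : true'

# health_field DUMP FIELD -> prints FIELD's value with surrounding quotes removed
health_field() {
    printf '%s\n' "$1" | awk -v f="$2" '$1 == f { gsub(/"/, "", $3); print $3 }'
}

# version_ge A B -> succeeds when dotted version A >= B, comparing each part
# numerically (a plain string compare would rank 101.9.0 above 101.25.42)
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# check_prereqs DUMP -> one PASS/FAIL line per prerequisite; exit 0 only if all pass
check_prereqs() {
    ring=$(health_field "$1" release_ring)
    ver=$(health_field "$1" app_version)
    cloud=$(health_field "$1" cloud_enabled)
    failed=0

    if [ "$ring" = "InsiderFast" ]; then
        echo "PASS  channel: $ring"
    else
        echo "FAIL  channel: '${ring:-missing}' (device must be in InsiderFast)"; failed=1
    fi

    if [ -n "$ver" ] && version_ge "$ver" "$MIN_VERSION"; then
        echo "PASS  version: $ver (minimum $MIN_VERSION)"
    else
        echo "FAIL  version: '${ver:-missing}' (minimum $MIN_VERSION)"; failed=1
    fi

    if [ "$cloud" = "true" ]; then
        echo "PASS  cloud-delivered protection: enabled"
    else
        echo "FAIL  cloud-delivered protection: '${cloud:-missing}' (must be true)"; failed=1
    fi
    return $failed
}

# Run against the real agent when present, otherwise against the constructed sample.
# Only after every line reads PASS would you enroll the device with the
# `mdatp config behavior-monitoring --value enabled` command from the post
# and restart the agent.
if command -v mdatp >/dev/null 2>&1; then
    check_prereqs "$(mdatp health)"
else
    check_prereqs "$SAMPLE_HEALTH"
fi
```

The script exits non-zero on any failed check, so it can gate an enrollment step in a configuration-management run and keep devices that are still on the Production channel, or below 101.25.42, out of the preview until they are updated.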
We welcome your feedback and look forward to hearing from you! You can submit feedback through the Microsoft Defender Security Center or through the Microsoft 365 security center.

Monitor the What’s new in Microsoft Defender for Endpoint on Linux page for upcoming announcements (including general availability of Linux antivirus behavior monitoring and blocking). Stay tuned to our blog and Twitter channel to stay up to date on additional Microsoft Defender for Endpoint advancements.

Microsoft Defender for Endpoint is an industry-leading, cloud ML-powered endpoint security solution offering endpoint protection, endpoint detection and response, vulnerability management, and mobile threat defense. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, sign up for a free Microsoft Defender for Endpoint trial today.

Microsoft Defender for Endpoint team