What's new in Microsoft Defender for Endpoint on Linux
This article is updated frequently to let you know what's new in the latest releases of Microsoft Defender for Endpoint on Linux.
Important
Starting with version 101.2408.0004
, Defender for Endpoint on Linux no longer supports the Auditd
event provider. We're transitioning completely to the more efficient eBPF technology. This change allows for better performance, reduced resource consumption, and overall improved stability. eBPF support has been available since August 2023, and is fully integrated into all updates of Defender for Endpoint on Linux (version 101.23082.0006
and later). We strongly encourage you to adopt the eBPF build, as it provides significant enhancements over Auditd. If eBPF is not supported on your machines, or if there are specific requirements to remain on Auditd, you have the following options:
Continue to use Defender for Endpoint on Linux build
101.24072.0000
with Auditd. This build will continue to be supported for several months, so you have time to plan and execute your migration to eBPF.If you are on versions later than
101.24072.0000
, Defender for Endpoint on Linux relies onnetlink
as a backup supplementary event provider. In the event of a fallback, all process operations continue to flow seamlessly.
Review your current Defender for Endpoint on Linux deployment, and begin planning your migration to the eBPF-supported build. For more information on eBPF and how it works, see Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux.
If you have any concerns or need assistance during this transition, contact support.
Nov-2024 (Build: 101.24092.0002 | Release version: 30.124092.0002.0)
Nov-2024 Build: 101.24092.0002 | Release version: 30.124092.0002.0
Released: November 14, 2024 Published: November 14, 2024 Build: 101.24092.0002 Release version: 30.124092.0002 Engine version: 1.1.24080.9 Signature version: 1.417.659.0
What's new
Support added for hardened installations on non-executable
/var
partitions. Beginning with this release, antivirus signatures are installed at/opt/microsoft/mdatp/definitions.noindex
by default, instead of/var/opt/microsoft/mdatp/definitions.noindex
. During upgrades, the installer attempts to migrate older definitions to the new path unless it detects that the path is already customized (usingmdatp definitions path set
).Beginning with this version, Defender for Endpoint on Linux no longer needs executable permissions for
/var/log
. If these permissions are not available, log files are automatically be redirected to/opt
.
Oct-2024 (Build: 101.24082.0004 | Release version: 30.124082.0004.0)
Sept-2024 Build: 101.24082.0004 | Release version: 30.124082.0004.0
Released: October 15, 2024
Published: October 15, 2024
Build: 101.24082.0004
Release version: 30.124082.0004
Engine version: 1.1.24080.9
Signature version: 1.417.659.0
What's new
- Starting this version, Defender for Endpoint on Linux no longer supports
AuditD
as a supplementary event provider. For improved stability and performance, we have completely transitioned to eBPF. If you disable eBPF, or in the event eBPF is not supported on any specific kernel, Defender for Endpoint on Linux automatically switches back to Netlink as a fallback supplementary event provider. Netlink provides reduced functionality and tracks only process-related events. In this case, all process operations continue to flow seamlessly, but you could miss specific file and socket-related events that eBPF would otherwise capture. For more details, see Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux. If you have any concerns or need assistance during this transition, contact support. - Stability and performance improvements
- Other bug fixes
Sept-2024 (Build: 101.24072.0001 | Release version: 30.124072.0001.0)
Sept-2024 Build: 101.24072.0001 | Release version: 30.124072.0001.0
Released: September 23, 2024
Published: September 23, 2024
Build: 101.24072.0001
Release version: 30.124072.0001.0
Engine version: 1.1.24060.6
Signature version: 1.415.228.0
What's new
- Added support for Ubuntu 24.04
- Updated default engine version to
1.1.24060.6
and default signatures version to1.415.228.0
.
July-2024 (Build: 101.24062.0001 | Release version: 30.124062.0001.0)
July-2024 Build: 101.24062.0001 | Release version: 30.124062.0001.0
Released: July 31, 2024
Published: July 31, 2024
Build: 101.24062.0001
Release version: 30.124062.0001.0
Engine version: 1.1.24050.7
Signature version: 1.411.410.0
What's new
There are multiple fixes and new changes in this release.
- Fixes bug in which infected command-line threat information was not showing correctly in security portal.
- Fixes a bug where disabling a preview feature required a Defender of Endpoint to disable it.
- Global Exclusions feature using managed JSON is now in Public Preview. available in insiders slow from 101.23092.0012. For more information, see linux-exclusions.
- Updated the Linux default engine version to 1.1.24050.7 and default sigs Version to 1.411.410.0.
- Stability and performance improvements.
- Other bug fixes.
June-2024 (Build: 101.24052.0002 | Release version: 30.124052.0002.0)
June-2024 Build: 101.24052.0002 | Release version: 30.124052.0002.0
Released: June 24, 2024
Published: June 24, 2024
Build: 101.24052.0002
Release version: 30.124052.0002.0
Engine version: 1.1.24040.2
Signature version: 1.411.153.0
What's new
There are multiple fixes and new changes in this release.
- This release fixes a bug related to high memory usage eventually leading to high CPU due to eBPF memory leak in kernel space resulting in servers going into unusable states. This only impacted the kernel versions 3.10x and <= 4.16x, majorly on RHEL/CentOS distros. Please update to the latest MDE version to avoid any impact.
- We have now simplified the output of
mdatp health --detail features
- Stability and performance improvements.
- Other bug fixes.
May-2024 (Build: 101.24042.0002 | Release version: 30.124042.0002.0)
May-2024 Build: 101.24042.0002 | Release version: 30.124042.0002.0
Released: May 29, 2024
Published: May 29, 2024
Build: 101.24042.0002
Release version: 30.124042.0002.0
Engine version: 1.1.24030.4
Signature version: 1.407.521.0
What's new
There are multiple fixes and new changes in this release:
- In version 24032.0007, there was a known issue where the enrollment of devices to MDE Security Management failed when using the "Device Tagging" mechanism via the mdatp_managed.json file. This issue has been resolved in the current release.
- Stability and performance improvements.
- Other bug fixes.
May-2024 (Build: 101.24032.0007 | Release version: 30.124032.0007.0)
May-2024 Build: 101.24032.0007 | Release version: 30.124032.0007.0
Released: May 15, 2024
Published: May 15, 2024
Build: 101.24032.0007
Release version: 30.124032.0007.0
Engine version: 1.1.24020.3
Signature version: 1.403.3500.0
What's new
There are multiple fixes and new changes in this release:
In passive and on-demand modes, antivirus engine remains in idle state and is used only during scheduled custom scans. Thus as part of performance improvements, we have made changes to keep the AV engine down in passive and on-demand mode except during scheduled custom scans. If the real time protection is enabled, antivirus engine will always be up and running. This will have no impact on your server protection in any mode.
To keep users informed of the state of antivirus engine, we have introduced a new field called "engine_load_status" as part of MDATP health. It indicates whether antivirus engine is currently running or not.
Field name
engine_load_status
Possible values Engine not loaded (AV engine process is down), Engine load succeeded (AV engine process up and running) Healthy scenarios:
- If RTP is enabled, engine_load_status should be "Engine load succeeded"
- If MDE is in on-demand or passive mode, and custom scan isn't running then "engine_load_status" should be "Engine not loaded"
- If MDE is in on-demand or passive mode, and custom scan is running then "engine_load_status" should be "Engine load succeeded"
Bug fix to enhance behavioral detections.
Stability and performance improvements.
Other bug fixes.
Known Issues
There's a known issue where enrolling devices to MDE Security Management via "Device Tagging" mechanism using mdatp_managed.json is failing in 24032.0007. To mitigate this issue, use the following mdatp CLI command to tag devices:
sudo mdatp edr tag set --name GROUP --value MDE-Management
The issue has been fixed in Build: 101.24042.0002
March-2024 (Build: 101.24022.0001 | Release version: 30.124022.0001.0)
March-2024 Build: 101.24022.0001 | Release version: 30.124022.0001.0
Released: March 22,2024
Published: March 22,2024
Build: 101.24022.0001
Release version: 30.124022.0001.0
Engine version: 1.1.23110.4
Signature version: 1.403.87.0
What's new
There are multiple fixes and new changes in this release:
- The addition of a new log file -
microsoft_defender_scan_skip.log
. This will log the filenames that were skipped from various antivirus scans by Microsoft Defender for Endpoint due to any reason. - Stability and performance improvements.
- Bug fixes.
March-2024 (Build: 101.24012.0001 | Release version: 30.124012.0001.0)
March-2024 Build: 101.24012.0001 | Release version: 30.124012.0001.0
Released: March 12,2024
Published: March 12,2024
Build: 101.24012.0001
Release version: 30.124012.0001.0
Engine version: 1.1.23110.4
Signature version: 1.403.87.0
What's new There are multiple fixes and new changes in this release:
- Updated default engine version to
1.1.23110.4
, and default signatures version to1.403.87.0
. - Stability and performance improvements.
- Bug fixes.
February-2024 (Build: 101.23122.0002 | Release version: 30.123122.0002.0)
February-2024 Build: 101.23122.0002 | Release version: 30.123122.0002.0
Released: February 5,2024
Published: February 5,2024
Build: 101.23122.0002
Release version: 30.123122.0002.0
Engine version: 1.1.23100.2010
Signature version: 1.399.1389.0
What's new There are multiple fixes and new changes in this release:
Updated default engine version to
1.1.23100.2010
, and default signatures version to1.399.1389.0
.General stability and performance improvements.
Bug fixes.
Microsoft Defender for Endpoint on Linux now officially supports the following distros and versions:
Distro & version Ring Package Mariner 2 Production https://packages.microsoft.com/cbl-mariner/2.0/prod/extras/x86_64/config.repo Rocky 8.7 and higher Insiders Slow https://packages.microsoft.com/config/rocky/8/insiders-slow.repo Rocky 9.2 and higher Insiders Slow https://packages.microsoft.com/config/rocky/9/insiders-slow.repo Alma 8.4 and higher Insiders Slow https://packages.microsoft.com/config/alma/8/insiders-slow.repo Alma 9.2 and higher Insiders Slow https://packages.microsoft.com/config/alma/9/insiders-slow.repo
If you already have Defender for Endpoint running on any of these distros and facing any issues in the older versions, please upgrade to the latest Defender for Endpoint version from the corresponding ring mentioned above. Refer our public deployment docs for more details.
Note
Known issues:
Microsoft Defender for Endpoint for Linux on Rocky and Alma currently has the following known issues:
- Live Response and Threat Vulnerability Management are currently not supported (work in progress).
- Operating system info for devices is not visible in the Microsoft Defender portal
January-2024 (Build: 101.23112.0009 | Release version: 30.123112.0009.0)
January-2024 Build: 101.23112.0009 | Release version: 30.123112.0009.0
Released: January 29,2024
Published: January 29, 2024
Build: 101.23112.0009
Release version: 30.123112.0009.0
Engine version: 1.1.23100.2010
Signature version: 1.399.1389.0
What's new
- Updated default engine version to
1.1.23110.4
, and default signatures version to1.403.1579.0
. - General stability and performance improvements.
- Bug fix for behavior monitoring configuration.
- Bug fixes.
November-2023 (Build: 101.23102.0003 | Release version: 30.123102.0003.0)
November-2023 Build: 101.23102.0003 | Release version: 30.123102.0003.0
Released: November 28,2023
Published: November 28,2023
Build: 101.23102.0003
Release version: 30.123102.0003.0
Engine version: 1.1.23090.2008
Signature version: 1.399.690.0
What's new
- Updated default engine version to
1.1.23090.2008
, and default signatures version to1.399.690.0
. - Updated libcurl library to version
8.4.0
to fix recently disclosed vulnerabilities with the older version. - Updated Openssl library to version
3.1.1
to fix recently disclosed vulnerabilities with the older version. - General stability and performance improvements.
- Bug fixes.
November-2023 (Build: 101.23092.0012 | Release version: 30.123092.0012.0)
November-2023 Build: 101.23092.0012 | Release version: 30.123092.0012.0
Released: November 14,2023
Published: November 14,2023
Build: 101.23092.0012
Release version: 30.123092.0012.0
Engine version: 1.1.23080.2007
Signature version: 1.395.1560.0
What's new
There are multiple fixes and new changes in this release:
- Support added to restore threat based on original path using the following command:
sudo mdatp threat quarantine restore threat-path --path [threat-original-path] --destination-path [destination-folder]
Starting with this release, Microsoft Defender for Endpoint on Linux will no longer be shipping a solution for RHEL 6.
RHEL 6 'Extended end of life support' is poised to end by June 30, 2024 and customers are advised to plan their RHEL upgrades accordingly aligned with guidance from Red Hat. Customers who need to run Defender for Endpoint on RHEL 6 servers can continue to leverage version 101.23082.0011 (does not expire before June 30, 2024) supported on kernel versions 2.6.32-754.49.1.el6.x86_64 or prior.
- Engine Update to
1.1.23080.2007
and Signatures Ver:1.395.1560.0
. - Streamlined device connectivity experience is now in public preview mode. public blog
- Performance improvements & bug fixes.
- Engine Update to
Known issues
- CPU lock-up seen on kernel version 5.15.0-0.30.20 in ebpf mode, see Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux for details and Mitigation options.
November-2023 (Build: 101.23082.0011 | Release version: 30.123082.0011.0)
November-2023 Build: 101.23082.0011 | Release version: 30.123082.0011.0
Released: November 1,2023
Published: November 1,2023
Build: 101.23082.0011
Release version: 30.123082.0011.0
Engine version: 1.1.23070.1002
Signature version: 1.393.1305.0
What's new This new release is build over October 2023 release (`101.23082.0009``) with addition of following changes. There's no change for other customers and upgrading is optional.
Fix for immutable mode of auditd when supplementary subsystem is ebpf: In ebpf mode all mdatp audit rules should be cleaned after switching to ebpf and rebooting. After reboot, mdatp audit rules were not cleaned due to which it was resulting in hang of the server. The fix cleans these rules, user should not see any mdatp rules loaded on reboot
Fix for MDE not starting up on RHEL 6.
Known issues
When upgrading from mdatp version 101.75.43 or 101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.98.05. More information about the underlying issue can be found at System hang due to blocked tasks in fanotify code.
There are two ways to mitigate this upgrade issue:
- Use your package manager to uninstall the
101.75.43
or101.78.13
mdatp version.
Example:
sudo apt purge mdatp
sudo apt-get install mdatp
- As an alternative you can follow the instructions to uninstall, then install the latest version of the package.
If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method.
sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp
October-2023 (Build: 101.23082.0009 | Release version: 30.123082.0009.0)
October-2023 Build: 101.23082.0009 | Release version: 30.123082.0009.0
Released: October 9,2023
Published: October 9,2023
Build: 101.23082.0009
Release version: 30.123082.0009.0
Engine version: 1.1.23070.1002
Signature version: 1.393.1305.0
What's new
- This new release is build over October 2023 release (`101.23082.0009``) with addition of new CA Certificates. There's no change for other customers and upgrading is optional.
Known issues
When upgrading from mdatp version 101.75.43 or 101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.98.05. More information about the underlying issue can be found at System hang due to blocked tasks in fanotify code.
There are two ways to mitigate this upgrade issue:
- Use your package manager to uninstall the
101.75.43
or101.78.13
mdatp version.
Example:
sudo apt purge mdatp
sudo apt-get install mdatp
- As an alternative you can follow the instructions to uninstall, then install the latest version of the package.
If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method.
sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp
October-2023 (Build: 101.23082.0006 | Release version: 30.123082.0006.0)
October-2023 Build: 101.23082.0006 | Release version: 30.123082.0006.0
Released: October 9,2023
Published: October 9,2023
Build: 101.23082.0006
Release version: 30.123082.0006.0
Engine version: 1.1.23070.1002
Signature version: 1.393.1305.0
What's new
Feature updates and new changes
- eBPF sensor is now the default supplementary event provider for endpoints
- Microsoft Intune tenant attach feature is in public preview (as of mid July)
- You must add "*.dm.microsoft.com" to firewall exclusions for the feature to work correctly
- Defender for Endpoint is now available for Debian 12 and Amazon Linux 2023
- Support to enable Signature verification of updates downloaded
Note that you must update the manajed.json as shown below
"features":{ "OfflineDefinitionUpdateVerifySig":"enabled" }
Prerequisite to enable feature
- Engine version on the device must be "1.1.23080.007" or above. Check your engine version by using the following command.
mdatp health --field engine_version
- Engine version on the device must be "1.1.23080.007" or above. Check your engine version by using the following command.
- Option to support monitoring of NFS and FUSE mount points. These are ignored by default. The following example shows how to monitor all filesystem while ignoring only NFS:
"antivirusEngine": { "unmonitoredFilesystems": ["nfs"] }
Example to monitor all filesystems including NFS and FUSE:
"antivirusEngine": { "unmonitoredFilesystems": [] }
- Other performance improvements
- Bug Fixes
Known issues
- When upgrading from mdatp version 101.75.43 or 101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.98.05. More information about the underlying issue can be found at System hang due to blocked tasks in fanotify code. There are two ways to mitigate this upgrade issue:
- Use your package manager to uninstall the
101.75.43
or101.78.13
mdatp version.
Example:
sudo apt purge mdatp
sudo apt-get install mdatp
- As an alternative you can follow the instructions to uninstall, then install the latest version of the package.
If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method.
sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp
September-2023 (Build: 101.23072.0021 | Release version: 30.123072.0021.0)
September-2023 Build: 101.23072.0021 | Release version: 30.123072.0021.0
Released: September 11,2023
Published: September 11,2023
Build: 101.23072.0021
Release version: 30.123072.0021.0
Engine version: 1.1.20100.7
Signature version: 1.385.1648.0
What's new
- There are multiple fixes and new changes in this release
- In mde_installer.sh v0.6.3, users can use the
--channel
argument to provide the channel of the configured repository during cleanup. For example,sudo ./mde_installer --clean --channel prod
- The Network Extension can now be reset by administrators using
mdatp network-protection reset
. - Other performance improvements
- Bug Fixes
- In mde_installer.sh v0.6.3, users can use the
Known issues
- While upgrading from mdatp version
101.75.43
or101.78.13
, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version101.98.05
. For more information, see System hang due to blocked tasks in fanotify code.
There are two ways to mitigate this upgrade issue:
- Use your package manager to uninstall the
101.75.43
or101.78.13
mdatp version.
Example:
sudo apt purge mdatp
sudo apt-get install mdatp
- As an alternative you can follow the instructions to uninstall, then install the latest version of the package.
If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method.
sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp
July-2023 (Build: 101.23062.0010 | Release version: 30.123062.0010.0)
July-2023 Build: 101.23062.0010 | Release version: 30.123062.0010.0
Released: July 26,2023
Published: July 26,2023
Build: 101.23062.0010
Release version: 30.123062.0010.0
Engine version: 1.1.20100.7
Signature version: 1.385.1648.0
What's new
There are multiple fixes and new changes in this release
- If a proxy is set for Defender for Endpoint, then it's visible in the
mdatp health
command output - With this release we provided two options in mdatp diagnostic hot-event-sources:
- Files
- Executables
- Network Protection: Connections that are blocked by Network Protection and have the block overridden by users are now correctly reported to Microsoft Defender XDR
- Improved logging in Network Protection block and audit events for debugging
- If a proxy is set for Defender for Endpoint, then it's visible in the
Other fixes and improvements
- From this version, enforcementLevel are in passive mode by default giving admins more control over where they want 'RTP on' within their estate
- This change only applies to fresh MDE deployments, for example, servers where Defender for Endpoint is being deployed for the first time. In update scenarios, servers that have Defender for Endpoint deployed with RTP ON, continue operating with RTP ON even post update to version 101.23062.0010
Bug Fixes
- RPM database corruption issue in Defender Vulnerability Management baseline has been fixed
Other performance improvements
Known issues
- While upgrading from mdatp version
101.75.43
or101.78.13
, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version101.98.05
. For more information, see System hang due to blocked tasks in fanotify code.
There are two ways to mitigate this upgrade issue:
- Use your package manager to uninstall the
101.75.43
or101.78.13
mdatp version.
Example:
sudo apt purge mdatp
sudo apt-get install mdatp
- As an alternative you can follow the instructions to uninstall, then install the latest version of the package.
If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method.
sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp
July-2023 (Build: 101.23052.0009 | Release version: 30.123052.0009.0)
July-2023 Build: 101.23052.0009 | Release version: 30.123052.0009.0
Released: July 10,2023
Published: July 10,2023
Build: 101.23052.0009
Release version: 30.123052.0009.0
Engine version: 1.1.20100.7
Signature version: 1.385.1648.0
What's new
- There are multiple fixes and new changes in this release
- The build version schema is updated from this release. While the major version number remains same as 101, the minor version number now has five digits followed by four digit patch number that is,
101.xxxxx.yyy
- Improved Network Protection memory consumption under stress- Updated the engine version to
1.1.20300.5
and signature version to1.391.2837.0
. - Bug fixes.
- Updated the engine version to
Known issues
- While upgrading from mdatp version
101.75.43
or101.78.13
, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version101.98.05
. For more information, see System hang due to blocked tasks in fanotify code.
There are two ways to mitigate this upgrade issue:
- Use your package manager to uninstall the
101.75.43
or101.78.13
mdatp version.
Example:
sudo apt purge mdatp
sudo apt-get install mdatp
- As an alternative you can follow the instructions to uninstall, then install the latest version of the package.
If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method.
sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp
June-2023 (Build: 101.98.89 | Release version: 30.123042.19889.0)
June-2023 Build: 101.98.89 | Release version: 30.123042.19889.0
Released: June 12,2023
Published: June 12, 2023
Build: 101.98.89
Release version: 30.123042.19889.0
Engine version: 1.1.20100.7
Signature version: 1.385.1648.0
What's new
- There are multiple fixes and new changes in this release
- Improved Network Protection Proxy handling.
- In Passive mode, Defender for Endpoint no longer scans when Definition update happens.
- Devices continue to be protected even after Defender for Endpoint agent has expired. We recommend upgrading the Defender for Endpoint Linux agent to the latest available version to receive bug fixes, features and performance improvements.
- Removed semanage package dependency.
- Engine Update to
1.1.20100.7
and Signatures Ver:1.385.1648.0
. - Bug fixes.
Known issues
- While upgrading from mdatp version
101.75.43
or101.78.13
, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version101.98.05
. For more information, see System hang due to blocked tasks in fanotify code.
There are two ways to mitigate this upgrade issue:
- Use your package manager to uninstall the
101.75.43
or101.78.13
mdatp version.
Example:
sudo apt purge mdatp
sudo apt-get install mdatp
- As an alternative you can follow the instructions to uninstall, then install the latest version of the package.
If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method.
sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp
May-2023 (Build: 101.98.64 | Release version: 30.123032.19864.0)
May-2023 Build: 101.98.64 | Release version: 30.123032.19864.0
Released: May 3,2023
Published: May 3, 2023
Build: 101.98.64
Release version: 30.123032.19864.0
Engine version: 1.1.20100.6
Signature version: 1.385.68.0
What's new
- There are multiple fixes and new changes in this release
- Health message improvements to capture details about auditd failures.
- Improvements to handle augenrules, which was causing installation failure.
- Periodic memory cleanup in engine process.
- Fix for memory issue in mdatp audisp plugin.
- Handled missing plugin directory path during installation.
- When conflicting application is using blocking fanotify, with default configuration mdatp health shows unhealthy. This is now fixed.
- Support for ICMP traffic inspection in BM.
- Engine Update to
1.1.20100.6
and Signatures Ver:1.385.68.0
. - Bug fixes.
Known issues
- While upgrading from mdatp version
101.75.43
or101.78.13
, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version101.98.05
. For more information, see System hang due to blocked tasks in fanotify code.
There are two ways to mitigate this upgrade issue:
- Use your package manager to uninstall the
101.75.43
or101.78.13
mdatp version.
Example:
sudo apt purge mdatp
sudo apt-get install mdatp
- As an alternative you can follow the instructions to uninstall, then install the latest version of the package.
If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Caution: Some customers (<1%) experience issues with this method.
sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp
April-2023 (Build: 101.98.58 | Release version: 30.123022.19858.0)
April-2023 Build: 101.98.58 | Release version: 30.123022.19858.0
Released: April 20,2023
Published: April 20, 2023
Build: 101.98.58
Release version: 30.123022.19858.0
Engine version: 1.1.20000.2
Signature version: 1.381.3067.0
What's new
- There are multiple fixes and new changes in this release
- Logging and error reporting improvements for auditd.
- Handle failure in reload of auditd configuration.
- Handling for empty auditd rule files during MDE install.
- Engine Update to
1.1.20000.2
and Signatures Ver:1.381.3067.0
. - Addressed a health issue in mdatp that occurs due to selinux denials.
- Bug fixes.
Known issues
- While upgrading mdatp to version
101.94.13
or later, you might notice that health is false, with health_issues as "no active supplementary event provider". This can happen due to misconfigured/conflicting auditd rules on existing machines. To mitigate the issue, the auditd rules on the existing machines need to be fixed. The following commands can help you to identify such auditd rules (commands need to be run as super user). Take a backup of following file: /etc/audit/rules.d/audit.rules as these steps are only to identify failures.
echo -c >> /etc/audit/rules.d/audit.rules
augenrules --load
- While upgrading from mdatp version
101.75.43
or101.78.13
, you could encounter a kernel hang. Run the following commands before attempting to upgrade to version101.98.05
. For more information, see System hang due to blocked tasks in fanotify code.
There are two ways to mitigate this upgrade issue:
- Use your package manager to uninstall the
101.75.43
or101.78.13
mdatp version.
Example:
sudo apt purge mdatp
sudo apt-get install mdatp
- As an alternative you can follow the instructions to uninstall, then install the latest version of the package.
If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Caution: Some customers (<1%) experience issues with this method.
sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp
March-2023 (Build: 101.98.30 | Release version: 30.123012.19830.0)
March-2023 Build: 101.98.30 | Release version: 30.123012.19830.0
Released: March , 20,2023
Published: March 20, 2023
Build: 101.98.30
Release version: 30.123012.19830.0
Engine version: 1.1.19900.2
Signature version: 1.379.1299.0
What's new
- This new release is build over March 2023 release (`101.98.05``) with a fix for Live response commands failing for one of our customers. There's no change for other customers and upgrade is optional.
Known issues
- With mdatp version 101.98.30 you might see a health false issue in some of the cases, because SELinux rules aren't defined for certain scenarios. The health warning could look something like this:
found SELinux denials within last one day. If the MDATP is recently installed, clear the existing audit logs or wait for a day for this issue to autoresolve. Use command: "sudo ausearch -i -c 'mdatp_audisp_pl' | grep "type=AVC" | grep " denied" to find details
The issue could be mitigated by running the following commands.
sudo ausearch -c 'mdatp_audisp_pl' --raw | sudo audit2allow -M my-mdatpaudisppl_v1
sudo semodule -i my-mdatpaudisppl_v1.pp
Here, my-mdatpaudisppl_v1 represents the policy module name. After you run the commands, either wait for 24 hours or clear/archive the audit logs. The audit logs could be archived by running the following command
sudo service auditd stop
sudo systemctl stop mdatp
cd /var/log/audit
sudo gzip audit.*
sudo service auditd start
sudo systemctl start mdatp
mdatp health
In case the issue reappears with some different denials. We need to run the mitigation again with a different module name (for example, my-mdatpaudisppl_v2).
March-2023 (Build: 101.98.05 | Release version: 30.123012.19805.0)
March-2023 (Build: 101.98.05 | Release version: 30.123012.19805.0)
Released: March , 08,2023
Published: March 08, 2023
Build: 101.98.05
Release version: 30.123012.19805.0
Engine version: 1.1.19900.2
Signature version: 1.379.1299.0
What's new
There are multiple fixes and new changes in this release.
- Improved Data Completeness for Network Connection events
- Improved Data Collection capabilities for file ownership/permissions changes
- seManage in part of the package, to that seLinux policies can be configured in different distro (fixed).
- Improved enterprise daemon stability
- AuditD stop path clean-up
- Improved the stability of mdatp stop flow.
- Added new field to wdavstate to keep track of platform update time.
- Stability improvements to parsing Defender for Endpoint onboarding blob.
- Scan doesn't proceed if a valid license isn't present (fixed)
- Added performance tracing option to xPlatClientAnalyzer, with tracing enabled mdatp process dumps the flow in all_process.zip file that can be used for analysis of performance issues.
- Added support in Defender for Endpoint for the following RHEL-6 kernel versions:
2.6.32-754.43.1.el6.x86_64
2.6.32-754.49.1.el6.x86_64
- Other fixes
Known issues
- While upgrading mdatp to version 101.94.13, you might notice that health is false, with health_issues as "no active supplementary event provider". This can happen due to misconfigured/conflicting auditd rules on existing machines. To mitigate the issue, the auditd rules on the existing machines need to be fixed. The following steps can help you to identify such auditd rules (these commands need to be run as super user). Make sure to back up following file: `/etc/audit/rules.d/audit.rules`` as these steps are only to identify failures.
echo -c >> /etc/audit/rules.d/audit.rules
augenrules --load
- While upgrading from mdatp version
101.75.43
or101.78.13
, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version101.98.05
. For more information, see System hang due to blocked tasks in fanotify code
There are two ways to mitigate the problem in upgrading.
Use your package manager to uninstall the 101.75.43
or 101.78.13
mdatp version.
Example:
sudo apt purge mdatp
sudo apt-get install mdatp
As an alternative, you can follow the instructions to uninstall, then install the latest version of the package.
In case you don't want to uninstall mdatp you can disable rtp and mdatp in sequence before upgrade. Caution: Some customers(<1%) are experiencing issues with this method.
sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp
Jan-2023 (Build: 101.94.13 | Release version: 30.122112.19413.0)
Jan-2023 (Build: 101.94.13 | Release version: 30.122112.19413.0)
Released: January 10, 2023
Published: January 10, 2023
Build: 101.94.13
Release version: 30.122112.19413.0
Engine version: 1.1.19700.3
Signature version: 1.377.550.0
What's new
- There are multiple fixes and new changes in this release
- Skip quarantine of threats in passive mode by default.
- New config, nonExecMountPolicy, can now be used to specify behavior of RTP on mount point marked as noexec.
- New config, unmonitoredFilesystems, can be used to unmonitor certain filesystems.
- Improved performance under high load and in speed test scenarios.
- Fixes an issue with accessing SMB shares behind Cisco AnyConnect VPN connections.
- Fixes an issue with Network Protection and SMB.
- lttng performance tracing support.
- TVM, eBPF, auditd, telemetry and mdatp cli improvements.
- mdatp health now reports behavior_monitoring
- Other fixes.
Known issues
- While upgrading mdatp to version
101.94.13
, you might notice that health is false, with health_issues as "no active supplementary event provider". This can happen due to misconfigured/conflicting auditd rules on existing machines. To mitigate the issue, the auditd rules on the existing machines need to be fixed. The following steps can help you to identify such auditd rules (these commands need to be run as super user). Take a backup of following file:/etc/audit/rules.d/audit.rules
as these steps are only to identify failures.
echo -c >> /etc/audit/rules.d/audit.rules
augenrules --load
- While upgrading from mdatp version
101.75.43
or101.78.13
, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.94.13. For more information, see System hang due to blocked tasks in fanotify code
There are two ways to mitigate the problem in upgrading.
Use your package manager to uninstall the 101.75.43
or 101.78.13
mdatp version.
Example:
sudo apt purge mdatp
sudo apt-get install mdatp
As an alternative to the above, you can follow the instructions to uninstall, then install the latest version of the package.
In case you don't want to uninstall mdatp you can disable rtp and mdatp in sequence before upgrade. Caution: Some customers(<1%) are experiencing issues with this method.
sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp
Nov-2022 (Build: 101.85.27 | Release version: 30.122092.18527.0)
Nov-2022 (Build: 101.85.27 | Release version: 30.122092.18527.0)
Released: November 02, 2022
Published: November 02, 2022
Build: 101.85.27
Release version: 30.122092.18527.0
Engine version: 1.1.19500.2
Signature version: 1.371.1369.0
What's new
- There are multiple fixes and new changes in this release
- V2 engine is default with this release and V1 engine bits are removed for enhanced security.
- V2 engine support configuration path for AV definitions. (mdatp definition set path)
- Removed external packages dependencies from MDE package. Removed dependencies are libatomic1, libselinux, libseccomp, libfuse, and libuuid
- In case crash collection is disabled by configuration, crash monitoring process isn't launched.
- Performance fixes to optimally use system events for AV capabilities.
- Stability improvement when restarting mdatp and load epsext issues.
- Other fixes
Known issues
- While upgrading from mdatp version
101.75.43
or101.78.13
, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.85.21. For more information, see System hang due to blocked tasks in fanotify code
There are two ways to mitigate the problem in upgrading.
Use your package manager to uninstall the 101.75.43
or 101.78.13
mdatp version.
Example:
sudo apt purge mdatp
sudo apt-get install mdatp
As an alternative approach, follow the instructions to uninstall, then install the latest version of the package.
In case you don't want to uninstall mdatp you can disable rtp and mdatp in sequence before upgrade. Caution: Some customers(<1%) are experiencing issues with this method.
sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp
Sep-2022 (Build: 101.80.97 | Release version: 30.122072.18097.0)
Sep-2022 (Build: 101.80.97 | Release version: 30.122072.18097.0)
Released: September 14, 2022
Published: September 14, 2022
Build: 101.80.97
Release version: 30.122072.18097.0
Engine version: 1.1.19300.3
Signature version: 1.369.395.0
What's new
- Fixes a kernel hang observed on select customer workloads running mdatp version
101.75.43
. After RCA, this was attributed to a race condition while releasing the ownership of a sensor file descriptor. The race condition was exposed due to a recent product change in the shutdown path. Customers on newer Kernel versions (5.1+) aren't impacted by this issue. For more information, see System hang due to blocked tasks in fanotify code.
Known issues
- When upgrading from mdatp version
101.75.43
or101.78.13
, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version101.80.97
. This action should prevent the issue from occurring.
sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp
After executing the commands, use your package manager to perform the upgrade.
As an alternative approach, follow the instructions to uninstall, then install the latest version of the package.
Aug-2022 (Build: 101.78.13 | Release version: 30.122072.17813.0)
Aug-2022 (Build: 101.78.13 | Release version: 30.122072.17813.0)
Released: August 24, 2022
Published: August 24, 2022
Build: 101.78.13
Release version: 30.122072.17813.0
Engine version: 1.1.19300.3
Signature version: 1.369.395.0
What's new
- Rolled back due to reliability issues
Aug-2022 (Build: 101.75.43 | Release version: 30.122071.17543.0)
Aug-2022 (Build: 101.75.43 | Release version: 30.122071.17543.0)
Released: August 2, 2022
Published: August 2, 2022
Build: 101.75.43
Release version: 30.122071.17543.0
Engine version: 1.1.19300.3
Signature version: 1.369.395.0
What's new
- Added support for Red Hat Enterprise Linux version 9.0
- Added a new field in the output of
mdatp health
that can be used to query the enforcement level of the network protection feature. The new field is callednetwork_protection_enforcement_level
and can take one of the following values:audit
,block
, ordisabled
. - Addressed a product bug where multiple detections of the same content could lead to duplicate entries in the threat history
- Addressed an issue where one of the processes spawned by the product (
mdatp_audisp_plugin
) was sometimes not properly terminated when the service was stopped - Other bug fixes
Jul-2022 (Build: 101.73.77 | Release version: 30.122062.17377.0)
Jul-2022 (Build: 101.73.77 | Release version: 30.122062.17377.0)
Released: July 21, 2022
Published: July 21, 2022
Build: 101.73.77
Release version: 30.122062.17377.0
Engine version: 1.1.19200.3
Signature version: 1.367.1011.0
What's new
- Added an option to configure file hash computation
- From this build onwards, the product has the new antimalware engine by default
- Performance improvements for file copy operations
- Bug fixes
Jun-2022 (Build: 101.71.18 | Release version: 30.122052.17118.0)
Released: June 24, 2022
Published: June 24, 2022
Build: 101.71.18
Release version: 30.122052.17118.0
What's new
- Fix to support definitions storage in nonstandard locations (outside of /var) for v2 definition updates
- Fixed an issue in the product sensor used on RHEL 6 that could lead to an OS hang
mdatp connectivity test
was extended with an extra URL that the product requires to function correctly. The new URL is https://go.microsoft.com/fwlink/?linkid=2144709.- Up until now, the product log level wasn't persisted between product restarts. Beginning with this version, there's a new command-line tool switch that persists the log level. The new command is
mdatp log level persist --level <level>
. - Removed the dependency on
python
from the product installation package - Performance improvements for file copy operations and processing of network events originating from
auditd
- Bug fixes
May-2022 (Build: 101.68.80 | Release version: 30.122042.16880.0)
May-2022 (Build: 101.68.80 | Release version: 30.122042.16880.0)
Released: May 23, 2022
Published: May 23, 2022
Build: 101.68.80
Release version: 30.122042.16880.0
What's new
- Added support for kernel version
2.6.32-754.47.1.el6.x86_64
when running on RHEL 6 - On RHEL 6, product can now be installed on devices running Unbreakable Enterprise Kernel (UEK)
- Fixed an issue where the process name was sometimes incorrectly displayed as
unknown
when runningmdatp diagnostic real-time-protection-statistics
- Fixed a bug where the product sometimes was incorrectly detecting files inside the quarantine folder
- Fixed an issue where the
mdatp
command-line tool wasn't working when/opt
was mounted as a soft-link - Performance improvements & bug fixes
May-2022 (Build: 101.65.77 | Release version: 30.122032.16577.0)
May-2022 (Build: 101.65.77 | Release version: 30.122032.16577.0)
Released: May 2, 2022
Published: May 2, 2022
Build: 101.65.77
Release version: 30.122032.16577.0
What's new
- Improved the
conflicting_applications
field inmdatp health
to show only the most recent 10 processes and also to include the process names. This makes it easier to identify which processes are potentially conflicting with Microsoft Defender for Endpoint for Linux. - Bug fixes
Mar-2022 (Build: 101.62.74 | Release version: 30.122022.16274.0)
Released: Mar 24, 2022
Published: Mar 24, 2022
Build: 101.62.74
Release version: 30.122022.16274.0
What's new
- Addressed an issue where the product would incorrectly block access to files greater than 2 GB in size when running on older kernel versions
- Bug fixes
Mar-2022 (Build: 101.60.93 | Release version: 30.122012.16093.0)
Mar-2022 (Build: 101.60.93 | Release version: 30.122012.16093.0)
Released: Mar 9, 2022
Published: Mar 9, 2022
Build: 101.60.93
Release version: 30.122012.16093.0
What's new
- This version contains a security update for CVE-2022-23278
Mar-2022 (Build: 101.60.05 | Release version: 30.122012.16005.0)
Released: Mar 3, 2022
Published: Mar 3, 2022
Build: 101.60.05
Release version: 30.122012.16005.0
What's new
- Added support for kernel version 2.6.32-754.43.1.el6.x86_64 for RHEL 6.10
- Bug fixes
Feb-2022 (Build: 101.58.80 | Release version: 30.122012.15880.0)
Feb-2022 (Build: 101.58.80 | Release version: 30.122012.15880.0)
Released: Feb 20, 2022
Published: Feb 20, 2022
Build: 101.58.80
Release version: 30.122012.15880.0
What's new
- The command-line tool now supports restoring quarantined files to a location other than the one where the file was originally detected. This can be done through
mdatp threat quarantine restore --id [threat-id] --path [destination-folder]
. - Beginning with this version, network protection for Linux can be evaluated on demand
- Bug fixes
Jan-2022 (Build: 101.56.62 | Release version: 30.121122.15662.0)
Jan-2022 (Build: 101.56.62 | Release version: 30.121122.15662.0)
Released: Jan 26, 2022
Published: Jan 26, 2022
Build: 101.56.62
Release version: 30.121122.15662.0
What's new
- Fixed a product crash introduced in 101.53.02 and that has impacted multiple customers
Jan-2022 (Build: 101.53.02 | Release version: (30.121112.15302.0)
Released: Jan 8, 2022
Published: Jan 8, 2022
Build: 101.53.02
Release version: 30.121112.15302.0
What's new
- Performance improvements & bug fixes
2021 releases
(Build: 101.52.57 | Release version: 30.121092.15257.0)
Build: 101.52.57
Release version: 30.121092.15257.0
What's new
Added a capability to detect vulnerable log4j jars in use by Java applications. The machine is periodically inspected for running Java processes with loaded log4j jars. The information is reported to the Microsoft Defender for Endpoint backend and is exposed in the Vulnerability Management area of the portal.
(Build: 101.47.76 | Release version: 30.121092.14776.0)
Build: 101.47.76
Release version: 30.121092.14776.0
What's new
Added a new switch to the command-line tool to control whether archives are scanned during on-demand scans. This can be configured through mdatp config scan-archives --value [enabled/disabled]. By default, this setting is set to enabled.
- Bug fixes
(Build: 101.45.13 | Release version: 30.121082.14513.0)
Build: 101.45.13
Release version: 30.121082.14513.0
What's new
Beginning with this version, we're bringing Microsoft Defender for Endpoint support to the following distros:
- RHEL6.7-6.10 and CentOS6.7-6.10 versions.
- Amazon Linux 2
- Fedora 33 or higher
Bug fixes
(Build: 101.45.00 | Release version: 30.121072.14500.0)
Build: 101.45.00
Release version: 30.121072.14500.0
What's new
- Added new switches to the command-line tool:
- Control degree of parallelism for on-demand scans. This can be configured through
mdatp config maximum-on-demand-scan-threads --value [number-between-1-and-64]
. By default, a degree of parallelism of2
is used. - Control whether scans after security intelligence updates are enabled or disabled. This can be configured through
mdatp config scan-after-definition-update --value [enabled/disabled]
. By default, this setting is set toenabled
.
- Control degree of parallelism for on-demand scans. This can be configured through
- Changing the product log level now requires elevation
- Bug fixes
(Build: 101.39.98 | Release version: 30.121062.13998.0)
Build: 101.39.98
Release version: 30.121062.13998.0
What's new
Performance improvements & bug fixes
(Build: 101.34.27 | Release version: 30.121052.13427.0)
Build: 101.34.27
Release version: 30.121052.13427.0
What's new
Performance improvements & bug fixes
(Build: 101.29.64 | Release version: 30.121042.12964.0)
Build: 101.29.64
Release version: 30.121042.12964.0
What's new
- Beginning with this version, threats detected during on-demand antivirus scans triggered through the command-line client are automatically remediated. Threats detected during scans triggered through the user interface still require manual action.
mdatp diagnostic real-time-protection-statistics
now supports two more switches:--sort
: sorts the output descending by total number of files scanned--top N
: displays the top N results (only works if--sort
is also specified)
- Performance improvements & bug fixes
(Build: 101.25.72 | Release version: 30.121022.12563.0)
Build: 101.25.72
Release version: 30.121022.12563.0
What's new
Microsoft Defender for Endpoint on Linux is now available in preview for US Government customers. For more information, see Microsoft Defender for Endpoint for US Government customers.
- Fixed an issue where usage of Microsoft Defender for Endpoint on Linux on systems with FUSE filesystems was leading to OS hang
- Performance improvements & other bug fixes
(Build: 101.25.63 | Release version: 30.121022.12563.0)
Build: 101.25.63
Release version: 30.121022.12563.0
What's new
Performance improvements & bug fixes
(Build: 101.23.64 | Release version: 30.121021.12364.0)
Build: 101.23.64
Release version: 30.121021.12364.0
What's new
Performance improvement for the situation where an entire mount point is added to the antivirus exclusion list. Prior to this version, the product processed file activity originating from the mount point. Beginning with this version, file activity for excluded mount points is suppressed, leading to better product performance
- Added a new option to the command-line tool to view information about the last on-demand scan. To view information about the last on-demand scan, run
mdatp health --details antivirus
- Other performance improvements & bug fixes
(Build: 101.18.53)
Build: 101.18.53
What's new
EDR for Linux is now generally available
- Added a new command-line switch (
--ignore-exclusions
) to ignore AV exclusions during custom scans (mdatp scan custom
) - Extended
mdatp diagnostic create
with a new parameter (--path [directory]
) that allows the diagnostic logs to be saved to a different directory - Performance improvements & bug fixes