
Microsoft Defender for Endpoint on Linux

Tip

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Microsoft Defender for Endpoint on Linux helps organizations prevent, detect, investigate, and respond to advanced threats on Linux servers. The following sections describe the capabilities of Defender for Endpoint on Linux by category.

Posture management

Defender for Endpoint on Linux combines monitoring and risk-based vulnerability management with intelligent prioritization, remediation, and tracking. These features enable you to manage and secure your Linux servers.

Your security team gains a single, comprehensive view of your organization's exposure score, security recommendations, remediation activities, software inventory, and more.

Threat protection

Defender for Endpoint on Linux includes next-generation antivirus protection using local and cloud-based machine learning models, behavior analysis, and heuristics.

Cloud protection provides near-instant detection and blocking of new and emerging threats.

You get dedicated, continuous protection with regular security intelligence and product updates. You can configure security settings including antivirus, cloud protection, and scan options. You can schedule antivirus scans and detect and block potentially unwanted applications.

Network protection and web protection (both currently in preview) help protect your Linux devices from web-based threats by controlling connections to malicious or unwanted sites.

You can also investigate and define policies for custom IP-based and URL-based indicators of compromise (also currently in preview on Linux).

Endpoint detection and response

Defender for Endpoint on Linux uses AI and advanced analytics to detect and respond to threats in near real time.

The Microsoft Defender portal at https://security.microsoft.com provides a central location to view detections across the Microsoft Defender suite and your organization's devices.

You can use advanced hunting to view raw data and get more insight into your network events.

Response actions on Linux include running antivirus scans, isolating devices, collecting investigation packages, and collecting files for deep analysis. You can also use live response for remote shell connections to perform in-depth investigations.

Automated investigation and response, EDR in block mode, and blocking, stopping, or quarantining files and processes aren't available on Linux. For a complete comparison, see Supported capabilities by platform.

Streamlined management and operations

Defender for Endpoint on Linux offers broad coverage across a breadth of Linux distributions while making operations easier for your security team.

The Microsoft Defender portal allows you to manage your security settings and plan your update cycles in advance. You can support your Linux servers with offline and multicloud options.

Defender for Endpoint provides a comprehensive set of management APIs for programmatic access to device management, vulnerability management, and threat intelligence. For a full list of available APIs, see Supported APIs.

Enterprise-grade scale, performance, and reliability

Microsoft Defender for Endpoint on Linux delivers stable, reliable performance with a rich sensor framework that operates without kernel modules and uses eBPF for operational stability.

Defender for Endpoint integrates with the larger Microsoft Defender suite, offering extensibility through API integration, SIEM connectors, Power BI support, role-based access control (RBAC), and MSSP support.

Tip

  • All supported capabilities in Defender for Endpoint on Linux on AMD64 devices are also supported on the following Linux distributions on ARM64-based servers:
    • Ubuntu
    • RHEL
    • Debian
    • SUSE Linux
    • Amazon Linux
    • Oracle Linux
  • For a detailed comparison of supported features across all Defender for Endpoint platforms (Windows, macOS, and Linux), see Supported Microsoft Defender for Endpoint capabilities by platform.

Server licenses

To onboard servers to Defender for Endpoint, you need server licenses. Several licensing options are available.

For more information about licensing requirements for Microsoft Defender for Endpoint, see Microsoft Defender for Endpoint licensing information.

For detailed licensing information, see Product Terms: Microsoft Defender for Endpoint and work with your account team to learn more about the terms and conditions.

Deploy and configure policies for Defender for Endpoint on Linux

There are several methods and tools that you can use to deploy Microsoft Defender for Endpoint on Linux. Make sure to meet the prerequisites for Defender for Endpoint on Linux.

Note

We recommend using Deployment Tool-based deployment. It simplifies the onboarding process, reduces manual tasks, and supports new installations, upgrades, and uninstalls.

Important

On Linux, Microsoft Defender for Endpoint creates an mdatp user with random UID and GID values. If you want to control these values, create an mdatp user before installation using the /usr/sbin/nologin shell option. Here's an example: mdatp:x:UID:GID::/home/mdatp:/usr/sbin/nologin.

If you experience any installation issues, self-troubleshooting resources are available in the See also section.
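The Important note above describes how to pin the mdatp account's UID and GID before installation. The following script is an added example, not code from the Microsoft documentation or from the product: it renders the passwd entry shown in the note with chosen ids, creates the account idempotently (root required), and verifies the entry in a passwd-format file after installation. The ids 9000/9000 and the script name are assumptions; /sbin/nologin is accepted alongside /usr/sbin/nologin because RHEL-family distributions ship nologin at that path.

```shell
#!/bin/sh
# Added example, not from the Microsoft documentation: pin the UID/GID of the
# mdatp account before installing Defender for Endpoint on Linux, and verify
# the resulting /etc/passwd entry. UID/GID 9000 below are assumed values;
# pick ids that are free on every host you manage.

# Render the passwd entry the documentation shows, with the chosen ids.
mdatp_passwd_line() {
    printf 'mdatp:x:%s:%s::/home/mdatp:/usr/sbin/nologin\n' "$1" "$2"
}

# Verify that a passwd-format file ($1) has an mdatp entry with the expected
# uid ($2), gid ($3) and a non-interactive shell. /sbin/nologin is accepted as
# well because RHEL-family distributions install nologin there (assumption:
# both locations are treated as equivalent). Returns 0 on success, 1 otherwise.
check_mdatp_entry() {
    awk -F: -v u="$2" -v g="$3" '
        $1 == "mdatp" {
            found = 1
            if ($3 == u && $4 == g &&
                ($7 == "/usr/sbin/nologin" || $7 == "/sbin/nologin")) ok = 1
        }
        END { if (found && ok) exit 0; exit 1 }
    ' "$1"
}

# Create the group and user with fixed ids. Requires root; safe to re-run.
create_mdatp_user() {
    uid="$1"; gid="$2"
    getent group mdatp >/dev/null 2>&1 || groupadd -g "$gid" mdatp
    getent passwd mdatp >/dev/null 2>&1 ||
        useradd -u "$uid" -g "$gid" -d /home/mdatp -M -s /usr/sbin/nologin mdatp
}

# Usage (script name is an assumption):
#   sh pin_mdatp_user.sh create 9000 9000   # as root, before installing the package
#   sh pin_mdatp_user.sh check 9000 9000    # after installation, confirm the ids stuck
case "${1:-}" in
    create) create_mdatp_user "${2:-9000}" "${3:-9000}" ;;
    check)  check_mdatp_entry /etc/passwd "${2:-9000}" "${3:-9000}" && echo "mdatp entry OK" ;;
    *)      mdatp_passwd_line 9000 9000 ;;   # no argument: print the intended entry
esac
```

Run the create step on every host from the same configuration source so the ids match across your fleet; the check step afterwards confirms the package did not replace the account with one of its own.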

Configure policies for Defender for Endpoint on Linux

Several options are available for configuring Defender for Endpoint on Linux. For more information, see Configure security settings and policies for Defender for Endpoint on Linux.

Software updates

Microsoft publishes software updates for Defender for Endpoint on Linux to improve performance, improve security, and deliver new features. Software updates are released monthly, after testing and verification. Occasionally, more than 30 days can pass between releases. For more information, see What's new in Defender for Endpoint on Linux.

Each version of Defender for Endpoint on Linux is set to expire automatically after nine months. We recommend using current versions so you get available enhancements and fixes. For more information, see How to deploy updates for Microsoft Defender for Endpoint on Linux.

Device health reporting

The Device Health report provides information about the antivirus status of Linux servers. For example:

  • Antivirus mode.
  • Scan results.
  • Platform version.
  • Antivirus engine version.
  • Security intelligence version.

You can access this information through the portal or via the API.

Response actions and live response

Your security operations team can remotely connect to a device and execute various response actions. For example:

  • Run an antivirus scan.
  • Isolate the device.
  • Collect investigation packages.

Your team can also use live response for a remote shell connection to perform in-depth investigative work.

Privacy

Microsoft is committed to providing the information and controls you need to choose how your data is collected and used in Defender for Endpoint on Linux.

For more information, see Privacy for Microsoft Defender for Endpoint on Linux.

Common applications that Defender for Endpoint impacts

Applications with high I/O workloads can experience performance issues when Defender for Endpoint is installed. Examples include developer tools such as Jenkins and Jira, and database workloads such as OracleDB and Postgres.

If you see performance degradation, consider setting exclusions for trusted applications.

If you're using non-Microsoft applications, also see their documentation regarding antivirus exclusions.
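An exclusion is a scanning blind spot, so it should cover only the directory the application actually writes to, never a whole filesystem tree or a user-writable location an attacker could drop files into. The following script is an added example, not code from the Microsoft documentation or from the product: it generates folder exclusions for the applications named above using the mdatp command line (mdatp exclusion folder add --path), and refuses paths that would be too broad. The directories are assumed defaults for each application and must be confirmed against the application's own documentation.

```shell
#!/bin/sh
# Added example, not from the Microsoft documentation: plan antivirus folder
# exclusions for the high-I/O applications the page names, and refuse
# exclusions that would blind the scanner. The mdatp command-line syntax used
# is "mdatp exclusion folder add --path <dir>"; the directories are assumed
# defaults, so confirm them against each application's own documentation.

# Keep exclusions narrow. Reject relative paths, "/", single top-level
# directories (e.g. /usr, /var), and world- or user-writable trees where an
# attacker could stage files. Returns 0 if the path is acceptable, 1 otherwise.
exclusion_is_safe() {
    p=${1%/}                       # treat /var/lib/jenkins/ and /var/lib/jenkins alike
    case "$p" in
        ""|/)  return 1 ;;         # whole filesystem
        /*/*)  ;;                  # absolute, at least two components
        *)     return 1 ;;         # relative path or a single top-level directory
    esac
    case "$p" in
        /tmp/*|/var/tmp/*|/dev/shm/*|/home/*|/root/*) return 1 ;;
    esac
    return 0
}

# Print one mdatp command per "label:path" argument. Unsafe entries are
# reported on stderr and skipped, and the function returns 1 if any were.
plan_exclusions() {
    rc=0
    for spec in "$@"; do
        label=${spec%%:*}
        path=${spec#*:}
        if exclusion_is_safe "$path"; then
            printf 'mdatp exclusion folder add --path %s   # %s\n' "$path" "$label"
        else
            printf 'skipped %s: %s is too broad or user-writable\n' "$label" "$path" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Review the output, then run the printed commands as root on the server.
# "mdatp exclusion list" afterwards shows which exclusions are in force.
plan_exclusions \
    jenkins:/var/lib/jenkins \
    jira:/var/atlassian/application-data/jira \
    postgres:/var/lib/postgresql \
    oracledb:/u01/app/oracle/oradata
```

Keep the generated list under version control with the rest of the server configuration, and re-check it whenever an application's data directory moves; an exclusion that outlives the application it was meant for is pure blind spot.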

Next steps

See also