Blog Post

Core Infrastructure and Security Blog
6 MIN READ

Deploying Microsoft Defender for Endpoint on Linux Servers.

TanTran's avatar
TanTran
Icon for Microsoft rankMicrosoft
Aug 01, 2020

Hi IT Pro,  

The following is step-by-step document for Defender for Endpoint Linux (MD ATP for Linux) deployment. 

Let's start your MD for Endpoint Linux deployment! 

________________________________

 

Microsoft Defender for Endpoint Linux (MD ATP) support for Linux with kernel version 3.10.0-327 or later, including the following Linux flavours : 

  • Red Hat Enterprise Linux 7.2 or higher 
  • CentOS 7.2 or higher 
  • Ubuntu 16.04 LTS or higher LTS 
  • Debian 9 or higher
  • SUSE Linux Enterprise Server 12 or higher
  • Oracle Linux 7.2 or higher 

 

MD ATP provide real-time protection for the following file system types: 

btrfs

ecryptfs

ext2

ext3

ext4

fuse

fuseblk

jfs

nfs

overlay

ramfs

reiserfs

tmpfs

udf

vfat

xfs

 

 

 

Deployment MD for Endpoint prerequisite: 

  • Administrative privileges on the device (in case of manual deployment) 
  • The fanotify kernel option must be enabled,
    • For RedHat Enterprise Linux 7.x and CentOS 7.x systems, the kernel module is enabled by default.
    • For Ubuntu, SUSE, and Oracle Enterprise Limited, Fanotify is enabled by default.
  • Disk space: 650 MB 
  • No other fanotify-based security solutions running on same Linux Computer. 
  • Network connections
    • Set firewall outbound connection rules to allow these URLs.

Service location

DNS record

Common URLs for all locations

x.cp.wd.microsoft.com
cdn.x.cp.wd.microsoft.com
eu-cdn.x.cp.wd.microsoft.com
wu-cdn.x.cp.wd.microsoft.com
officecdn-microsoft-com.akamaized.net
crl.microsoft.com
events.data.microsoft.com

European Union

europe.x.cp.wd.microsoft.com
eu-v20.events.data.microsoft.com
usseu1northprod.blob.core.windows.net 
usseu1westprod.blob.core.windows.net

United Kingdom

unitedkingdom.x.cp.wd.microsoft.com
uk-v20.events.data.microsoft.com
ussuk1southprod.blob.core.windows.net 
ussuk1westprod.blob.core.windows.net

United States

unitedstates.x.cp.wd.microsoft.com
us-v20.events.data.microsoft.com
ussus1eastprod.blob.core.windows.net 
ussus1westprod.blob.core.windows.net

 

  • If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs.
  • For transparent proxies, no additional configuration is needed
  • For static proxy, follow the steps in Manual Static Proxy Configuration.

 

DEPLOYMENT OPTIONS

 

MD for Endpoint deployment go through 4 steps as follow:

 

MANUAL DEPLOYMENT  (using YUM Utility)

 

  1. Install Yum Utility for package installing and uninstalling
  2. If the Server is RHEL and newly build, you have to register it with Redhat first.
  3. It may take more than 30 minutes for all the RHEL download and Linux update packages.
  • Yum update && yum install yum-utils

 

  • Microsoft Defender for Linux can be deployed from one of the following channels (denoted below as [channel]šŸ˜ž insiders-fastinsiders-slow, or prod. Each of these channels corresponds to a Linux software repository
  • RHEL and variants (CentOS and Oracle Linux)

 

 

 

 

 

 

 

sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/[distro]/[version]/[channel].repo

 

 

 

 

 

 

 

 

 

If you want to check current Linux distro and version, run the command: 

 

 

 

 

 

 

 

cat/etc/os-release

 

 

 

 

 

 

 

 

 

  • Install the Microsoft GPG public key:

 

 

 

 

 

 

 

sudo rpm --import http://packages.microsoft.com/keys/microsoft.asc

 

 

 

 

 

 

 

 

  • Download and make usable all the metadata for the currently enabled yum repositories:

 

 

 

 

 

 

 

yum makecache

 

 

 

 

 

 

 

 

  • RHEL and variants (CentOS and Oracle Linux):

 

 

 

 

 

 

 

sudo yum install mdatp

 

 

 

 

 

 

 

 

 

Downloading the  Onboarding package from MD ATP Portal

Download the onboarding package from Microsoft Defender Security Center:

  1. In Microsoft Defender Security Center, go to Settings > Device Management > Onboarding.
  2. In the first drop-down menu, select Linux Server as the operating system. In the second drop-down menu, select Local Script (for up to 10 devices) as the deployment method.
  3. Select Download onboarding package. Save the file as WindowsDefenderATPOnboardingPackage.zip.

 

 

Client Configuration (Onboarding Linux Client)

 

  • Make sure Python3 is in system ā€˜s path 

 

 

 

 

 

 

 

sudo alternatives --set python /usr/bin/python

 

 

 

 

 

 

 

 

  • Copy MicrosoftDefenderATPOnboardingLinuxServer.py to the target device
    • On the target device

 

 

 

 

 

 

 

python MicrosoftDefenderATPOnboardingLinuxServer.py

 

 

 

 

 

 

 

 

 

  • Verify that the device is now associated with your organization 

 

 

 

 

 

 

 

mdatp health --field org_id

 

 

 

 

 

 

 

 

 

  • Verify that the device is properly onboarded and reporting to the service

 

Monitoring new Linux Client on ATP Portal

  • Check if Linux Machine is display in ATP Portal Dashboard

 

 

How to configure Microsoft Defender for Endpoint on Linux Server

Location of mdatp configuration file: /etc/opt/microsoft/mdatp/managed/mdatp_managed.json

  • In enterprise environments, Microsoft Defender ATP for Linux can be managed through a configuration profile
  • The configuration profile is a .json file that consists of entries identified by a key (which denotes the name of the preference), followed by a value.Values can be simple, such as a numerical value, or complex, such as a nested list of preferences.
  • Typically, you would use a configuration management tool to push a file with the name mdatp_managed.json at the location /etc/opt/microsoft/mdatp/managed/.

mdatp_managed.json preference key and value

 

KEY

VALUE

Enable / disable real-time protection

enableRealTimeProtection

true (default)/false

Enable / disable passive mode

(In passive mode:

ā€¢ Real-time protection is turned off.

ā€¢ On-demand scanning is turned on.

ā€¢ Automatic threat remediation is turned off.

ā€¢ Security intelligence updates are turned on.

ā€¢ Status menu icon is hidden.

passiveMode

true/false (default)

Scan exclusions

 

exclusions

 

$type

excludedPath
excludedFileExtension
excludedFileName

 

Path to excluded content

 

path

 

valid paths (string)

 

Enable/Disable Delivered Cloud Protection

 

enabled

 

true (default)/false

 

 

Recommended configuration profile

 

To get started, we recommend the following configuration profile for your enterprise to take advantage of all protection features that Microsoft Defender for Endpoint Linux provides.

The following configuration profile will:

  • Enable real-time protection (RTP)
  • Specify how the following threat types are handled:
    • Potentially unwanted applications (PUA) are blocked
    • Archive bombs (file with a high compression rate) are audited to the product logs
  • Enable automatic security intelligence updates
  • Enable cloud-delivered protection
  • Enable automatic sample submission at safe level

 

 

 

More MD for Endpoint Preference Configuration  

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/linux-preferences 

 

Configuration profile deployment by Linux Management:

Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. Microsoft Defender ATP for Linux reads the managed configuration from the /etc/opt/microsoft/mdatp/managed/mdatp_managed.json file.

 

 

Update Microsoft Defender for Endpoint on Linux server

 

Each version of Microsoft Defender ATP for Linux has an expiration date, after which it will no longer continue to protect your device.

 

To check the MD for Endpoint expiration date, run the following bash command: 

 

 

 

 

 

 

 

mdatp health --field product_expiration

 

 

 

 

 

 

 

 

To update Microsoft Defender for Endpoint on Linux manually, execute one of the following commands: 

 

RHEL and variants (CentOS and Oracle Linux) 

 

 

 

 

 

 

 

sudo yum update mdatp

 

 

 

 

 

 

 

 

SLES and variants 

 

 

 

 

 

 

 

sudo zypper update mdatp

 

 

 

 

 

 

 

 

Ubuntu and Debian systems 

 

 

 

 

 

 

 

sudo apt-get install --only-upgrade mdatp

 

 

 

 

 

 

 

 

TROUBLESHOOTING

 

Troubleshoot installation issues:

 

To verify if the installation succeeded, one can obtain installation.log and search the installation logs for ā€œpostinstall endā€ phrase,  using these commands:

 

 

 

 

 

 

 

 

sudo journalctl | grep 'microsoft-mdatp'  > installation.log

 

 

 

 

 

 

 

 

 

 

 

 

 

 

grep 'postinstall end' installation.log

 

 

 

 

 

 

 

 

 

Troubleshooting Connectivity: 

 

Run the connectivity test

 

 

 

 

 

 

 

mdatp connectivity test

 

 

 

 

 

 

 

 

 

Troubleshooting Performance:

 

To find the applications that are triggering the most scans, you can use real-time statistics gathered by Microsoft Defender for Endpoint on Linux.

 

 

 

 

 

 

 

mdatp diagnostic real_time_protection_statistics > stat.log

 

 

 

 

 

 

 

 

This feature is enabled by default on the Dogfood and InsisderFast channels. If you're using a different update channel, this feature can be enabled from the command line:

 

 

 

 

 

 

 

mdatp config real-time-protection-statistics --value enabled

 

 

 

 

 

 

 

 

More Troubleshooting:

 

Installation

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/linux-support-install

 

Performance

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf

 

Network Connectivity

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity

 

I hope the information is useful to you. Please provide feedback.

 

 

Disclaimer
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

Updated Nov 20, 2020
Version 31.0
  • thanks James, I will post the Linux ATP Operation next time

  • benhelps's avatar
    benhelps
    Copper Contributor

    NVM, muddled my way through to the onboarding working. 

     

    Had to add repo and apt-get install mdatp, and restart server after onboarding (for it to be recognised as licenced)

  • benhelps's avatar
    benhelps
    Copper Contributor

    Hi,

     

    If this thread isn't abandoned by now - I'm attempting this on Ubuntu (18.04.4 LTS) and running into some issues.

     

    Seems to work per your document as far as onboarding, but then the 
    mdatp command lines fail with: Command 'mdatp' not found

  • tbdo88's avatar
    tbdo88
    Copper Contributor

    Hi Mr. Tran,

    Thanks for a good documentation. However , I do have some question not related to the installation procedure.

    The reason because our Linux servers are global, on and over a large network, we need to be able to monitoring but not to sacrificing our network and OS performance.  In your experiecences on windows Defender, does it cause any issue on the performace of the system ? does it block any port or ports to prevent the instruders ? 

    another stupid question.. for the MD ATP Portal node or the central node (may be you have a special term for that node), can we install it on a Linux environment ?

    Thanks with my Best Regards,

     

  • Mike_Elliott's avatar
    Mike_Elliott
    Copper Contributor

    Great article, thank you.

     

    In our testing with Linux servers we've found that the threat vulnerability reporting isn't accurate.  We see alerts for missing CVEs etc that have already been patched and installed.  We have an active support call open on that topic although there doesnt appear to be a fix expected any time soon.  In the meantime is there any way to disable vulnerability scanning features in isolation on Linux servers?  Also, if we are able to do this, do you think there are still sufficient benefits in using Defender for Endpoint on Linux servers in this configuration?