Defender for Endpoint on Linux - EDR Settings and Exclusions

Copper Contributor

Hi

We're evaluating Defender for Linux on our Linux (RHEL 7.2 and Amazon Linux) fleet. We looked at the official documentation below:


Set Preferences for Defender for Endpoint on Linux--> https://learn.microsoft.com/en-us/defender-endpoint/linux-preferences#recommended-configuration-prof...


Configure and Validate exclusions for Microsoft Defender for Endpoint on Linux--> https://learn.microsoft.com/en-us/defender-endpoint/linux-exclusions


Firstly, it is not very evident (at least to beginners) in the first article which settings belong to Antivirus (EPP) and which ones control the EDR. Can someone please help clarify that? Also, is the JSON file (and manual commands) the only interface to control the AV and EDR behavior for Defender for Endpoint on Linux, or are there any settings that we can control from the Defender portal?


The second article above states this:


"The antivirus exclusions described in this article apply to only antivirus capabilities and not endpoint detection and response (EDR). Files that you exclude using the antivirus exclusions described in this article can still trigger EDR alerts and other detections. Whereas the global exclusions described in this section apply to antivirus as well as endpoint detection and response capabilities thus stopping all associated AV protection, EDR alerts and detection. Global exclusions are available from Defender for Endpoint version 101.23092.0012 or later till Insider Slow Ring. For EDR exclusions, contact support."


Want to clarify the following:


1. Even after configuring the exclusions with scope "Global", we cannot see any exclusions listed on the Linux system upon running the command "mdatp edr exclusion list all". What does the EDR exclusion represent, and where is the option to configure it?


2. Also, it states "For EDR exclusions, contact support". Is there a document that describes what these EDR exclusions are, for which one needs to contact Microsoft support?


3. Finally, the article below states that Defender Antivirus can run in one of the following modes: Disabled, Active, Passive, or EDR Block mode. However, this is quite different from what we see on Linux, which has a setting named "passive_mode_enabled" that can be set to enabled/disabled.


https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-compatibility#use-w...


Is EDR in Block mode a thing so far for Linux OSes?


Thanks

Taranjeet Singh

0 Replies