Update: Enhanced antimalware engine for Linux and macOS is now generally available.
To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, your security/IT team must configure your network, proxy and internet settings to allow connections between your endpoints and certain Microsoft URLs. To support the new Microsoft Defender for Endpoint on Linux and macOS anti-malware engine enhancements, you must allow-list the following URL endpoints in the proxy configuration of your environment:
How this will affect your organization:
Starting July 31, 2022, access to these URLs will be *required* to ensure uninterrupted cloud-delivered protection on your Linux and macOS systems behind a proxy. Organizations that have not allow-listed access to the above-mentioned URLs by July 31, 2022, will be unable to download the threat definition updates required for effective anti-malware protection.
We are announcing a significant upgrade to our next-generation protection on Linux and macOS with a new, enhanced engine.
The Microsoft Defender Antivirus antimalware engine is a key component of next-generation protection. This protection brings machine learning, big-data analysis, in-depth threat research, and the Microsoft cloud infrastructure, to protect devices (or endpoints) in your organization.
The main benefits of this major update include performance and prevention improvements, as well as adding support for custom file indicators on macOS and Linux.
Prerequisites
As a preview entry prerequisite, ensure the following requirements are fulfilled:
A key feature of the new antimalware engine is the ability to create custom file indicators. You may already have experience with custom file indicators on Windows. The existing three indicator response actions are “allow,” “alert only,” and “alert and block & remediate.” These actions are now supported on macOS and Linux.
Note that warn and block only (block without remediation) indicator types are currently not supported for Linux & macOS. This is visually indicated in the Microsoft 365 Defender portal. In addition, if you have previously created non-scoped custom file indicators (targeted to all devices) in your environment, the indicators will also start applying to any device that is running the new antimalware engine.
Threat/malware names are changing to ensure consistency with the standard naming scheme followed across all platforms, including Windows. This is part of the effort to align our nomenclature across all platforms and to have a standardized naming mechanism.
Threat names will now follow this format:
<Category>.<Platform>.<Family>.<Variant> ---> [Threat Type]:[Platform]/[Malware Family].[Variant]?![Suffixes]?
Examples:
Previous engine syntax | New engine syntax
Linux:
Trojan.Linux.Mirai.1 | Backdoor:Linux/Mirai.YA!MTB
Gen:Variant.Backdoor.Linux.Gafgyt.1 | DDoS:Linux/Gafgyt.YA!MTB
Gen:Variant.Backdoor.Linux.Tsunami.1 | Backdoor:Linux/Tsunami.DS!MTB
Gen:Variant.Trojan.Linux.Gafgyt.5 | Backdoor:Linux/Gafgyt.cf!MTB
Trojan.Linux.Xorddos.B | Trojan:Linux/Xorddos
Gen:Variant.Application.Linux.Miner.3 | Trojan:Linux/CoinMiner.N!MTB
macOS:
Gen:Variant.Adware.MAC.AdLoad.1 | PUA:MacOS/Adload.L!MTB
Adware.MAC.Bundlore.EJL | Adware:MacOS/Multiverze
Adware.MAC.Generic.23253 | PUA:MacOS/Maltiverza
Trojan.MAC.Lazarus.G | Trojan:MacOS/NukeSped.A!MTB
Some examples of the updated threat names when displayed through the command line (screenshot: Microsoft Defender for Endpoint threat list output):
The following screenshot shows that alerts use the updated threat names in the Microsoft 365 Defender portal:
The 'Security intelligence version' shown under the About tab and under Virus and threat protection updates in the macOS Microsoft Defender interface, and in the Linux command line interface output, will now use a different version numbering scheme.
Security Intelligence/definitions version example: 1.355.2459.0
Engine version example: 1.1.18900.3
If any rules were configured on the previous engine (using the "mdatp threat allowed" command) to allow threats based on the threat family name, those rules will not be in effect with the new engine. New rules will have to be created with the corresponding new threat family names. For example, in the case of EICAR threats:
IMPORTANT: Action might be needed
Note: In addition to setting exclusions for files that may no longer be covered by the allowed-threat configuration, you can now also use custom file indicators with the "Allow" action type as a mitigation.
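The two points above that bite operationally are the new name grammar ([Threat Type]:[Platform]/[Malware Family].[Variant]?![Suffixes]?) and the fact that old-engine allowed-threat rules keyed on family names stop applying. The following is an added example, not code from the post or from Microsoft: a small parser for both naming schemes, run over the old/new pairs from the table above (embedded as constructed sample data), plus a helper that turns a list of old-engine allow rules into the new names that would have to be re-created. It shows which families kept their label (e.g. Mirai, Xorddos) and which changed outright (e.g. Miner became CoinMiner, Lazarus became NukeSped), which is exactly where a rule carried over by family name would silently fail. The "Gen:Variant." prefix handling and the case-insensitive family comparison are assumptions drawn from the table, not statements in the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# New engine format, as stated in the post:
#   [Threat Type]:[Platform]/[Malware Family].[Variant]?![Suffixes]?
NEW_NAME_RE = re.compile(
    r"^(?P<threat_type>[^:/]+):(?P<platform>[^/]+)/(?P<family>[^.!]+)"
    r"(?:\.(?P<variant>[^!]+))?(?:!(?P<suffixes>.+))?$"
)

# Previous engine format, as stated in the post:
#   <Category>.<Platform>.<Family>.<Variant>
# Assumption: the post's examples show an optional "Gen:Variant." prefix.
OLD_NAME_RE = re.compile(
    r"^(?:Gen:Variant\.)?(?P<threat_type>[^.]+)\.(?P<platform>[^.]+)"
    r"\.(?P<family>[^.]+)\.(?P<variant>[^.]+)$"
)


@dataclass(frozen=True)
class ThreatName:
    scheme: str               # "new" or "old"
    threat_type: str          # Backdoor, Trojan, PUA, ... (old scheme: Category)
    platform: str             # Linux, MacOS (old scheme uses MAC)
    family: str
    variant: Optional[str]
    suffixes: Optional[str]   # e.g. MTB; only exists in the new scheme


def parse_threat_name(name: str) -> ThreatName:
    """Parse a name in either scheme. The new grammar is tried first; the two
    cannot both match because the new one needs ':' and '/', the old one needs
    exactly four dot-separated parts."""
    m = NEW_NAME_RE.match(name)
    if m:
        return ThreatName("new", m["threat_type"], m["platform"], m["family"],
                          m["variant"], m["suffixes"])
    m = OLD_NAME_RE.match(name)
    if m:
        return ThreatName("old", m["threat_type"], m["platform"], m["family"],
                          m["variant"], None)
    raise ValueError(f"unrecognised threat name: {name!r}")


# Constructed sample data: the old -> new pairs from the post's table.
RENAMED_EXAMPLES: List[Tuple[str, str]] = [
    ("Trojan.Linux.Mirai.1", "Backdoor:Linux/Mirai.YA!MTB"),
    ("Gen:Variant.Backdoor.Linux.Gafgyt.1", "DDoS:Linux/Gafgyt.YA!MTB"),
    ("Gen:Variant.Backdoor.Linux.Tsunami.1", "Backdoor:Linux/Tsunami.DS!MTB"),
    ("Gen:Variant.Trojan.Linux.Gafgyt.5", "Backdoor:Linux/Gafgyt.cf!MTB"),
    ("Trojan.Linux.Xorddos.B", "Trojan:Linux/Xorddos"),
    ("Gen:Variant.Application.Linux.Miner.3", "Trojan:Linux/CoinMiner.N!MTB"),
    ("Gen:Variant.Adware.MAC.AdLoad.1", "PUA:MacOS/Adload.L!MTB"),
    ("Adware.MAC.Bundlore.EJL", "Adware:MacOS/Multiverze"),
    ("Adware.MAC.Generic.23253", "PUA:MacOS/Maltiverza"),
    ("Trojan.MAC.Lazarus.G", "Trojan:MacOS/NukeSped.A!MTB"),
]


def family_renamed(old_name: str, new_name: str) -> bool:
    """True when the family label itself changed (compared case-insensitively),
    not merely the surrounding type, platform, variant or suffix fields."""
    return (parse_threat_name(old_name).family.lower()
            != parse_threat_name(new_name).family.lower())


def renamed_families(rename_table=RENAMED_EXAMPLES) -> List[Tuple[str, str]]:
    """(old family, new family) for every pair in the table whose family changed."""
    return [(parse_threat_name(o).family, parse_threat_name(n).family)
            for o, n in rename_table if family_renamed(o, n)]


def migration_plan(allowed_old_names: List[str],
                   rename_table=RENAMED_EXAMPLES) -> Dict[str, Optional[str]]:
    """Every old-engine allow rule must be re-created under the new name.
    Maps each old rule name to the new name from the table, or None when the
    table has no entry (that rule needs a manual look-up of the new name)."""
    lookup = {old.lower(): new for old, new in rename_table}
    plan: Dict[str, Optional[str]] = {}
    for rule in allowed_old_names:
        parse_threat_name(rule)          # reject malformed rule names early
        plan[rule] = lookup.get(rule.lower())
    return plan


if __name__ == "__main__":
    for old_f, new_f in renamed_families():
        print(f"family renamed: {old_f} -> {new_f}")
    # Constructed rule list: one mapped name, one not in the table.
    for old, new in migration_plan(["Trojan.Linux.Xorddos.B", "Trojan.Linux.Foo.1"]).items():
        print(f"{old} -> {new or '<no mapping in table, look up new name>'}")
```

The planner only resolves names that appear in the constructed table; in a real migration the lookup source would be the current output of the new engine (the threat list shown in the screenshot above), and any rule that comes back as None is one to re-check by hand before re-adding it.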
We welcome your feedback and look forward to hearing from you! You can submit feedback through the Microsoft 365 security center.