As we continue our powerful momentum in securing Linux platforms, we are excited to announce the public preview of Microsoft Defender for Endpoint on Linux antivirus behavior monitoring and blocking!
The new preventive antivirus functionality complements our existing strong content-based capabilities with behavior monitoring and deep memory scanning. These enhancements bring the immediate ability to closely monitor processes, file system activities, and process interactions within the system. The enhanced ability to correlate events and behaviors across multiple processes allows us to detect and block malware more generically, based on its behavioral classification rather than on file content alone. These behavior-based signals also act as additional runtime signals for our cloud-powered behavioral machine learning models and for effective runtime protection.
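To make the idea of correlating events across multiple processes concrete, here is a small behavior correlator written as an added example for this post; it is not Defender for Endpoint code and does not use its event schema. It consumes constructed process-start and file-write events in an invented format (the field names, rule names and paths are all assumptions), rebuilds the process tree, and raises an alert only when a chain spans processes: a file written by one process is later executed by a related process, and that dropped process then modifies a persistence location. A package manager writing to the same directory produces no alert, which is the point of correlation versus single-event rules.

```python
"""Toy cross-process behavior correlator (added example, not Defender code).

Events arrive in time order. Each event is a dict in a constructed schema:
  {"type": "process_start", "pid", "ppid", "exe"}
  {"type": "file_write",    "pid", "path"}
"""
from collections import defaultdict

# Directories treated as persistence locations (hypothetical rule data).
PERSISTENCE_DIRS = ("/etc/cron.d/", "/etc/systemd/system/", "/etc/init.d/")

# Constructed sample telemetry: a shell session downloads a file, runs it,
# and the dropped binary installs a cron entry; dpkg separately writes a
# legitimate cron file and must not be flagged.
SAMPLE_EVENTS = [
    {"type": "process_start", "pid": 100, "ppid": 1,   "exe": "/usr/sbin/sshd"},
    {"type": "process_start", "pid": 200, "ppid": 100, "exe": "/bin/bash"},
    {"type": "process_start", "pid": 300, "ppid": 200, "exe": "/usr/bin/curl"},
    {"type": "file_write",    "pid": 300, "path": "/tmp/.cache/update"},
    {"type": "process_start", "pid": 500, "ppid": 200, "exe": "/tmp/.cache/update"},
    {"type": "file_write",    "pid": 500, "path": "/etc/cron.d/update"},
    {"type": "process_start", "pid": 600, "ppid": 1,   "exe": "/usr/bin/dpkg"},
    {"type": "file_write",    "pid": 600, "path": "/etc/cron.d/apt-compat"},
]


def ancestors(pid, procs):
    """Return [pid, parent, grandparent, ...] as far as the process table knows.
    Walking stops at pids we never saw start (e.g. init), so those are excluded."""
    chain = []
    while pid in procs:
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain


def related(pid_a, pid_b, procs):
    """True when both processes share an observed ancestor other than pid 1."""
    shared = set(ancestors(pid_a, procs)) & set(ancestors(pid_b, procs))
    shared.discard(1)
    return bool(shared)


def correlate(events):
    """Replay events and return the list of multi-process behavior alerts."""
    procs = {}                    # pid -> {"exe", "ppid"}
    writers = defaultdict(set)    # path -> set of pids that wrote it
    dropped = {}                  # pid of executed dropped file -> pid that wrote it
    alerts = []

    for ev in events:
        if ev["type"] == "process_start":
            procs[ev["pid"]] = {"exe": ev["exe"], "ppid": ev["ppid"]}
            # Rule 1: executable image was written earlier by a related process.
            for writer in sorted(writers.get(ev["exe"], ())):
                if related(writer, ev["pid"], procs):
                    dropped[ev["pid"]] = writer
                    alerts.append({"rule": "DroppedFileExecuted",
                                   "pids": [writer, ev["pid"]],
                                   "path": ev["exe"]})
        elif ev["type"] == "file_write":
            writers[ev["path"]].add(ev["pid"])
            # Rule 2: a dropped-and-executed process touches a persistence path.
            # dpkg writing the same directory is not in `dropped`, so no alert.
            if ev["pid"] in dropped and ev["path"].startswith(PERSISTENCE_DIRS):
                alerts.append({"rule": "DroppedFilePersists",
                               "pids": [dropped[ev["pid"]], ev["pid"]],
                               "path": ev["path"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

A real engine keys on far richer signals (memory scanning, network activity, cloud ML verdicts) and must handle pid reuse and process exit, but the shape is the same: keep enough state about the process tree and file provenance that a single suspicious write can be judged in the context of who created the writer.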
Our Linux antivirus behavior monitoring and blocking can be previewed on any Linux distribution that is currently supported by Microsoft Defender for Endpoint on Linux:
CentOS Linux 7.2+
Ubuntu 16 LTS or a later LTS release
Oracle Linux 7.2+
Microsoft Defender for Endpoint on Linux antivirus behavior monitoring seamlessly integrates into the existing preventive experiences. Behavior monitoring details and artifacts can be explored locally using the existing Microsoft Defender for Endpoint on Linux command line interface.
Behavior monitoring alerts appear in the Microsoft Defender Security Center (as well as in the Microsoft 365 security center) alongside all other alerts and can be effectively investigated.
What are the preview prerequisites for Linux antivirus behavior monitoring and blocking?
To experience the Linux antivirus behavior monitoring and blocking in public preview, you’ll need to have preview features turned on in the Microsoft Defender Security Center. If you have not yet opted into previews, we encourage you to turn on preview features in the Microsoft Defender Security Center or in the Microsoft 365 security center today.
As a preview entry prerequisite, please ensure the following requirements are fulfilled:
Device must be in the InsiderFast channel
Minimum Microsoft Defender for Endpoint version (InsiderFast channel): 101.25.42
Device must be explicitly enrolled into the preview. Preview enrollment can be activated or deactivated using the following commands:
Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering endpoint protection, endpoint detection and response, vulnerability management, and mobile threat defense. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, sign up for a free Microsoft Defender for Endpoint trial today.