Announcing device isolation and AV scanning for Linux and macOS
Published Jul 13 2023 06:10 AM 11.3K Views
Microsoft

Update - 10/31/2023 - Device isolation and AV scan response actions for Microsoft Defender for Endpoint on Linux and macOS are now Generally Available.
As cyber threats continue to target devices, security teams need an endpoint protection platform that can help them quickly and effectively respond to these threats regardless of the device's platform. Microsoft Defender for Endpoint is an endpoint security solution that helps organizations worldwide discover and secure devices across their multiplatform enterprise.
Today we are thrilled to announce that we are adding more capabilities for macOS and Linux-based devices in Microsoft Defender for Endpoint with the introduction of Device isolation and Running antivirus scan as newly available response actions. These response actions will provide security teams with more flexibility and control across their multi-platform enterprise to quickly address advanced threats targeting their devices. Both response actions are now Generally Available. 
Device isolation

In situations where the severity of an attack calls for immediate action, the Isolate device response action offers a crucial line of defense. By isolating a compromised device from the network, you can prevent attackers from controlling the device and engaging in activities such as data exfiltration and lateral movement.  
To use the Isolate device manual response action, select the device in the Microsoft 365 Defender portal by clicking on the device icon shown in the incident graph, selecting Actions, and then selecting Isolate device or by navigating to device details and selecting Isolate Device from the drop-down.
This response action disconnects the compromised device from the network, ensuring it remains isolated while maintaining connectivity to the Defender for Endpoint service. This action enables continuous device monitoring, allowing you to detect and respond to any suspicious activities effectively. This response action can also be taken during a Live Response session and with our API for macOS. 
Note: The Isolate device manual response action and API for Linux were made available for public preview earlier this year. This action is not currently available for Live Response on Linux devices.   
Run antivirus scan

As part of our commitment to delivering comprehensive security through a simple and consistent experience across platforms, we also released the Run antivirus scan response action for macOS and Linux. This response action lets you remotely initiate an antivirus scan on your devices. This capability plays a crucial role in identifying and remediating malware that may be present on compromised devices. 
You can use the Run antivirus scan manual response action by doing any of the following:  

  • Select the device in the Microsoft 365 Defender portal by clicking on the device icon shown in the incident graph, selecting Actions, and then selecting Run antivirus scan.
  • Navigate to the device details and select Run antivirus scan from the drop-down list.

You can choose between a quick scan or a full scan, depending on your requirements. Before confirming the scan, you also have the option to add a comment to provide additional context. Once the scan is initiated, the Action Center will display the scan information, and the device timeline will reflect a new event indicating that a scan action was submitted.  

If malware is detected during the scan, Defender for Endpoint will generate alerts and promptly notify you. This response action can also be taken during a Live Response session and with our API for both macOS and Linux platforms. 
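Both response actions described above are also exposed through the Defender for Endpoint machine actions REST API. The following is an added example (not Microsoft's code and not part of the original post) of a small client that submits an isolation or an antivirus scan for a device, validates the scan and isolation types before sending anything, and then polls the resulting machine action until it reaches a terminal state. It assumes the documented endpoints `POST /api/machines/{id}/isolate`, `POST /api/machines/{id}/runAntiVirusScan` and `GET /api/machineactions/{id}` on `api.securitycenter.microsoft.com`, and a bearer token the caller has already obtained through the usual app registration; the machine id, comments and the `fake_transport` in the usage note are constructed values. The HTTP transport is injectable so the logic can be exercised offline.

```python
"""Submit Defender for Endpoint response actions and poll their status.

Added example, not Microsoft's code. Assumes the machine actions REST API
(POST /api/machines/{id}/isolate, POST /api/machines/{id}/runAntiVirusScan,
GET /api/machineactions/{id}) and a bearer token obtained elsewhere.
"""
import json
import time
import urllib.request
from typing import Any, Callable, Dict, Optional

API_BASE = "https://api.securitycenter.microsoft.com/api"

# Transport signature: (method, url, headers, body or None) -> decoded JSON dict.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Dict[str, Any]]

ISOLATION_TYPES = ("Full", "Selective")      # values accepted by the isolate endpoint
SCAN_TYPES = ("Quick", "Full")               # values accepted by runAntiVirusScan
TERMINAL_STATES = ("Succeeded", "Failed", "Cancelled")


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Dict[str, Any]:
    """Real transport: send the request and decode the JSON reply."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


class DefenderActions:
    def __init__(self, token: str, transport: Transport = urllib_transport):
        self._headers = {
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        }
        self._send = transport

    def _post(self, path: str, payload: Dict[str, Any]) -> Dict[str, Any]:
        body = json.dumps(payload).encode("utf-8")
        return self._send("POST", API_BASE + path, self._headers, body)

    def isolate(self, machine_id: str, comment: str,
                isolation_type: str = "Full") -> Dict[str, Any]:
        """Isolate a device from the network while it keeps talking to Defender.
        The post only describes full isolation for Linux/macOS, so Full is the default."""
        if isolation_type not in ISOLATION_TYPES:
            raise ValueError(f"isolation_type must be one of {ISOLATION_TYPES}")
        if not comment.strip():
            raise ValueError("a comment is required so the action is auditable")
        return self._post(f"/machines/{machine_id}/isolate",
                          {"Comment": comment, "IsolationType": isolation_type})

    def run_av_scan(self, machine_id: str, comment: str,
                    scan_type: str = "Quick") -> Dict[str, Any]:
        """Start a quick or full antivirus scan on the device."""
        if scan_type not in SCAN_TYPES:
            raise ValueError(f"scan_type must be one of {SCAN_TYPES}")
        if not comment.strip():
            raise ValueError("a comment is required so the action is auditable")
        return self._post(f"/machines/{machine_id}/runAntiVirusScan",
                          {"Comment": comment, "ScanType": scan_type})

    def get_action(self, action_id: str) -> Dict[str, Any]:
        """Fetch the machine action record (status is Pending/InProgress/...)."""
        return self._send("GET", f"{API_BASE}/machineactions/{action_id}",
                          self._headers, None)

    def wait_for_action(self, action_id: str, interval_s: float = 5.0,
                        max_polls: int = 12,
                        sleep: Callable[[float], None] = time.sleep) -> Dict[str, Any]:
        """Poll until the action reaches a terminal state or the poll budget runs out."""
        for _ in range(max_polls):
            action = self.get_action(action_id)
            if action.get("status") in TERMINAL_STATES:
                return action
            sleep(interval_s)
        raise TimeoutError(f"machine action {action_id} still running after "
                           f"{max_polls} polls")


if __name__ == "__main__":
    # Replace TOKEN and the machine id with real values to run against the API.
    client = DefenderActions("TOKEN")
    submitted = client.run_av_scan("MACHINE-ID-PLACEHOLDER", "IR ticket 42", "Full")
    print(client.wait_for_action(submitted["id"]))
```

Validating the enum values client-side keeps a typo from turning into a rejected request, and the mandatory comment mirrors the portal's prompt, which is what lands in the Action Center and the device timeline for later review. For a test or a dry run, pass a `transport` function that records the request and returns a constructed action record instead of contacting the service.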
Image 1 shows how these new options will now show up in the menu, alongside other actions you can take in the Microsoft 365 Defender portal. 

Image 1: Response actions for Linux device with Microsoft Defender for Endpoint

We are excited to offer these capabilities to our Linux and Mac communities so that security teams can be better equipped to protect and respond to advanced threats across their multi-platform enterprise, no matter which platforms their devices run.

As we continue our journey toward General Availability, we value your support and feedback. Stay tuned for more updates and enhancements as we strive to provide the best possible solutions. 
More information

  • Check out our documentation for more details on how to use response actions in Microsoft Defender for Endpoint
  • To learn more about running an antivirus scan, click here 
  • To learn more about Isolating devices from the network, click here 
Version history
Last update:
‎Oct 31 2023 06:33 AM