- Microsoft Defender ATP antivirus is available for Linux and Android
- Microsoft Defender ATP is available for all popular Linux distributions
- A preview of Microsoft Defender ATP for Android
- Microsoft Defender for Endpoint on Linux
- How to install Microsoft Defender for Endpoint on Linux
- Prerequisites
- Installation instructions
- System requirements
- Configuring Exclusions
- Network connections
- How to update Microsoft Defender for Endpoint on Linux
- How to configure Microsoft Defender for Endpoint on Linux
- Common applications that Microsoft Defender for Endpoint can impact
- Deploy Microsoft Defender for Endpoint on Linux manually
- Prerequisites and system requirements
- Configure the Linux software repository
- RHEL and variants (CentOS and Oracle Linux)
- SLES and variants
- Ubuntu and Debian systems
- Application installation
- Download the onboarding package
- Client configuration
- Experience Linux endpoint detection and response (EDR) capabilities with simulated attacks
- Installer script
- Log installation issues
- Operating system upgrades
- How to migrate from Insiders-Fast to Production channel
- Uninstallation
Microsoft Defender ATP antivirus is available for Linux and Android
Adding Linux to the list of platforms supported by Microsoft Defender ATP marks an important milestone for all of our customers.
By additionally announcing the preview availability of Microsoft Defender ATP for Android, Microsoft has given the market a unified security solution for the server and client platforms most commonly used in corporate environments.
Microsoft Defender ATP is available for all popular Linux distributions
Microsoft Defender ATP for Linux was first demonstrated at the Ignite 2019 developer conference. In February 2020 a public preview was launched with support for several Linux server distributions.
On Linux workstations, Microsoft's protection solution is available as a command-line tool that sends all detected threats to the Microsoft Defender Security Center.
At present, Microsoft Defender ATP for Linux supports the latest server versions of Linux distributions, including RHEL 7.2+, CentOS Linux 7.2+, Ubuntu 16 LTS or a higher LTS, SLES 12+, Debian 9+ and Oracle Linux 7.2.
System administrators holding a Microsoft Defender ATP for Servers license can deploy and configure the solution on Linux devices using Puppet or Ansible, as well as with the built-in Linux configuration management tools.
Microsoft has provided all the necessary documentation on installing, updating and configuring Microsoft Defender ATP for administrators who did not take part in the preview program. If the preview version of the service is in use, the agent application must be updated to version 101.00.75 or higher.
This initial release provides strong preventive protection capabilities, a full-featured command-line toolset on client devices for configuring and managing the agent, supports running scans and managing threats, and offers the familiar integrated interface for monitoring alerts in the Microsoft Defender Security Center.
A preview of Microsoft Defender ATP for Android
Microsoft Defender ATP for Android was first presented at the RSA Conference 2020. The company has now announced the availability of a preview version of the Android mobile device protection tool for interested users.
The official announcement states:
The public preview of Microsoft Defender ATP for Android provides protection against phishing and unsafe connections initiated by apps, websites and malicious software.
The solution offers the ability to restrict access to corporate data from devices that are considered "risky", which lets organizations protect confidential data on their Android devices.
All events and alerts will be available in the Microsoft Defender Security Center dashboard. IT security teams will get a centralized view of threats on Android devices and on other platforms.
At present, Microsoft Defender ATP for Android offers anti-phishing protection, proactive scanning of potentially dangerous apps, files and potentially unwanted applications (PUA), data leak protection and a centralized monitoring dashboard based on the Microsoft Defender Security Center.
Customers who have enrolled in preview features can already obtain Microsoft Defender ATP for Android (access can be enabled in the Microsoft Defender Security Center).
Detailed information about Microsoft Defender ATP for Android, including installation instructions, prerequisites and system requirements, is available at the link.
Rob Lefferts, Corporate Vice President for Microsoft 365 Security, said:
In the coming months we will release additional features for Android, and you will learn the details of our mobile threat defense initiatives for iOS.
Source
Microsoft Defender for Endpoint on Linux
Applies to:
This topic describes how to install, configure, update, and use Microsoft Defender for Endpoint on Linux.
Running other third-party endpoint protection products alongside Microsoft Defender for Endpoint on Linux is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of Defender for Endpoint on Linux EDR functionality after configuring the antivirus functionality to run in Passive mode.
How to install Microsoft Defender for Endpoint on Linux
Prerequisites
- Access to the Microsoft 365 Defender portal
- Linux distribution using the systemd system manager
- Beginner-level experience in Linux and BASH scripting
- Administrative privileges on the device (in case of manual deployment)
Microsoft Defender for Endpoint on Linux agent is independent from OMS agent. Microsoft Defender for Endpoint relies on its own independent telemetry pipeline.
Installation instructions
There are several methods and deployment tools that you can use to install and configure Microsoft Defender for Endpoint on Linux.
In general you need to take the following steps:
System requirements
Supported Linux server distributions and x64 (AMD64/EM64T) versions:
Red Hat Enterprise Linux 7.2 or higher
CentOS 7.2 or higher
Ubuntu 16.04 LTS or higher LTS
Debian 9 or higher
SUSE Linux Enterprise Server 12 or higher
Oracle Linux 7.2 or higher
Distributions and version that are not explicitly listed are unsupported (even if they are derived from the officially supported distributions).
Minimum kernel version 3.10.0-327
The fanotify kernel option must be enabled
Running Defender for Endpoint on Linux side by side with other fanotify-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system.
Disk space: 1 GB
/opt/microsoft/mdatp/sbin/wdavdaemon requires executable permission. For more information, see "Ensure that the daemon has executable permission" in Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux.
Cores: 2 minimum, 4 preferred
Memory: 1 GB minimum, 4 preferred
Please make sure that you have free disk space in /var.
The solution currently provides real-time protection for the following file system types:
After you’ve enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
Audit framework (auditd) must be enabled.
System events captured by rules added to /etc/audit/rules.d/ will be added to the audit.log(s) and might affect host auditing and upstream collection. Events added by Microsoft Defender for Endpoint on Linux will be tagged with the mdatp key.
Configuring Exclusions
When adding exclusions to Microsoft Defender Antivirus, you should be mindful of Common Exclusion Mistakes for Microsoft Defender Antivirus
Network connections
The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there are, you may need to create an allow rule specifically for them.
Spreadsheet of domains list | Description
---|---
Download the spreadsheet here. | Spreadsheet of specific DNS records for service locations, geographic locations, and OS.
Defender for Endpoint can discover a proxy server by using the following discovery methods:
- Transparent proxy
- Manual static proxy configuration
If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. For transparent proxies, no additional configuration is needed for Defender for Endpoint. For static proxy, follow the steps in Manual Static Proxy Configuration.
PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being used.
SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Defender for Endpoint on Linux to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
How to update Microsoft Defender for Endpoint on Linux
Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender for Endpoint on Linux, refer to Deploy updates for Microsoft Defender for Endpoint on Linux.
How to configure Microsoft Defender for Endpoint on Linux
Guidance for how to configure the product in enterprise environments is available in Set preferences for Microsoft Defender for Endpoint on Linux.
Common applications that Microsoft Defender for Endpoint can impact
High I/O workloads from certain applications can experience performance issues when Microsoft Defender for Endpoint is installed. These include applications for developer scenarios like Jenkins and Jira, and database workloads like OracleDB and Postgres. If experiencing performance degradation, consider setting exclusions for trusted applications, keeping Common Exclusion Mistakes for Microsoft Defender Antivirus in mind. For additional guidance, consider consulting documentation regarding antivirus exclusions from third party applications.
Source
Deploy Microsoft Defender for Endpoint on Linux manually
Applies to:
This article describes how to deploy Microsoft Defender for Endpoint on Linux manually. A successful deployment requires the completion of all of the following tasks:
Prerequisites and system requirements
Before you get started, see Microsoft Defender for Endpoint on Linux for a description of prerequisites and system requirements for the current software version.
Configure the Linux software repository
Defender for Endpoint on Linux can be deployed from one of the following channels (denoted below as [channel]): insiders-fast, insiders-slow, or prod. Each of these channels corresponds to a Linux software repository. Instructions for configuring your device to use one of these repositories are provided below.
The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in insiders-fast are the first ones to receive updates and new features, followed later by insiders-slow and lastly by prod.
In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either insiders-fast or insiders-slow.
Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.
RHEL and variants (CentOS and Oracle Linux)
Install yum-utils if it isn’t installed yet:
Note your distribution and version, and identify the closest entry (by major, then minor) for it under https://packages.microsoft.com/config/rhel/ .
Use the following table to help guide you in locating the package:
Distro & version | Package
---|---
For RHEL 8.0-8.5 | https://packages.microsoft.com/config/rhel/8/prod/
For RHEL 7.2-7.9 | https://packages.microsoft.com/config/rhel/7/prod/
In the following commands, replace [version] and [channel] with the information you’ve identified:
In case of Oracle Linux, replace [distro] with "rhel".
For example, if you are running CentOS 7 and want to deploy Defender for Endpoint on Linux from the prod channel:
Or if you wish to explore new features on selected devices, you might want to deploy Microsoft Defender for Endpoint on Linux to insiders-fast channel:
Install the Microsoft GPG public key:
Download and make usable all the metadata for the currently enabled yum repositories:
SLES and variants
Note your distribution and version, and identify the closest entry (by major, then minor) for it under https://packages.microsoft.com/config/sles/ .
In the following commands, replace [distro] and [version] with the information you’ve identified:
For example, if you are running SLES 12 and wish to deploy Microsoft Defender for Endpoint on Linux from the prod channel:
Install the Microsoft GPG public key:
Ubuntu and Debian systems
Install curl if it isn’t installed yet:
Install libplist-utils if it isn’t installed yet:
Note your distribution and version, and identify the closest entry (by major, then minor) for it under https://packages.microsoft.com/config/[distro]/ .
In the below command, replace [distro] and [version] with the information you’ve identified:
For example, if you are running Ubuntu 18.04 and wish to deploy Microsoft Defender for Endpoint on Linux from the prod channel:
Install the repository configuration:
For example, if you chose prod channel:
Install the gpg package if not already installed:
If gpg is not available, then install gnupg.
Install the Microsoft GPG public key:
Install the https driver if it’s not already present:
Update the repository metadata:
Application installation
RHEL and variants (CentOS and Oracle Linux):
If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the production channel if you also have the insiders-fast repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device. Depending on the distribution and the version of your server, the repository alias might be different than the one in the following example.
SLES and variants:
If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the production channel if you also have the insiders-fast repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.
Ubuntu and Debian system:
If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the production channel if you also have the insiders-fast repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.
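The repository setup and package installation described across the three distribution sections above, collected into one script. This is an added example, not Microsoft's own installer script. It assumes things the page does not state: that the channel files are served as https://packages.microsoft.com/config/[distro]/[version]/[channel].repo (yum and zypper) or .list (apt), that the package is named mdatp, and that the signing key is https://packages.microsoft.com/keys/microsoft.asc. The channel is validated against the three documented values before anything is written, and DRY_RUN prints the steps instead of executing them.

```shell
#!/bin/sh
# Added example, not Microsoft's installer script: derive the repository
# definition for a [distro]/[version]/[channel] triple and run (or, with
# DRY_RUN set, only print) the package-manager steps from the sections above.
# Assumed, not stated on the page: channel files are served as
# https://packages.microsoft.com/config/<distro>/<version>/<channel>.repo (yum,
# zypper) or .list (apt), the package is named "mdatp", and the signing key is
# https://packages.microsoft.com/keys/microsoft.asc.

MS_BASE="https://packages.microsoft.com/config"
MS_KEY="https://packages.microsoft.com/keys/microsoft.asc"

# Oracle Linux uses the rhel configuration, as the page says.
mde_distro_alias() {
    case "$1" in
        oracle) echo rhel ;;
        *) echo "$1" ;;
    esac
}

# Only the three documented channels are accepted.
mde_valid_channel() {
    case "$1" in
        insiders-fast|insiders-slow|prod) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the repository definition URL for a family (rhel, sles, debian).
# usage: mde_repo_url <family> <distro> <version> <channel>
mde_repo_url() {
    family=$1; distro=$(mde_distro_alias "$2"); version=$3; channel=$4
    mde_valid_channel "$channel" || { echo "unknown channel: $channel" >&2; return 1; }
    case "$family" in
        rhel|sles) echo "$MS_BASE/$distro/$version/$channel.repo" ;;
        debian)    echo "$MS_BASE/$distro/$version/$channel.list" ;;
        *) echo "unknown family: $family" >&2; return 1 ;;
    esac
}

# Echo each step; execute it unless DRY_RUN is set.
run() {
    echo "+ $*"
    [ -n "${DRY_RUN:-}" ] || "$@"
}

# Configure the repository, trust the Microsoft key and install the package.
# usage: mde_setup <family> <distro> <version> <channel>   (run as root)
mde_setup() {
    url=$(mde_repo_url "$@") || return 1
    case "$1" in
        rhel)
            run yum install -y yum-utils
            run yum-config-manager --add-repo="$url"
            run rpm --import "$MS_KEY"
            run yum makecache
            run yum install -y mdatp
            ;;
        sles)
            run zypper addrepo -c -f -n "microsoft-$4" "$url"
            run rpm --import "$MS_KEY"
            run zypper install -y mdatp
            ;;
        debian)
            run apt-get install -y curl libplist-utils gnupg apt-transport-https
            run curl -o "/etc/apt/sources.list.d/microsoft-$4.list" "$url"
            run sh -c "curl -sSL $MS_KEY | gpg --dearmor > /etc/apt/trusted.gpg.d/microsoft.gpg"
            run apt-get update
            run apt-get install -y mdatp
            ;;
    esac
}

# Example from the text: CentOS 7 from the prod channel, printed only.
# DRY_RUN=1 mde_setup rhel centos 7 prod
```

Because the key is imported before the package is fetched, a mistyped or unofficial repository URL fails signature verification instead of installing an unsigned package; keep that ordering if you adapt the script.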
Download the onboarding package
Download the onboarding package from Microsoft 365 Defender portal:
In the Microsoft 365 Defender portal, go to Settings > Endpoints > Device management > Onboarding.
In the first drop-down menu, select Linux Server as the operating system. In the second drop-down menu, select Local Script as the deployment method.
Select Download onboarding package. Save the file as WindowsDefenderATPOnboardingPackage.zip.
From a command prompt, verify that you have the file. Extract the contents of the archive:
Client configuration
Copy MicrosoftDefenderATPOnboardingLinuxServer.py to the target device.
Initially the client device is not associated with an organization. Note that the orgId attribute is blank:
To run this command, you must have python installed on the device. If you’re running RHEL 8.x or Ubuntu 20.04 or higher, then you will need to use Python 3 instead of Python.
Verify that the device is now associated with your organization and reports a valid organization identifier:
A few minutes after you complete the installation, you can see the status by running the following command. A return value of 1 denotes that the product is functioning as expected:
When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes. During this time the above command returns a value of false. You can check the status of the definition update using the following command:
Please note that you may also need to configure a proxy after completing the initial installation. See Configure Defender for Endpoint on Linux for static proxy discovery: Post-installation configuration.
Run a detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:
Ensure that real-time protection is enabled (denoted by a result of 1 from running the following command):
Open a Terminal window. Copy and execute the following command:
The file should have been quarantined by Defender for Endpoint on Linux. Use the following command to list all the detected threats:
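The post-onboarding checks from the Client configuration section above (organization association, health, definition download, real-time protection) and the detection test, written as one script. This is an added example and not Microsoft's documentation or tooling. It assumes the command-line tool is `mdatp`, that `mdatp health --field <name>` prints a single value, and that the fields are named org_id, healthy, definitions_status and real_time_protection_enabled; the EICAR download URL is also an assumption. MDATP can be pointed at a stand-in command for testing.

```shell
#!/bin/sh
# Added example (not Microsoft's tooling): post-install verification for a
# freshly onboarded Linux device. Assumptions not stated on the page: the CLI is
# "mdatp", "mdatp health --field <name>" prints one value, and the field names
# below are org_id, healthy, definitions_status, real_time_protection_enabled.
MDATP=${MDATP:-mdatp}

# Read one health field, stripping the quotes printed around string values.
mde_field() {
    "$MDATP" health --field "$1" 2>/dev/null | tr -d '"\r' | sed 's/^ *//;s/ *$//'
}

# The text above describes "working" both as 1 and as true; accept either.
mde_is_true() {
    case "$1" in
        1|true) return 0 ;;
        *) return 1 ;;
    esac
}

# Onboarded means org_id is no longer blank.
mde_is_onboarded() {
    [ -n "$(mde_field org_id)" ]
}

# Wait up to $1 seconds (default 300) for healthy=true. The first start downloads
# definitions, so a false answer for a few minutes is expected, not a failure.
mde_wait_healthy() {
    deadline=$(( $(date +%s) + ${1:-300} ))
    while ! mde_is_true "$(mde_field healthy)"; do
        [ "$(date +%s)" -lt "$deadline" ] || return 1
        echo "healthy=false, definitions_status=$(mde_field definitions_status); waiting" >&2
        sleep 10
    done
}

# Succeeds only when the device is onboarded, healthy and real-time protection
# is on; this is the precondition for the detection test.
mde_ready() {
    mde_is_onboarded || { echo "not onboarded: org_id is blank" >&2; return 1; }
    mde_is_true "$(mde_field healthy)" || { echo "product not healthy yet" >&2; return 1; }
    mde_is_true "$(mde_field real_time_protection_enabled)" \
        || { echo "real-time protection is disabled" >&2; return 1; }
}

# Detection test: fetch the EICAR test file (a harmless industry-standard test
# string, not malware) and list detections; it should show up as quarantined.
# The download URL and /tmp path are assumptions of this example.
mde_detection_test() {
    mde_ready || return 1
    curl -sS -o /tmp/eicar.com.txt https://www.eicar.org/download/eicar.com.txt || return 1
    sleep 5
    "$MDATP" threat list
}
```

Run `mde_wait_healthy` right after onboarding and `mde_detection_test` once it returns; a non-zero exit from `mde_ready` names the first failed precondition on stderr, which is usually enough to tell a proxy problem (definitions never arrive) from a missed onboarding step (blank org_id).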
Experience Linux endpoint detection and response (EDR) capabilities with simulated attacks
To test out the functionalities of EDR for Linux, follow the steps below to simulate a detection on your Linux server and investigate the case.
Verify that the onboarded Linux server appears in Microsoft 365 Defender. If this is the first onboarding of the machine, it can take up to 20 minutes until it appears.
Download and extract the script file to an onboarded Linux server and run the following command: ./mde_linux_edr_diy.sh
After a few minutes, a detection should be raised in Microsoft 365 Defender.
Look at the alert details, machine timeline, and perform your typical investigation steps.
Installer script
Alternatively, you can use an automated installer bash script provided in our public GitHub repository. The script identifies the distribution and version, and sets up the device to pull the latest package and install it. You can also onboard with a provided script.
Log installation issues
See Log installation issues for more information on how to find the automatically generated log that is created by the installer when an error occurs.
Operating system upgrades
When upgrading your operating system to a new major version, you must first uninstall Defender for Endpoint on Linux, install the upgrade, and finally reconfigure Defender for Endpoint on Linux on your device.
How to migrate from Insiders-Fast to Production channel
Uninstall the "Insiders-Fast channel" version of Defender for Endpoint on Linux.
Disable the Defender for Endpoint on Linux Insiders-Fast repo.
The output should show "packages-microsoft-com-fast-prod".
Redeploy Microsoft Defender for Endpoint on Linux using the "Production channel".
Uninstallation
See Uninstall for details on how to remove Defender for Endpoint on Linux from client devices.
Source