By Kurt Mackie and Azure Security News
Microsoft on Tuesday announced a preview of an enhancement to Microsoft Defender for Endpoint on Linux’s anti-virus solution, adding behavior monitoring, deep scanning and blocking capabilities.
The anti-virus in Microsoft Defender for Endpoint on Linux already scans for malware content. The preview adds a new capability to “closely monitor processes, file system activities and process interactions within the system,” the announcement explained. These “signals” are then checked by Microsoft’s cloud-based machine learning service.
“These behavior-based signals will act as additional runtime signals for behavioral cloud-powered machine learning models and for effective runtime protection,” the announcement explained.
The preview of the anti-virus behavior monitoring and blocking capabilities in Microsoft Defender for Endpoint on Linux is supported on the following Linux server distros:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2+
However, this release is still at the preview stage, so organizations should not test it on production machines. IT pros also have many prerequisites to satisfy before they can even use the preview.
It’s possible to use command-line interfaces to see details surfaced by the preview. Additionally, behavior monitoring alerts will show up in the Microsoft Defender Security Center portal, as well as the Microsoft 365 Security Center portal. These portal alerts can be used to conduct further investigations.
The preview is yet another advance on the Linux server side for Microsoft Defender for Endpoint users. In January, Microsoft added the ability to use that tool to conduct forensic analyses of those same Linux server distros, a capability that reached “general availability” (commercial release) at that time.