Introduction
At the end of this year I finished a Defender for Endpoint on Linux server rollout with a customer, and I want to share my experience with you.
Microsoft Defender for Endpoint (MDE) is an advanced enterprise security platform designed to protect and monitor a broad range of devices, including Linux servers. This article explores the deployment, configuration, and operational details of Defender for Endpoint on Linux, based on extensive hands-on testing and the latest documentation.
Key Capabilities of Defender for Endpoint on Linux
Microsoft Defender for Endpoint on Linux provides:
- Posture Management: Asset discovery, risk-based vulnerability management, and remediation tracking.
- Threat Protection: Next-generation antivirus protection leveraging local and cloud-based ML models, behavior analytics, and heuristics.
- Endpoint Detection and Response (EDR): AI-driven threat detection, real-time response actions, and advanced hunting for deep insights.
- Enterprise-grade Stability: A robust sensor framework without kernel modules, relying instead on extended Berkeley Packet Filter (eBPF) for stability and performance.
For more information, consult: Microsoft Defender for Endpoint on Linux – Microsoft Defender for Endpoint | Microsoft Learn
Deployment Methods
Defender for Endpoint on Linux supports multiple deployment approaches:
- Installer Script: Automates onboarding using a script that identifies Linux distribution/version, installs dependencies, and registers the device.
- Automation Tools: Ansible, Chef, Puppet, SaltStack.
- Manual Installation: Direct setup using onboarding packages from the Microsoft Defender portal.
Installer script used in my case:
sudo ./mde_installer.sh --install --onboard ./MicrosoftDefenderATPOnboardingLinuxServer.py --channel prod --min_req
This command installs the latest production agent, checks system requirements, and registers the device.
Configuration and Policy Management
Defender for Endpoint settings on Linux can be managed via two primary methods:
- Microsoft Defender Portal: Centralized configuration and monitoring.
- JSON Configuration Profiles: Advanced customization using /etc/opt/microsoft/mdatp/managed/mdatp_managed.json.
Example JSON Configuration:
{
  "antivirusEngine": {
    "enforcementLevel": "real_time",
    "threatTypeSettings": [
      {"key": "potentially_unwanted_application", "value": "block"},
      {"key": "archive_bomb", "value": "audit"}
    ]
  },
  "cloudService": {
    "automaticDefinitionUpdateEnabled": true,
    "automaticSampleSubmissionConsent": "safe",
    "enabled": true
  },
  "edr": {
    "groupIds": "LinuxServers",
    "tags": [{"key": "GROUP", "value": "Production"}]
  }
}
This profile enforces real-time protection, handles specific threats, and configures cloud-delivered protection features.
Validation and Troubleshooting
Validation Steps:
- Confirm device onboarding using:
mdatp health --field real_time_protection_enabled
- Verify antivirus functionality with the EICAR test file (the download should appear as a detection):
curl -o /tmp/eicar.com.txt https://secure.eicar.org/eicar.com.txt
mdatp threat list
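Added example (my own helper, not from the article or from Microsoft): a small Python check that parses the "key : value" lines printed by mdatp health and confirms the state a freshly onboarded server should be in. The field names are assumed to match what mdatp health prints on the host (adjust the list if your output differs); the sample output below is constructed for offline use. A local check of edr_device_tags and edr_group_ids is included so that a tag or group from mdatp_managed.json can be confirmed on the server itself.

```python
import json
import shutil
import subprocess

# Constructed sample of `mdatp health` output (not captured from a real host).
SAMPLE_HEALTH = """\
healthy                                     : true
health_issues                               : []
licensed                                    : true
engine_version                              : "1.1.24000.0"
cloud_enabled                               : true
passive_mode_enabled                        : false
real_time_protection_enabled                : true
real_time_protection_subsystem              : "fanotify"
supplementary_events_subsystem              : "ebpf"
definitions_status                          : "up_to_date"
definitions_updated_minutes_ago             : 37
edr_device_tags                             : [{"key":"GROUP","value":"Production"}]
edr_group_ids                               : "LinuxServers"
"""


def parse_health(text: str) -> dict:
    """Turn mdatp health output into a dict; JSON-looking values are decoded."""
    fields = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, _, raw = line.partition(" : ")
        raw = raw.strip()
        try:
            fields[key.strip()] = json.loads(raw)
        except ValueError:
            fields[key.strip()] = raw  # unquoted free text, keep as-is
    return fields


def check_onboarding(fields: dict, expected_tag=None, expected_group=None) -> list[str]:
    """Return findings; an empty list means the sensor is onboarded and protecting."""
    findings = []
    # Assumed field names; expected values for a protected, non-passive server.
    for key, want in [("healthy", True), ("licensed", True), ("cloud_enabled", True),
                      ("real_time_protection_enabled", True), ("passive_mode_enabled", False)]:
        if fields.get(key) != want:
            findings.append(f"{key} is {fields.get(key)!r}, expected {want!r}")
    if fields.get("health_issues"):
        findings.append(f"health_issues: {fields['health_issues']}")
    if fields.get("definitions_status") != "up_to_date":
        findings.append(f"definitions_status is {fields.get('definitions_status')!r}")
    if fields.get("supplementary_events_subsystem") != "ebpf":
        findings.append("EDR events are not coming from eBPF; check for an auditd fallback")
    if expected_tag is not None:
        tags = {t.get("key"): t.get("value")
                for t in fields.get("edr_device_tags", []) if isinstance(t, dict)}
        if tags.get(expected_tag[0]) != expected_tag[1]:
            findings.append(f"tag {expected_tag[0]}={expected_tag[1]} not applied locally yet")
    if expected_group is not None and fields.get("edr_group_ids") != expected_group:
        findings.append(f"edr_group_ids is {fields.get('edr_group_ids')!r}")
    return findings


def live_health() -> dict:
    """Run the real command when the agent is installed; otherwise use the sample."""
    if shutil.which("mdatp"):
        out = subprocess.run(["mdatp", "health"], capture_output=True,
                             text=True, check=True).stdout
        return parse_health(out)
    return parse_health(SAMPLE_HEALTH)


if __name__ == "__main__":
    f = live_health()
    issues = check_onboarding(f, expected_tag=("GROUP", "Production"),
                              expected_group="LinuxServers")
    print("\n".join(issues) or "onboarding checks passed")
```

Run it as root on the server after the installer finishes; a non-empty list of findings tells you which of the validation steps above still fails, and the tag check lets you separate "the profile was not applied" from "the console has not caught up yet".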
Advanced EDR Features
Defender for Endpoint leverages eBPF technology for efficient event monitoring and response, reducing overhead compared to auditd-based monitoring. Key configurations:
- Module Load Events Monitoring
- File Permission/Ownership Events
- Network Protection (ICMP Inspection)
These features can be toggled in the JSON config under the features and networkProtection sections.
Performance Considerations and Exclusions
Certain applications (e.g., Jenkins, Jira, databases like OracleDB, Postgres) might experience performance impacts due to high I/O when Defender is installed. To mitigate, configure exclusions appropriately:
"exclusionSettings": {
  "exclusions": [
    {"$type": "excludedPath", "isDirectory": true, "path": "/var/lib/jenkins", "scopes": ["global"]}
  ]
}
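As an added example (my own helper script, not from the article or from Microsoft), the following Python builds the profile shown under Configuration and Policy Management, adds the Jenkins exclusion from this section, and lints the result before it is copied to /etc/opt/microsoft/mdatp/managed/mdatp_managed.json. The allowed-value sets and the list of overly broad paths are assumptions made for this check, not an official schema.

```python
import json
from pathlib import Path

# Assumed allowed values for the lint checks (not an official schema).
ALLOWED_ENFORCEMENT = {"real_time", "on_demand", "passive"}
ALLOWED_EXCLUSION_TYPES = {"excludedPath", "excludedFileExtension", "excludedFileName"}
# Excluding any of these would silence scanning for most of the filesystem.
BROAD_PATHS = {"/usr", "/var", "/etc", "/home", "/tmp", "/opt"}


def base_profile() -> dict:
    """Profile from the article: real-time protection, PUA blocked, cloud on."""
    return {
        "antivirusEngine": {
            "enforcementLevel": "real_time",
            "threatTypeSettings": [
                {"key": "potentially_unwanted_application", "value": "block"},
                {"key": "archive_bomb", "value": "audit"},
            ],
        },
        "cloudService": {
            "automaticDefinitionUpdateEnabled": True,
            "automaticSampleSubmissionConsent": "safe",
            "enabled": True,
        },
        "edr": {
            "groupIds": "LinuxServers",
            "tags": [{"key": "GROUP", "value": "Production"}],
        },
    }


def add_path_exclusion(profile: dict, path: str, is_directory: bool = True) -> dict:
    """Add a global path exclusion once (idempotent), e.g. a Jenkins or database data dir."""
    excl = profile.setdefault("exclusionSettings", {}).setdefault("exclusions", [])
    entry = {"$type": "excludedPath", "isDirectory": is_directory,
             "path": path, "scopes": ["global"]}
    if entry not in excl:
        excl.append(entry)
    return profile


def lint_profile(profile: dict) -> list[str]:
    """Return a list of problems; an empty list means the profile passed every check."""
    problems = []
    av = profile.get("antivirusEngine", {})
    level = av.get("enforcementLevel")
    if level not in ALLOWED_ENFORCEMENT:
        problems.append(f"antivirusEngine.enforcementLevel invalid: {level!r}")
    elif level == "passive":
        problems.append("enforcementLevel is passive: AV will detect but not block")
    threat_types = {t["key"]: t["value"] for t in av.get("threatTypeSettings", [])}
    if threat_types.get("potentially_unwanted_application") != "block":
        problems.append("potentially_unwanted_application is not set to block")
    if profile.get("cloudService", {}).get("enabled") is not True:
        problems.append("cloudService.enabled is not true: cloud-delivered protection off")
    for ex in profile.get("exclusionSettings", {}).get("exclusions", []):
        ex_type = ex.get("$type")
        if ex_type not in ALLOWED_EXCLUSION_TYPES:
            problems.append(f"unknown exclusion $type {ex_type!r}")
            continue
        if ex_type == "excludedPath":
            p = ex.get("path", "")
            if not p.startswith("/"):
                problems.append(f"exclusion path is not absolute: {p!r}")
            if p == "/" or p.rstrip("/") in BROAD_PATHS:
                problems.append(f"exclusion {p!r} is too broad: it disables scanning for most of the system")
            if not isinstance(ex.get("isDirectory"), bool):
                problems.append(f"exclusion {p!r}: isDirectory must be a boolean")
    return problems


def write_profile(profile: dict, dest: Path) -> None:
    """Serialise with strict JSON; a file that fails to parse is ignored by the agent."""
    dest.write_text(json.dumps(profile, indent=2) + "\n")


if __name__ == "__main__":
    prof = add_path_exclusion(base_profile(), "/var/lib/jenkins")
    issues = lint_profile(prof)
    print("\n".join(issues) or "profile OK")
    # Stage the file, then copy it as root to /etc/opt/microsoft/mdatp/managed/mdatp_managed.json
    write_profile(prof, Path("/tmp/mdatp_managed.json"))
```

Keep exclusions as narrow as the application needs: an excluded directory is never scanned, so an entry such as /var or / would quietly turn off protection for most of the server, which is why the linter rejects those paths.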
Insights from Testing
[WARNING] During extensive testing and deployment in the production environment, one notable observation was the delay in tag updates reflecting within the Microsoft Defender security console. Specifically, applying tags through the JSON configuration profile (mdatp_managed.json) typically took up to 24 hours before appearing correctly in the Defender security console. This latency is important to consider during deployments and operational planning. I contacted the product team and they don't have an explanation at the moment.
Conclusion
Microsoft Defender for Endpoint on Linux is a powerful solution for enhancing Linux server security. While the deployment and policy management are robust and flexible, practitioners must account for synchronization delays, especially for tagging and grouping, which based on extensive testing can take up to a full day to reflect accurately in the Microsoft Defender security console. Planning accordingly ensures optimal operation and visibility.