
Microsoft Defender for Endpoint in Linux Capabilities

Andre Camillo, CISSP
2 min read · Oct 17, 2023


I’ve spoken about Defender on Linux recently in the context of MDC, but I’ve also heard questions from customers about what capabilities are available in Defender for Endpoint for Linux, and wanted to cover this topic.

What features are available to protect Linux?

A common customer question: what MDE protection capabilities are available to Linux devices?

These are the available capabilities per platform, as also explained by Microsoft’s own product team in this video:

Source: Microsoft Learn

An omission you might have noticed is specifically around ASR (Attack Surface Reduction) rules.

First, what are ASR rules? The documentation explains:

Attack surface reduction rules can constrain software-based risky behaviors.

ASR requirements are listed in this document.

And this is a list of some of the main rules enabled via ASR:

As you can see, most (not all) of them are tied to Microsoft Windows’ architecture; think of concepts such as:

  • Drivers
  • WMI
  • Specific Windows executables (lsass.exe)
  • Win32 API

So they wouldn’t apply to other platforms. As for the handful of rules whose intent could overlap with controls on Linux, ASR rules are simply not offered for Linux, so that coverage has to come from somewhere else.

Then, how can we apply similar controls to Linux devices?

This is where it’s worth reviewing the Defender for Endpoint settings available for Linux; this is the reference document.

You can configure AV settings, network protection and raw-socket settings, boot loader, ptrace and advanced scan permissions: everything relevant to Linux distros.
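Configuring those settings is only half the job; the other half is confirming that the agent on a given host actually ended up with them. As an added example (not code from the original post, and not Microsoft’s), the bash script below parses the key : value output of the documented `mdatp health` command and compares a few of the protections discussed above (real-time AV, cloud, definitions, network protection, tamper protection) against a baseline. The sample health output embedded in it is constructed, and the exact field names and values it expects (such as `network_protection_status` and `tamper_protection`) are assumptions based on the format that command prints, not something this post states; compare them with your own host’s output before relying on the script.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post. Checks a Linux MDE host's
# effective protection state by parsing `mdatp health` output.
# Field names and expected values below are assumptions about that
# output's format; adjust them to what your agent version prints.

# Print the value of one key from `mdatp health`-style text on stdin.
# Only the first ':' separates key from value (timestamps contain ':'),
# and surrounding whitespace and quotes are stripped.
mdatp_get() {
    awk -v key="$1" -F':' '
        {
            k = $1; sub(/[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, ":") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                gsub(/"/, "", v)
                print v; exit
            }
        }'
}

# Baseline as key=expected lines. This is an assumed policy for the
# example; tune it to your own standard.
MDATP_BASELINE="
real_time_protection_enabled=true
passive_mode_enabled=false
cloud_enabled=true
automatic_definition_update_enabled=true
definitions_status=up_to_date
network_protection_status=started
tamper_protection=block
behavior_monitoring=enabled
"

# Compare a saved health output file ($1) against the baseline.
# Prints one FAIL line per deviation; the return code is the number of
# deviations, so 0 means the host meets the baseline.
mdatp_check() {
    local file="$1" key want got fails=0
    while IFS='=' read -r key want; do
        [ -z "$key" ] && continue
        got=$(mdatp_get "$key" < "$file")
        if [ "$got" != "$want" ]; then
            printf 'FAIL %s: want %s, got %s\n' "$key" "$want" "${got:-<missing>}"
            fails=$((fails + 1))
        fi
    done <<EOF
$MDATP_BASELINE
EOF
    return "$fails"
}

# Constructed sample of `mdatp health` output (not captured from a real
# host). Network protection is stopped and tamper protection disabled on
# purpose, so the check has two deviations to report.
SAMPLE_HEALTH=$(mktemp)
cat > "$SAMPLE_HEALTH" <<'EOF'
healthy                                     : true
licensed                                    : true
app_version                                 : "101.23062.0010"
release_ring                                : "Production"
cloud_enabled                               : true
cloud_automatic_sample_submission_consent   : "safe"
passive_mode_enabled                        : false
real_time_protection_enabled                : true
real_time_protection_subsystem              : "fanotify"
supplementary_events_subsystem              : "ebpf"
automatic_definition_update_enabled         : true
definitions_updated                         : Oct 16, 2023 at 09:02:33 AM
definitions_status                          : "up_to_date"
network_protection_status                   : "stopped"
behavior_monitoring                         : "enabled"
tamper_protection                           : "disabled"
EOF

# Demo run against the sample. On a real host:
#   mdatp health > /tmp/health.txt && mdatp_check /tmp/health.txt
mdatp_check "$SAMPLE_HEALTH" && rc=0 || rc=$?
echo "baseline deviations: $rc"
```

A non-zero result is a deployment or policy problem: the settings themselves are pushed through the managed configuration file the reference document describes (`/etc/opt/microsoft/mdatp/managed/mdatp_managed.json`) or set locally with the `mdatp config` subcommands (for example `mdatp config network-protection enforcement-level --value block`; check the reference document for the exact syntax on your agent version), so fix the source of the configuration rather than hand-patching individual hosts.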

Learn more about my Cloud and Security Projects: https://linktr.ee/acamillo

Consider subscribing to Medium to access more content that will empower you!

Thank you for reading and leave your thoughts/comments!

References

Scattered throughout the document
