Microsoft Defender for Endpoint in Linux Capabilities
I’ve spoken about Defender on Linux recently in the context of MDC (Microsoft Defender for Cloud), but I keep hearing questions from customers about which capabilities are actually available in Defender for Endpoint for Linux, so I wanted to cover that topic here.
What features are available to protect Linux?
A common customer question: which MDE protection capabilities are available for Linux devices?
These are the available capabilities per platform, as also explained by Microsoft’s own product team in this video:

One omission you may have noticed is ASR (Attack Surface Reduction) rules.
First, what are ASR rules? The documentation explains:
Attack surface reduction rules can constrain software-based risky behaviors.
ASR requirements are listed in this document.
And this is a list of some of the main rules that can be enabled via ASR:

As you can see, most (not all) of them are tied to Microsoft Windows’ architecture; think of concepts such as:
- Drivers
- WMI
- Specific Windows executables (lsass.exe)
- Win32 API
So they wouldn’t apply to other platforms. As for the rules that could overlap with controls on Linux, well…
Then, how can we apply similar controls to Linux devices?
Here’s where it’s worth reviewing the Defender for Endpoint settings available for Linux; this is the reference document.
You can configure antivirus (AV) settings, network protection, raw-socket, boot-loader and ptrace settings, and advanced scan permissions: everything relevant to Linux distros. On Linux these settings are pushed as a managed JSON file (mdatp_managed.json), so it is worth auditing that file for weak values (passive enforcement, cloud protection off, network protection disabled, over-broad exclusions) rather than assuming the defaults survived your deployment.
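As an added example (not code from the original post, and not Microsoft’s own tooling), the script below audits an MDE for Linux managed-settings file for the weak values called out above and shows a deliberately weak configuration beside a hardened one. It assumes the JSON keys (`antivirusEngine.enforcementLevel`, `antivirusEngine.behaviorMonitoring`, `antivirusEngine.exclusions` entries with `$type`, `cloudService.enabled`, `networkProtection.enforcementLevel`) as they appear in the reference document; both sample configurations are constructed for this example, and the lists of "broad" directories and "risky" extensions are this script’s own policy choices, not vendor defaults.

```python
"""Added example (not from the original post or from Microsoft): audit an MDE for
Linux managed-settings file (mdatp_managed.json) for weak settings.

Assumptions: the JSON keys used here (antivirusEngine.enforcementLevel,
antivirusEngine.behaviorMonitoring, antivirusEngine.exclusions with $type,
cloudService.enabled, networkProtection.enforcementLevel) follow the public
reference document for MDE on Linux; what counts as "weak" is this script's own
policy, not a vendor default.
"""
import json
import sys

# Constructed sample: deliberately weak settings.
WEAK_CONFIG = r"""
{
  "antivirusEngine": {
    "enforcementLevel": "passive",
    "behaviorMonitoring": "disabled",
    "exclusionsMergePolicy": "admin_only",
    "exclusions": [
      {"$type": "excludedPath", "isDirectory": true, "path": "/"},
      {"$type": "excludedFileExtension", "extension": ".sh"}
    ]
  },
  "cloudService": {"enabled": false},
  "networkProtection": {"enforcementLevel": "disabled"}
}
"""

# Constructed sample: the same file with each weakness corrected.
HARDENED_CONFIG = r"""
{
  "antivirusEngine": {
    "enforcementLevel": "real_time",
    "behaviorMonitoring": "enabled",
    "exclusionsMergePolicy": "merge",
    "exclusions": [
      {"$type": "excludedPath", "isDirectory": true, "path": "/var/lib/postgresql/data"}
    ]
  },
  "cloudService": {"enabled": true, "automaticDefinitionUpdateEnabled": true},
  "networkProtection": {"enforcementLevel": "block"}
}
"""

# Policy choices for this script (assumptions, not vendor defaults).
BROAD_DIRS = {"/", "/bin", "/etc", "/home", "/opt", "/tmp", "/usr", "/var"}
RISKY_EXTENSIONS = {".sh", ".py", ".pl", ".so", ".elf", ".bin"}


def audit(config_text):
    """Return a list of finding strings; an empty list means nothing weak was found."""
    cfg = json.loads(config_text)
    findings = []

    av = cfg.get("antivirusEngine", {})
    level = av.get("enforcementLevel", "real_time")  # treat an unset level as real_time
    if level != "real_time":
        findings.append(f"antivirusEngine.enforcementLevel={level} (expected real_time)")

    bm = av.get("behaviorMonitoring", "unset")
    if bm != "enabled":  # flag unless explicitly enabled
        findings.append(f"antivirusEngine.behaviorMonitoring={bm} (expected enabled)")

    for exc in av.get("exclusions", []):
        kind = exc.get("$type")
        if kind == "excludedPath" and exc.get("isDirectory"):
            norm = exc.get("path", "").rstrip("/") or "/"  # "/" stays "/"
            if norm in BROAD_DIRS:
                findings.append(f"antivirusEngine.exclusions: broad directory exclusion {norm}")
        elif kind == "excludedFileExtension":
            ext = exc.get("extension", "").lower()
            if ext in RISKY_EXTENSIONS:
                findings.append(f"antivirusEngine.exclusions: extension exclusion {ext} covers executable content")

    if not cfg.get("cloudService", {}).get("enabled", True):
        findings.append("cloudService.enabled=false (cloud-delivered protection off)")

    np_level = cfg.get("networkProtection", {}).get("enforcementLevel", "disabled")
    if np_level == "audit":
        findings.append("networkProtection.enforcementLevel=audit (logs only, does not block)")
    elif np_level != "block":
        findings.append(f"networkProtection.enforcementLevel={np_level} (expected block)")

    return findings


def main(argv):
    # Usage: python audit_mdatp.py [/etc/opt/microsoft/mdatp/managed/mdatp_managed.json]
    # Without an argument the constructed WEAK_CONFIG is audited.
    text = open(argv[1]).read() if len(argv) > 1 else WEAK_CONFIG
    findings = audit(text)
    for finding in findings:
        print("WEAK:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the managed file on a host (the path in `main` is the documented location for the managed profile) and compare with what the agent reports as effective via `mdatp health`: a clean file does not help if the profile never reached the device or a local setting overrides it.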
Learn more about my Cloud and Security Projects: https://linktr.ee/acamillo
Thank you for reading and leave your thoughts/comments!
References
Scattered throughout the document