Microsoft Defender ATP: the protection of Linux systems

Many companies have infrastructures consisting of heterogeneous server operating systems and the difficulty of having to adopt and manage different security platforms to ensure protection of the entire machine fleet is known.. Microsoft recently announced the availability of Microsoft Defender Advanced Threat Protection (ATP), the security platform for enterprise endpoints designed to prevent, detect, investigate and respond to security threats, also for Linux systems. This article describes how to protect Linux machines with this solution and provides an overview of how Microsoft Defender Security Center enables you to monitor and manage the security of the entire spectrum of client and server platforms in enterprise environments (Windows, Windows Server, macOS and Linux).

Microsoft has steadily evolved its endpoint security platform in recent years Microsoft Defender Advanced Threat Protection (ATP), to the point of being recognized as a leader, also getting the highest positioning in the execution capacity, in the last Gartner quadrant of "Endpoint Protection Platforms".

Figure 1 – Gartner Magic Quadrant "Endpoint Protection Platforms" (2019)

The ability to protect Linux systems also makes it an even more complete solution, able to offer:

  • Powerful preventive features. The solution provides real-time protection for the following types of file systems: btrfs, ecryptfs, ext2, ext3, ext4, fuse, fuseblk, jfs, nfs, overlay, ramfs, reiserfs, tmpfs, udf, and vfat.
  • A complete command-line experience to configure and manage the agent, initiate scans and manage threats.
  • An integration into alert monitoring within the Microsoft Defender Security Center.

System Requirements

Before you deploy the solution, you should verify that all the requirements of Microsoft Defender ATP in the Linux environment are met.

The Linux distributions and their versions currently supported are as follows:

  • Red Hat Enterprise Linux 7.2 or higher
  • CentOS 7.2 or higher
  • Ubuntu 16.04 LTS or higher
  • Debian 9 or higher
  • SUSE Linux Enterprise Server 12 or higher
  • Oracle Linux 7.2 or higher

The minimum supported kernel version is the 3.10.0-327 and the feature that must be enabled is fanotify. Fanotify is a file access notification system built into many Linux kernels that allows Microsoft Defender ATP to scan files and, if necessary, block access to threats. The use of this feature must be totally dedicated to Microsoft Defender ATP, as the joint use of this feature by other security solutions, can lead to unpredictable results, including blocking the operating system.

Network Requirements

For Microsoft Defender ATP to work correctly on Linux systems, you must allow proper network communication to specific URLs. In this spreadsheet Microsoft lists the associated services and URLs that the protected system must be able to connect to. For more details on this, see this Microsoft-specific document.

Microsoft Defender ATP uses the following proxy systems:

  • Transparent Proxy
  • Manual configuration of the static proxy

However, are not supported PAC files, WPAD and authenticated proxies. Please also note that SSL inspection mechanisms are not supported for security reasons.

Deployment methods

Microsoft Defender ATP activation on Linux systems can be done manually or through third-party management tools, including Ansible and Puppet, Microsoft documents in detail the steps to follow. Both tools have the following steps::

  • Download the onboarding package from the Microsoft Defender Security Center.

Figure 2 – Download the onboarding package from the Microsoft Defender Security Center portal

  • Creating the manifest (Puppet) or the YAML file (Ansible).
  • Deployment that involves the enrollment of the agent and its configurations.

At the end of the installation process, you can fully manage the Microsoft Defender ATP component directly through bash.

Figure 3 – Running the mdadp command from a Linux machine with the component installed

Once the onboarding process is complete, you can manage Linux machines from the Microsoft Defender Security Center portal, as is the case with other operating systems.

Figure 4 – Linux devices in the Microsoft Defender Security Center portal

In the face of malware detections, alerts are reported within the Microsoft Defender Security Center:

Figure 5 – Detection timeline with Eicar test file on Linux machine

Software updates

Microsoft regularly publishes software updates to improve performance, security and provide new features for Microsoft Defender ATP for Linux. One thing to watch out for is that each version of Microsoft Defender ATP for Linux has an expiration date, after which it will no longer continue to protect the system, therefore, you must update the product before that date. For the procedure to update the solution, you can consult this document of Microsoft.

When you upgrade your Linux operating system to a new major release, you must first uninstall Microsoft Defender ATP for Linux, install the update and then reconfigure Microsoft Defender ATP on the system.

Configuring the solution

In enterprise environments that have multiple systems, Microsoft Defender ATP for Linux can be easily managed through configuration profiles. The configuration profile is nothing more than a file with an extension ".json" composed of different voices, identified by a key (denoted the name of the preference) followed by a value. Values can be simple, as a numeric value, or complex, as a nested list of preferences.

These profiles can be distributed by the management tool available to you, going to manage it centrally. Distributed preferences will take precedence over locally set preferences on the system so that you can better govern the different settings. For more details on the structure of this profile and the methodologies to be used for its distribution, see this article of Microsoft.


Although there are those who say that Linux machines do not need security solutions, I personally believe that linux systems should also be properly protected as with any other operating system. Microsoft Defender ATP for Linux is constantly expanding and exciting new features are expected in the coming months to enrich the solution with new and advanced protection features. The addition of Linux to the platforms natively supported by Microsoft Defender ATP marks an important turning point for all customers who need to also include these systems in a unified protection strategy. The Microsoft Defender Security Center provides a centralized solution for monitoring and managing the security of the entire server and client machine fleet.

Please follow and like us: