Defender ATP & Linux: trusting Microsoft to protect your open-source workloads

Maarten Goet, Wortell
Published in Wortell Enterprise Security, Feb 27, 2020 (6 min read)

Microsoft’s Defender ATP has been a big success. The EDR-based solution for endpoints is taking the market by storm and organizations are often using the renewal dates of their current solution to move to Microsoft’s E5 licensing package to enjoy the benefits of behavioral endpoint analysis and protection.

While Microsoft did release a macOS agent last year, the real gap in the portfolio was Linux-based protection. With more than 50% of the workloads on Azure being Linux-based, and that share still growing, there is a real need for the same EDR-based functionality on those operating systems.

At the annual RSA conference in California, Microsoft released a public preview of MDATP for Linux, along with announcing Microsoft Defender for iOS and Android later this year. I had a chance to try MDATP on Ubuntu; read on to see what I found out.

What is this EDR you keep talking about?

Endpoint Detection and Response, or EDR in short, is not your daddy’s AV solution. Wikipedia describes it as “technology that continually monitors and responds to mitigate cyber threats”.

Most AV solutions just look at well-known file hashes and similar static indicators, while EDR solutions look at memory, processes, network traffic and more, and most importantly at behavior. They put those signals together to ‘understand’ what is happening and stop it in its tracks.

For example: a process injection, followed by a base64-encoded PowerShell execution, followed by command-and-control communication of some sort, like I described in my previous blog. AVs will not detect this, or only partially. EDRs will see the bigger picture and prevent most, if not all, of these steps in the kill chain.

Microsoft Defender ATP is an EDR solution.

OK, let’s look at Linux

When you open up your Microsoft Defender ATP console, you’ll find Linux Server as a new choice in the dropdown on the Onboarding page.

Selecting this will allow you to download the onboarding package for your organization.

Onboarding package

The onboarding package is essentially a zip file containing a Python script named WindowsDefenderATPOnboardingPackage.py.

The Python script writes a file called mdatp_onboard.json to /etc/opt/microsoft/mdatp, which contains your organization id.

PRO TIP: Another way to create the required JSON file is to take the Windows-based onboarding package zip file that you have already downloaded and use this command to convert it into the right format:

Where do I find the agent?

The next step is to download the agent. Microsoft has published the MDATP Linux agents in their https://packages.microsoft.com repository. You will need to add that repo to your package manager. Download the repository configuration using this command:

curl -o microsoft.list https://packages.microsoft.com/config/[distro]/[version]/[channel].list

Replace [distro], [version] and [channel] with your Linux distribution name, version and the name of the channel you’d like to use. For example, if you are running Ubuntu 18.04 and wish to deploy MDATP for Linux from the insider-fast channel:

curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/insiders-fast.list

PRO TIP: Unsure of which channel to use? Note your distribution and version, and identify the closest entry under https://packages.microsoft.com/config.

Then execute the following commands:

sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-insiders-fast.list
sudo apt-get install gpg
curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/
sudo apt-get install apt-transport-https
sudo apt-get update
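The steps above, from building the .list URL to trusting the signing key, are easy to get wrong when scripted across a fleet (a mistyped channel name, or a key imported without ever checking what was fetched). The script below is an added example of my own, not code from the original post or from Microsoft: it builds the repository URL from distro, version and channel, rejects values that are not plain tokens, refuses to silently overwrite a differing sources file, and imports the key only when its fingerprint matches the one the operator expects. The function names, the FORCE and EXPECTED_KEY_FPR variables and the placeholder fingerprint are my assumptions; the microsoft-<channel>.list naming follows the mv command above.

```shell
#!/bin/sh
# Added example (not from the post or Microsoft): repository and key setup
# for MDATP on Debian/Ubuntu with input validation and key pinning.
# Assumes curl, gpg and sudo are available. EXPECTED_KEY_FPR is a PLACEHOLDER:
# set it to the fingerprint published in Microsoft's documentation.

MS_CONFIG_BASE="https://packages.microsoft.com/config"
MS_KEY_URL="https://packages.microsoft.com/keys/microsoft.asc"
EXPECTED_KEY_FPR="${EXPECTED_KEY_FPR:-REPLACE_WITH_PUBLISHED_FINGERPRINT}"

# Accept only characters that occur in distro/version/channel names, so a
# value pulled from inventory data cannot inject a path segment or shell token.
mdatp_valid_token() {
    case "$1" in
        ''|'.'|'..'|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the .list download URL for a distro/version/channel triple.
mdatp_repo_url() {
    mdatp_valid_token "$1" && mdatp_valid_token "$2" && mdatp_valid_token "$3" || return 1
    printf '%s/%s/%s/%s.list\n' "$MS_CONFIG_BASE" "$1" "$2" "$3"
}

# Sources file apt will read, named after the channel as in the post.
mdatp_list_path() {
    printf '/etc/apt/sources.list.d/microsoft-%s.list\n' "$1"
}

# Download the .list file. An existing file with different content is left
# alone unless FORCE=1, so repo drift is noticed instead of overwritten.
mdatp_install_repo() {
    url=$(mdatp_repo_url "$1" "$2" "$3") || { echo "invalid distro/version/channel" >&2; return 1; }
    dest=$(mdatp_list_path "$3")
    tmp=$(mktemp) || return 1
    curl -fsSL -o "$tmp" "$url" || { rm -f "$tmp"; return 1; }
    if [ -f "$dest" ] && ! cmp -s "$tmp" "$dest" && [ "${FORCE:-0}" != 1 ]; then
        echo "$dest exists with different content; set FORCE=1 to replace" >&2
        rm -f "$tmp"; return 1
    fi
    sudo install -m 0644 -o root -g root "$tmp" "$dest"
    rm -f "$tmp"
}

# Fingerprint of the primary key in an ASCII-armored key file.
key_fingerprint() {
    gpg --with-colons --show-keys "$1" 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}'
}

# Import the signing key into apt's trusted keyring only if it is the key we
# expect; a downloaded key is never trusted on the strength of the URL alone.
mdatp_install_key() {
    tmp=$(mktemp) || return 1
    curl -fsSL -o "$tmp" "$MS_KEY_URL" || { rm -f "$tmp"; return 1; }
    fpr=$(key_fingerprint "$tmp")
    if [ "$fpr" != "$EXPECTED_KEY_FPR" ]; then
        echo "fingerprint $fpr does not match expected $EXPECTED_KEY_FPR" >&2
        rm -f "$tmp"; return 1
    fi
    gpg --dearmor < "$tmp" | sudo tee /etc/apt/trusted.gpg.d/microsoft.gpg >/dev/null
    rm -f "$tmp"
}

# Usage: sh mdatp-repo.sh setup ubuntu 18.04 insiders-fast
if [ "${1:-}" = "setup" ]; then
    mdatp_install_repo "$2" "$3" "$4" && mdatp_install_key \
        && sudo apt-get install -y apt-transport-https && sudo apt-get update
fi
```

The fingerprint comparison is the part worth keeping even if you throw the rest away: the curl | gpg --dearmor one-liner earlier in this section trusts whatever the TLS session delivered, and a pinned fingerprint turns that into an explicit decision you can audit.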

See https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually for detailed instructions on other Linux distributions like SLES, Redhat, etc.

PRO TIP: Do you have a proxy configuration? Add the line Acquire::https::Proxy "http://proxy.server:port/"; to your package manager's global configuration in /etc/apt/apt.conf.d/proxy.conf

Then just run the following command to install Microsoft Defender ATP for Linux:

sudo apt-get install mdatp

PRO TIP: A Puppet based deployment guide can be found here, and an Ansible based deployment guide can be found here.

Hello, World

Running mdatp --health will give you an overview of the status of your MDATP agent. It will take a few seconds before Healthy turns to True:

Great! Everything is working as expected. Now let’s go back to the Microsoft Defender ATP console and see if our agent is showing up.

Awesome. Machine identified and also showing the Health State as Active.
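When you roll the agent out to more than one box you will not be reading mdatp --health by eye, so here is an added example of my own (not code from the post or from Microsoft) that parses that output, waits for the agent to report healthy with a timeout, and checks that the onboarding file from the previous section is present and not world-writable. The "key : value" line layout and the field names other than healthy are assumptions taken from the constructed sample in the script; compare them with the real output on your host before relying on them.

```shell
#!/bin/sh
# Added example (not from the post or Microsoft): post-install checks for the
# MDATP Linux agent. Output format of `mdatp --health` is assumed to be
# "key : value" lines as in SAMPLE_HEALTH below (a constructed sample).

MDATP_BIN="${MDATP_BIN:-mdatp}"
ONBOARD_JSON="/etc/opt/microsoft/mdatp/mdatp_onboard.json"   # path from the post

# Constructed sample of health output; org_id value is a dummy GUID.
SAMPLE_HEALTH='healthy                                     : true
licensed                                    : true
org_id                                      : "00000000-0000-0000-0000-000000000000"
real_time_protection_enabled                : true'

# Print the value of one field from health output on stdin (quotes stripped).
health_field() {
    awk -v k="$1" -F' *: *' '$1==k { v=$2; gsub(/^"|"$/, "", v); print v; exit }'
}

# Onboarding file must exist, be non-empty and not be writable by "other":
# a world-writable tenant binding is something any local user could alter.
onboard_file_ok() {
    f=${1:-$ONBOARD_JSON}
    [ -s "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null) || return 1
    case "$mode" in
        *[2367]) return 1 ;;   # last octal digit carries the "other" write bit
        *) return 0 ;;
    esac
}

# Poll mdatp --health until "healthy : true" or the timeout (seconds) expires.
wait_healthy() {
    timeout=${1:-120}; elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if [ "$("$MDATP_BIN" --health 2>/dev/null | health_field healthy)" = "true" ]; then
            return 0
        fi
        sleep 5; elapsed=$((elapsed + 5))
    done
    return 1
}

# One-line-per-field summary of the values an operator wants in inventory.
health_summary() {
    out=$(cat)
    for k in healthy licensed org_id real_time_protection_enabled; do
        printf '%s=%s\n' "$k" "$(printf '%s\n' "$out" | health_field "$k")"
    done
}

# Usage: sh mdatp-check.sh check
if [ "${1:-}" = "check" ]; then
    onboard_file_ok || { echo "onboarding file missing or badly protected" >&2; exit 2; }
    wait_healthy 120 || { echo "agent did not become healthy" >&2; exit 3; }
    "$MDATP_BIN" --health | health_summary
fi
```

The exit codes make the script usable as a compliance probe from a configuration management run: non-zero means the host is not yet protected, and the summary lines can be shipped to whatever inventory you keep.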

What’s the extra load on my machine?

Good question. There is no official guidance yet, but one way to approach it is to get the numbers for your own environment: run a typical workload on your machine, then run these commands and record the results:

ps -C wdavdaemon -o pid,ppid,%cpu,%mem,rss,user,cmd
cat /proc/cpuinfo | grep cores
cat /proc/meminfo | grep Mem

Then turn the real time protection off:

sudo mdatp --config realTimeProtectionEnabled off

Record memory and CPU usage again and copy the results:

ps -C wdavdaemon -o pid,ppid,%cpu,%mem,rss,user,cmd
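A single ps snapshot is noisy, and it is easy to finish the measurement with real-time protection still switched off. The script below is an added example of mine, not code from the post or from Microsoft: it takes several ps samples per configuration, sums all wdavdaemon processes in each sample, averages them, and toggles realTimeProtectionEnabled off and back on with a trap so the setting is restored even if the run is interrupted. The sample count, interval, and the value "on" used to re-enable protection (the post only shows "off") are my assumptions.

```shell
#!/bin/sh
# Added example (not from the post or Microsoft): measure wdavdaemon load with
# real-time protection on vs off, restoring the setting afterwards.

MDATP_BIN="${MDATP_BIN:-mdatp}"
DAEMON="wdavdaemon"

# Host baseline, the same facts the post pulls from /proc by hand.
host_baseline() {
    printf 'cpus=%s mem_total_kb=%s\n' \
        "$(grep -c '^processor' /proc/cpuinfo)" \
        "$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)"
}

# One sample: "%cpu %mem rss_kb" per daemon process, no header.
sample_daemon() {
    ps -C "$DAEMON" -o %cpu=,%mem=,rss=
}

# Average lines of "cpu mem rss_kb" from stdin; prints "cpu mem rss_mb".
# Fails (exit 1) on empty input rather than printing a misleading zero.
average_samples() {
    awk '{ c+=$1; m+=$2; r+=$3; n++ }
         END { if (n==0) exit 1; printf "%.1f %.1f %.1f\n", c/n, m/n, r/n/1024 }'
}

# Collect N samples INTERVAL seconds apart, summing all daemon processes in
# each sample so the figure covers the whole agent, then average them.
collect_load() {
    n=${1:-6}; interval=${2:-10}; i=0
    while [ "$i" -lt "$n" ]; do
        sample_daemon | awk '{ c+=$1; m+=$2; r+=$3 } END { printf "%s %s %s\n", c+0, m+0, r+0 }'
        i=$((i + 1))
        [ "$i" -lt "$n" ] && sleep "$interval"
    done | average_samples
}

# Difference of two "cpu mem rss" lines: first minus second.
load_delta() {
    printf '%s\n%s\n' "$1" "$2" | awk 'NR==1 { c=$1; m=$2; r=$3 }
        NR==2 { printf "%.1f %.1f %.1f\n", c-$1, m-$2, r-$3 }'
}

# Measure with RTP on, then off; the trap turns it back on even on Ctrl-C.
compare_rtp() {
    on=$(collect_load "$@") || return 1
    trap 'sudo "$MDATP_BIN" --config realTimeProtectionEnabled on' EXIT INT TERM
    sudo "$MDATP_BIN" --config realTimeProtectionEnabled off
    off=$(collect_load "$@") || return 1
    sudo "$MDATP_BIN" --config realTimeProtectionEnabled on
    trap - EXIT INT TERM
    printf 'rtp_on : %s\nrtp_off: %s\ndelta  : %s\n' "$on" "$off" "$(load_delta "$on" "$off")"
}

# Usage: sh mdatp-load.sh run [samples] [interval]
if [ "${1:-}" = "run" ]; then
    shift
    host_baseline
    compare_rtp "$@"
fi
```

Run it while the machine is under its normal workload, as the post says; an idle host tells you little about the scanning cost, because most of the agent's work is triggered by file and process activity.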

Want to check if your MDATP agent is communicating? Run mdatp --connectivity-test and it will show you whether it can reach the cloud endpoints:

EICAR

One way to try out MDATP’s real time protection is to download the EICAR sample. Use this command:

curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt

Real-time protection kicks in, flags the download as malicious and prevents the file from being written to disk:

Looking at the Microsoft Defender ATP console shows us the Alert:

Going to the Timeline tab on the Machine page, which shows process and file creation events, shows us that Microsoft is actively working to build that feature for Linux:

Conclusion

Microsoft Defender ATP for Linux is live! You can try it out yourself today using the Public Preview. The agents are available through Microsoft’s package repository for most common distributions, and deployment is easy.

Endpoint protection for Linux is now a reality with Microsoft’s best-of-suite approach, with the remaining EDR functionality coming later this year. Stay tuned for future blogs where we dive deeper!

Happy hunting!

— Maarten Goet, MVP & RD
