Defender ATP & Linux: trusting Microsoft to protect your open-source workloads

Maarten Goet
Feb 27 · 6 min read
Image for post
Image for post
Wortell Enterprise Security

Microsoft’s Defender ATP has been a big success. The EDR-based solution for endpoints is taking the market by storm and organizations are often using the renewal dates of their current solution to move to Microsoft’s E5 licensing package to enjoy the benefits of behavioral endpoint analysis and protection.

While Microsoft did release a MacOS agent last year, the real gap in the portfolio was the Linux-based protection. As workloads on Azure for more than 50% are Linux-based and growing, there is a real need to have the same EDR-based functionality on those OS’s.

At the annual RSA conference in California, Microsoft released a public preview of MDATP for Linux, along with announcing Microsoft Defender for iOS and Android later this year. I had a chance to try MDATP on Ubuntu, read further to see what I found out.

What is this EDR you keep talking about?

Endpoint Detection and Response, or EDR in short, is not your daddy’s AV solution. Wikipedia describes it as “technology that continually monitors and responds to mitigate cyber threats”.

Most AV solutions will just look at well known hashes for files, etc. While EDR solutions look at memory, processes, network traffic and more; but most importantly at the behavior. It puts those signals together to ‘understand’ what is happening and stop it in its tracks.

For example: a process injection, followed by a base64-encoded powershell execution, followed by a command-and-control communication of sorts, like I described in my previous blog. AV’s will not detect this, or only partially. EDR’s will see the bigger picture and prevent most if not all of these steps in the kill chain.

Microsoft Defender ATP is an EDR solution.

OK, let’s look at Linux

When you open up your Microsoft Defender ATP console, you’ll find Linux Server as a new choice in the dropdown on the Onboarding page.

Image for post
Image for post

Selecting this will allow you to download the onboarding package for your organization.

Onboarding package

The onboarding package is essentially a zip file containing a Python script named WindowsDefenderATPOnboardingPackage.py.

Image for post
Image for post

The python script will write a file called mdatp_onboard.json to /etc/opt/microsoft/mdatp which contains your organization id.

PRO TIP: Another way to create the required JSON file is to take the current Windows-based onboarding package zip file that you already have download and use this command to convert it into the right format:

Where do I find the agent?

Next step is to download the agent. Microsoft has published the MDATP Linux agents in their https://packages.microsoft.com repository. You will need to add that repo to your package manager. Download the repository configurition using this command:

curl -o microsoft.list https://packages.microsoft.com/config/[distro]/[version]/[channel].list

Replace [distro], [version] and [channel] with your Linux distribution name, version and the name of the channel you’d like to use. For example, if you are running Ubuntu 18.04 and wish to deploy MDATP for Linux from the insider-fast channel:

curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/insiders-fast.list
Image for post
Image for post

PRO TIP: Unsure of which channel to use? Note your distribution and version, and identify the closest entry under https://packages.microsoft.com/config.

Then execute the following commands:

sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-insiders-fast.list
sudo apt-get install gpg
curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/
sudo apt-get install apt-transport-https
sudo apt-get update
Image for post
Image for post

See https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually for detailed instructions on other Linux distributions like SLES, Redhat, etc.

PRO TIP: Do you have a proxy configuration? Add the line Acquire::https::Proxy “http://proxy.server:port/"; to your package manager global configuration in /etc/apt/apt.conf.d/proxy.conf

Then just run the following command to install Microsoft Defender ATP for Linux:

sudo apt-get install mdatp
Image for post
Image for post

PRO TIP: A Puppet based deployment guide can be found here, and an Ansible based deployment guide can be found here.

Hello, World

Running mdatp — health will give you an overview of the status of your MDATP agent. It will take a few seconds before Healthy will turn to True:

Image for post
Image for post

Great! Everything is working as expected. Now let’s go back to the Microsoft Defender ATP console and see if our agent is showing up.

Image for post
Image for post

Awesome. Machine identified and also showing the Health State as Active.

What’s the extra load on my machine?

Good question. There is no official guidance yet, but one way to approach it and get the numbers for your environment. Run a typical workload on your machine and run these commands and copy the results:

ps -C wdavdaemon -o pid,ppid,%cpu,%mem,rss,user,cmd
cat /proc/cpuinfo | grep cores
cat /proc/meminfo | grep Mem

Then turn the real time protection off:

sudo mdatp --config realTimeProtectionEnabled off

Record memory and cpu usage again and copy the results:

ps -C wdavdaemon -o pid,ppid,%cpu,%mem,rss,user,cmd

Want to check if your MDATP agent is communicating? Run mdatp — connectivity-test and it will show you if it can reach the cloud endpoints:

EICAR

One way to try out MDATP’s real time protection is to download the EICAR sample. Use this command:

curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt

The real time protection kicks in, flags the download as malicious and prevents the file from writing to disk:

Image for post
Image for post

Looking at the Microsoft Defender ATP console shows us the Alert:

Image for post
Image for post

Going to the Timeline tab on the Machine page, which shows process and file creation events, shows us that Microsoft is actively working to build that feature for Linux:

Image for post
Image for post

Conclusion

Microsoft Defender ATP for Linux is live! You can try out yourself today using the Public Preview. The agents are available through Microsoft’s package repository for most common distributions and deployment is easy.

Endpoint protection for Linux is now a reality with Microsoft’s best-of-suite approach, with the remaining EDR functionality coming later this year. Stay tuned for future blogs where we dive deeper!

Happy hunting!

— Maarten Goet, MVP & RD

Wortell

Microsoft Cloud & Enterprise Security

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store