Published in


Defender ATP & Linux: trusting Microsoft to protect your open-source workloads

Wortell Enterprise Security

Microsoft’s Defender ATP has been a big success. The EDR-based solution for endpoints is taking the market by storm and organizations are often using the renewal dates of their current solution to move to Microsoft’s E5 licensing package to enjoy the benefits of behavioral endpoint analysis and protection.

While Microsoft did release a MacOS agent last year, the real gap in the portfolio was the Linux-based protection. As workloads on Azure for more than 50% are Linux-based and growing, there is a real need to have the same EDR-based functionality on those OS’s.

At the annual RSA conference in California, Microsoft released a public preview of MDATP for Linux, along with announcing Microsoft Defender for iOS and Android later this year. I had a chance to try MDATP on Ubuntu, read further to see what I found out.

What is this EDR you keep talking about?

Endpoint Detection and Response, or EDR in short, is not your daddy’s AV solution. Wikipedia describes it as “technology that continually monitors and responds to mitigate cyber threats”.

Most AV solutions will just look at well known hashes for files, etc. While EDR solutions look at memory, processes, network traffic and more; but most importantly at the behavior. It puts those signals together to ‘understand’ what is happening and stop it in its tracks.

For example: a process injection, followed by a base64-encoded powershell execution, followed by a command-and-control communication of sorts, like I described in my previous blog. AV’s will not detect this, or only partially. EDR’s will see the bigger picture and prevent most if not all of these steps in the kill chain.

Microsoft Defender ATP is an EDR solution.

OK, let’s look at Linux

When you open up your Microsoft Defender ATP console, you’ll find Linux Server as a new choice in the dropdown on the Onboarding page.

Selecting this will allow you to download the onboarding package for your organization.

Onboarding package

The onboarding package is essentially a zip file containing a Python script named WindowsDefenderATPOnboardingPackage.py.

The python script will write a file called mdatp_onboard.json to /etc/opt/microsoft/mdatp which contains your organization id.

PRO TIP: Another way to create the required JSON file is to take the current Windows-based onboarding package zip file that you already have download and use this command to convert it into the right format:

Where do I find the agent?

Next step is to download the agent. Microsoft has published the MDATP Linux agents in their https://packages.microsoft.com repository. You will need to add that repo to your package manager. Download the repository configurition using this command:

curl -o microsoft.list https://packages.microsoft.com/config/[distro]/[version]/[channel].list

Replace [distro], [version] and [channel] with your Linux distribution name, version and the name of the channel you’d like to use. For example, if you are running Ubuntu 18.04 and wish to deploy MDATP for Linux from the insider-fast channel:

curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/insiders-fast.list

PRO TIP: Unsure of which channel to use? Note your distribution and version, and identify the closest entry under https://packages.microsoft.com/config.

Then execute the following commands:

sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-insiders-fast.list
sudo apt-get install gpg
curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/
sudo apt-get install apt-transport-https
sudo apt-get update

See https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually for detailed instructions on other Linux distributions like SLES, Redhat, etc.

PRO TIP: Do you have a proxy configuration? Add the line Acquire::https::Proxy “http://proxy.server:port/"; to your package manager global configuration in /etc/apt/apt.conf.d/proxy.conf

Then just run the following command to install Microsoft Defender ATP for Linux:

sudo apt-get install mdatp

PRO TIP: A Puppet based deployment guide can be found here, and an Ansible based deployment guide can be found here.

Hello, World

Running mdatp — health will give you an overview of the status of your MDATP agent. It will take a few seconds before Healthy will turn to True:

Great! Everything is working as expected. Now let’s go back to the Microsoft Defender ATP console and see if our agent is showing up.

Awesome. Machine identified and also showing the Health State as Active.

What’s the extra load on my machine?

Good question. There is no official guidance yet, but one way to approach it and get the numbers for your environment. Run a typical workload on your machine and run these commands and copy the results:

ps -C wdavdaemon -o pid,ppid,%cpu,%mem,rss,user,cmd
cat /proc/cpuinfo | grep cores
cat /proc/meminfo | grep Mem

Then turn the real time protection off:

sudo mdatp --config realTimeProtectionEnabled off

Record memory and cpu usage again and copy the results:

ps -C wdavdaemon -o pid,ppid,%cpu,%mem,rss,user,cmd

Want to check if your MDATP agent is communicating? Run mdatp — connectivity-test and it will show you if it can reach the cloud endpoints:


One way to try out MDATP’s real time protection is to download the EICAR sample. Use this command:

curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt

The real time protection kicks in, flags the download as malicious and prevents the file from writing to disk:

Looking at the Microsoft Defender ATP console shows us the Alert:

Going to the Timeline tab on the Machine page, which shows process and file creation events, shows us that Microsoft is actively working to build that feature for Linux:


Microsoft Defender ATP for Linux is live! You can try out yourself today using the Public Preview. The agents are available through Microsoft’s package repository for most common distributions and deployment is easy.

Endpoint protection for Linux is now a reality with Microsoft’s best-of-suite approach, with the remaining EDR functionality coming later this year. Stay tuned for future blogs where we dive deeper!

Happy hunting!

— Maarten Goet, MVP & RD




Microsoft Cloud & Enterprise Security

Recommended from Medium

How I hacked a news website?

Put Customer Data Security FIRST to Avoid Breaches Like Marriott’s

How to recover a Gemini Login account?

{UPDATE} Don't Fall! Human Flat Gang 3D Hack Free Resources Generator

Session ID vs phone numbers

Announcing Gubiq 3.2

[FP]-LIMS and the importance of a digital identity during difficult times

Regulating Data Exploitation: A new construct for controlling Tech Platforms

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Maarten Goet

Maarten Goet

Microsoft MVP and Microsoft Regional Director.

More from Medium

The length of the Azure function app name

Private Linking from inside an Azure VM to multiple regional networks

Azure Landing Zone in Terraform-Complete CAF IaC Solution

Sharing output variables between Stages in Azure DevOps Pipelines