Detect and block potentially unwanted applications with Microsoft Defender for Endpoint on Linux


The potentially unwanted application (PUA) protection feature in Defender for Endpoint on Linux can detect and block PUA files on endpoints in your network.

These applications are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints that adversely affect performance or usability. PUA can also refer to applications that have a poor reputation.

Such applications can increase the risk of your network being infected with malware, make malware infections harder to identify, and waste IT resources on cleaning them up.

How it works

Defender for Endpoint on Linux can detect and report PUA files. When configured in Block mode, detected PUA files are moved to quarantine.

When PUA protection is in Block mode and a PUA is detected on an endpoint, Defender for Endpoint on Linux keeps a record of the detection in the threat history. The history can be viewed in the Microsoft Defender portal or through the mdatp command-line tool. The threat name contains the word "Application".

Configure PUA protection

PUA protection in Defender for Endpoint on Linux can be configured in one of the following ways:

  • Off: PUA protection is disabled.
  • Audit: PUA files are reported in the product logs, but not in Microsoft Defender XDR. No record of the infection is stored in the threat history and no action is taken by the product.
  • Block: PUA files are reported in the product logs and in Microsoft Defender XDR. A record of the infection is stored in the threat history and action is taken by the product.

Warning

By default, PUA protection is configured in Audit mode. In Audit mode, PUA files are only written to the product logs: nothing is quarantined, nothing is recorded in the threat history, and nothing is surfaced in Microsoft Defender XDR until you switch the policy to Block.

You can configure how PUA files are handled from the command line or from the management console.

Use the command-line tool to configure PUA protection:

In Terminal, execute the following command to configure PUA protection, replacing the bracketed placeholder with exactly one of the three values:

mdatp threat policy set --type potentially_unwanted_application --action [off|audit|block]

Use the management console to configure PUA protection:

In your enterprise, you can configure PUA protection from a management console, such as Puppet or Ansible, similarly to how other product settings are configured. For more information, see Threat type settings in Set preferences for Defender for Endpoint on Linux.
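The following script is an added example that is not part of this article or of Microsoft's own tooling. It ties both configuration paths together: it validates the requested mode before calling the mdatp command shown above, writes the equivalent managed-settings JSON fragment that a tool such as Puppet or Ansible would deploy, and then reads back the effective policy and any threat-history entries whose name contains "Application". The managed file path and the JSON key names (antivirusEngine, threatTypeSettings, threatTypeSettingsMergePolicy) are assumed to match the threat type settings described in the preferences article, and the mdatp threat policy list / mdatp threat list subcommands are assumed to be available on the endpoint.

```bash
#!/usr/bin/env bash
# Added example (not from the Microsoft documentation): configure and verify
# PUA protection for Defender for Endpoint on Linux.
# Assumptions: `mdatp` is on PATH on an endpoint with the agent installed; the
# managed-settings path and JSON keys below are assumed to match the threat
# type settings in the "Set preferences" article.
set -euo pipefail

MDATP_MANAGED_JSON="/etc/opt/microsoft/mdatp/managed/mdatp_managed.json"
PUA_TYPE="potentially_unwanted_application"

# Accept only the three modes the product supports. Rejecting anything else
# means a typo such as "blok" cannot silently leave the endpoint in Audit mode.
pua_validate_mode() {
    case "$1" in
        off|audit|block) return 0 ;;
        *) echo "invalid PUA mode: '$1' (expected off|audit|block)" >&2; return 1 ;;
    esac
}

# Command-line path: the command from the article, with the mode validated first.
pua_set_mode() {
    local mode="$1"
    pua_validate_mode "$mode" || return 1
    if ! command -v mdatp >/dev/null 2>&1; then
        echo "mdatp not found; is Defender for Endpoint installed?" >&2
        return 2
    fi
    mdatp threat policy set --type "$PUA_TYPE" --action "$mode"
}

# Management-console path: the managed JSON fragment that Puppet, Ansible or any
# other configuration tool can drop in place. A "merge" policy (assumed key name)
# is used so that other threat type settings on the endpoint are left intact.
pua_write_managed_config() {
    local path="${1:-$MDATP_MANAGED_JSON}" mode="${2:-block}"
    pua_validate_mode "$mode" || return 1
    mkdir -p "$(dirname "$path")"
    cat > "$path" <<EOF
{
  "antivirusEngine": {
    "threatTypeSettings": [
      { "key": "$PUA_TYPE", "value": "$mode" }
    ],
    "threatTypeSettingsMergePolicy": "merge"
  }
}
EOF
    chmod 0644 "$path"
}

# Verification: print the effective policy, then any threat-history entries whose
# name contains "Application" (how the article says PUA detections are named).
pua_report() {
    mdatp threat policy list
    mdatp threat list | grep -i 'Application' || echo "no PUA detections in threat history"
}

main() {
    pua_set_mode "$1"
    pua_report
}

# Run only when a mode is passed, e.g. `./pua.sh block`. Sourcing the file or
# running it with no arguments just defines the functions.
if [ "$#" -gt 0 ]; then
    main "$1"
fi
```

Run it as root with `./pua.sh block` on an endpoint to switch from the default Audit mode to Block and immediately see the resulting policy; call `pua_write_managed_config` from your configuration-management wrapper instead when the endpoint's settings are managed centrally, since a managed file is what the preferences article expects Puppet or Ansible to deliver.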
