What's new in Microsoft Defender for Endpoint on Linux
Applies to:
- Microsoft Defender for Endpoint Server
- Microsoft Defender for Servers
This article is updated frequently to let you know what's new in the latest releases of Microsoft Defender for Endpoint on Linux.
Important
Starting with version 101.24082.0004, Defender for Endpoint on Linux no longer supports the Auditd event provider. We're transitioning completely to the more efficient eBPF technology. This change allows for better performance, reduced resource consumption, and overall improved stability. eBPF support has been available since August 2023, and is fully integrated into all updates of Defender for Endpoint on Linux (version 101.23082.0006 and later). We strongly encourage you to adopt the eBPF build, as it provides significant enhancements over Auditd. If eBPF isn't supported on your machines, or if there are specific requirements to remain on Auditd, you have the following options:
Continue to use Defender for Endpoint on Linux build
101.24072.0000with Auditd. This build continues to be supported for several months, so you have time to plan and execute your migration to eBPF.If you are on versions later than
101.24072.0000, Defender for Endpoint on Linux relies onnetlinkas a backup supplementary event provider. In the event of a fallback, all process operations continue to flow seamlessly.
Review your current Defender for Endpoint on Linux deployment, and begin planning your migration to the eBPF-supported build. For more information on eBPF and how it works, see Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux.
If you have any concerns or need assistance during this transition, contact support.
Releases for Defender for Endpoint on Linux
Jan-2025 Build: 101.24102.0000 | Release version: 30.124102.0000.0
| Build: | 101.24102.0000 |
|---|---|
| Released: | January 8, 2025 |
| Published: | January 8, 2025 |
| Release version: | 30.124102.0000.0 |
| Engine version: | 1.1.24080.11 |
| Signature version: | 1.419.351.0 |
What's new
The default engine version has been updated to
1.1.24080.11, and the default signature version has been updated to1.419.351.0.Improved the reporting of command-line threat information for short lived processes on the security portal.
Nov-2024 Build: 101.24092.0002 | Release version: 30.124092.0002.0
| Build: | 101.24092.0002 |
|---|---|
| Released: | November 14, 2024 |
| Published: | November 14, 2024 |
| Release version: | 30.124092.0002.0 |
| Engine version: | 1.1.24080.9 |
| Signature version: | 1.417.659.0 |
What's new
To support hardened installations with nonexecutable
/varpartitions, mdatp antivirus definitions will now install to/opt/microsoft/mdatp/definitions.noindexinstead of/varif the latter is detected as nonexecutable. During upgrades, the installer attempts to migrate older definitions to the new path upon detecting a nonexecutable/var, unless it finds that the path has already been customized (usingmdatp definitions path set).Beginning with this version, Defender for Endpoint on Linux no longer needs executable permissions for
/var/log. If these permissions aren't available, log files are automatically redirected to/opt.
Oct-2024 Build: 101.24082.0004 | Release version: 30.124082.0004.0
| Build: | 101.24082.0004 |
|---|---|
| Released: | October 15, 2024 |
| Published: | October 15, 2024 |
| Release version: | 30.124082.0004 |
| Engine version: | 1.1.24080.9 |
| Signature version: | 1.417.659.0 |
What's new
- Starting this version, Defender for Endpoint on Linux no longer supports
AuditDas a supplementary event provider. For improved stability and performance, we have transitioned to eBPF. If you disable eBPF, or in the event eBPF isn't supported on any specific kernel, Defender for Endpoint on Linux automatically switches back to Netlink as a fallback supplementary event provider. Netlink provides reduced functionality and tracks only process-related events. In this case, all process operations continue to flow seamlessly, but you could miss specific file and socket-related events that eBPF would otherwise capture. For more information, see Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux. If you have any concerns or need assistance during this transition, contact support. - Stability and performance improvements
- Other bug fixes
Sept-2024 Build: 101.24072.0001 | Release version: 30.124072.0001.0
| Build: | 101.24072.0001 |
|---|---|
| Released: | September 23, 2024 |
| Published: | September 23, 2024 |
| Release version: | 30.124072.0001.0 |
| Engine version: | 1.1.24060.6 |
| Signature version: | 1.415.228.0 |
What's new
- Added support for Ubuntu 24.04
- Updated default engine version to
1.1.24060.6and default signatures version to1.415.228.0.
July-2024 Build: 101.24062.0001 | Release version: 30.124062.0001.0
| Build: | 101.24072.0001 |
|---|---|
| Released: | July 31, 2024 |
| Published: | July 31, 2024 |
| Release version: | 30.124062.0001.0 |
| Engine version: | 1.1.24050.7 |
| Signature version: | 1.411.410.0 |
What's new
There are multiple fixes and new changes in this release.
- Fixes bug in which infected command-line threat information wasn't showing correctly in security portal.
- Fixes a bug where disabling a preview feature required a Defender of Endpoint to disable it.
- Global Exclusions feature using managed JSON is now in Public Preview. available in insiders slow from 101.23092.0012. For more information, see linux-exclusions.
- Updated the Linux default engine version to 1.1.24050.7 and default signature version to 1.411.410.0.
- Stability and performance improvements.
- Other bug fixes.
June-2024 Build: 101.24052.0002 | Release version: 30.124052.0002.0
| Build: | 101.24052.0002 |
|---|---|
| Released: | June 24, 2024 |
| Published: | June 24, 2024 |
| Release version: | 30.124052.0002.0 |
| Engine version: | 1.1.24040.2 |
| Signature version: | 1.411.153.0 |
What's new
There are multiple fixes and new changes in this release.
- This release fixes a bug related to high memory usage eventually leading to high CPU due to eBPF memory leak in kernel space resulting in servers going into unusable states. This only impacted the kernel versions 3.10x and <= 4.16x, majorly on RHEL/CentOS distros. Update to the latest MDE version to avoid any impact.
- We have now simplified the output of
mdatp health --detail features - Stability and performance improvements.
- Other bug fixes.
May-2024 Build: 101.24042.0002 | Release version: 30.124042.0002.0
| Build: | 101.24042.0002 |
|---|---|
| Released: | May 29, 2024 |
| Published: | May 29, 2024 |
| Release version: | 30.124042.0002.0 |
| Engine version: | 1.1.24030.4 |
| Signature version: | 1.407.521.0 |
What's new
There are multiple fixes and new changes in this release:
- In version 24032.0007, there was a known issue where the enrollment of devices to MDE Security Management failed when using the "Device Tagging" mechanism via the mdatp_managed.json file. This issue has been resolved in the current release.
- Stability and performance improvements.
- Other bug fixes.
May-2024 Build: 101.24032.0007 | Release version: 30.124032.0007.0
| Build: | 101.24032.0007 |
|---|---|
| Released: | May 15, 2024 |
| Published: | May 15, 2024 |
| Release version: | 30.124032.0007.0 |
| Engine version: | 1.1.24020.3 |
| Signature version: | 1.403.3500.0 |
What's new
There are multiple fixes and new changes in this release:
In passive and on-demand modes, antivirus engine remains in idle state and is used only during scheduled custom scans. Thus as part of performance improvements, we have made changes to keep the AV engine down in passive and on-demand mode except during scheduled custom scans. If the real time protection is enabled, antivirus engine will always be up and running. This has no impact on your server protection in any mode.
To keep users informed of the state of antivirus engine, we have introduced a new field called "engine_load_status" as part of MDATP health. It indicates whether antivirus engine is currently running or not.
Field nameengine_load_statusPossible values Engine not loaded (AV engine process is down), Engine load succeeded (AV engine process up and running) Healthy scenarios:
- If RTP is enabled, engine_load_status should be "Engine load succeeded"
- If MDE is in on-demand or passive mode, and custom scan isn't running then "engine_load_status" should be "Engine not loaded"
- If MDE is in on-demand or passive mode, and custom scan is running then "engine_load_status" should be "Engine load succeeded"
Bug fix to enhance behavioral detections.
Stability and performance improvements.
Other bug fixes.
Known Issues
There's a known issue where enrolling devices to MDE Security Management via "Device Tagging" mechanism using mdatp_managed.json is failing in 24032.0007. To mitigate this issue, use the following mdatp CLI command to tag devices:
sudo mdatp edr tag set --name GROUP --value MDE-ManagementThe issue has been fixed in Build: 101.24042.0002
March-2024 Build: 101.24022.0001 | Release version: 30.124022.0001.0
| Build: | 101.24022.0001 |
|---|---|
| Released: | March 22,2024 |
| Published: | March 22,2024 |
| Release version: | 30.124022.0001.0 |
| Engine version: | 1.1.23110.4 |
| Signature version: | 1.403.87.0 |
What's new
There are multiple fixes and new changes in this release:
- The addition of a new log file -
microsoft_defender_scan_skip.log. This logs the filenames that were skipped from various antivirus scans by Microsoft Defender for Endpoint due to any reason. - Stability and performance improvements.
- Bug fixes.
March-2024 Build: 101.24012.0001 | Release version: 30.124012.0001.0
| Build: | 101.24012.0001 |
|---|---|
| Released: | March 12,2024 |
| Published: | March 12,2024 |
| Release version: | 30.124012.0001.0 |
| Engine version: | 1.1.23110.4 |
| Signature version: | 1.403.87.0 |
What's new
There are multiple fixes and new changes in this release:
- Updated default engine version to
1.1.23110.4, and default signatures version to1.403.87.0. - Stability and performance improvements.
- Bug fixes.
February-2024 Build: 101.23122.0002 | Release version: 30.123122.0002.0
| Build: | 101.23122.0002 |
|---|---|
| Released: | February 5,2024 |
| Published: | February 5,2024 |
| Release version: | 30.123122.0002.0 |
| Engine version: | 1.1.23100.2010 |
| Signature version: | 1.399.1389.0 |
What's new
There are multiple fixes and new changes in this release:
Updated default engine version to
1.1.23100.2010, and default signatures version to1.399.1389.0.General stability and performance improvements.
Bug fixes.
Microsoft Defender for Endpoint on Linux now officially supports the following distros and versions:
Distro & version Ring Package Mariner 2 Production https://packages.microsoft.com/cbl-mariner/2.0/prod/extras/x86_64/config.repo Rocky 8.7 and higher Insiders Slow https://packages.microsoft.com/config/rocky/8/insiders-slow.repo Rocky 9.2 and higher Insiders Slow https://packages.microsoft.com/config/rocky/9/insiders-slow.repo Alma 8.4 and higher Insiders Slow https://packages.microsoft.com/config/alma/8/insiders-slow.repo Alma 9.2 and higher Insiders Slow https://packages.microsoft.com/config/alma/9/insiders-slow.repo
If you already have Defender for Endpoint running on any of these distros and facing any issues in the older versions, upgrade to the latest Defender for Endpoint version from the corresponding ring mentioned above. Refer our public deployment docs for more details.
Note
Known issues:
Microsoft Defender for Endpoint for Linux on Rocky and Alma currently has the following known issues:
- Live Response and Threat Vulnerability Management are currently not supported (work in progress).
- Operating system info for devices isn't visible in the Microsoft Defender portal
January-2024 Build: 101.23112.0009 | Release version: 30.123112.0009.0
| Build: | 101.23112.0009 |
|---|---|
| Released: | January 29,2024 |
| Published: | January 29,2024 |
| Release version: | 30.123112.0009.0 |
| Engine version: | 1.1.23100.2010 |
| Signature version: | 1.399.1389.0 |
What's new
- Updated default engine version to
1.1.23110.4, and default signatures version to1.403.1579.0. - General stability and performance improvements.
- Bug fix for behavior monitoring configuration.
- Bug fixes.
November-2023 Build: 101.23102.0003 | Release version: 30.123102.0003.0
| Build: | 101.23102.0003 |
|---|---|
| Released: | November 28,2023 |
| Published: | November 28,2023 |
| Release version: | 30.123102.0003.0 |
| Engine version: | 1.1.23090.2008 |
| Signature version: | 1.399.690.0 |
What's new
- Updated default engine version to
1.1.23090.2008, and default signatures version to1.399.690.0. - Updated libcurl library to version
8.4.0to fix recently disclosed vulnerabilities with the older version. - Updated Openssl library to version
3.1.1to fix recently disclosed vulnerabilities with the older version. - General stability and performance improvements.
- Bug fixes.
November-2023 Build: 101.23092.0012 | Release version: 30.123092.0012.0
| Build: | 101.23092.0012 |
|---|---|
| Released: | November 14,2023 |
| Published: | November 14,2023 |
| Release version: | 30.123092.0012.0 |
| Engine version: | 1.1.23080.2007 |
| Signature version: | 1.395.1560.0 |
What's new
There are multiple fixes and new changes in this release:
Support added to restore threat based on original path using the following command:
sudo mdatp threat quarantine restore threat-path --path [threat-original-path] --destination-path [destination-folder]Starting with this release, Microsoft Defender for Endpoint on Linux will no longer be shipping a solution for RHEL 6.
RHEL 6 'Extended end of life support' is poised to end by June 30, 2024 and customers are advised to plan their RHEL upgrades accordingly aligned with guidance from Red Hat. Customers who need to run Defender for Endpoint on RHEL 6 servers can continue to use version 101.23082.0011 (doesn't expire before June 30, 2024) supported on kernel versions 2.6.32-754.49.1.el6.x86_64 or prior.
- Engine Update to
1.1.23080.2007and Signatures Ver:1.395.1560.0. - Streamlined device connectivity experience is now in public preview mode. public blog
- Performance improvements & bug fixes.
- Engine Update to
Known issues
- CPU lock-up seen on kernel version 5.15.0-0.30.20 in ebpf mode, see Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux for details and Mitigation options.
November-2023 Build: 101.23082.0011 | Release version: 30.123082.0011.0
| Build: | 101.23082.0011 |
|---|---|
| Released: | November 1,2023 |
| Published: | November 1,2023 |
| Release version: | 30.123082.0011.0 |
| Engine version: | 1.1.23070.1002 |
| Signature version: | 1.393.1305.0 |
What's new
This new release is build over October 2023 release (101.23082.0009) with addition of following changes. There's no change for other customers and upgrading is optional.
Fix for immutable mode of auditd when supplementary subsystem is ebpf: In ebpf mode all mdatp audit rules should be cleaned after switching to ebpf and rebooting. After reboot, mdatp audit rules weren't cleaned due to which it was resulting in hang of the server. The fix cleans these rules, user shouldn't see any mdatp rules loaded on reboot
Fix for MDE not starting up on RHEL 6.
Known issues
When upgrading from mdatp version 101.75.43 or 101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.98.05. More information about the underlying issue can be found at System hang due to blocked tasks in fanotify code.
There are two ways to mitigate this upgrade issue:
Use your package manager to uninstall the
101.75.43or101.78.13mdatp version.Example:
sudo apt purge mdatp sudo apt-get install mdatpAs an alternative you can follow the instructions to uninstall, then install the latest version of the package.
If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method.
sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp
October-2023 Build: 101.23082.0009 | Release version: 30.123082.0009.0
| Build: | 101.23082.0009 |
|---|---|
| Released: | October 9,2023 |
| Published: | October 9,2023 |
| Release version: | 30.123082.0009.0 |
| Engine version: | 1.1.23070.1002 |
| Signature version: | 1.393.1305.0 |
What's new
- This new release is build over October 2023 release (`101.23082.0009``) with addition of new CA Certificates. There's no change for other customers and upgrading is optional.
Known issues
When upgrading from mdatp version 101.75.43 or 101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.98.05. More information about the underlying issue can be found at System hang due to blocked tasks in fanotify code.
There are two ways to mitigate this upgrade issue:
Use your package manager to uninstall the
101.75.43or101.78.13mdatp version.Example:
sudo apt purge mdatp sudo apt-get install mdatpAs an alternative you can follow the instructions to uninstall, then install the latest version of the package.
If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method.
sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp
October-2023 Build: 101.23082.0006 | Release version: 30.123082.0006.0
| Build: | 101.23082.0006 |
|---|---|
| Released: | October 9,2023 |
| Published: | October 9,2023 |
| Release version: | 30.123082.0006.0 |
| Engine version: | 1.1.23070.1002 |
| Signature version: | 1.393.1305.0 |
What's new
Feature updates and new changes
- eBPF sensor is now the default supplementary event provider for endpoints
- Microsoft Intune tenant attach feature is in public preview (as of mid July)
- You must add "*.dm.microsoft.com" to firewall exclusions for the feature to work correctly
- Defender for Endpoint is now available for Debian 12 and Amazon Linux 2023
- Support to enable Signature verification of updates downloaded
You must update the manajed.json as shown below
"features":{ "OfflineDefinitionUpdateVerifySig":"enabled" }Prerequisite to enable feature
- Engine version on the device must be "1.1.23080.007" or above. Check your engine version by using the following command.
mdatp health --field engine_version
- Engine version on the device must be "1.1.23080.007" or above. Check your engine version by using the following command.
- Option to support monitoring of NFS and FUSE mount points. These are ignored by default. The following example shows how to monitor all filesystem while ignoring only NFS:
"antivirusEngine": { "unmonitoredFilesystems": ["nfs"] }Example to monitor all filesystems including NFS and FUSE:
"antivirusEngine": { "unmonitoredFilesystems": [] }- Other performance improvements
- Bug Fixes
Known issues
- When upgrading from mdatp version 101.75.43 or 101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.98.05. More information about the underlying issue can be found at System hang due to blocked tasks in fanotify code. There are two ways to mitigate this upgrade issue:
Use your package manager to uninstall the
101.75.43or101.78.13mdatp version.Example:
sudo apt purge mdatp sudo apt-get install mdatpAs an alternative you can follow the instructions to uninstall, then install the latest version of the package.
If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method.
sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp
September-2023 Build: 101.23072.0021 | Release version: 30.123072.0021.0
| Build: | 101.23072.0021 |
|---|---|
| Released: | September 11,2023 |
| Published: | September 11,2023 |
| Release version: | 30.123072.0021.0 |
| Engine version: | 1.1.20100.7 |
| Signature version: | 1.385.1648.0 |
What's new
- There are multiple fixes and new changes in this release
- In mde_installer.sh v0.6.3, users can use the
--channelargument to provide the channel of the configured repository during cleanup. For example,sudo ./mde_installer --clean --channel prod - The Network Extension can now be reset by administrators using
mdatp network-protection reset. - Other performance improvements
- Bug Fixes
- In mde_installer.sh v0.6.3, users can use the
Known issues
- While upgrading from mdatp version
101.75.43or101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version101.98.05. For more information, see System hang due to blocked tasks in fanotify code.
There are two ways to mitigate this upgrade issue:
Use your package manager to uninstall the
101.75.43or101.78.13mdatp version.Example:
sudo apt purge mdatp sudo apt-get install mdatpAs an alternative you can follow the instructions to uninstall, then install the latest version of the package.
If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method.
sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp
July-2023 Build: 101.23062.0010 | Release version: 30.123062.0010.0
| Build: | 101.23062.0010 |
|---|---|
| Released: | July 26,2023 |
| Published: | July 26,2023 |
| Release version: | 30.123062.0010.0 |
| Engine version: | 1.1.20100.7 |
| Signature version: | 1.385.1648.0 |
What's new
There are multiple fixes and new changes in this release
- If a proxy is set for Defender for Endpoint, then it's visible in the
mdatp healthcommand output - With this release we provided two options in mdatp diagnostic hot-event-sources:
- Files
- Executables
- Network Protection: Connections that are blocked by Network Protection and have the block overridden by users are now correctly reported to Microsoft Defender XDR
- Improved logging in Network Protection block and audit events for debugging
- If a proxy is set for Defender for Endpoint, then it's visible in the
Other fixes and improvements
- From this version, enforcementLevel are in passive mode by default giving admins more control over where they want 'RTP on' within their estate
- This change only applies to fresh MDE deployments, for example, servers where Defender for Endpoint is being deployed for the first time. In update scenarios, servers that have Defender for Endpoint deployed with RTP ON, continue operating with RTP ON even post update to version 101.23062.0010
Bug Fixes
- RPM database corruption issue in Defender Vulnerability Management baseline has been fixed
Other performance improvements
Known issues
- While upgrading from mdatp version
101.75.43or101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version101.98.05. For more information, see System hang due to blocked tasks in fanotify code.
There are two ways to mitigate this upgrade issue:
Use your package manager to uninstall the
101.75.43or101.78.13mdatp version.Example:
sudo apt purge mdatp sudo apt-get install mdatpAs an alternative you can follow the instructions to uninstall, then install the latest version of the package.
If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method.
sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp
July-2023 Build: 101.23052.0009 | Release version: 30.123052.0009.0
| Build: | 101.23052.0009 |
|---|---|
| Released: | July 10,2023 |
| Published: | July 10,2023 |
| Release version: | 30.123052.0009.0 |
| Engine version: | 1.1.20100.7 |
| Signature version: | 1.385.1648.0 |
What's new
- There are multiple fixes and new changes in this release
- The build version schema is updated from this release. While the major version number remains same as 101, the minor version number now has five digits followed by four digit patch number that is,
101.xxxxx.yyy- Improved Network Protection memory consumption under stress- Updated the engine version to
1.1.20300.5and signature version to1.391.2837.0. - Bug fixes.
- Updated the engine version to
Known issues
- While upgrading from mdatp version
101.75.43or101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version101.98.05. For more information, see System hang due to blocked tasks in fanotify code.
There are two ways to mitigate this upgrade issue:
Use your package manager to uninstall the
101.75.43or101.78.13mdatp version.Example:
sudo apt purge mdatp sudo apt-get install mdatpAs an alternative you can follow the instructions to uninstall, then install the latest version of the package.
If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method.
sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp
June-2023 Build: 101.98.89 | Release version: 30.123042.19889.0
| Build: | 101.98.89 |
|---|---|
| Released: | June 12,2023 |
| Published: | June 12,2023 |
| Release version: | 30.123042.19889.0 |
| Engine version: | 1.1.20100.7 |
| Signature version: | 1.385.1648.0 |
What's new
- There are multiple fixes and new changes in this release
- Improved Network Protection Proxy handling.
- In Passive mode, Defender for Endpoint no longer scans when Definition update happens.
- Devices continue to be protected even after Defender for Endpoint agent has expired. We recommend upgrading the Defender for Endpoint Linux agent to the latest available version to receive bug fixes, features, and performance improvements.
- Removed semanage package dependency.
- Engine Update to
1.1.20100.7and Signatures Ver:1.385.1648.0. - Bug fixes.
Known issues
- While upgrading from mdatp version
101.75.43or101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version101.98.05. For more information, see System hang due to blocked tasks in fanotify code.
There are two ways to mitigate this upgrade issue:
Use your package manager to uninstall the
101.75.43or101.78.13mdatp version.Example:
sudo apt purge mdatp sudo apt-get install mdatpAs an alternative you can follow the instructions to uninstall, then install the latest version of the package.
If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method.
sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp
May-2023 Build: 101.98.64 | Release version: 30.123032.19864.0
| Build: | 101.98.64 |
|---|---|
| Released: | May 3,2023 |
| Published: | May 3,2023 |
| Release version: | 30.123032.19864.0 |
| Engine version: | 1.1.20100.6 |
| Signature version: | 1.385.68.0 |
What's new
- There are multiple fixes and new changes in this release
- Health message improvements to capture details about auditd failures.
- Improvements to handle augenrules, which was causing installation failure.
- Periodic memory cleanup in engine process.
- Fix for memory issue in mdatp audisp plugin.
- Handled missing plugin directory path during installation.
- When conflicting application is using blocking fanotify, with default configuration mdatp health shows unhealthy. This is now fixed.
- Support for ICMP traffic inspection in BM.
- Engine Update to
1.1.20100.6and Signatures Ver:1.385.68.0. - Bug fixes.
Known issues
- While upgrading from mdatp version
101.75.43or101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version101.98.05. For more information, see System hang due to blocked tasks in fanotify code.
There are two ways to mitigate this upgrade issue:
Use your package manager to uninstall the
101.75.43or101.78.13mdatp version.Example:
sudo apt purge mdatp sudo apt-get install mdatpAs an alternative you can follow the instructions to uninstall, then install the latest version of the package.
If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Caution: Some customers (<1%) experience issues with this method.
sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp
April-2023 Build: 101.98.58 | Release version: 30.123022.19858.0
| Build: | 101.98.58 |
|---|---|
| Released: | April 20,2023 |
| Published: | April 20,2023 |
| Release version: | 30.123022.19858.0 |
| Engine version: | 1.1.20000.2 |
| Signature version: | 1.381.3067.0 |
What's new
- There are multiple fixes and new changes in this release
- Logging and error reporting improvements for auditd.
- Handle failure in reload of auditd configuration.
- Handling for empty auditd rule files during MDE install.
- Engine Update to
1.1.20000.2and Signatures Ver:1.381.3067.0. - Addressed a health issue in mdatp that occurs due to selinux denials.
- Bug fixes.
Known issues
While upgrading mdatp to version
101.94.13or later, you might notice that health is false, with health_issues as "no active supplementary event provider". This can happen due to misconfigured/conflicting auditd rules on existing machines. To mitigate the issue, the auditd rules on the existing machines need to be fixed. The following commands can help you to identify such auditd rules (commands need to be run as super user). Take a backup of following file: /etc/audit/rules.d/audit.rules as these steps are only to identify failures.echo -c >> /etc/audit/rules.d/audit.rules augenrules --loadWhile upgrading from mdatp version
101.75.43or101.78.13, you could encounter a kernel hang. Run the following commands before attempting to upgrade to version101.98.05. For more information, see System hang due to blocked tasks in fanotify code.
There are two ways to mitigate this upgrade issue:
Use your package manager to uninstall the
101.75.43or101.78.13mdatp version.Example:
sudo apt purge mdatp sudo apt-get install mdatpAs an alternative you can follow the instructions to uninstall, then install the latest version of the package.
If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Caution: Some customers (<1%) experience issues with this method.
sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp
March-2023 Build: 101.98.30 | Release version: 30.123012.19830.0
| Build: | 101.98.30 |
|---|---|
| Released: | March 20, 2023 |
| Published: | March 20, 2023 |
| Release version: | 30.123012.19830.0 |
| Engine version: | 1.1.19900.2 |
| Signature version: | 1.379.1299.0 |
What's new
- This new release is build over March 2023 release (`101.98.05``) with a fix for Live response commands failing for one of our customers. There's no change for other customers and upgrade is optional.
Known issues
- With mdatp version 101.98.30 you might see a health false issue in some of the cases, because SELinux rules aren't defined for certain scenarios. The health warning could look something like this:
found SELinux denials within last one day. If the MDATP is recently installed, clear the existing audit logs or wait for a day for this issue to autoresolve. Use command: "sudo ausearch -i -c 'mdatp_audisp_pl' | grep "type=AVC" | grep " denied" to find details
The issue could be mitigated by running the following commands.
sudo ausearch -c 'mdatp_audisp_pl' --raw | sudo audit2allow -M my-mdatpaudisppl_v1
sudo semodule -i my-mdatpaudisppl_v1.pp
Here, my-mdatpaudisppl_v1 represents the policy module name. After you run the commands, either wait for 24 hours or clear/archive the audit logs. The audit logs could be archived by running the following command
sudo service auditd stop
sudo systemctl stop mdatp
cd /var/log/audit
sudo gzip audit.*
sudo service auditd start
sudo systemctl start mdatp
mdatp health
In case the issue reappears with some different denials. We need to run the mitigation again with a different module name (for example, my-mdatpaudisppl_v2).
March-2023 Build: 101.98.05 | Release version: 30.123012.19805.0
| Build: | 101.98.05 |
|---|---|
| Released: | March 08, 2023 |
| Published: | March 08, 2023 |
| Release version: | 30.123012.19805.0 |
| Engine version: | 1.1.19900.2 |
| Signature version: | 1.379.1299.0 |
What's new
There are multiple fixes and new changes in this release.
- Improved Data Completeness for Network Connection events
- Improved Data Collection capabilities for file ownership/permissions changes
- seManage in part of the package, to that seLinux policies can be configured in different distro (fixed).
- Improved enterprise daemon stability
- AuditD stop path clean-up
- Improved the stability of mdatp stop flow.
- Added new field to wdavstate to keep track of platform update time.
- Stability improvements to parsing Defender for Endpoint onboarding blob.
- Scan doesn't proceed if a valid license isn't present (fixed)
- Added performance tracing option to xPlatClientAnalyzer, with tracing enabled mdatp process dumps the flow in all_process.zip file that can be used for analysis of performance issues.
- Added support in Defender for Endpoint for the following RHEL-6 kernel versions:
2.6.32-754.43.1.el6.x86_642.6.32-754.49.1.el6.x86_64
- Other fixes
Known issues
While upgrading mdatp to version 101.94.13, you might notice that health is false, with health_issues as "no active supplementary event provider". This can happen due to misconfigured/conflicting auditd rules on existing machines. To mitigate the issue, the auditd rules on the existing machines need to be fixed. The following steps can help you to identify such auditd rules (these commands need to be run as super user). Make sure to back up following file: `/etc/audit/rules.d/audit.rules`` as these steps are only to identify failures.
echo -c >> /etc/audit/rules.d/audit.rules augenrules --loadWhile upgrading from mdatp version
101.75.43or101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version101.98.05. For more information, see System hang due to blocked tasks in fanotify code
There are two ways to mitigate the problem in upgrading.
Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version.
Example:
sudo apt purge mdatp
sudo apt-get install mdatp
As an alternative, you can follow the instructions to uninstall, then install the latest version of the package.
In case you don't want to uninstall mdatp you can disable rtp and mdatp in sequence before upgrade. Caution: Some customers(<1%) are experiencing issues with this method.
sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp
Jan-2023 Build: 101.94.13 | Release version: 30.122112.19413.0
| Build: | 101.94.13 |
|---|---|
| Released: | January 10, 2023 |
| Published: | January 10, 2023 |
| Release version: | 30.122112.19413.0 |
| Engine version: | 1.1.19700.3 |
| Signature version: | 1.377.550.0 |
What's new
- There are multiple fixes and new changes in this release
- Skip quarantine of threats in passive mode by default.
- New config, nonExecMountPolicy, can now be used to specify behavior of RTP on mount point marked as noexec.
- New config, unmonitoredFilesystems, can be used to unmonitor certain filesystems.
- Improved performance under high load and in speed test scenarios.
- Fixes an issue with accessing SMB shares behind Cisco AnyConnect VPN connections.
- Fixes an issue with Network Protection and SMB.
- lttng performance tracing support.
- TVM, eBPF, auditd, telemetry, and mdatp cli improvements.
- mdatp health now reports behavior_monitoring
- Other fixes.
Known issues
While upgrading mdatp to version
101.94.13, you might notice that health is false, with health_issues as "no active supplementary event provider". This can happen due to misconfigured/conflicting auditd rules on existing machines. To mitigate the issue, the auditd rules on the existing machines need to be fixed. The following steps can help you to identify such auditd rules (these commands need to be run as super user). Take a backup of following file:/etc/audit/rules.d/audit.rulesas these steps are only to identify failures.echo -c >> /etc/audit/rules.d/audit.rules augenrules --loadWhile upgrading from mdatp version
101.75.43or101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.94.13. For more information, see System hang due to blocked tasks in fanotify code
There are two ways to mitigate the problem in upgrading.
Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version.
Example:
sudo apt purge mdatp
sudo apt-get install mdatp
As an alternative to the above, you can follow the instructions to uninstall, then install the latest version of the package.
In case you don't want to uninstall mdatp you can disable rtp and mdatp in sequence before upgrade. Caution: Some customers(<1%) are experiencing issues with this method.
sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp
Nov-2022 Build: 101.85.27 | Release version: 30.122092.18527.0
| Build: | 101.85.27 |
|---|---|
| Released: | November 02, 2022 |
| Published: | November 02, 2022 |
| Release version: | 30.122092.18527.0 |
| Engine version: | 1.1.19500.2 |
| Signature version: | 1.371.1369.0 |
What's new
- There are multiple fixes and new changes in this release
- V2 engine is default with this release and V1 engine bits are removed for enhanced security.
- V2 engine support configuration path for AV definitions. (mdatp definition set path)
- Removed external packages dependencies from MDE package. Removed dependencies are libatomic1, libselinux, libseccomp, libfuse, and libuuid
- In case crash collection is disabled by configuration, crash monitoring process isn't launched.
- Performance fixes to optimally use system events for AV capabilities.
- Stability improvement when restarting mdatp and load epsext issues.
- Other fixes
Known issues
- While upgrading from mdatp version
101.75.43or101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.85.21. For more information, see System hang due to blocked tasks in fanotify code
There are two ways to mitigate the problem in upgrading.
Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version.
Example:
sudo apt purge mdatp
sudo apt-get install mdatp
As an alternative approach, follow the instructions to uninstall, then install the latest version of the package.
In case you don't want to uninstall mdatp you can disable rtp and mdatp in sequence before upgrade. Caution: Some customers(<1%) are experiencing issues with this method.
sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp
Sep-2022 Build: 101.80.97 | Release version: 30.122072.18097.0
| Build: | 101.80.97 |
|---|---|
| Released: | September 14, 2022 |
| Published: | September 14, 2022 |
| Release version: | 30.122072.18097.0 |
| Engine version: | 1.1.19300.3 |
| Signature version: | 1.369.395.0 |
What's new
- Fixes a kernel hang observed on select customer workloads running mdatp version
101.75.43. After RCA, this was attributed to a race condition while releasing the ownership of a sensor file descriptor. The race condition was exposed due to a recent product change in the shutdown path. Customers on newer Kernel versions (5.1+) aren't impacted by this issue. For more information, see System hang due to blocked tasks in fanotify code.
Known issues
When upgrading from mdatp version
101.75.43or101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version101.80.97. This action should prevent the issue from occurring.sudo mdatp config real-time-protection --value=disabled sudo systemctl disable mdatp
After executing the commands, use your package manager to perform the upgrade.
As an alternative approach, follow the instructions to uninstall, then install the latest version of the package.
Aug-2022 Build: 101.78.13 | Release version: 30.122072.17813.0
| Build: | 101.78.13 |
|---|---|
| Released: | August 24, 2022 |
| Published: | August 24, 2022 |
| Release version: | 30.122072.17813.0 |
| Engine version: | 1.1.19300.3 |
| Signature version: | 1.369.395.0 |
What's new
- Rolled back due to reliability issues
Aug-2022 (Build: 101.75.43 | Release version: 30.122071.17543.0)
| Build: | 101.75.43 |
|---|---|
| Released: | August 2, 2022 |
| Published: | August 2, 2022 |
| Release version: | 30.122071.17543.0 |
| Engine version: | 1.1.19300.3 |
| Signature version: | 1.369.395.0 |
What's new
- Added support for Red Hat Enterprise Linux version 9.0
- Added a new field in the output of
mdatp healththat can be used to query the enforcement level of the network protection feature. The new field is callednetwork_protection_enforcement_leveland can take one of the following values:audit,block, ordisabled. - Addressed a product bug where multiple detections of the same content could lead to duplicate entries in the threat history
- Addressed an issue where one of the processes spawned by the product (
mdatp_audisp_plugin) was sometimes not properly terminated when the service was stopped - Other bug fixes
Jul-2022 Build: 101.73.77 | Release version: 30.122062.17377.0
| Build: | 101.73.77 |
|---|---|
| Released: | July 21, 2022 |
| Published: | July 21, 2022 |
| Release version: | 30.122062.17377.0 |
| Engine version: | 1.1.19200.3 |
| Signature version: | 1.367.1011.0 |
What's new
- Added an option to configure file hash computation
- From this build onwards, the product has the new anti-malware engine by default
- Performance improvements for file copy operations
- Bug fixes
Jun-2022 Build: 101.71.18 | Release version: 30.122052.17118.0
| Build: | 101.71.18 |
|---|---|
| Released: | June 24, 2022 |
| Published: | June 24, 2022 |
| Release version: | 30.122052.17118.0 |
What's new
- Fix to support definitions storage in nonstandard locations (outside of /var) for v2 definition updates
- Fixed an issue in the product sensor used on RHEL 6 that could lead to an OS hang
mdatp connectivity testwas extended with an extra URL that the product requires to function correctly. The new URL is https://go.microsoft.com/fwlink/?linkid=2144709.- Up until now, the product log level wasn't persisted between product restarts. Beginning with this version, there's a new command-line tool switch that persists the log level. The new command is
mdatp log level persist --level <level>. - Removed the dependency on
pythonfrom the product installation package - Performance improvements for file copy operations and processing of network events originating from
auditd - Bug fixes
May-2022 Build: 101.68.80 | Release version: 30.122042.16880.0
| Build: | 101.68.80 |
|---|---|
| Released: | May 23, 2022 |
| Published: | May 23, 2022 |
| Release version: | 30.122042.16880.0 |
What's new
- Added support for kernel version
2.6.32-754.47.1.el6.x86_64when running on RHEL 6 - On RHEL 6, product can now be installed on devices running Unbreakable Enterprise Kernel (UEK)
- Fixed an issue where the process name was sometimes incorrectly displayed as
unknownwhen runningmdatp diagnostic real-time-protection-statistics - Fixed a bug where the product sometimes was incorrectly detecting files inside the quarantine folder
- Fixed an issue where the
mdatpcommand-line tool wasn't working when/optwas mounted as a soft-link - Performance improvements & bug fixes
May-2022 Build: 101.65.77 | Release version: 30.122032.16577.0
| Build: | 101.65.77 |
|---|---|
| Released: | May 2, 2022 |
| Published: | May 2, 2022 |
| Release version: | 30.122032.16577.0 |
What's new
- Improved the
conflicting_applicationsfield inmdatp healthto show only the most recent 10 processes and also to include the process names. This makes it easier to identify which processes are potentially conflicting with Microsoft Defender for Endpoint for Linux. - Bug fixes
Mar-2022 (Build: 101.62.74 | Release version: 30.122022.16274.0)
| Build: | 101.62.74 |
|---|---|
| Released: | Mar 24, 2022 |
| Published: | Mar 24, 2022 |
| Release version: | 30.122022.16274.0 |
What's new
- Addressed an issue where the product would incorrectly block access to files greater than 2 GB in size when running on older kernel versions
- Bug fixes
Mar-2022 Build: 101.60.93 | Release version: 30.122012.16093.0
| Build: | 101.60.93 |
|---|---|
| Released: | Mar 9, 2022 |
| Published: | Mar 9, 2022 |
| Release version: | 30.122012.16093.0 |
What's new
- This version contains a security update for CVE-2022-23278
Mar-2022 Build: 101.60.05 | Release version: 30.122012.16005.0
| Build: | 101.60.05 |
|---|---|
| Released: | Mar 3, 2022 |
| Published: | Mar 3, 2022 |
| Release version: | 30.122012.16005.0 |
What's new
- Added support for kernel version 2.6.32-754.43.1.el6.x86_64 for RHEL 6.10
- Bug fixes
Feb-2022 Build: 101.58.80 | Release version: 30.122012.15880.0
| Build: | 101.58.80 |
|---|---|
| Released: | Feb 20, 2022 |
| Published: | Feb 20, 2022 |
| Release version: | 30.122012.15880.0 |
What's new
- The command-line tool now supports restoring quarantined files to a location other than the one where the file was originally detected. This can be done through
mdatp threat quarantine restore --id [threat-id] --path [destination-folder]. - Beginning with this version, network protection for Linux can be evaluated on demand
- Bug fixes
Jan-2022 Build: 101.56.62 | Release version: 30.121122.15662.0
| Build: | 101.56.62 |
|---|---|
| Released: | Jan 26, 2022 |
| Published: | Jan 26, 2022 |
| Release version: | 30.121122.15662.0 |
What's new
- Fixed a product crash introduced in 101.53.02 and that has impacted multiple customers
Jan-2022 Build: 101.53.02 | Release version: 30.121112.15302.0
| Build: | 101.53.02 |
|---|---|
| Released: | Jan 8, 2022 |
| Published: | Jan 8, 2022 |
| Release version: | 30.121112.15302.0 |
What's new
- Performance improvements & bug fixes
2021 releases
Build: 101.52.57 | Release version: 30.121092.15257.0
| Build: | 101.52.57 |
|---|---|
| Release version: | 30.121092.15257.0 |
What's new
- Added a capability to detect vulnerable log4j jars in use by Java applications. The machine is periodically inspected for running Java processes with loaded log4j jars. The information is reported to the Microsoft Defender for Endpoint backend and is exposed in the Vulnerability Management area of the portal.
Build: 101.47.76 | Release version: 30.121092.14776.0
| Build: | 101.47.76 |
|---|---|
| Release version: | 30.121092.14776.0 |
What's new
Added a new switch to the command-line tool to control whether archives are scanned during on-demand scans. This can be configured through mdatp config scan-archives --value [enabled/disabled]. By default, this setting is set to enabled.
Bug fixes
Build: 101.45.13 | Release version: 30.121082.14513.0
| Build: | 101.45.13 |
|---|---|
| Release version: | 30.121082.14513.0 |
What's new
Beginning with this version, we're bringing Microsoft Defender for Endpoint support to the following distros:
- RHEL6.7-6.10 and CentOS6.7-6.10 versions.
- Amazon Linux 2
- Fedora 33 or higher
Bug fixes
Build: 101.45.00 | Release version: 30.121072.14500.0
| Build: | 101.45.00 |
|---|---|
| Release version: | 30.121072.14500.0 |
What's new
- Added new switches to the command-line tool:
- Control degree of parallelism for on-demand scans. This can be configured through
mdatp config maximum-on-demand-scan-threads --value [number-between-1-and-64]. By default, a degree of parallelism of2is used. - Control whether scans after security intelligence updates are enabled or disabled. This can be configured through
mdatp config scan-after-definition-update --value [enabled/disabled]. By default, this setting is set toenabled. - Changing the product log level now requires elevation
- Bug fixes
Build: 101.39.98 | Release version: 30.121062.13998.0
| Build: | 101.39.98 |
|---|---|
| Release version: | 30.121062.13998.0 |
What's new
- Performance improvements & bug fixes
Build: 101.34.27 | Release version: 30.121052.13427.0
| Build: | 101.34.27 |
|---|---|
| Release version: | 30.121052.13427.0 |
What's new
- Performance improvements & bug fixes
Build: 101.29.64 | Release version: 30.121042.12964.0
| Build: | 101.29.64 |
|---|---|
| Release version: | 30.121042.12964.0 |
What's new
- Beginning with this version, threats detected during on-demand antivirus scans triggered through the command-line client are automatically remediated. Threats detected during scans triggered through the user interface still require manual action.
mdatp diagnostic real-time-protection-statisticsnow supports two more switches:--sort: sorts the output descending by total number of files scanned--top N: displays the top N results (only works if--sortis also specified)- Performance improvements & bug fixes
Build: 101.25.72 | Release version: 30.121022.12563.0
| Build: | 101.25.72 |
|---|---|
| Release version: | 30.121022.12563.0 |
What's new
- Microsoft Defender for Endpoint on Linux is now available in preview for US Government customers. For more information, see Microsoft Defender for Endpoint for US Government customers.
- Fixed an issue where usage of Microsoft Defender for Endpoint on Linux on systems with FUSE filesystems was leading to OS hang
- Performance improvements & other bug fixes
Build: 101.25.63 | Release version: 30.121022.12563.0
| Build: | 101.25.63 |
|---|---|
| Release version: | 30.121022.12563.0 |
What's new
- Performance improvements & bug fixes
Build: 101.23.64 | Release version: 30.121021.12364.0
| Build: | 101.23.64 |
|---|---|
| Release version: | 30.121021.12364.0 |
What's new
- Performance improvement for the situation where an entire mount point is added to the antivirus exclusion list. Prior to this version, the product processed file activity originating from the mount point. Beginning with this version, file activity for excluded mount points is suppressed, leading to better product performance
- Added a new option to the command-line tool to view information about the last on-demand scan. To view information about the last on-demand scan, run
mdatp health --details antivirus - Other performance improvements & bug fixes
Build: 101.18.53
What's new
EDR for Linux is now generally available
Added a new command-line switch (
--ignore-exclusions) to ignore AV exclusions during custom scans (mdatp scan custom)Extended
mdatp diagnostic createwith a new parameter (--path [directory]) that allows the diagnostic logs to be saved to a different directoryPerformance improvements & bug fixes