Microsoft Defender for Endpoint on Linux
Tip
We're excited to share that Microsoft Defender for Endpoint on Linux now extends support for ARM64-based Linux servers in preview! For more information, see Microsoft Defender for Endpoint on Linux for ARM64-based devices (preview).
Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.
This article describes how to install, configure, update, and use Microsoft Defender for Endpoint on Linux.
Caution
Running other non-Microsoft endpoint protection products alongside Microsoft Defender for Endpoint on Linux is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of Defender for Endpoint on Linux EDR functionality after configuring antivirus functionality to run in Passive mode.
How to install Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint for Linux includes anti-malware and endpoint detection and response (EDR) capabilities.
Prerequisites
- Access to the Microsoft Defender portal
- Linux distribution using the systemdsystem manager
- Beginner-level experience in Linux and BASH scripting
- Administrative privileges on the device (for manual deployment)
Note
Linux distribution using system manager supports both SystemV and Upstart. Microsoft Defender for Endpoint on Linux agent is independent from Operation Management Suite (OMS) agent. Microsoft Defender for Endpoint relies on its own independent telemetry pipeline.
System requirements
CPU: 1 CPU core minimum. For high-performance workloads, more cores are recommended.
Disk Space: 2 GB minimum. For high-performance workloads, more disk space might be needed.
Memory: 1 GB of RAM minimum. For high-performance workloads, more memory might be needed.
Note
Performance tuning might be needed based on workloads. See Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux.
The following Linux server distributions and x64 (AMD64/EM64T) versions are supported:
- Red Hat Enterprise Linux 7.2 or higher
- Red Hat Enterprise Linux 8.x
- Red Hat Enterprise Linux 9.x
- CentOS 7.2 or higher
- Ubuntu 16.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 24.04 LTS
- Debian 9 - 12
- SUSE Linux Enterprise Server 12.x
- SUSE Linux Enterprise Server 15.x
- Oracle Linux 7.2 or higher
- Oracle Linux 8.x
- Oracle Linux 9.x
- Amazon Linux 2
- Amazon Linux 2023
- Fedora 33-38
- Rocky 8.7 and higher
- Rocky 9.2 and higher
- Alma 8.4 and higher
- Alma 9.2 and higher
- Mariner 2
The following Linux server distributions on ARM64 are now supported in preview:
- Ubuntu 20.04 ARM64
- Ubuntu 22.04 ARM64
- Amazon Linux 2 ARM64
- Amazon Linux 2023 ARM64
Important
Support for Microsoft Defender for Endpoint on Linux for ARM64-based Linux devices is now in preview. For more information, see Microsoft Defender for Endpoint on Linux for ARM64-based devices (preview).
Note
The workstation versions of these distributions are unsupported. Distributions and versions that aren't explicitly listed are unsupported (even if they're derived from the officially supported distributions). After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that which are listed in this section are provided for technical upgrade support only. Currently, Rocky and Alma distributions aren't supported in Microsoft Defender Vulnerability Management. Microsoft Defender for Endpoint for all other supported distributions and versions is kernel-version agnostic. The minimal requirement for the kernel version to be
3.10.0-327
or later.Caution
Running Defender for Endpoint on Linux side by side with other
fanotify
-based security solutions isn't supported. It can lead to unpredictable results, including hanging the operating system. If there are any other applications on the system that usefanotify
in blocking mode, applications are listed in theconflicting_applications
field of themdatp health
command output. The Linux FAPolicyD feature usesfanotify
in blocking mode, and is therefore unsupported when running Defender for Endpoint in active mode. You can still safely take advantage of Defender for Endpoint on Linux EDR functionality after configuring the antivirus functionality Real Time Protection Enabled to Passive mode.List of supported filesystems for RTP, Quick, Full, and Custom Scan.
RTP, Quick, Full Scan | Custom Scan |
---|---|
btrfs |
All filesystems supported for RTP, Quick, Full Scan |
ecryptfs |
Efs |
ext2 |
S3fs |
ext3 |
Blobfuse |
ext4 |
Lustr |
fuse |
glustrefs |
fuseblk |
Afs |
jfs |
sshfs |
nfs (v3 only) |
cifs |
overlay |
smb |
ramfs |
gcsfuse |
reiserfs |
sysfs |
tmpfs |
|
udf |
|
vfat |
|
xfs |
Note
Starting with version 101.24082.0004
, Defender for Endpoint on Linux no longer supports the Auditd
event provider. We're transitioning completely to the more efficient extended Berkeley Packet Filter (eBPF) technology.
If eBPF isn't supported on your machines, or if there are specific requirements to remain on Auditd, and your machines are using Defender for Endpoint on Linux version 101.24072.0001
or lower, then Audit framework (auditd
) must be enabled on your system.
If you're using Auditd, then system events captured by rules added to /etc/audit/rules.d/
adds to audit.log
(s) and might affect host auditing and upstream collection. Events added by Microsoft Defender for Endpoint on Linux are tagged with the mdatp
key.
- /opt/microsoft/mdatp/sbin/wdavdaemon requires executable permission. For more information, see "Ensure that the daemon has executable permission" in Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux.
Installation instructions
There are several methods and deployment tools that you can use to install and configure Microsoft Defender for Endpoint on Linux. Before you begin, make sure the Minimum requirements for Microsoft Defender for Endpoint are met.
You can use one of the following methods to deploy Microsoft Defender for Endpoint on Linux:
- To use command-line tool, see Manual deployment
- To use Puppet, see Deploy using Puppet configuration management tool
- To use Ansible, see Deploy using Ansible configuration management tool
- To use Chef, see Deploy using Chef configuration management tool
- To use Saltstack, see Deploy using Saltstack configuration management tool
- To install on ARM64-based Linux servers, see Microsoft Defender for Endpoint on Linux for ARM64-based devices (preview).
If you experience any installation failures, see Troubleshooting installation failures in Microsoft Defender for Endpoint on Linux.
Important
Installing Microsoft Defender for Endpoint in any location other than the default install path isn't supported.
Microsoft Defender for Endpoint on Linux creates an mdatp
user with random UID and GID. If you want to control the UID and GID, create an mdatp
user before installation using the /usr/sbin/nologin
shell option. Here's an example: mdatp:x:UID:GID::/home/mdatp:/usr/sbin/nologin
.
External package dependency
If the Microsoft Defender for Endpoint installation fails due to missing dependencies errors, you can manually download the prerequisite dependencies. The following external package dependencies exist for the mdatp package:
- The mdatp RPM package requires
glibc >= 2.17
,policycoreutils
,selinux-policy-targeted
, andmde-netfilter
- For RHEL6 the mdatp RPM package requires
policycoreutils
,libselinux
, andmde-netfilter
- For DEBIAN the mdatp package requires
libc6 >= 2.23
,uuid-runtime
, andmde-netfilter
Note
Beginning with version 101.24082.0004
, Defender for Endpoint on Linux no longer supports the Auditd
event provider. We're transitioning completely to the more efficient eBPF technology.
If eBPF isn't supported on your machines, or if there are specific requirements to remain on Auditd, and your machines are using Defender for Endpoint on Linux version 101.24072.0001
or older, the following additional dependency on the auditd package exists for mdatp:
- The mdatp RPM package requires
audit
,semanage
. - For DEBIAN, the mdatp package requires
auditd
. - For Mariner, the mdatp package requires
audit
.
Themde-netfilter
package also has the following package dependencies:
- For DEBIAN, the mde-netfilter package requires
libnetfilter-queue1
, andlibglib2.0-0
- For RPM, the mde-netfilter package requires
libmnl
,libnfnetlink
,libnetfilter_queue
, andglib2
Configuring Exclusions
When adding exclusions to Microsoft Defender Antivirus, you should be mindful of Common Exclusion Mistakes for Microsoft Defender Antivirus.
Network connections
Ensure that connectivity is possible from your devices to Microsoft Defender for Endpoint cloud services. To prepare your environment, see STEP 1: Configure your network environment to ensure connectivity with Defender for Endpoint service.
Defender for Endpoint on Linux can connect through a proxy server by using the following discovery methods:
- Transparent proxy
- Manual static proxy configuration
If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. For transparent proxies, no another configuration is needed for Defender for Endpoint. For static proxy, follow the steps in Manual Static Proxy Configuration.
Warning
PAC, WPAD, and authenticated proxies aren't supported. Ensure that only a static proxy or transparent proxy is being used. SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Defender for Endpoint on Linux to the relevant URLs without interception. Adding your interception certificate to the global store won't allow for interception.
For troubleshooting steps, see Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on Linux.
How to update Microsoft Defender for Endpoint on Linux
Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender for Endpoint on Linux, refer to Deploy updates for Microsoft Defender for Endpoint on Linux.
How to configure Microsoft Defender for Endpoint on Linux
Guidance for how to configure the product in enterprise environments is available in Set preferences for Microsoft Defender for Endpoint on Linux.
Common Applications to Microsoft Defender for Endpoint can impact
High I/O workloads from certain applications can experience performance issues when Microsoft Defender for Endpoint is installed. Such applications for developer scenarios include Jenkins and Jira, and database workloads like OracleDB and Postgres. If experiencing performance degradation, consider setting exclusions for trusted applications, keeping Common Exclusion Mistakes for Microsoft Defender Antivirus in mind. For more guidance, consider consulting documentation regarding antivirus exclusions from non-Microsoft applications.
Resources
- For more information about logging, uninstalling, or other articles, see Resources.
Related articles
- Protect your endpoints with Defender for Cloud's integrated EDR solution: Microsoft Defender for Endpoint
- Connect your non-Azure machines to Microsoft Defender for Cloud
- Turn on network protection for Linux
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.