Content updated: 29 March 2021. Changes or newer versions can be released by Microsoft.

Microsoft Defender for Endpoint supports more platforms. Since 2020 Defender for Endpoint is available for Linux systems. Recently Microsoft announced the behavior monitoring preview feature for Linux. This blog is about all the parts of Defender for Endpoint on Linux systems, focussed on the new behavior monitoring and detection part. 

Defender for Endpoint on Linux

Microsoft extends the endpoint security capabilities from only Windows to macOS, Linux, Android, and iOS. With the Defender for Endpoint solution, it is possible to protect all the different platforms.

With Microsoft Defender for Endpoint, customers benefit from a unified view of all threats and alerts across Windows and non-Windows platforms.

First of all the requirements for the Linux onboarding part.


Supported Linux server distributions and versions:

  • Red Hat Enterprise Linux 7.2 or higher
  • CentOS 7.2 or higher
  • Ubuntu 16.04 LTS or higher LTS
  • Debian 9 or higher
  • SUSE Linux Enterprise Server 12 or higher
  • Oracle Linux 7.2 or higher

Kernel and audit

  • Minimum kernel version 3.10.0-327
  • Fanotify kernel option must be enabled
  • Auditd must be enabled

Disk space:

  • 1GB minimum disk space


What is EDR / Behavior monitoring?

The protection for Linux is based on EDR detections. Most AV solutions will just look at known hashes for files and processes. EDR is more advanced and looks at memory, processes, network traffic and more advanced detections.

Since last week the Linux antivirus platform is supporting behavior monitoring capabilities. At the moment behavior monitoring and blocking are available as public preview for the supported Linux.

Microsoft announced EDR for Linux as:

The new preventive antivirus functionality complements our existing strong content-based capabilities with behavior monitoring and deep memory scanning. These enhancements bring immediate ability to closely monitor processes, file system activities, and process interactions within the system. The enhanced ability to correlate events and behaviors across multiple processes allows us to more generically detect and block malware based on their behavioral classification. These behavior-based signals will act as additional runtime signals for behavioral cloud-powered machine learning models and for effective runtime protection.

The preview is at the moment supported by the following Linux distributions: Note; all supported Linux platforms for MDFE

  • RHEL 7.2+,
  • CentOS Linux 7.2+
  • Ubuntu 16 LTS, or higher LTS
  • SLES 12+
  • Debian 9+
  • Oracle Linux 7.2+

For the behavior part, make sure the device contains the following prerequisites;

  • InsiderFast channel
  • Defender for Endpoint version 102.25.42 or higher
  • Manual enrollment in the preview future.
  • More later in the blog

First onboard Linux

For onboarding Linux multiple options are available. For this blog we using a CentOS machine. Follow the steps below for the CentOS part.

Install yum-utils

if it isn’t installed yet on the device install yum-utils.

sudo yum install yum-utils
Add repo
Now it is time to add the repo. For the add repo use the following format;

sudo yum-config-manager --add-repo=[distro]/[version]/[channel].repo

Replace the distro and version with the VM information. For example, if using CENTOS 7. Use the following code: In this demo example distro is replaced with centos and version with the used Linux distro version. Channel is the part where you can select the update ring. The choice of channel determines the frequency of updates. Insider-fast is the first order, followed by insider-slow and the most stable; prod.

The following channels are available:

  • Insiders-fast
  • Insiders-slow
  • Prod

Note: Browse for the explorer and data structure. Microsoft has published the MDATP Linux agents in their repository.

In the case of this blog post and the usage of the behavior part, we will use the insider-fast ring. The command for CentOS 7 with the insiders-slow ring is:

sudo yum-config-manager --add-repo=
Add Microsoft GPG public key
For installing the Microsoft GPG public key:
sudo rpm --import
Update cache
yum makecache

Install MDATP:

See for detailed instruction for distributions like SLED, Redhat etc. For CentOS use the following command to install Defender for Endpoint for Linux:

sudo yum install mdatp

Onboarding Defender for Endpoint package

Now onboarding Defender for Endpoint with the Python script. First, download the onboarding package from Microsoft Defender for Endpoint portal. For downloading the onboarding package:

  1. Go to: Settings > Device Management > Onboarding
  2. Download the Linux Server onboarding file
  3. Save the file and copy it to the machine
  4. Run the python script from the server

Checking health & onboarding

For checking the MDATP health use the command:
mdatp health
Checking health for the real_time_protection feature:
mdatp health --field real_time_protection_enabled
Checking organization ID. For correct onboarding the org_ID needs to be filled-in if not automatically added.
mdatp health --field org_id
Checking for the latest definition updates
mdatp health --field definitions_status

You can use an automated bash script. View the GitHub repository for the install scripts. Of course, you can use the Puppet or Ansible deployment toolings for Linux.

The Linux machine is now onboarded to the Defender for Endpoint instance:

Test & detection

Test test file: 

curl -o ~/

In this scenario the real-time protection kicks in, and flag the download as malicious.

Check Quarantined actions

mdatp threat list

All the incidents are reported to the Defender Security Center portal:

And the detailed page for the eicar-test-file:

Behavior monitoring

For the behavior monitoring public preview part the following requirements are needed:

  • InsiderFast channel
  • Defender for Endpoint version 102.25.42 or higher
  • Manual enrollment in the preview future.

Manual enrollment command

mdatp config behavior-monitoring --value enabled

Disable command

mdatp config behavior-monitoring --value disabled

For enabling the behavior monitoring part; Defender for Endpoint must be restarted.

Now make sure the cloud-delivered protection part is enabled.

mdatp health --field cloud_enabled

Behavior monitoring demo

Now the demo part for behavior monitoring. With the Do it ourself scenarios it is possible to use multiple scenarios to test the new feature. View the Microsoft source for all scenarios.


Note: all in this part is only for testing the behavior part. Not recommended for production systems.

Metasploit is a popular exploitation framework used by attackers. Metasploit allows attackers to generate reverse shell payloads that an attacker can execute on a remote machine to gain access to a victim machine.

First, install and configure Metasploit for the test behavior monitoring block actions.

Run the MSFVenon command:

msfvenom -p cmd/unix/reverse_python LHOST= LPORT=4444 -f raw

As you can see the Python reverse shell command is immediately killed before the attack could cause any harm to the system.

For the action checkup; use the command:

mdatp threat list

In the green the virus detection part. In red the new behavior actions.

If we take a look inside the Defender for Endpoint portal. You can find detection related to the behavior.


Pth-toolkit is another very popular post-compromise framework. Defender for Endpoint detects and prevent the PTHToolkitGen.


Microsoft Defender ATP for Linux is available in Defender for Endpoint. Microsoft releases and improves the Linux part a lot in the last months. With EDR and Behavior monitoring more enterprise protection layers can be added for protection Linux systems.

For the Linux part, more interesting  blog posts in the next months. Happy hunting


Microsoft: Enhancing Linux antivirus with behavior monitoring capabilities!

Microsoft: Microsoft Defender for Endpoint for Linux