Microsoft announced an upgrade to its next generation of protection on Linux and macOS with a new Microsoft Defender Antivirus malware engine. The new antimalware engine brings machine learning, big-data analysis, in-depth threat research, and the Microsoft cloud infrastructure to protect devices (or endpoints) within organizations.
The new antimalware engine in Microsoft Defender is currently in public preview mode. After the public preview phase, general availability will gradually roll out to all devices.
In a Tech Community blog, Microsoft says users can expect the following:
- Better support for protection against known and unknown malware with client-side machine-learning models, heuristics, and correlation between static signals.
- Enhanced cloud-delivered protection with support for metadata-based machine-learning models, file classifications and reputation-based machine-learning models, and more.
- Emergency security intelligence updates are now available through cloud-delivered protection that can help protect against malware outbreaks.
- Better support for false positive and false negative prevention.
- Threat naming and definition version nomenclature will change for the purpose of consistency across all platforms and aligning to our overall naming conventions. For more information about how Microsoft names malware, see Malware names | Microsoft Docs.
- Reduced memory and CPU footprints.
- Improved behavior monitoring with lower resource consumption is now available to all our customers as a configurable component for Linux (if enabled).
- Memory scanning, providing better coverage for fileless attacks (Linux).
- Reduced overall package size, significantly reduced security intelligence update download sizes.
- Custom file indicators are now available with “audit”, “allow”, “block & remediate” action. The certificate indicator type will be added at a later date.
The prerequisites for the new Microsoft Defender antimalware engine are the following:
- Preview features must be enabled on your tenant. See Turn on preview features for more information.
- The device must be in the insiders-fast or insiders-slow channel on Linux, Beta or Preview on macOS.
- If your organization has preview features enabled in your tenant, please ensure that machines participating in these channels are always on the latest version to take the latest fixes and improvements.
- The minimum Microsoft Defender for Endpoint version number must be 101.56.62, and for down-level servers (RHEL 6.x and CentOS 6.x) it must be 101.62.64.
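A check for the version prerequisite above, written as an added shell example rather than code from the Microsoft post; it assumes the documented `mdatp health --field app_version` query and that /etc/os-release identifies RHEL/CentOS 6.x as the down-level class:

```shell
#!/bin/sh
# Added example, not code from the Microsoft post: check an installed Defender for
# Endpoint build against the minimum versions the post lists for the new engine.
# Assumption: `mdatp health --field app_version` (documented mdatp CLI) prints the
# installed build, possibly quoted; anything but digits and dots is stripped.

MIN_STANDARD="101.56.62"   # minimum build on Linux and macOS, per the post
MIN_DOWNLEVEL="101.62.64"  # minimum build on RHEL 6.x / CentOS 6.x, per the post

# version_ge A B: true (0) when dotted version A is >= B, comparing field by
# field as integers so 101.7.1 ranks below 101.56.62, unlike a string compare.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        if [ "$ah" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bh" = "$b" ]; then b=""; else b="${b#*.}"; fi
        if [ "${ah:-0}" -gt "${bh:-0}" ]; then return 0; fi
        if [ "${ah:-0}" -lt "${bh:-0}" ]; then return 1; fi
    done
    return 0
}

# required_version CLASS: minimum for "downlevel" (RHEL/CentOS 6.x) or "standard".
required_version() {
    if [ "$1" = "downlevel" ]; then echo "$MIN_DOWNLEVEL"; else echo "$MIN_STANDARD"; fi
}

# meets_prereq VERSION CLASS: true (0) when VERSION satisfies the minimum for CLASS.
meets_prereq() {
    version_ge "$(printf '%s' "$1" | tr -cd '0-9.')" "$(required_version "$2")"
}

# host_class: "downlevel" for RHEL/CentOS 6.x per /etc/os-release, else "standard".
# (Assumption: os-release is present and carries ID and VERSION_ID.)
host_class() {
    if [ -r /etc/os-release ] && ( . /etc/os-release
          case "$ID" in rhel|centos) case "$VERSION_ID" in 6|6.*) exit 0;; esac;; esac
          exit 1 ); then echo downlevel; else echo standard; fi
}

# Stand-alone use: pass a version as $1 for an offline check, else query mdatp.
if [ -n "$1" ]; then ver="$1"; else ver=$(mdatp health --field app_version 2>/dev/null | tr -d '"'); fi
cls=$(host_class)
if meets_prereq "$ver" "$cls"; then
    echo "OK: build ${ver:-unknown} meets minimum $(required_version "$cls") for $cls hosts"
else
    echo "NOT MET: build ${ver:-unknown} is below $(required_version "$cls") for $cls hosts"
fi
```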
Another key feature of the new antimalware engine is the ability to create custom file indicators, which some administrators may already have used on Windows. The three indicator response actions are ‘allow’, ‘alert only’, and ‘alert and block’. These actions are now supported on macOS and Linux.
Microsoft also notes that warn and block indicator types are currently not supported for Linux & macOS, as visually indicated in the Microsoft 365 Defender portal. Microsoft adds, “If you have previously created non-scoped custom file indicators (targeted to all devices) in your environment, the indicators will also start applying to any device that is running the new antimalware engine.”
For more information, visit Microsoft’s Tech Community blog.