Microsoft unveils new antimalware engine capabilities for Linux and macOS
Microsoft has announced an upgrade to its next-generation protection on Linux and macOS: a new Microsoft Defender Antivirus antimalware engine. The engine brings client-side machine learning, big-data analysis, in-depth threat research, and Microsoft's cloud infrastructure to the protection of the devices (endpoints) in an organization.
The new antimalware engine is currently in public preview. After the preview phase, general availability will roll out gradually to all devices.
In a Tech Community blog, Microsoft says users can expect the following:
- Better support for protection against known and unknown malware with client-side machine learning models, heuristics, and correlation between static signals.
- Enhanced cloud protection with support for metadata-based machine learning models, file classifications and reputation-based machine learning models, and more.
- Emergency security intelligence updates are now available through cloud-delivered protection that can help protect against malware outbreaks.
- Better support for preventing false positives and false negatives.
- Threat naming and definition version nomenclature will change for consistency across platforms and to align with our global naming conventions. For more information on how Microsoft names malware, see Malware names | Microsoft docs.
- Reduced memory and CPU footprint
- Improved behavior monitoring with reduced resource consumption is now available to all our customers as a configurable component for Linux (if enabled).
- Memory analysis, providing better coverage for fileless attacks (Linux).
- Reduced overall package size and a significantly reduced size of Security Information Update downloads.
- Custom file flags are now available with 'audit', 'allow', and 'block and fix' actions. The certificate indicator type will be added later.
The prerequisites for the new Microsoft Defender anti-malware engine are:
- Preview features must be enabled on your tenant. See Enable Preview features for more information.
- The device must be in the insiders-fast or insiders-slow channel on Linux, Beta or Preview on macOS.
- If your organization has preview features enabled in your tenant, ensure that machines participating in those channels are always on the latest build to catch the latest fixes and improvements.
- Microsoft Defender for Endpoint must be at least version 101.56.62; on down-level servers (RHEL 6.x and CentOS 6.x) it must be at least 101.62.64.
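The prerequisites above are easy to get wrong across a fleet (a device left in the Production ring, or a RHEL 6 host one build too old), so here is an added example of a pre-flight check; it is not code from Microsoft's blog or documentation. The minimum version numbers come from the list above. The `mdatp health --field app_version` and `--field release_ring` queries, and the ring names it accepts (InsiderFast, InsiderSlow, Beta, Preview), are assumptions about the `mdatp` CLI on your build; confirm them against `mdatp health` before relying on the script. When `mdatp` is not installed it falls back to constructed sample values so it can be run anywhere.

```shell
#!/bin/sh
# Added example (not from Microsoft's blog or documentation): check whether a
# Linux/macOS host meets the prerequisites for the new antimalware engine.
# Minimum versions are the ones stated in the article; the mdatp field names
# and release_ring values are assumptions, so verify them on your own build.

# version_ge A B: exit 0 when dotted version A >= B, comparing numerically
# component by component (so 101.62.64 > 101.56.62 even though "56" < "62" as text).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# required_version ID VERSION_ID: minimum MDE version for this OS, as stated in
# the article (down-level RHEL/CentOS 6.x need the newer build).
required_version() {
  case "$1:$2" in
    rhel:6*|centos:6*) echo "101.62.64" ;;
    *)                 echo "101.56.62" ;;
  esac
}

# ring_is_insider RING: true for the preview channels named in the article.
# The exact strings mdatp reports for these rings are an assumption.
ring_is_insider() {
  case "$1" in
    InsiderFast|InsiderSlow|Beta|Preview) return 0 ;;
    *) return 1 ;;
  esac
}

# check_prereqs APP_VERSION RING ID VERSION_ID: prints "ok" or the first
# failing prerequisite; the exit status mirrors the result.
check_prereqs() {
  app_version=$1; ring=$2; os_id=$3; os_version=$4
  if ! ring_is_insider "$ring"; then
    printf 'device not in an insider ring (%s)\n' "$ring"
    return 1
  fi
  need=$(required_version "$os_id" "$os_version")
  if ! version_ge "$app_version" "$need"; then
    printf 'app_version %s below required %s\n' "$app_version" "$need"
    return 1
  fi
  printf 'ok\n'
}

if command -v mdatp >/dev/null 2>&1; then
  # Live check: strip the quotes mdatp prints around string fields.
  ver=$(mdatp health --field app_version | tr -d '"')
  ring=$(mdatp health --field release_ring | tr -d '"')
  ID=unknown; VERSION_ID=0
  [ -r /etc/os-release ] && . /etc/os-release   # sets ID and VERSION_ID on Linux
  check_prereqs "$ver" "$ring" "$ID" "$VERSION_ID"
else
  # Constructed sample values (not real host output) so the script runs anywhere.
  check_prereqs 101.62.64 InsiderFast rhel 6.10          # meets the RHEL 6 minimum
  check_prereqs 101.56.61 InsiderSlow ubuntu 20.04 || :  # one build too old
fi
```

Run it on each device in the insider channels; a non-zero exit with the printed reason tells you which prerequisite to fix. Because the version comparison is numeric per component, it will not be fooled by string ordering when Microsoft ships builds with more digits in a component.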
Another key feature of the new antimalware engine is the ability to create custom file indicators (flags), which some administrators will already know from Windows. An indicator's three response actions are "allow", "alert only", and "alert and block", and all three are now supported on macOS and Linux.
Microsoft also notes that the warning and blocking indicator types are not currently supported for Linux and macOS, as indicated visually in the Microsoft 365 Defender portal. Microsoft adds, "If you have already created non-scoped custom file flags (targeted to all devices) in your environment, the flags will also start applying to any device running the new anti-malware engine." In practice that means an allow or block indicator created for Windows with no device-group scope will take effect on Linux and macOS devices as soon as they receive the new engine, so review existing non-scoped indicators before enrolling those devices in the preview channels.
For more information, visit Microsoft Tech Community Blog.