Introduction

I resigned from my current company a few weeks ago, since I was offered a much better opportunity at another company. Since my resignation I have been assigned tasks to implement stricter security controls for both Windows and Linux systems. We are relatively new to migrating Linux servers to Microsoft Defender for Endpoint, but we are testing it on some servers.

In this article I’ll go through the steps to implement Microsoft Antivirus Policy for Linux systems.

Enforcement Scope

  1. Go to Microsoft Defender > Settings > Endpoints.

  2. Enable Use MDE to enforce security configuration settings from Intune.

  3. Select Linux Devices and On tagged devices.

  4. Click Save after enabling these settings.

Adding Device Tag

  1. Find the Linux system in MDE.

  2. Open the device's actions menu and click Manage Tags.

  3. Add the tag MDE-Management.

Antivirus Policy

  1. Go to Endpoint Security > Antivirus.

  2. Click Create, select Linux as the Platform and Microsoft Defender Antivirus as the Profile.

  3. Enter the Name and Description.

  4. In Antivirus Engine use the following baseline configuration.

  5. For Threat Type Settings I would recommend using Audit Mode to see whether any false positives occur within your environment.

  6. In Scanning Options I decided to enable stricter settings, since the system administrator wanted to see how much they would affect performance.

  7. In Network Protection I recommend enabling Audit Mode so that we can monitor which operations would be blocked or allowed.

  8. Select your scope tag.

  9. Select all devices.

  10. Review the configuration and click Save.

All devices with the MDE-Management tag will automatically be assigned the Antivirus Policy without being onboarded to Microsoft Defender for Cloud.
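Once the tag has propagated, the state can be verified on the Linux host itself. The script below is an added example, not part of the original post: it parses the `key : value` lines printed by `mdatp health` and compares a few fields with the state the policy is expected to enforce. The expected values and the sample output are constructed assumptions, not the author's baseline configuration.

```shell
#!/usr/bin/env bash
# Post-deployment check for a Linux host tagged MDE-Management: parse the
# "key : value" lines printed by `mdatp health` and compare a few fields with
# the expected state (assumed values; the post's baseline config is not shown).

# health_field TEXT KEY -> prints KEY's value (quotes stripped), empty if absent.
# Splits on the first ':' only, so values containing ':' survive intact.
health_field() {
    printf '%s\n' "$1" | awk -v k="$2" '
        { i = index($0, ":"); if (i == 0) next
          name = substr($0, 1, i - 1); gsub(/ +$/, "", name)
          if (name != k) next
          v = substr($0, i + 1); gsub(/^ +| +$/, "", v); gsub(/^"|"$/, "", v)
          print v; exit }'
}

# check_health TEXT -> one OK/FAIL line per field; returns 1 on any deviation.
check_health() {
    local text="$1" rc=0 pair key want got
    for pair in healthy=true licensed=true real_time_protection_enabled=true \
                passive_mode_enabled=false definitions_status=up_to_date; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(health_field "$text" "$key")
        if [ "$got" = "$want" ]; then
            printf 'OK    %-30s %s\n' "$key" "$got"
        else
            printf 'FAIL  %-30s got=%s want=%s\n' "$key" "${got:-<missing>}" "$want"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample (not captured from a real host): agent healthy but still in
# passive mode with real-time protection off, i.e. the policy has not landed yet.
SAMPLE_HEALTH='healthy                                     : true
health_issues                               : []
licensed                                    : true
real_time_protection_enabled                : false
passive_mode_enabled                        : true
definitions_status                          : "up_to_date"'

# Use live output when the agent is installed, otherwise fall back to the sample.
if command -v mdatp >/dev/null 2>&1; then
    HEALTH=$(mdatp health)
else
    HEALTH=$SAMPLE_HEALTH
fi
check_health "$HEALTH" || echo "Antivirus Policy has not (fully) applied on this host"
```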

Conclusion

Microsoft Defender XDR comes with a lot of features. I originally thought it wouldn't be possible to apply an Antivirus Policy to Linux systems, since these aren't onboarded through Microsoft Intune. However, using Enforcement Scope and tagging, it is possible to enable Antivirus Policy on Linux systems.