News

Linux, Android Solutions Added for Microsoft Defender ATP

• By Kurt Mackie
• 06/23/2020

Microsoft is extending the security capabilities of its Microsoft Defender Advanced Threat Protection (ATP) solution to other platforms.

Microsoft Defender ATP works with the Microsoft Defender Security Center portal to protect endpoints and client devices against threats. On Tuesday, Microsoft announced the general availability of the product for Linux server machines, as well as a preview of Microsoft Defender ATP for Android.

Lastly, Microsoft Defender ATP was enhanced with a new Unified Extensible Firmware Interface (UEFI) scanner capability to better detect threats at a device's boot level, as announced last week.

Linux Support at GA
The new Linux GA support in Microsoft Defender ATP makes the product commercially available across multiple platforms (Windows, macOS and Linux), with Android and iOS commercial support yet to come.

Microsoft Defender ATP now supports the following Linux Server distros, per Microsoft's announcement:

• RHEL 7.2+
• CentOS Linux 7.2+
• Ubuntu 16 LTS, or higher LTS
• SLES 12+
• Debian 9+
• Oracle Linux 7.2

IT pros need to have a beginner experience level in "Linux and Bash scripting" to install Microsoft Defender ATP for Linux, per Microsoft's documentation. Microsoft Defender ATP for Linux "can be deployed and configured using Puppet, Ansible, or using your existing Linux configuration management tool," Microsoft's announcement explained.

The announcement included a terse note that Microsoft Defender ATP for Linux "requires the Microsoft Defender ATP for Servers license," without further elaboration. Organizations likely will have to talk with a Microsoft Cloud Solution Partner to get the fine print. On the Windows side, it means having a minimum of 50 seats on certain Microsoft E5 licenses, as described in this blog post by Microsoft Gold Partner Infused Innovations.

Android Mobile Support at Preview
The Microsoft Defender ATP for Android preview is being touted as a way to protect organizations from the lures of phishing attacks, where Android mobile device users get diverted onto "unsafe network connections from apps, websites, and malicious apps," according to another Microsoft announcement. IT pros can see the events detected by Microsoft Defender ATP for Android via the Microsoft Defender Security Center.

The Microsoft Defender ATP for Android preview uses reputation scanning on URLs to determine malicious links using the Microsoft Defender SmartScreen service. In addition, IT pros can set custom indicators for allowing or blocking URLs.

Microsoft Defender ATP for Android also checks for installations of "potentially unwanted applications," or apps with a low reputation, and lets end users know about untrustworthy apps. Some capabilities such as blocking against "malicious access to sensitive corporate information" require having an integration with Microsoft Endpoint Manager (Intune and Configuration Manager).

Microsoft's documentation, though, indicated that Intune is currently the only supported tool for deploying and setting compliance policies for Microsoft Defender ATP for Android preview:

Microsoft Intune is the only supported Mobile Device Management (MDM) solution for deploying Microsoft Defender ATP for Android. Currently only enrolled devices are supported for enforcing Microsoft Defender ATP for Android related device compliance policies in Intune.

Microsoft is planning to add more capabilities to Microsoft Defender ATP for Android "in the coming months." It's planning to release Microsoft Defender ATP for iOS mobile devices sometime "later this year."

UEFI Scanner Addition
Last week, Microsoft announced it had added a UEFI scanner reporting capability within Microsoft Defender ATP. The UEFI scanner itself is actually "a new component of the built-in antivirus solution on Windows 10," the announcement clarified.

UEFI is a BIOS replacement that was supposed to add firmware protections at the boot level, where antivirus software was said to be unable to detect malware. UEFI's Secure Boot capability was supposed to have warded off so-called "bootkits" or "rootkits" from injecting malware into systems, but Secure Boot was found to be inadequate in late 2018. The newer UEFI hardware and firmware protections that are deemed more effective than Secure Boot are now available under the "secured-core" label for PCs.

UEFI scanner reporting in Microsoft Defender ATP checks a system's firmware file system at runtime and "integrates insights from our partner chipset manufacturers" to check for rootkits and other exploits, including suspicious drivers. It actually "analyzes content inside the firmware," Microsoft indicated. Attackers typically try to exploit misconfigured machines to deliver rootkits, Microsoft added.

Detected exploits will show up as a Windows security notification for end users. IT pros will get notified of exploits via the Microsoft Defender Security Center. It's also possible to use Microsoft Defender ATP to actively hunt for threats, Microsoft indicated.