Exception Handling for Defender & Third-Party EDR Conflict

Question

Hello. We are currently operating Microsoft Defender for Cloud (MDC). We aim to comply with one of MDC's recommendations, 'EDR solution should be installed on Virtual Machines.' While Windows machines have Microsoft Defender for Endpoint (MDE) installed as an extension and are recognized as normal resources, Linux machines utilize a third-party antivirus solution, Crowdstrike. However, MDC fails to recognize this and marks them as abnormal resources. Upon reviewing relevant MS Docs, it seems this might be due to the following reasons. With this in mind, we have the following two questions:

Q1. How should we handle resources marked as abnormal under the recommendation 'EDR solution should be installed on Virtual Machines' (utilizing a third-party Crowdstrike antivirus) as there is no mention of exception handling in the recommendation? Is there a way to transition such resources to normal status or proceed with exception handling?

Q2. MDE.Linux was deployed as an extension to Linux machines with Crowdstrike antivirus installed, but deployment failed (confirmed due to conflicts with falcon-sensor). Will redeployment occur if the extension is removed? Alternatively, in case of deployment failure for MDE extension, is a separate MDE offboarding process required? Currently, we are using Plan2 with MDE integration, as shown in the image below.

Thank you.

Answer 1

Hello 용현 정,
Regarding your first question on Exemptions, please find the link below on how to exempt resources from recommendations.
https://learn.microsoft.com/en-us/azure/defender-for-cloud/exempt-resource
Regarding the second question, you can try removing the MDE extension and then redeploying it, ensure that you first address the conflict with falcon sensor.