What's new in Microsoft Defender for Endpoint on Linux

Applies to:

• Microsoft Defender for Endpoint Plan 1
• Microsoft Defender for Endpoint Plan 2

This article is updated frequently to let you know what's new in the latest releases of Microsoft Defender for Endpoint on Linux.

• What's new in Defender for Endpoint on macOS
• What's new in Defender for Endpoint on iOS

March-2024 (Build: 101.24022.0001 | Release version: 30.124022.0001.0)

March-2024 Build: 101.24022.0001 | Release version: 30.124022.0001.0

 Released: March 22,2024
 Published: March 22,2024
 Build: 101.24022.0001
 Release version: 30.124022.0001.0
 Engine version: 1.1.23110.4
 Signature version: 1.403.87.0

What's new

There are multiple fixes and new changes in this release:

• The addition of a new log file - microsoft_defender_scan_skip.log. This will log the filenames that were skipped from various antivirus scans by Microsoft Defender for Endpoint due to any reason.
• Stability and performance improvements.
• Bug fixes.

March-2024 (Build: 101.24012.0001 | Release version: 30.124012.0001.0)

March-2024 Build: 101.24012.0001 | Release version: 30.124012.0001.0

 Released: March 12,2024
 Published: March 12,2024
 Build: 101.24012.0001
 Release version: 30.124012.0001.0
 Engine version: 1.1.23110.4
 Signature version: 1.403.87.0

What's new There are multiple fixes and new changes in this release:

• Updated default engine version to 1.1.23110.4, and default signatures version to 1.403.87.0.
• Stability and performance improvements.
• Bug fixes.

February-2024 (Build: 101.23122.0002 | Release version: 30.123122.0002.0)

February-2024 Build: 101.23122.0002 | Release version: 30.123122.0002.0

 Released: February 5,2024
 Published: February 5,2024
 Build: 101.23122.0002
 Release version: 30.123122.0002.0
 Engine version: 1.1.23100.2010
 Signature version: 1.399.1389.0

What's new There are multiple fixes and new changes in this release:

• Updated default engine version to 1.1.23100.2010, and default signatures version to 1.399.1389.0.

• General stability and performance improvements.

• Bug fixes.

• Microsoft Defender for Endpoint on Linux now officially supports the following distros and versions:

  Distro & version	Ring	Package
  Mariner 2	Production	https://packages.microsoft.com/cbl-mariner/2.0/prod/extras/x86_64/config.repo
  Rocky 8.7 and higher	Insiders Slow	https://packages.microsoft.com/config/rocky/8/insiders-slow.repo
  Rocky 9.2 and higher	Insiders Slow	https://packages.microsoft.com/config/rocky/9/insiders-slow.repo
  Alma 8.4 and higher	Insiders Slow	https://packages.microsoft.com/config/alma/8/insiders-slow.repo
  Alma 9.2 and higher	Insiders Slow	https://packages.microsoft.com/config/alma/9/insiders-slow.repo

If you already have Defender for Endpoint running on any of these distros and facing any issues in the older versions, please upgrade to the latest Defender for Endpoint version from the corresponding ring mentioned above. Refer our public deployment docs for more details.

Note

Known issues:

Microsoft Defender for Endpoint for Linux on Rocky and Alma currently has the following known issues:

• Live Response and Threat Vulnerability Management are currently not supported (work in progress).
• Operating system info for devices is not visible in the Microsoft Defender portal

January-2024 (Build: 101.23112.0009 | Release version: 30.123112.0009.0)

January-2024 Build: 101.23112.0009 | Release version: 30.123112.0009.0

 Released: January 29,2024
 Published: January 29, 2024
 Build: 101.23112.0009
 Release version: 30.123112.0009.0
 Engine version: 1.1.23100.2010
 Signature version: 1.399.1389.0

What's new

• Updated default engine version to 1.1.23110.4, and default signatures version to 1.403.1579.0.
• General stability and performance improvements.
• Bug fix for behavior monitoring configuration.
• Bug fixes.

November-2023 (Build: 101.23102.0003 | Release version: 30.123102.0003.0)

November-2023 Build: 101.23102.0003 | Release version: 30.123102.0003.0

 Released: November 28,2023
 Published: November 28,2023
 Build: 101.23102.0003
 Release version: 30.123102.0003.0
 Engine version: 1.1.23090.2008
 Signature version: 1.399.690.0

What's new

• Updated default engine version to 1.1.23090.2008, and default signatures version to 1.399.690.0.
• Updated libcurl library to version 8.4.0 to fix recently disclosed vulnerabilities with the older version.
• Updated Openssl library to version 3.1.1 to fix recently disclosed vulnerabilities with the older version.
• General stability and performance improvements.
• Bug fixes.

November-2023 (Build: 101.23092.0012 | Release version: 30.123092.0012.0)

November-2023 Build: 101.23092.0012 | Release version: 30.123092.0012.0

 Released: November 14,2023
 Published: November 14,2023
 Build: 101.23092.0012
 Release version: 30.123092.0012.0
 Engine version: 1.1.23080.2007
 Signature version: 1.395.1560.0

What's new

There are multiple fixes and new changes in this release:

• Support added to restore threat based on original path using the following command:

sudo mdatp threat quarantine restore threat-path --path [threat-original-path] --destination-path [destination-folder]

• Starting with this release, Microsoft Defender for Endpoint on Linux will no longer be shipping a solution for RHEL 6.

  RHEL 6 'Extended end of life support' is poised to end by June 30, 2024 and customers are advised to plan their RHEL upgrades accordingly aligned with guidance from Red Hat. Customers who need to run Defender for Endpoint on RHEL 6 servers can continue to leverage version 101.23082.0011 (does not expire before June 30, 2024) supported on kernel versions 2.6.32-754.49.1.el6.x86_64 or prior.

  • Engine Update to 1.1.23080.2007 and Signatures Ver: 1.395.1560.0.
  • Streamlined device connectivity experience is now in public preview mode. public blog
  • Performance improvements & bug fixes.

Known issues

• CPU lock-up seen on kernel version 5.15.0-0.30.20 in ebpf mode, see Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux for details and Mitigation options.

November-2023 (Build: 101.23082.0011 | Release version: 30.123082.0011.0)

November-2023 Build: 101.23082.0011 | Release version: 30.123082.0011.0

 Released: November 1,2023
 Published: November 1,2023
 Build: 101.23082.0011
 Release version: 30.123082.0011.0
 Engine version: 1.1.23070.1002
 Signature version: 1.393.1305.0

What's new This new release is build over October 2023 release (`101.23082.0009``) with addition of following changes. There's no change for other customers and upgrading is optional.

Fix for immutable mode of auditd when supplementary subsystem is ebpf: In ebpf mode all mdatp audit rules should be cleaned after switching to ebpf and rebooting. After reboot, mdatp audit rules were not cleaned due to which it was resulting in hang of the server. The fix cleans these rules, user should not see any mdatp rules loaded on reboot

Fix for MDE not starting up on RHEL 6.

Known issues

When upgrading from mdatp version 101.75.43 or 101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.98.05. More information about the underlying issue can be found at System hang due to blocked tasks in fanotify code.

There are two ways to mitigate this upgrade issue:

1. Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version.

Example:

sudo apt purge mdatp
sudo apt-get install mdatp

2. As an alternative you can follow the instructions to uninstall, then install the latest version of the package.

If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method.

sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp

October-2023 (Build: 101.23082.0009 | Release version: 30.123082.0009.0)

October-2023 Build: 101.23082.0009 | Release version: 30.123082.0009.0

 Released: October 9,2023
 Published: October 9,2023
 Build: 101.23082.0009
 Release version: 30.123082.0009.0
 Engine version: 1.1.23070.1002
 Signature version: 1.393.1305.0

What's new

• This new release is build over October 2023 release (`101.23082.0009``) with addition of new CA Certificates. There's no change for other customers and upgrading is optional.

Known issues

When upgrading from mdatp version 101.75.43 or 101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.98.05. More information about the underlying issue can be found at System hang due to blocked tasks in fanotify code.

There are two ways to mitigate this upgrade issue:

1. Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version.

Example:

sudo apt purge mdatp
sudo apt-get install mdatp

2. As an alternative you can follow the instructions to uninstall, then install the latest version of the package.

If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method.

sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp

October-2023 (Build: 101.23082.0006 | Release version: 30.123082.0006.0)

October-2023 Build: 101.23082.0006 | Release version: 30.123082.0006.0

 Released: October 9,2023
 Published: October 9,2023
 Build: 101.23082.0006
 Release version: 30.123082.0006.0
 Engine version: 1.1.23070.1002
 Signature version: 1.393.1305.0

What's new

• Feature updates and new changes

  • eBPF sensor is now the default supplementary event provider for endpoints
  • Microsoft Intune tenant attach feature is in public preview (as of mid July)
    • You must add "*.dm.microsoft.com" to firewall exclusions for the feature to work correctly
  • Defender for Endpoint is now available for Debian 12 and Amazon Linux 2023
  • Support to enable Signature verification of updates downloaded

    • Note that you must update the manajed.json as shown below

        "features":{
          "OfflineDefinitionUpdateVerifySig":"enabled"
        }
      

    • Prerequisite to enable feature

      • Engine version on the device must be "1.1.23080.007" or above. Check your engine version by using the following command. mdatp health --field engine_version
  • Option to support monitoring of NFS and FUSE mount points. These are ignored by default. The following example shows how to monitor all filesystem while ignoring only NFS:

    "antivirusEngine": {
        "unmonitoredFilesystems": ["nfs"]
    }
  

  Example to monitor all filesystems including NFS and FUSE:

  "antivirusEngine": {
      "unmonitoredFilesystems": []
  }
  

  • Other performance improvements
  • Bug Fixes

Known issues

• When upgrading from mdatp version 101.75.43 or 101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.98.05. More information about the underlying issue can be found at System hang due to blocked tasks in fanotify code. There are two ways to mitigate this upgrade issue:

1. Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version.

Example:

sudo apt purge mdatp
sudo apt-get install mdatp

2. As an alternative you can follow the instructions to uninstall, then install the latest version of the package.

If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method.

sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp

September-2023 (Build: 101.23072.0021 | Release version: 30.123072.0021.0)

September-2023 Build: 101.23072.0021 | Release version: 30.123072.0021.0

 Released: September 11,2023
 Published: September 11,2023
 Build: 101.23072.0021
 Release version: 30.123072.0021.0
 Engine version: 1.1.20100.7
 Signature version: 1.385.1648.0

What's new

• There are multiple fixes and new changes in this release
  • In mde_installer.sh v0.6.3, users can use the --channel argument to provide the channel of the configured repository during cleanup. For example, sudo ./mde_installer --clean --channel prod
  • The Network Extension can now be reset by administrators using mdatp network-protection reset.
  • Other performance improvements
  • Bug Fixes

Known issues

• While upgrading from mdatp version 101.75.43 or 101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.98.05. For more information, see System hang due to blocked tasks in fanotify code.

There are two ways to mitigate this upgrade issue:

1. Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version.

Example:

sudo apt purge mdatp
sudo apt-get install mdatp

2. As an alternative you can follow the instructions to uninstall, then install the latest version of the package.

If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method.

sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp

July-2023 (Build: 101.23062.0010 | Release version: 30.123062.0010.0)

July-2023 Build: 101.23062.0010 | Release version: 30.123062.0010.0

 Released: July 26,2023
 Published: July 26,2023
 Build: 101.23062.0010
 Release version: 30.123062.0010.0
 Engine version: 1.1.20100.7
 Signature version: 1.385.1648.0

What's new

• There are multiple fixes and new changes in this release

  • If a proxy is set for Defender for Endpoint, then it's visible in the mdatp health command output
  • With this release we provided two options in mdatp diagnostic hot-event-sources:
    1. Files
    2. Executables
  • Network Protection: Connections that are blocked by Network Protection and have the block overridden by users are now correctly reported to Microsoft Defender XDR
  • Improved logging in Network Protection block and audit events for debugging

• Other fixes and improvements

  • From this version, enforcementLevel are in passive mode by default giving admins more control over where they want 'RTP on' within their estate
  • This change only applies to fresh MDE deployments, for example, servers where Defender for Endpoint is being deployed for the first time. In update scenarios, servers that have Defender for Endpoint deployed with RTP ON, continue operating with RTP ON even post update to version 101.23062.0010

• Bug Fixes

  • RPM database corruption issue in Defender Vulnerability Management baseline has been fixed

• Other performance improvements

Known issues

• While upgrading from mdatp version 101.75.43 or 101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.98.05. For more information, see System hang due to blocked tasks in fanotify code.

There are two ways to mitigate this upgrade issue:

1. Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version.

Example:

sudo apt purge mdatp
sudo apt-get install mdatp

2. As an alternative you can follow the instructions to uninstall, then install the latest version of the package.

If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method.

sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp

July-2023 (Build: 101.23052.0009 | Release version: 30.123052.0009.0)

July-2023 Build: 101.23052.0009 | Release version: 30.123052.0009.0

 Released: July 10,2023
 Published: July 10,2023
 Build: 101.23052.0009
 Release version: 30.123052.0009.0
 Engine version: 1.1.20100.7
 Signature version: 1.385.1648.0

What's new

• There are multiple fixes and new changes in this release - The build version schema is updated from this release. While the major version number remains same as 101, the minor version number now has five digits followed by four digit patch number that is, 101.xxxxx.yyy - Improved Network Protection memory consumption under stress
  • Updated the engine version to 1.1.20300.5 and signature version to 1.391.2837.0.
  • Bug fixes.

Known issues

• While upgrading from mdatp version 101.75.43 or 101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.98.05. For more information, see System hang due to blocked tasks in fanotify code.

There are two ways to mitigate this upgrade issue:

1. Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version.

Example:

sudo apt purge mdatp
sudo apt-get install mdatp

2. As an alternative you can follow the instructions to uninstall, then install the latest version of the package.

If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method.

sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp

June-2023 (Build: 101.98.89 | Release version: 30.123042.19889.0)

June-2023 Build: 101.98.89 | Release version: 30.123042.19889.0

 Released: June 12,2023
 Published: June 12, 2023
 Build: 101.98.89
 Release version: 30.123042.19889.0
 Engine version: 1.1.20100.7
 Signature version: 1.385.1648.0

What's new

• There are multiple fixes and new changes in this release
  • Improved Network Protection Proxy handling.
  • In Passive mode, Defender for Endpoint no longer scans when Definition update happens.
  • Devices continue to be protected even after Defender for Endpoint agent has expired. We recommend upgrading the Defender for Endpoint Linux agent to the latest available version to receive bug fixes, features and performance improvements.
  • Removed semanage package dependency.
  • Engine Update to 1.1.20100.7 and Signatures Ver: 1.385.1648.0.
  • Bug fixes.

Known issues

• While upgrading from mdatp version 101.75.43 or 101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.98.05. For more information, see System hang due to blocked tasks in fanotify code.

There are two ways to mitigate this upgrade issue:

1. Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version.

Example:

sudo apt purge mdatp
sudo apt-get install mdatp

2. As an alternative you can follow the instructions to uninstall, then install the latest version of the package.

If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Some customers (<1%) experience issues with this method.

sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp

May-2023 (Build: 101.98.64 | Release version: 30.123032.19864.0)

May-2023 Build: 101.98.64 | Release version: 30.123032.19864.0

 Released: May 3,2023
 Published: May 3, 2023
 Build: 101.98.64
 Release version: 30.123032.19864.0
 Engine version: 1.1.20100.6
 Signature version: 1.385.68.0

What's new

• There are multiple fixes and new changes in this release
  • Health message improvements to capture details about auditd failures.
  • Improvements to handle augenrules, which was causing installation failure.
  • Periodic memory cleanup in engine process.
  • Fix for memory issue in mdatp audisp plugin.
  • Handled missing plugin directory path during installation.
  • When conflicting application is using blocking fanotify, with default configuration mdatp health shows unhealthy. This is now fixed.
  • Support for ICMP traffic inspection in BM.
  • Engine Update to 1.1.20100.6 and Signatures Ver: 1.385.68.0.
  • Bug fixes.

Known issues

• While upgrading from mdatp version 101.75.43 or 101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.98.05. For more information, see System hang due to blocked tasks in fanotify code.

There are two ways to mitigate this upgrade issue:

1. Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version.

Example:

sudo apt purge mdatp
sudo apt-get install mdatp

2. As an alternative you can follow the instructions to uninstall, then install the latest version of the package.

If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Caution: Some customers (<1%) experience issues with this method.

sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp

April-2023 (Build: 101.98.58 | Release version: 30.123022.19858.0)

April-2023 Build: 101.98.58 | Release version: 30.123022.19858.0

 Released: April 20,2023
 Published: April 20, 2023
 Build: 101.98.58
 Release version: 30.123022.19858.0
 Engine version: 1.1.20000.2
 Signature version: 1.381.3067.0

What's new

• There are multiple fixes and new changes in this release
  • Logging and error reporting improvements for auditd.
  • Handle failure in reload of auditd configuration.
  • Handling for empty auditd rule files during MDE install.
  • Engine Update to 1.1.20000.2 and Signatures Ver: 1.381.3067.0.
  • Addressed a health issue in mdatp that occurs due to selinux denials.
  • Bug fixes.

Known issues

• While upgrading mdatp to version 101.94.13 or later, you might notice that health is false, with health_issues as "no active supplementary event provider". This can happen due to misconfigured/conflicting auditd rules on existing machines. To mitigate the issue, the auditd rules on the existing machines need to be fixed. The following commands can help you to identify such auditd rules (commands need to be run as super user). Take a backup of following file: /etc/audit/rules.d/audit.rules as these steps are only to identify failures.

echo -c >> /etc/audit/rules.d/audit.rules
augenrules --load

• While upgrading from mdatp version 101.75.43 or 101.78.13, you could encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.98.05. For more information, see System hang due to blocked tasks in fanotify code.

There are two ways to mitigate this upgrade issue:

1. Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version.

Example:

sudo apt purge mdatp
sudo apt-get install mdatp

2. As an alternative you can follow the instructions to uninstall, then install the latest version of the package.

If you don't want to uninstall mdatp, you can disable rtp and mdatp in sequence before upgrading. Caution: Some customers (<1%) experience issues with this method.

sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp

March-2023 (Build: 101.98.30 | Release version: 30.123012.19830.0)

March-2023 Build: 101.98.30 | Release version: 30.123012.19830.0

 Released: March , 20,2023
 Published: March 20, 2023
 Build: 101.98.30
 Release version: 30.123012.19830.0
 Engine version: 1.1.19900.2
 Signature version: 1.379.1299.0
What's new

• This new release is build over March 2023 release (`101.98.05``) with a fix for Live response commands failing for one of our customers. There's no change for other customers and upgrade is optional.

Known issues

• With mdatp version 101.98.30 you might see a health false issue in some of the cases, because SELinux rules aren't defined for certain scenarios. The health warning could look something like this:

found SELinux denials within last one day. If the MDATP is recently installed, clear the existing audit logs or wait for a day for this issue to autoresolve. Use command: "sudo ausearch -i -c 'mdatp_audisp_pl' | grep "type=AVC" | grep " denied" to find details

The issue could be mitigated by running the following commands.

sudo ausearch -c 'mdatp_audisp_pl' --raw | sudo audit2allow -M my-mdatpaudisppl_v1
sudo semodule -i my-mdatpaudisppl_v1.pp

Here, my-mdatpaudisppl_v1 represents the policy module name. After you run the commands, either wait for 24 hours or clear/archive the audit logs. The audit logs could be archived by running the following command

sudo service auditd stop
sudo systemctl stop mdatp
cd /var/log/audit
sudo gzip audit.*
sudo service auditd start
sudo systemctl start mdatp
mdatp health

In case the issue reappears with some different denials. We need to run the mitigation again with a different module name (for example, my-mdatpaudisppl_v2).

March-2023 (Build: 101.98.05 | Release version: 30.123012.19805.0)

March-2023 (Build: 101.98.05 | Release version: 30.123012.19805.0)

 Released: March , 08,2023
 Published: March 08, 2023
 Build: 101.98.05
 Release version: 30.123012.19805.0
 Engine version: 1.1.19900.2
 Signature version: 1.379.1299.0

What's new

There are multiple fixes and new changes in this release.

• Improved Data Completeness for Network Connection events
• Improved Data Collection capabilities for file ownership/permissions changes
• seManage in part of the package, to that seLinux policies can be configured in different distro (fixed).
• Improved enterprise daemon stability
• AuditD stop path clean-up
• Improved the stability of mdatp stop flow.
• Added new field to wdavstate to keep track of platform update time.
• Stability improvements to parsing Defender for Endpoint onboarding blob.
• Scan doesn't proceed if a valid license isn't present (fixed)
• Added performance tracing option to xPlatClientAnalyzer, with tracing enabled mdatp process dumps the flow in all_process.zip file that can be used for analysis of performance issues.
• Added support in Defender for Endpoint for the following RHEL-6 kernel versions:
  • 2.6.32-754.43.1.el6.x86_64
  • 2.6.32-754.49.1.el6.x86_64
• Other fixes

Known issues

• While upgrading mdatp to version 101.94.13, you might notice that health is false, with health_issues as "no active supplementary event provider". This can happen due to misconfigured/conflicting auditd rules on existing machines. To mitigate the issue, the auditd rules on the existing machines need to be fixed. The following steps can help you to identify such auditd rules (these commands need to be run as super user). Make sure to back up following file: `/etc/audit/rules.d/audit.rules`` as these steps are only to identify failures.

echo -c >> /etc/audit/rules.d/audit.rules
augenrules --load

• While upgrading from mdatp version 101.75.43 or 101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.98.05. For more information, see System hang due to blocked tasks in fanotify code

There are two ways to mitigate the problem in upgrading.

Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version. Example:

sudo apt purge mdatp
sudo apt-get install mdatp

As an alternative, you can follow the instructions to uninstall, then install the latest version of the package.

In case you don't want to uninstall mdatp you can disable rtp and mdatp in sequence before upgrade. Caution: Some customers(<1%) are experiencing issues with this method.

sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp

Jan-2023 (Build: 101.94.13 | Release version: 30.122112.19413.0)

Jan-2023 (Build: 101.94.13 | Release version: 30.122112.19413.0)

 Released: January 10, 2023
 Published: January 10, 2023
 Build: 101.94.13
 Release version: 30.122112.19413.0
 Engine version: 1.1.19700.3
 Signature version: 1.377.550.0

What's new

• There are multiple fixes and new changes in this release
  • Skip quarantine of threats in passive mode by default.
  • New config, nonExecMountPolicy, can now be used to specify behavior of RTP on mount point marked as noexec.
  • New config, unmonitoredFilesystems, can be used to unmonitor certain filesystems.
  • Improved performance under high load and in speed test scenarios.
  • Fixes an issue with accessing SMB shares behind Cisco AnyConnect VPN connections.
  • Fixes an issue with Network Protection and SMB.
  • lttng performance tracing support.
  • TVM, eBPF, auditd, telemetry and mdatp cli improvements.
  • mdatp health now reports behavior_monitoring
  • Other fixes.

Known issues

• While upgrading mdatp to version 101.94.13, you might notice that health is false, with health_issues as "no active supplementary event provider". This can happen due to misconfigured/conflicting auditd rules on existing machines. To mitigate the issue, the auditd rules on the existing machines need to be fixed. The following steps can help you to identify such auditd rules (these commands need to be run as super user). Take a backup of following file: /etc/audit/rules.d/audit.rules as these steps are only to identify failures.

echo -c >> /etc/audit/rules.d/audit.rules
augenrules --load

• While upgrading from mdatp version 101.75.43 or 101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.94.13. For more information, see System hang due to blocked tasks in fanotify code

There are two ways to mitigate the problem in upgrading.

Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version.

Example:

sudo apt purge mdatp
sudo apt-get install mdatp

As an alternative to the above, you can follow the instructions to uninstall, then install the latest version of the package.

In case you don't want to uninstall mdatp you can disable rtp and mdatp in sequence before upgrade. Caution: Some customers(<1%) are experiencing issues with this method.

sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp

Nov-2022 (Build: 101.85.27 | Release version: 30.122092.18527.0)

Nov-2022 (Build: 101.85.27 | Release version: 30.122092.18527.0)

 Released: November 02, 2022
 Published: November 02, 2022
 Build: 101.85.27
 Release version: 30.122092.18527.0
 Engine version: 1.1.19500.2
 Signature version: 1.371.1369.0

What's new

• There are multiple fixes and new changes in this release
  • V2 engine is default with this release and V1 engine bits are removed for enhanced security.
  • V2 engine support configuration path for AV definitions. (mdatp definition set path)
  • Removed external packages dependencies from MDE package. Removed dependencies are libatomic1, libselinux, libseccomp, libfuse, and libuuid
  • In case crash collection is disabled by configuration, crash monitoring process isn't launched.
  • Performance fixes to optimally use system events for AV capabilities.
  • Stability improvement when restarting mdatp and load epsext issues.
  • Other fixes

Known issues

• While upgrading from mdatp version 101.75.43 or 101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.85.21. For more information, see System hang due to blocked tasks in fanotify code

There are two ways to mitigate the problem in upgrading.

Use your package manager to uninstall the 101.75.43 or 101.78.13 mdatp version.

Example:

sudo apt purge mdatp
sudo apt-get install mdatp

As an alternative approach, follow the instructions to uninstall, then install the latest version of the package.

In case you don't want to uninstall mdatp you can disable rtp and mdatp in sequence before upgrade. Caution: Some customers(<1%) are experiencing issues with this method.

sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp

Sep-2022 (Build: 101.80.97 | Release version: 30.122072.18097.0)

Sep-2022 (Build: 101.80.97 | Release version: 30.122072.18097.0)

 Released: September 14, 2022
 Published: September 14, 2022
 Build: 101.80.97
 Release version: 30.122072.18097.0
 Engine version: 1.1.19300.3
 Signature version: 1.369.395.0

What's new

• Fixes a kernel hang observed on select customer workloads running mdatp version 101.75.43. After RCA, this was attributed to a race condition while releasing the ownership of a sensor file descriptor. The race condition was exposed due to a recent product change in the shutdown path. Customers on newer Kernel versions (5.1+) aren't impacted by this issue. For more information, see System hang due to blocked tasks in fanotify code.

Known issues

• When upgrading from mdatp version 101.75.43 or 101.78.13, you might encounter a kernel hang. Run the following commands before attempting to upgrade to version 101.80.97. This action should prevent the issue from occurring.

sudo mdatp config real-time-protection --value=disabled
sudo systemctl disable mdatp

After executing the commands, use your package manager to perform the upgrade.

As an alternative approach, follow the instructions to uninstall, then install the latest version of the package.

Aug-2022 (Build: 101.78.13 | Release version: 30.122072.17813.0)

Aug-2022 (Build: 101.78.13 | Release version: 30.122072.17813.0)

 Released: August 24, 2022
 Published: August 24, 2022
 Build: 101.78.13
 Release version: 30.122072.17813.0
 Engine version: 1.1.19300.3
 Signature version: 1.369.395.0

What's new

• Rolled back due to reliability issues

Aug-2022 (Build: 101.75.43 | Release version: 30.122071.17543.0)

Aug-2022 (Build: 101.75.43 | Release version: 30.122071.17543.0)

 Released: August 2, 2022
 Published: August 2, 2022
 Build: 101.75.43
 Release version: 30.122071.17543.0
 Engine version: 1.1.19300.3
 Signature version: 1.369.395.0

What's new

• Added support for Red Hat Enterprise Linux version 9.0
• Added a new field in the output of mdatp health that can be used to query the enforcement level of the network protection feature. The new field is called network_protection_enforcement_level and can take one of the following values: audit, block, or disabled.
• Addressed a product bug where multiple detections of the same content could lead to duplicate entries in the threat history
• Addressed an issue where one of the processes spawned by the product (mdatp_audisp_plugin) was sometimes not properly terminated when the service was stopped
• Other bug fixes
  

Jul-2022 (Build: 101.73.77 | Release version: 30.122062.17377.0)

Jul-2022 (Build: 101.73.77 | Release version: 30.122062.17377.0)

 Released: July 21, 2022
 Published: July 21, 2022
 Build: 101.73.77
 Release version: 30.122062.17377.0
 Engine version: 1.1.19200.3
 Signature version: 1.367.1011.0

What's new

• Added an option to configure file hash computation
• From this build onwards, the product has the new antimalware engine by default
• Performance improvements for file copy operations
• Bug fixes
  

Jun-2022 (Build: 101.71.18 | Release version: 30.122052.17118.0)

 Released: June 24, 2022
 Published: June 24, 2022
 Build: 101.71.18
 Release version: 30.122052.17118.0

What's new

• Fix to support definitions storage in nonstandard locations (outside of /var) for v2 definition updates
• Fixed an issue in the product sensor used on RHEL 6 that could lead to an OS hang
• mdatp connectivity test was extended with an extra URL that the product requires to function correctly. The new URL is https://go.microsoft.com/fwlink/?linkid=2144709.
• Up until now, the product log level wasn't persisted between product restarts. Beginning with this version, there's a new command-line tool switch that persists the log level. The new command is mdatp log level persist --level <level>.
• Removed the dependency on python from the product installation package
• Performance improvements for file copy operations and processing of network events originating from auditd
• Bug fixes
  

May-2022 (Build: 101.68.80 | Release version: 30.122042.16880.0)

May-2022 (Build: 101.68.80 | Release version: 30.122042.16880.0)

 Released: May 23, 2022
 Published: May 23, 2022
 Build: 101.68.80
 Release version: 30.122042.16880.0

What's new

• Added support for kernel version 2.6.32-754.47.1.el6.x86_64 when running on RHEL 6
• On RHEL 6, product can now be installed on devices running Unbreakable Enterprise Kernel (UEK)
• Fixed an issue where the process name was sometimes incorrectly displayed as unknown when running mdatp diagnostic real-time-protection-statistics
• Fixed a bug where the product sometimes was incorrectly detecting files inside the quarantine folder
• Fixed an issue where the mdatp command-line tool wasn't working when /opt was mounted as a soft-link
• Performance improvements & bug fixes
  

May-2022 (Build: 101.65.77 | Release version: 30.122032.16577.0)

May-2022 (Build: 101.65.77 | Release version: 30.122032.16577.0)

 Released: May 2, 2022
 Published: May 2, 2022
 Build: 101.65.77
 Release version: 30.122032.16577.0

What's new

• Improved the conflicting_applications field in mdatp health to show only the most recent 10 processes and also to include the process names. This makes it easier to identify which processes are potentially conflicting with Microsoft Defender for Endpoint for Linux.
• Bug fixes

Mar-2022 (Build: 101.62.74 | Release version: 30.122022.16274.0)

 Released: Mar 24, 2022
 Published: Mar 24, 2022
 Build: 101.62.74
 Release version: 30.122022.16274.0

What's new

• Addressed an issue where the product would incorrectly block access to files greater than 2 GB in size when running on older kernel versions
• Bug fixes

Mar-2022 (Build: 101.60.93 | Release version: 30.122012.16093.0)

Mar-2022 (Build: 101.60.93 | Release version: 30.122012.16093.0)

 Released: Mar 9, 2022
 Published: Mar 9, 2022
 Build: 101.60.93
 Release version: 30.122012.16093.0

What's new

• This version contains a security update for CVE-2022-23278

Mar-2022 (Build: 101.60.05 | Release version: 30.122012.16005.0)

 Released: Mar 3, 2022
 Published: Mar 3, 2022
 Build: 101.60.05
 Release version: 30.122012.16005.0

What's new

• Added support for kernel version 2.6.32-754.43.1.el6.x86_64 for RHEL 6.10
• Bug fixes

Feb-2022 (Build: 101.58.80 | Release version: 30.122012.15880.0)

Feb-2022 (Build: 101.58.80 | Release version: 30.122012.15880.0)

 Released: Feb 20, 2022
 Published: Feb 20, 2022
 Build: 101.58.80
 Release version: 30.122012.15880.0

What's new

• The command-line tool now supports restoring quarantined files to a location other than the one where the file was originally detected. This can be done through mdatp threat quarantine restore --id [threat-id] --path [destination-folder].
• Beginning with this version, network protection for Linux can be evaluated on demand
• Bug fixes

Jan-2022 (Build: 101.56.62 | Release version: 30.121122.15662.0)

Jan-2022 (Build: 101.56.62 | Release version: 30.121122.15662.0)

 Released: Jan 26, 2022
 Published: Jan 26, 2022
 Build: 101.56.62
 Release version: 30.121122.15662.0

What's new

• Fixed a product crash introduced in 101.53.02 and that has impacted multiple customers

Jan-2022 (Build: 101.53.02 | Release version: (30.121112.15302.0)

 Released: Jan 8, 2022
 Published: Jan 8, 2022
 Build: 101.53.02
 Release version: 30.121112.15302.0

What's new

• Performance improvements & bug fixes

2021 releases

(Build: 101.52.57 | Release version: 30.121092.15257.0)

Build: 101.52.57
Release version: 30.121092.15257.0

What's new

• Added a capability to detect vulnerable log4j jars in use by Java applications. The machine is periodically inspected for running Java processes with loaded log4j jars. The information is reported to the Microsoft Defender for Endpoint backend and is exposed in the Vulnerability Management area of the portal.

(Build: 101.47.76 | Release version: 30.121092.14776.0)

Build: 101.47.76
Release version: 30.121092.14776.0

What's new

Added a new switch to the command-line tool to control whether archives are scanned during on-demand scans. This can be configured through mdatp config scan-archives --value [enabled/disabled]. By default, this setting is set to enabled.

• Bug fixes

(Build: 101.45.13 | Release version: 30.121082.14513.0)

Build: 101.45.13
Release version: 30.121082.14513.0

What's new

• Beginning with this version, we're bringing Microsoft Defender for Endpoint support to the following distros:

  • RHEL6.7-6.10 and CentOS6.7-6.10 versions.
  • Amazon Linux 2
  • Fedora 33 or higher

• Bug fixes

(Build: 101.45.00 | Release version: 30.121072.14500.0)

Build: 101.45.00
Release version: 30.121072.14500.0

What's new

• Added new switches to the command-line tool:
  • Control degree of parallelism for on-demand scans. This can be configured through mdatp config maximum-on-demand-scan-threads --value [number-between-1-and-64]. By default, a degree of parallelism of 2 is used.
  • Control whether scans after security intelligence updates are enabled or disabled. This can be configured through mdatp config scan-after-definition-update --value [enabled/disabled]. By default, this setting is set to enabled.
• Changing the product log level now requires elevation
• Bug fixes

(Build: 101.39.98 | Release version: 30.121062.13998.0)

Build: 101.39.98
Release version: 30.121062.13998.0

What's new

Performance improvements & bug fixes

(Build: 101.34.27 | Release version: 30.121052.13427.0)

Build: 101.34.27
Release version: 30.121052.13427.0

What's new

Performance improvements & bug fixes

(Build: 101.29.64 | Release version: 30.121042.12964.0)

Build: 101.29.64
Release version: 30.121042.12964.0

What's new

• Beginning with this version, threats detected during on-demand antivirus scans triggered through the command-line client are automatically remediated. Threats detected during scans triggered through the user interface still require manual action.
• mdatp diagnostic real-time-protection-statistics now supports two more switches:
  • --sort: sorts the output descending by total number of files scanned
  • --top N: displays the top N results (only works if --sort is also specified)
• Performance improvements & bug fixes

(Build: 101.25.72 | Release version: 30.121022.12563.0)

Build: 101.25.72
Release version: 30.121022.12563.0

What's new

Microsoft Defender for Endpoint on Linux is now available in preview for US Government customers. For more information, see Microsoft Defender for Endpoint for US Government customers.

• Fixed an issue where usage of Microsoft Defender for Endpoint on Linux on systems with FUSE filesystems was leading to OS hang
• Performance improvements & other bug fixes

(Build: 101.25.63 | Release version: 30.121022.12563.0)

Build: 101.25.63
Release version: 30.121022.12563.0

What's new

Performance improvements & bug fixes

(Build: 101.23.64 | Release version: 30.121021.12364.0)

Build: 101.23.64
Release version: 30.121021.12364.0

What's new

Performance improvement for the situation where an entire mount point is added to the antivirus exclusion list. Prior to this version, the product processed file activity originating from the mount point. Beginning with this version, file activity for excluded mount points is suppressed, leading to better product performance

• Added a new option to the command-line tool to view information about the last on-demand scan. To view information about the last on-demand scan, run mdatp health --details antivirus
• Other performance improvements & bug fixes

(Build: 101.18.53)

Build: 101.18.53

What's new

EDR for Linux is now generally available

• Added a new command-line switch (--ignore-exclusions) to ignore AV exclusions during custom scans (mdatp scan custom)
• Extended mdatp diagnostic create with a new parameter (--path [directory]) that allows the diagnostic logs to be saved to a different directory
• Performance improvements & bug fixes