Linux 上適用於端點的 Microsoft DefenderMicrosoft Defender for Endpoint on Linux

適用於:Applies to:

想要體驗適用於端點的 Microsoft Defender 嗎?Want to experience Microsoft Defender for Endpoint? 注册免費試用版。Sign up for a free trial.

本主題說明如何在 Linux 上安裝、設定、更新及使用 Microsoft Defender for Endpoint。This topic describes how to install, configure, update, and use Microsoft Defender for Endpoint on Linux.


在 Linux 上執行其他協力廠商端點保護產品及 Microsoft Defender for Endpoint 時,可能會造成效能問題和不可預測的副作用。Running other third-party endpoint protection products alongside Microsoft Defender for Endpoint on Linux is likely to lead to performance problems and unpredictable side effects. 若非 Microsoft endpoint protection 是您環境中的絕對需求,則在將防病毒功能設定為以被動式模式執行之前,您仍然可以在 Linux EDR 功能上安全地利用 Defender for endpoint。If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of Defender for Endpoint on Linux EDR functionality after configuring the antivirus functionality to run in Passive mode.

如何在 Linux 上安裝 Microsoft Defender for EndpointHow to install Microsoft Defender for Endpoint on Linux


  • 存取 Microsoft Defender 資訊安全中心入口網站Access to the Microsoft Defender Security Center portal
  • 使用 systemd 系統管理員的 Linux 發行Linux distribution using the systemd system manager
  • 在 Linux 和 BASH 腳本中的初級層級體驗Beginner-level experience in Linux and BASH scripting
  • 當手動部署時,裝置上的系統管理許可權 () Administrative privileges on the device (in case of manual deployment)


Linux 代理程式上的 Microsoft Defender for Endpoint 獨立于 OMS 代理程式Microsoft Defender for Endpoint on Linux agent is independent from OMS agent. Microsoft Defender for Endpoint 依賴其自身的獨立遙測管線。Microsoft Defender for Endpoint relies on its own independent telemetry pipeline.

Linux 上的 Microsoft Defender for Endpoint 尚未整合到 Azure Security Center 中。Microsoft Defender for Endpoint on Linux is not yet integrated into Azure Security Center.

安裝指示Installation instructions

您可以使用數種方法和部署工具,在 Linux 上安裝及設定 Microsoft Defender for Endpoint。There are several methods and deployment tools that you can use to install and configure Microsoft Defender for Endpoint on Linux.

一般說來,您必須採取下列步驟:In general you need to take the following steps:

如果您遇到任何安裝失敗問題,請參閱在 Linux 上的 Microsoft Defender For Endpoint 中的安裝失敗疑難排解If you experience any installation failures, refer to Troubleshooting installation failures in Microsoft Defender for Endpoint on Linux.

系統需求System requirements

  • 支援的 Linux 伺服器發行和 x64 (AMD64/EM64T) 版本:Supported Linux server distributions and x64 (AMD64/EM64T) versions:

    • 紅色帽子 Enterprise Linux 7.2 或更高版本Red Hat Enterprise Linux 7.2 or higher

    • CentOS 7.2 或更高版本CentOS 7.2 or higher

    • Ubuntu 16.04 LTS 或更高版本 LTSUbuntu 16.04 LTS or higher LTS

    • Debian 9 或更高版本Debian 9 or higher

    • SUSE Linux Enterprise Server 12 或更高版本SUSE Linux Enterprise Server 12 or higher

    • Oracle Linux 7.2 或更高版本Oracle Linux 7.2 or higher


      未明確列出的發行及版本不受支援 (,即使它們派生自正式支援的發行) 也是一樣。Distributions and version that are not explicitly listed are unsupported (even if they are derived from the officially supported distributions).

  • 最小內核版本 3.10.0-327Minimum kernel version 3.10.0-327

  • fanotify必須啟用內核選項The fanotify kernel option must be enabled


    不支援以其他方式的安全性解決方案,並排在 Linux 上執行 Defender for Endpoint fanotifyRunning Defender for Endpoint on Linux side by side with other fanotify-based security solutions is not supported. 這可能會造成無法預期的結果,包括懸掛作業系統。It can lead to unpredictable results, including hanging the operating system.

  • 磁碟空間: 1 GBDisk space: 1 GB

  • /opt/microsoft/mdatp/sbin/wdavdaemon 需要可執行檔許可權。/opt/microsoft/mdatp/sbin/wdavdaemon requires executable permission. 如需詳細資訊,請參閱 疑難排解 Microsoft Defender for The Linux 上的 Microsoft Defender For Endpoint 的安裝問題For more information, see "Ensure that the daemon has executable permission" in Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux.

  • 核心:最少2個,最可取的Cores: 2 minimum, 4 preferred

  • 記憶體:最低 1 GB,優先順序為4Memory: 1 GB minimum, 4 preferred


    請確認您在/var. 中有可用的磁碟空間。Please make sure that you have free disk space in /var.

  • 目前的解決方案為下列檔案系統類型提供即時保護:The solution currently provides real-time protection for the following file system types:

    • btrfs
    • ecryptfs
    • ext2
    • ext3
    • ext4
    • fuse
    • fuseblk
    • jfs
    • nfs
    • overlay
    • ramfs
    • reiserfs
    • tmpfs
    • udf
    • vfat
    • xfs

在您啟用服務之後,您可能需要設定網路或防火牆,以允許它和您的端點之間的輸出連線。After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.

  • 必須啟用審核架構 (auditd) 。Audit framework (auditd) must be enabled.


    新增至的規則所捕獲的系統事件 /etc/audit/rules.d/ 會新增至 audit.log (s) ,而且可能會影響主機審核和上游集合。System events captured by rules added to /etc/audit/rules.d/ will add to audit.log(s) and might affect host auditing and upstream collection. 在 Linux 上由 Microsoft Defender for Endpoint 新增的事件將會以 mdatp 金鑰標示。Events added by Microsoft Defender for Endpoint on Linux will be tagged with mdatp key.

網路連線Network connections

下列可供下載的試算表會列出您網路必須能夠連線的服務及其相關 URLs。The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. 您應確定沒有防火牆或網路篩選規則可拒絕這些 URLs 的存取權。You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. 如果有,您可能需要專門為其建立一個 allow 規則。If there are, you may need to create an allow rule specifically for them.

網域清單的試算表Spreadsheet of domains list 說明Description
Microsoft Defender for Endpoint URLs 試算表的縮圖影像
服務位置、地理位置和作業系統的特定 DNS 記錄試算表。Spreadsheet of specific DNS records for service locations, geographic locations, and OS.

在這裡下載試算表。Download the spreadsheet here.


如需詳細的 URL 清單,請參閱 設定 proxy 和網際網路連線設定For a more specific URL list, see Configure proxy and internet connectivity settings.

「!的 Defender」可以使用下列探索方法探索 proxy 伺服器:Defender for Endpoint can discover a proxy server by using the following discovery methods:

  • 透明ProxyTransparent proxy
  • 手動靜態 proxy 設定Manual static proxy configuration

如果 proxy 或防火牆封鎖匿名流量,請確定先前所列的 URLs 允許匿名流量。If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. 針對透明 proxy,不需要其他設定供 Defender 用於端點。For transparent proxies, no additional configuration is needed for Defender for Endpoint. 針對靜態 proxy,依照 手動靜態 proxy設定中的步驟進行。For static proxy, follow the steps in Manual Static Proxy Configuration.


不支援 PAC、WPAD 及已驗證的 proxy。PAC, WPAD, and authenticated proxies are not supported. 確定只使用靜態 proxy 或透明 proxy。Ensure that only a static proxy or transparent proxy is being used.

出於安全性原因,也不支援 SSL 檢查和截取 proxy。SSL inspection and intercepting proxies are also not supported for security reasons. 設定 SSL 檢查和 proxy 伺服器的例外狀況,以直接將來自 Linux 之 Defender 的資料傳遞至相關的 URLs,而不需截獲。Configure an exception for SSL inspection and your proxy server to directly pass through data from Defender for Endpoint on Linux to the relevant URLs without interception. 將您的截取憑證新增至全域存放區將不允許截取。Adding your interception certificate to the global store will not allow for interception.

如需疑難排解步驟,請參閱 疑難排解 Microsoft Defender for a For Endpoint On Linux 上的 cloud connectivity connectivity 問題For troubleshooting steps, see Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on Linux.

如何在 Linux 上更新 Microsoft Defender for EndpointHow to update Microsoft Defender for Endpoint on Linux

Microsoft 會定期發行軟體更新,以提升效能、安全性,並提供新功能。Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. 若要在 Linux 上更新 Microsoft Defender for Endpoint,請參閱 在 linux 上為 Microsoft defender For Endpoint 部署更新To update Microsoft Defender for Endpoint on Linux, refer to Deploy updates for Microsoft Defender for Endpoint on Linux.

設定 Linux 上適用於端點的 Microsoft Defender 的方式How to configure Microsoft Defender for Endpoint on Linux

有關如何在企業環境中設定產品的指引,可在 [Linux 上的 Microsoft Defender For Endpoint 的 設定偏好設定] 中取得。Guidance for how to configure the product in enterprise environments is available in Set preferences for Microsoft Defender for Endpoint on Linux.


  • 如需有關記錄、卸載或其他主題的詳細資訊,請參閱 ResourcesFor more information about logging, uninstalling, or other topics, see Resources.