Protecting Linux and macOS Endpoints with Microsoft Defender for Endpoint
10/14/2024
This technical and educational article guides security analysts, IT administrators and systems engineers through deploying and configuring Microsoft Defender for Endpoint (MDE) on Linux and macOS. In an increasingly diverse corporate landscape, endpoint protection goes beyond the Windows environment. MDE extends its endpoint detection and response (EDR) capabilities to non-Windows platforms, providing a unified view of security posture and a robust defense against cyberattacks across the organization's whole device estate [1].
Introduction
The proliferation of Linux and macOS devices in corporate environments, driven by developers, designers and other professionals, has brought new challenges to security teams. These systems, although often perceived as less vulnerable, are increasingly targets of sophisticated attacks. The need for an endpoint security solution that spans all major platforms is critical to maintaining a consistent and effective security posture. Microsoft Defender for Endpoint bridges this gap by providing advanced protection, detection, and response capabilities for Linux and macOS, integrating seamlessly with the Microsoft Defender XDR portal for centralized management [2].
This practical guide covers prerequisites, onboarding Linux and macOS devices into MDE, configuring security policies, managing exclusions, running detection tests, and validating protection. Step-by-step instructions and example terminal commands are provided so that the reader can deploy and manage Microsoft Defender for Endpoint in heterogeneous environments, strengthening endpoint security and supporting compliance with corporate security policies.
Why is Microsoft Defender for Endpoint crucial for Linux and macOS?
- Comprehensive Protection: Provides next-generation antivirus, endpoint detection and response (EDR), vulnerability management, and access control capabilities for Linux and macOS.
- Unified Visibility: Centralizes security monitoring and management of all endpoints (Windows, Linux, macOS, Android, iOS) in the Microsoft Defender XDR portal.
- Advanced Threat Detection: Utilizes Microsoft threat intelligence and machine learning to identify and mitigate sophisticated, platform-specific threats.
- Rapid Incident Response: Enables security teams to investigate and respond to security incidents quickly and effectively across all platforms.
- Compliance and Governance: Helps ensure that all endpoints, regardless of operating system, are compliant with security policies and regulations.
- Microsoft Ecosystem Integration: Integrates with other Microsoft solutions, such as Microsoft Sentinel and Microsoft Intune, for a holistic security approach.
Prerequisites
To deploy Microsoft Defender for Endpoint on Linux and macOS, you will need the following items:
- Licensing: Microsoft Defender for Endpoint licenses (e.g. Microsoft 365 E5, Microsoft 365 E3 with security add-on, or MDE standalone license) [3].
- Administrative Access: An account with the Security Administrator or Global Administrator role in the Microsoft Defender XDR portal (https://security.microsoft.com).
- Root/Sudo Access: Root or sudo privileges on the target Linux and macOS devices for installation and configuration.
- Network Connectivity: Devices must be able to reach the MDE service endpoints, directly or through a proxy, for telemetry, cloud-delivered protection and definition updates. Microsoft publishes the list of required URLs; allow them explicitly on egress firewalls and proxies.
- Supported Operating Systems: Check Microsoft documentation for specific versions of supported Linux and macOS distributions [4].
Step by Step: Onboarding and Configuring MDE on Linux and macOS
Let's cover the onboarding process and basic settings for both platforms.
1. Device Onboarding in Microsoft Defender for Endpoint
The onboarding process consists of downloading an onboarding package from the Microsoft Defender XDR portal and running it on each device.
- Access the Microsoft Defender XDR portal:
  - Open your browser and navigate to https://security.microsoft.com.
  - Sign in with an account that has the necessary permissions.
- Get the onboarding package:
  - In the left navigation pane, select Settings > Endpoints.
  - Under Device management, select Onboarding.
  - In section 1, Select operating system to start onboarding process, choose Linux Server or macOS.
  - In section 2, Deployment method, choose Local Script for a manual installation, or a configuration management tool (e.g. Puppet, Ansible or Chef for Linux; Microsoft Intune or Jamf Pro for macOS) for large-scale deployments.
  - Click Download onboarding package.
1.1. Onboarding on Linux (Manual)
- Install prerequisites: Make sure the required packages are installed. For most distributions this means curl, wget and gnupg, plus apt-transport-https on Debian/Ubuntu or yum-utils on RHEL/CentOS.
```bash
# Example for Ubuntu/Debian
sudo apt-get update
sudo apt-get install -y curl wget apt-transport-https gnupg

# Example for RHEL/CentOS
sudo yum install -y curl wget yum-utils gnupg
```
- Add the Microsoft repository: This lets you install and update MDE with the distribution's package manager. Use the repository path that matches the exact release you are running; Ubuntu 22.04 and RHEL 8 are used as examples below.
```bash
# Example for Ubuntu 22.04 (jammy): import the signing key, then add the prod channel
wget -qO- https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > packages.microsoft.gpg
sudo install -o root -g root -m 644 packages.microsoft.gpg /etc/apt/trusted.gpg.d/
sudo sh -c 'echo "deb [arch=amd64,armhf,arm64] https://packages.microsoft.com/ubuntu/22.04/prod jammy main" > /etc/apt/sources.list.d/microsoft-prod.list'
rm packages.microsoft.gpg
sudo apt-get update

# Example for RHEL 8 / CentOS 8: import the signing key, then add the prod channel
sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/rhel/8/prod.repo
```
- Install MDE: Install the mdatp package.
```bash
# Example for Ubuntu/Debian
sudo apt-get install -y mdatp

# Example for RHEL/CentOS
sudo yum install -y mdatp
```
- Onboard the device: Copy the downloaded WindowsDefenderATPOnboardingPackage.zip to the Linux server, unzip it and run the onboarding script it contains. For the Local Script method this is the Python script MicrosoftDefenderATPOnboardingLinuxServer.py, which writes the tenant-specific onboarding configuration for the daemon.
```bash
# Copy the .zip file to the Linux server
# scp WindowsDefenderATPOnboardingPackage.zip user@your_linux_server:~/
unzip WindowsDefenderATPOnboardingPackage.zip -d mde_onboarding
sudo python3 mde_onboarding/MicrosoftDefenderATPOnboardingLinuxServer.py
```
- Check status: Confirm that MDE is running and onboarded. healthy should be true and org_id should show your tenant's organization ID; an empty org_id means the onboarding script did not run successfully.
```bash
mdatp health
mdatp health --field org_id
```
1.2. Onboarding on macOS (Manual)
- Download the installer and the onboarding package: For macOS the portal provides two downloads: the installation package (wdav.pkg) and WindowsDefenderATPOnboardingPackage.zip, which contains the onboarding script. Copy both to the macOS device and unzip the archive.
- Install the package: Run the .pkg installer.
```bash
sudo installer -pkg wdav.pkg -target /
```
  Follow the on-screen prompts. On a manual (non-MDM) install you must then approve the Microsoft Defender system extension and grant it Full Disk Access in System Settings > Privacy & Security (System Preferences > Security & Privacy on macOS 12 and earlier). Until you do, mdatp health reports health issues and real-time protection is not fully active.
- Onboard the device: Run the onboarding script from the unzipped package. The exact script name may differ between package versions, so check the contents of the .zip file first.
```bash
# Copy the .zip file to the Mac and unzip it
unzip WindowsDefenderATPOnboardingPackage.zip -d mde_onboarding
sudo bash mde_onboarding/MicrosoftDefenderATPOnboardingMacOs.sh
```
- Check status: Confirm that MDE is running and onboarded.
```bash
mdatp health
mdatp health --field org_id
```
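Checking `mdatp health` by eye on a handful of machines is fine; across a fleet you want the same decision made by a script (from Ansible, a Jamf policy, or a cron job). The following is an added example for this article, not Microsoft's code: it reads `mdatp health` output and reports whether the device is actually onboarded and protected. The field names are the ones `mdatp health` prints on both Linux and macOS; the two sample outputs are constructed, with placeholder version numbers and an all-zero organization ID.

```shell
#!/usr/bin/env bash
# mde_health_check.sh - decide from "mdatp health" output whether a Linux or
# macOS device is really onboarded and protected. Added example for this
# article, not Microsoft's code. Field names are the ones mdatp health prints;
# the two sample outputs below are constructed (placeholder versions and org ID).

# Print the value of one field ($2) from mdatp health output ($1).
mde_health_field() {
    printf '%s\n' "$1" | sed -n "s/^$2[[:space:]]*:[[:space:]]*//p" | tr -d '"' | head -n 1
}

# Check the fields that matter after onboarding. Prints one FAIL line per
# failed check and returns the number of failures (0 = onboarded and healthy).
mde_health_assess() {
    local out="$1" fails=0 v
    v=$(mde_health_field "$out" healthy)
    [ "$v" = "true" ] || { echo "FAIL healthy=$v (see health_issues)"; fails=$((fails+1)); }
    v=$(mde_health_field "$out" licensed)
    [ "$v" = "true" ] || { echo "FAIL licensed=$v (onboarding package not applied, or no licence)"; fails=$((fails+1)); }
    v=$(mde_health_field "$out" org_id)
    [ -n "$v" ] || { echo "FAIL org_id empty: device is not onboarded"; fails=$((fails+1)); }
    v=$(mde_health_field "$out" real_time_protection_enabled)
    [ "$v" = "true" ] || { echo "FAIL real_time_protection_enabled=$v"; fails=$((fails+1)); }
    v=$(mde_health_field "$out" definitions_status)
    [ "$v" = "up_to_date" ] || { echo "FAIL definitions_status=$v (check connectivity / proxy)"; fails=$((fails+1)); }
    v=$(mde_health_field "$out" tamper_protection)
    [ "$v" = "block" ] || echo "WARN tamper_protection=$v (block recommended)"
    return "$fails"
}

# Constructed sample: a healthy, onboarded device.
MDE_SAMPLE_OK='healthy                                     : true
health_issues                               : []
licensed                                    : true
engine_version                              : "0.0.0.0"
app_version                                 : "000.00000.0000"
org_id                                      : "00000000-0000-0000-0000-000000000000"
real_time_protection_enabled                : true
cloud_enabled                               : true
definitions_status                          : "up_to_date"
tamper_protection                           : "block"'

# Constructed sample: installed but never onboarded.
MDE_SAMPLE_BAD='healthy                                     : false
health_issues                               : ["no license found"]
licensed                                    : false
org_id                                      : ""
real_time_protection_enabled                : false
definitions_status                          : "unknown"
tamper_protection                           : "disabled"'

case "${1:-}" in
    live) mde_health_assess "$(mdatp health)" ;;                       # query the running daemon
    "")   echo "usage: $0 live | $0 <file-with-saved-mdatp-health-output>" ;;
    *)    mde_health_assess "$(cat "$1")" ;;                           # assess a saved capture
esac
```

Run it as `./mde_health_check.sh live` on the device; the exit code is the number of failed checks, so it drops straight into a configuration-management handler or a monitoring check. The tamper-protection line is only a warning because a freshly onboarded device legitimately reports it as disabled until the policy in section 2 is applied.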
2. Configuring Security Policies (Linux and macOS)
Security policies for MDE on Linux are managed through a JSON file, /etc/opt/microsoft/mdatp/managed/mdatp_managed.json, which you can place by hand or distribute with Puppet, Ansible, Chef, etc. On macOS the same settings are delivered as a configuration profile (com.microsoft.wdav) through Intune, Jamf Pro or another MDM. Settings in the managed file or profile take precedence over anything set locally with mdatp config, which is what makes them suitable for policy enforcement.
Let's use an example managed configuration for antivirus control.
- Create the managed configuration file: Create /etc/opt/microsoft/mdatp/managed/mdatp_managed.json with the desired settings.
```json
{
  "antivirusEngine": {
    "enforcementLevel": "real_time",
    "scanAfterDefinitionUpdate": true,
    "scanArchives": true,
    "exclusionsMergePolicy": "merge",
    "exclusions": [
      { "$type": "excludedPath", "isDirectory": true, "path": "/var/log" },
      { "$type": "excludedPath", "isDirectory": false, "path": "/opt/app/data.db" }
    ],
    "threatTypeSettings": [
      { "key": "potentially_unwanted_application", "value": "block" }
    ]
  },
  "cloudService": {
    "enabled": true,
    "diagnosticLevel": "optional",
    "automaticSampleSubmissionConsent": "safe",
    "automaticDefinitionUpdateEnabled": true
  }
}
```
  This example enforces real-time protection, keeps cloud-delivered protection and automatic definition updates on, blocks potentially unwanted applications, and excludes a log directory and a database file. MDE on Linux has no built-in scan scheduler: run periodic scans from root's crontab instead, for example `0 2 * * * mdatp scan quick` for a daily quick scan at 02:00 (mdatp scan full is available for a full scan).
- Apply the configuration: The daemon picks up the managed file automatically; there is no separate apply command. Individual settings can also be changed locally on an unmanaged device, for example:
```bash
sudo mdatp config real-time-protection --value enabled
sudo mdatp config cloud --value enabled
```
- Check the applied configuration: The effective settings are shown by mdatp health.
```bash
mdatp health --field real_time_protection_enabled
mdatp health
```
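Hand-editing the managed file on every host invites drift and syntax errors that silently leave the daemon on its defaults. The following is an added example for this article, not Microsoft's code: a small generator that writes the managed configuration from a list of exclusions and validates the result before it is deployed. The JSON keys follow the documented managed-preferences schema shown above; the excluded paths, the environment variables and the output location are this example's assumptions. On macOS the same keys belong in the MDM configuration profile, not in this file.

```shell
#!/usr/bin/env bash
# mde_managed_config.sh - generate and sanity-check mdatp_managed.json for MDE
# on Linux. Added example for this article, not Microsoft's code. The JSON keys
# follow the documented managed-preferences schema; the exclusion variables and
# the output location are assumptions for the example.
set -u

# Write the managed configuration into directory $1 and print the file path.
# Exclusions come from MDE_EXCLUDED_DIRS / MDE_EXCLUDED_FILES (space-separated).
mde_write_managed_config() {
    local outdir="$1" dirs="${MDE_EXCLUDED_DIRS:-}" files="${MDE_EXCLUDED_FILES:-}"
    local entries="" d nl='
'
    for d in $dirs; do
        entries="$entries      { \"\$type\": \"excludedPath\", \"isDirectory\": true, \"path\": \"$d\" },$nl"
    done
    for d in $files; do
        entries="$entries      { \"\$type\": \"excludedPath\", \"isDirectory\": false, \"path\": \"$d\" },$nl"
    done
    entries="${entries%,$nl}"   # JSON forbids a trailing comma
    local f="$outdir/mdatp_managed.json"
    cat > "$f" <<EOF
{
  "antivirusEngine": {
    "enforcementLevel": "real_time",
    "scanAfterDefinitionUpdate": true,
    "scanArchives": true,
    "exclusionsMergePolicy": "merge",
    "exclusions": [
$entries
    ],
    "threatTypeSettings": [
      { "key": "potentially_unwanted_application", "value": "block" }
    ]
  },
  "cloudService": {
    "enabled": true,
    "diagnosticLevel": "optional",
    "automaticSampleSubmissionConsent": "safe",
    "automaticDefinitionUpdateEnabled": true
  }
}
EOF
    chmod 644 "$f"
    printf '%s\n' "$f"
}

# Validate before deploying: parse as JSON with python3 when it is available
# (it is on most distributions) and confirm real-time enforcement is present.
mde_validate_managed_config() {
    local f="$1"
    if command -v python3 >/dev/null 2>&1; then
        python3 -c 'import json, sys; json.load(open(sys.argv[1]))' "$f" || return 1
    fi
    grep -q '"enforcementLevel": "real_time"' "$f"
}

# Install into the live location (needs root) and show what the daemon applied.
mde_deploy_managed_config() {
    local src="$1" dst=/etc/opt/microsoft/mdatp/managed/mdatp_managed.json
    install -d -m 755 "$(dirname "$dst")"
    install -m 644 "$src" "$dst"
    mdatp health --field real_time_protection_enabled
}

case "${1:-}" in
    "")  echo "usage: $0 <output-dir> | $0 deploy" ;;
    deploy) f=$(mde_write_managed_config "$(mktemp -d)") && mde_validate_managed_config "$f" && mde_deploy_managed_config "$f" ;;
    *)   f=$(mde_write_managed_config "$1") && mde_validate_managed_config "$f" && echo "wrote and validated $f" ;;
esac
```

Typical use is `MDE_EXCLUDED_DIRS="/var/log" MDE_EXCLUDED_FILES="/opt/app/data.db" ./mde_managed_config.sh ./out` on a build host, committing the generated file next to its justification, and letting the configuration-management tool copy it to /etc/opt/microsoft/mdatp/managed/ on each server.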
Tips for Centralized Management (Intune/Jamf)
- Microsoft Intune (macOS): For macOS, Intune (or Jamf Pro) is the preferred way to deploy and manage MDE. Configuration profiles deploy the package, pre-approve the system extension and Full Disk Access so that no user interaction is needed, and carry the security settings (real-time protection, exclusions, tamper protection, etc.).
- Configuration Management Tools (Linux): For Linux, tools such as Puppet, Ansible or Chef are commonly used to automate large-scale deployment and to distribute the managed configuration file to every server.
3. Managing Exclusions
Exclusions are important to avoid conflicts with legitimate applications and to reduce overhead on systems with high I/O load. They must be used sparingly: every excluded path, extension or process is a place where an attacker can write a payload without it ever being scanned.
- Add exclusions from the command line (Linux/macOS):
```bash
# Exclude a single file
sudo mdatp exclusion file add --path /path/to/file.log

# Exclude a directory (and everything below it)
sudo mdatp exclusion folder add --path /path/to/directory

# Exclude a file extension
sudo mdatp exclusion extension add --name .tmp

# Exclude everything written by a given process
sudo mdatp exclusion process add --name my_backup_agent
```
- List exclusions: Check the configured exclusions.
```bash
mdatp exclusion list
```
- Remove exclusions: Remove an exclusion as soon as it is no longer needed.
```bash
sudo mdatp exclusion file remove --path /path/to/file.log
sudo mdatp exclusion folder remove --path /path/to/directory
```
Exclusions added this way are local to the device. When a managed configuration is in place, its exclusionsMergePolicy setting decides whether local exclusions are merged with the managed list (merge) or ignored in favour of it (admin_only).
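Deciding which exclusions are dangerous is the part that usually goes unreviewed. The following is an added example for this article, not part of MDE: an audit that reads a list of exclusions and flags the ones that create a blind spot for malware, so it can gate a change request or run periodically against the fleet. The input format (one `<kind> <value>` line per exclusion, using the same folder/file/extension/process vocabulary as `mdatp exclusion <kind> add`), the risk lists and the sample list are all this example's own assumptions; entries from `mdatp exclusion list` or from the managed JSON have to be transcribed into that format.

```shell
#!/usr/bin/env bash
# mde_exclusion_audit.sh - flag exclusions that leave a blind spot for malware.
# Added example for this article; it is not part of MDE. Input is one exclusion
# per line as "<kind> <value>", where kind is folder, file, extension or process
# (the same vocabulary as "mdatp exclusion <kind> add"). The input format and
# the risk lists below are this example's assumptions; the sample list is constructed.
set -u

# Directories an attacker can normally write to, or that hold system binaries.
# A folder exclusion on one of these (or on a parent) hides droppers from scanning.
RISKY_DIRS="/tmp /var/tmp /dev/shm /home /root /usr /usr/bin /usr/local/bin /bin /sbin /etc /var /opt"
# Extensions that are executable code or scripts on Linux/macOS.
RISKY_EXTS=".sh .bash .py .pl .rb .php .elf .bin .so .dylib .jar .app .pkg .command"
# Interpreters and download tools: a process exclusion unscans everything they write.
RISKY_PROCS="bash sh zsh dash python python3 perl ruby curl wget osascript"

# Read exclusions from stdin, print "RISK <kind> <value>: <reason>" for each
# risky one, and return the number of risky entries (0 = nothing to review).
mde_audit_exclusions() {
    local kind value risks=0 r norm
    while read -r kind value; do
        [ -n "$kind" ] || continue
        case "$kind" in
            folder)
                norm="${value%/}"
                if [ -z "$norm" ]; then
                    echo "RISK folder $value: excludes the entire filesystem"
                    risks=$((risks+1))
                else
                    for r in $RISKY_DIRS; do
                        case "$r" in
                            "$norm"|"$norm"/*)
                                echo "RISK folder $value: covers $r (broad or attacker-writable)"
                                risks=$((risks+1)); break ;;
                        esac
                    done
                fi
                case "$value" in
                    *\**) echo "RISK folder $value: wildcard in folder exclusion"; risks=$((risks+1)) ;;
                esac ;;
            extension)
                for r in $RISKY_EXTS; do
                    if [ "$value" = "$r" ]; then
                        echo "RISK extension $value: executable or script content"
                        risks=$((risks+1)); break
                    fi
                done ;;
            process)
                for r in $RISKY_PROCS; do
                    if [ "${value##*/}" = "$r" ]; then
                        echo "RISK process $value: interpreter or downloader, its output is never scanned"
                        risks=$((risks+1)); break
                    fi
                done ;;
            file) ;;   # narrowest form; still record the justification for each one
            *) echo "RISK $kind $value: unknown exclusion kind"; risks=$((risks+1)) ;;
        esac
    done
    return "$risks"
}

# Constructed sample list for demonstration (replace with your own, one line
# per entry transcribed from "mdatp exclusion list" or the managed JSON).
SAMPLE_EXCLUSIONS='folder /var/log
folder /tmp
file /opt/app/data.db
extension .tmp
extension .sh
process bash
process my_backup_agent'

case "${1:-}" in
    sample) printf '%s\n' "$SAMPLE_EXCLUSIONS" | mde_audit_exclusions ;;
    -)      mde_audit_exclusions ;;                 # read the list from stdin
    *)      echo "usage: $0 sample | $0 - < exclusions.txt" ;;
esac
```

On the sample list the audit accepts the log directory, the database file, the .tmp extension and the backup agent, and flags /tmp, .sh and bash: those three are exactly the exclusions an attacker would ask for. The exit code is the number of flagged entries, so `./mde_exclusion_audit.sh - < exclusions.txt || echo "needs review"` works as a gate in a pipeline.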
Validation and Testing
Validating MDE protection on Linux and macOS is essential to ensure the solution is working as expected.
1. Check Status in the Microsoft Defender XDR Portal
- In the Microsoft Defender XDR portal (https://security.microsoft.com), navigate to Assets > Devices.
- Verify that the onboarded Linux and macOS devices appear in the list with a Health status of Active.
- Click a device to view its details, including Protection status and Security recommendations.
2. Antivirus Detection Test (EICAR)
Use the EICAR (European Institute for Computer Antivirus Research) test file to check that the antivirus engine is working [5]. The file is harmless: antivirus vendors detect this specific 68-byte string by agreement, so it exercises the full detect-and-quarantine path without real malware.
- Create the EICAR file: The command is the same on Linux and macOS. Write exactly the following content; the single quotes stop the shell from expanding the $ characters.
```bash
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > eicar.com
```
- Observe the detection: With real-time protection enabled, MDE quarantines the file as soon as it is written, so `ls eicar.com` should fail and `mdatp threat list` should show the detection locally. If the file is still there, check `mdatp health --field real_time_protection_enabled` before anything else.
- Check for alerts in the portal: In the Microsoft Defender XDR portal, navigate to Incidents & alerts > Alerts. You should see an alert for the EICAR detection on the Linux/macOS device.
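The EICAR drop is only conclusive if you also wait for the quarantine and record the outcome, which matters when the check runs unattended after every deployment. The following is an added example for this article, not Microsoft's code: it writes the test file, polls for its removal with a timeout, and calls `mdatp threat list` only on success. The 30-second timeout and the split of the EICAR string into two halves are this example's choices; the string itself is the standard one above.

```shell
#!/usr/bin/env bash
# mde_eicar_check.sh - drop the EICAR test file and confirm that MDE removes it.
# Added example for this article, not Microsoft's code.
# Exit codes: 0 = quarantined within the timeout, 1 = still present.
set -u

# The standard 68-byte EICAR string, assembled from two halves so that this
# script is not itself flagged while it is copied between machines.
eicar_string() {
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-' 'ANTIVIRUS-TEST-FILE!$H+H*'
}

# Write the test file into directory $1 and print its path.
eicar_write() {
    local path="$1/eicar.com"
    eicar_string > "$path"
    printf '%s\n' "$path"
}

# Poll up to $2 seconds (default 30) for $1 to disappear; real-time protection
# quarantines the file on write. Returns 0 once it is gone, 1 on timeout.
wait_for_removal() {
    local path="$1" timeout="${2:-30}" waited=0
    while [ -e "$path" ]; do
        if [ "$waited" -ge "$timeout" ]; then
            return 1
        fi
        sleep 1
        waited=$((waited+1))
    done
    return 0
}

# End-to-end check on a device with MDE installed.
eicar_check() {
    local dir="${1:-$(mktemp -d)}" path
    path=$(eicar_write "$dir")
    if wait_for_removal "$path" 30; then
        echo "PASS: $path was quarantined by real-time protection"
        mdatp threat list               # the EICAR detection should be listed here
        return 0
    fi
    echo "FAIL: $path still present after 30s; check: mdatp health --field real_time_protection_enabled"
    rm -f "$path"                       # do not leave the test file behind
    return 1
}

case "${1:-}" in
    run) eicar_check "${2:-}" ;;        # optional second argument: directory to drop the file in
    *)   echo "usage: $0 run [directory]" ;;
esac
```

Run `./mde_eicar_check.sh run /var/tmp` after onboarding; a PASS confirms the on-write scanning path, and the alert for it should appear in the portal a few minutes later. Dropping the file into a directory you have excluded is a useful negative test: it must then stay put, which is exactly why exclusions deserve review.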
3. EDR Detection Test (Attack Simulation)
Microsoft provides test scripts that simulate attacker behaviour and verify the EDR functionality of MDE without using real malware. Download the script first, read it, and only then execute it: running unreviewed code fetched from the internet is itself the kind of activity the test is meant to surface.
- For Linux: Download and run the MDE detection test script for Linux.
```bash
curl -o ~/mde_linux_test.sh https://aka.ms/LinuxMDEtest
less ~/mde_linux_test.sh
chmod +x ~/mde_linux_test.sh
~/mde_linux_test.sh
```
- For macOS: Download and run the MDE detection test script for macOS.
```bash
curl -o ~/mde_macos_test.sh https://aka.ms/macMDEtest
less ~/mde_macos_test.sh
chmod +x ~/mde_macos_test.sh
~/mde_macos_test.sh
```
- Check alerts in the portal: After running the script, check the Microsoft Defender XDR portal under Incidents & alerts > Alerts. You should see alerts for the simulated activity, such as Suspicious command executed or Suspicious script activity.
Security Tips and Best Practices
- Centralized Management: Use configuration management tools (Intune, JAMF, Puppet, Ansible) to deploy and manage MDE on a large scale, ensuring consistency in policies.
- Keep MDE Updated: Ensure that your MDE client and security definitions are always up to date to ensure protection against the latest threats.
- Manage Exclusions Carefully: Review and minimize exclusions to avoid creating security gaps. Document all exclusions and their justifications.
- SIEM/SOAR Integration: Integrate MDE alerts with your Security Information and Event Management (SIEM) or Security Orchestration, Automation, and Response (SOAR), such as Microsoft Sentinel, for improved visibility and incident response.
- Continuous Monitoring: Actively monitor the Microsoft Defender XDR portal for security alerts and recommendations for your Linux and macOS endpoints.
- User Training: Educate users on the importance of endpoint security and how to report suspicious activity.
- Tamper Protection: MDE supports tamper protection on Linux and macOS as well as on Windows. Enable it in block mode (for example `sudo mdatp config tamper-protection enforcement-level --value block`, or the equivalent setting in the managed configuration or MDM profile) so that local users, including ones with root privileges, cannot stop the daemon, turn off real-time protection or alter the managed configuration. Confirm the mode with `mdatp health --field tamper_protection`.
Common Troubleshooting
- MDE does not install/onboard: Check prerequisites (distribution/OS version, required packages). Check the installation logs for errors. Make sure the onboarding package is correct and has not expired. Verify network connectivity to Microsoft endpoints.
- MDE does not report to the portal: Run mdatp health and confirm that healthy and licensed are true and that org_id is populated; an empty org_id means the onboarding script never ran successfully. Run mdatp connectivity test to confirm that the device can reach the MDE service URLs, and check any proxy or firewall that may be blocking them (a static proxy can be set with the cloudService.proxy key of the managed configuration).
- High CPU/Memory Usage: Enable real-time protection statistics (mdatp config real-time-protection-statistics --value enabled), then use mdatp diagnostic real-time-protection-statistics --sort --top 10 to see which processes and paths generate the most scan activity, and add narrow exclusions for those only. Review the existing exclusions and schedule full scans for off-peak hours.
- Conflicts with Other Security Solutions: If other antivirus or endpoint security solutions are installed, they may cause conflicts. Microsoft recommends removing other solutions before installing MDE.
- False Positive Alerts: If MDE is generating many false positive alerts, investigate the activity that triggered the alert. Consider adding exclusions for legitimate processes or files (with caution) or adjusting detection policies.
- Permission issues (macOS): On macOS, ensure that the Microsoft Defender system extension is approved and that Full Disk Access has been granted to it in System Settings > Privacy & Security (System Preferences > Security & Privacy on macOS 12 and earlier). Without them mdatp health lists health issues and real-time protection does not work; with MDM deployment these approvals should be pre-granted by the configuration profile.
Conclusion
Microsoft Defender for Endpoint offers a next-generation endpoint security solution that extends effectively to Linux and macOS environments. By unifying threat protection, detection and response on a single platform, organizations can simplify security management and strengthen their posture against cyberattacks across their entire device estate. Careful implementation, appropriate policy configuration and ongoing monitoring are critical to getting the most out of MDE. With this practical guide, security professionals should be well equipped to protect their Linux and macOS endpoints, ensuring that all devices, regardless of operating system, contribute to a more secure and resilient corporate environment.
References:
[1] Microsoft Learn. Microsoft Defender for Endpoint on Linux. https://learn.microsoft.com/pt-br/defender-endpoint/microsoft-defender-endpoint-linux
[2] Microsoft Learn. Microsoft Defender for Endpoint on macOS. https://learn.microsoft.com/pt-br/defender-endpoint/microsoft-defender-endpoint-mac
[3] Microsoft Learn. Microsoft Defender for Endpoint licensing requirements. https://learn.microsoft.com/pt-br/defender-endpoint/licensing
[4] Microsoft Learn. Prerequisites for Microsoft Defender for Endpoint on Linux. https://learn.microsoft.com/pt-br/defender-endpoint/linux-prerequisites
[5] EICAR. EICAR Test File. https://www.eicar.org/download-anti-malware-testfile/