Microsoft Defender ATP for Linux is now generally available (microsoft.com)
113 points by doener on June 25, 2020 | 105 comments


I'm at a loss trying to capture the absurdity of this, but I'll try. Smith finally escaped Oceania and made a nice home for himself in a free land with free peoples. One day agents from Oceania show up at his door. "No hard feelings bud. In fact we brought a gift. We think it will help you. We want to install these little black boxes all throughout your home." Smith is all ... "ok".


It's probably more "Our customers have policies/certifications requiring they have antivirus software everywhere, even if that's stupid. We could tell those customers that we can't offer a solution and they'll go somewhere else. Or we could make the thing they 'need' and get their business". Not very absurd at all.


I work at a similar cybersecurity company and I can almost guarantee this is the case. Company policy will be to put an AV on everything, and the CSO/procurement always prefer a one size fits all solution so they only have to deal with one vendor. How well it works on Linux is secondary to the fact that it makes it easy for them to hit all the checkboxes in compliance reports.


Google Cybersecurity Maturity Model Certification

You may not want a product like this on Linux. But if you do business in the DoD supply chain, even way down the chain, then you will be required to do so.


Can those customers not install ClamAV? Does that not count as anti-virus?


If you were to test ClamAV on a few thousand malware samples you would probably find that the detection rate would be in the low single digits.

At the same time, ClamAV has a terrifying CVE track record.

There's no upside, and all downside.


CVE track record for ClamAV is not perfect, but doesn't seem out of line with similar products.

ClamAV: https://www.cvedetails.com/product/15657/Clamav-Clamav.html?...

Norton AV: https://www.cvedetails.com/product/398/Symantec-Norton-Antiv...

Windows Defender: https://www.cvedetails.com/product/9767/Microsoft-Windows-De...

It may be safer to say that the CVE record for most AV software isn't great.


As I understand it, Microsoft Defender may not be open source, so you have to trust that what you're running really is Microsoft Defender and that it's behaving correctly.

Given that, a possible upside with ClamAV could be that you could verify the behaviour of the processes on the installed systems, to make sure you're up-to-date and have the correct software and signatures installed.

That's not unreasonable - Microsoft's software delivery pipeline should be trustworthy and their security reputation could be damaged if an issue were discovered here.


> Microsoft Defender may not be open source, so you have to trust that what you're running really is Microsoft Defender and that it's behaving correctly.

That’s true of everything installed on a system - if you don’t control the software you’re running, Defender is the least of your worries. Unless you’re doing a full analysis of every binary you’re trusting the source.


Fun fact: that doesn't actually pass a PCI-DSS audit. You need a commercial antivirus with an active subscription and centralized monitoring of that.

Also I'm guessing it's easier for admins of mixed infra to have a single threat definition (i.e. so your storage server catches the same threats as your endpoints).


Actually, most assessors won't require A/V on Linux.

5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).

It's typically an ignorant CISO/CSO who wants to mark a checkbox...


It's not necessarily ignorance, but also risk management. Who is the CIO to say that Linux is exempted from that condition? He'd need a stack of evidence that it's not commonly affected, which would need to be kept up to date.

Easier just to say "AV on everything".


A CSO/CISO should be aware of what the threats to their environment are. Otherwise how can they effectively mitigate the risk? They should rely upon SMEs who can keep them abreast of changes in threat models.


Pretending Linux can't host or be affected by malware is a pretty ignorant thing for any ciso/cto to do.


God I wish - central management and logging is mandatory under all of these compliance regimes.

We’re in the middle of adopting HiTrust and I’ve been forced to install Cisco AMP on all of my servers. The product is absolute garbage and frequently eats up all available RAM, causing itself to crash and leave a core dump filling up my root partition.

The worst part? AMP on Linux is literally ClamAV plus a kernel module to monitor file access, network connections and process creation.


We've deployed AMP across our RHEL environment, and experienced the exact issues you've described. Cisco's general remediation is to increase the exclusion policy until the core dumps stop occurring. On some systems, AMP is barely monitoring any filesystems...


Can I buy an enterprise support contract for it? I honestly don’t see an option on the site. That’s usually a hard requirement in the enterprise.


Cisco AMP is just re-badged ClamAV.


I've experienced this at one workplace, and I had to install some anti-virus software on my Linux workstation. But it already existed. (It may have even been open source.) I'm not sure how it helps Microsoft to also introduce a product for this.


> I'm not sure how it helps Microsoft to also introduce a product for this.

People don't give Microsoft money for a product that's not by Microsoft. If Microsoft offers one, and can even claim that they cover all platforms with one overarching offering, companies pay them for it.


This is absolutely the reality. Spot on mate. I am one of those people ensuring compliance. Even though it doesn't matter, I guess it's a compliance thing. For some businesses GRC matters!


In my experience, Trend Micro's antivirus is bullshit not only on Windows but also on Linux. I'm happy if MS Defender for Linux is available and corp adopted it.


You've just defined an absurd and then said that it's not absurd...


This whole thing is a catch 22 - to be taken ”seriously” with enterprise IT you need this badge to show that you are vulnerable.

If you’re not vulnerable and don’t need the badge you can’t be taken seriously.

It’s all very amusing!


Fair. But IMHO not absurd in the sense the parent said, and not absurd for MS to do to get benefit in a somewhat absurd situation.


Had to double check if we were reading the same post. This isn't meant for home users. It costs a lot of money and is targeting enterprise users. Defender ATP is like Carbonblack or Crowdstrike falcon which support windows and Linux. MS finally supports Linux to compete better. It's a great product but you need E5 license for it.


So it's not the same windows defender product given to consumers? What additional features does Defender ATP have?


It's not an antivirus, it doesn't care about binary signatures. It looks for attack patterns based on known attacker behavior.

A good Linux example would be httpd starting netcat that connects to a remote port. Or firefox spawning a bash shell. For Windows a simple example would be when an office app starts wscript or powershell and that child process schedules tasks, uses WMI, downloads a payload, etc. Those are simple examples but they track more complex attack scenarios. For cloud hosted solutions like Defender ATP and CrowdStrike they also collect everything that happens on every device of every customer, so if they find new malware or an attacker with a certain TTP on one device, they will deploy rules to catch that for all their customers.
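The process-lineage detections described above (a web server spawning netcat, a browser spawning a shell, an office app spawning a script host) can be illustrated with a small detector over process-start events. This is an added example written for this thread, not code from Defender ATP or any other product: the rule table, the JSON event format and the sample events are all constructed here. It goes slightly beyond the comment's direct parent/child examples by walking the whole ancestor chain, so `httpd -> sh -> nc` is still caught even though the direct parent of `nc` is `sh`.

```python
import json
import re
from dataclasses import dataclass

# Suspicious process-lineage rules as (ancestor pattern, descendant pattern, description).
# Constructed for this example; this is not Defender ATP's real rule set.
RULES = [
    (r"^(httpd|apache2|nginx)$", r"^(nc|ncat|netcat|socat)$",
     "web server spawned a network tool"),
    (r"^(firefox|chrome|chromium)$", r"^(bash|sh|dash|zsh)$",
     "browser spawned an interactive shell"),
    (r"^(winword|excel|powerpnt)\.exe$", r"^(wscript|cscript|powershell)\.exe$",
     "office app spawned a script host"),
]

# Constructed sample process-start events, one JSON object per line.
# pid 302 is a benign case (an admin running nc from an ssh session) that no rule covers.
SAMPLE_EVENTS = [
    '{"ts": "2020-06-25T10:00:00Z", "pid": 1,   "ppid": 0,   "name": "systemd", "cmdline": "/sbin/init"}',
    '{"ts": "2020-06-25T10:00:01Z", "pid": 100, "ppid": 1,   "name": "httpd",   "cmdline": "/usr/sbin/httpd"}',
    '{"ts": "2020-06-25T10:05:02Z", "pid": 101, "ppid": 100, "name": "sh",      "cmdline": "sh -c nc 203.0.113.5 4444"}',
    '{"ts": "2020-06-25T10:05:02Z", "pid": 102, "ppid": 101, "name": "nc",      "cmdline": "nc 203.0.113.5 4444"}',
    '{"ts": "2020-06-25T10:06:00Z", "pid": 200, "ppid": 1,   "name": "firefox", "cmdline": "/usr/lib/firefox/firefox"}',
    '{"ts": "2020-06-25T10:06:30Z", "pid": 201, "ppid": 200, "name": "bash",    "cmdline": "/bin/bash"}',
    '{"ts": "2020-06-25T10:07:00Z", "pid": 300, "ppid": 1,   "name": "sshd",    "cmdline": "sshd: admin [priv]"}',
    '{"ts": "2020-06-25T10:07:01Z", "pid": 301, "ppid": 300, "name": "bash",    "cmdline": "-bash"}',
    '{"ts": "2020-06-25T10:07:20Z", "pid": 302, "ppid": 301, "name": "nc",      "cmdline": "nc -z 10.0.0.12 22"}',
]


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    cmdline: str
    ts: str


def parse_events(lines):
    """Parse one JSON process-start event per line into a pid -> Proc map."""
    procs = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        procs[ev["pid"]] = Proc(ev["pid"], ev["ppid"], ev["name"], ev.get("cmdline", ""), ev["ts"])
    return procs


def ancestors(procs, pid):
    """Yield the ancestors of pid, nearest first; stop at unknown pids or cycles."""
    seen = set()
    cur = procs.get(pid)
    while cur and cur.ppid in procs and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = procs[cur.ppid]
        yield cur


def detect(lines, rules=RULES):
    """Return alerts as (description, ancestor name, child pid, child name, child cmdline).

    A process triggers a rule if its name matches the descendant pattern and any
    ancestor (not only the direct parent) matches the ancestor pattern."""
    procs = parse_events(lines)
    alerts = []
    for p in procs.values():
        for anc_re, child_re, desc in rules:
            if not re.match(child_re, p.name, re.IGNORECASE):
                continue
            for a in ancestors(procs, p.pid):
                if re.match(anc_re, a.name, re.IGNORECASE):
                    alerts.append((desc, a.name, p.pid, p.name, p.cmdline))
                    break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run on the constructed events it raises two alerts (the `httpd` lineage and the `firefox` lineage) and stays silent on the ssh session, which is the negative case a rule writer should always include: the same child process name can be routine in one lineage and a strong signal in another.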


Defender ATP is closer to an EDR tool, which means it's designed for detection and response teams, not individual users. It'll take more of a reporting and contextualizing approach than an AV that is typically blocking.


I think it depends if it's free (GPL/MIT/etc) software or not. Then it's truly a gift, rather than a black box

Though I have a hunch this won't be free software and will have all kinds of telemetry you can't disable.


I mean, it's designed to capture telemetry and push it into Azure for IT to figure out whats going on in the enterprise. It isn't aimed at consumers.


If this does what it's designed for, that is great.

The Linux ecosystem has consistently put its fingers in its ears and ignored the very real and long outstanding problems of malware and APTs.


What about the very real and long outstanding problems of antivirus software?


What about it? Are those applicable to my reply at all? So worst case scenario Microsoft took the scammiest approach to it possible, but it still defeats something. Vs no protection at all because Linux users blatantly ignore APTs.

Those are the options. Head completely in sand or get some sand in your eyes


Whilst I've never been a Microsoft user, it's refreshing to see these moves. For decades they've been an opponent of anything being OSS, let alone running on OSS. While the move isn't for everyone (heck, not me) it's still a very positive step, pretty much in line with Nadella's underlying strategy vis-a-vis Microsoft's newfound growth.

Security mandates such as PCI mandate running anti-virus and friends on a per host basis. They demand a 24-hour event review, FIM, etc. If tools like this come to Linux, it'll make it significantly easier for many organizations to start complying with these mandates. To be clear - these organizations already take security at best as a suggestion - these tools help reduce the barrier to entry so that at least the basics can be addressed.

I'd imagine that well over 95% of Linux users would never run Microsoft tools on Linux. At the same time, for those Windows shops that are experimenting with Linux, or need to support a few workloads, and can't afford the dedicated expertise (yet), this is definitely a step forward to help them.


> If tools like this come to Linux, it'll make it significantly easier for many organizations to start complying with these mandates.

You said a lot more than you probably intended. Microsoft created the Microsoft-loving, Linux-hating trade press in the 90's. Consultancies fell into line, and started pushing the theory to uncritical IT management that if you had a computer connected to the corporate network, it had to run a virus scanner. Period; full stop. Regardless of operating system.

I've never met anyone in corporate IT who actually does the math, and determines whether a particular threat vector is worth the cost of the preventative measure. The philosophy in the 3 Fortune 250's I've worked for has been: if it exists, it must be purchased/used/applied. In the 90's, yes, every WINDOWS computer connected to the corporate network needed the corporate AV running on it. Linux? Mac? Not so much. Even if they managed to get compromised, the chance that they would infect a neighboring computer was very small. These odds didn't justify the expense or the hassle of needing them to be slaved into the corporate AV solution, no matter how much Microsoft diverted attention away from the very special problem that Windows has always posed from a security standpoint, how much they paid the trade press to paper over it, and how much they partnered with consultancies to push that line. They didn't care about the mainframe, did they? They didn't care about the Unix workstations, either. But Linux? It was the devil.

We have come full circle. Microsoft is trying their hardest to astroturf the message that WSL enables a lot of development workflows for which Windows has been a poor choice of late, and this requires them to "love Linux." So now Microsoft MUST release their Defender product for Linux, in order to be taken seriously BY THE VERY CULTURE THEY CREATED. As a guy who has run Linux on the desktop for 19 years, and got my corporate IT (in the 90's) to consider Linux all the way to the point of them looking into a virus scanner for it (finding that Symantec didn't support it, and dropping the idea), the irony here is both delicious and sickening at the same time.

As I keep saying, I'll believe Microsoft "loves" Linux the day they create Office and an AD client for it.


> As I keep saying, I'll believe Microsoft "loves" Linux the day they create Office and an AD client for it.

Exactly. Everything else is just a marketing gimmick. They don't even support interoperability between OOXML, thus crippling every other "enterprisey" user who might want to have usable content/data between their co-workers who might be using Windows

MS-Uservoice has ~500 comments on this topic since 2018, and no word from MS till now. [ https://office365.uservoice.com/forums/264636-general/sugges... ]

Guess they figured out WSL is an easy ticket to

- paint the picture that "MS <3 linux! Techbros, dont'cha see! Yeah!" - thus counter the "Hard for Ubuntu/Fedora/Linux users to use MS Apps!" argument by going "Know what, Ubuntu is within Windoze! No need to dual boot now! Wow! Such advancement!" and find a way to safeguard and maximize license/OS-aaS revenue

- no need to ever invest in interoperability for OOXML and such defined standards (this is a great lesson they have learnt from the LDAP-MSAD story)

- no need to bother much with the "situation" of dual-boot - now there's a better way, by saying, "you could run Linux within, with full native support, and no need to go out-of-band from your corporate security and compliance baselines! So much win, ya'see!"

Look beyond the gimmicks, and one could see it's just the same objective - just a different approach now.

Not just "Windows on every desktop" but rather, "all data-processing units in the world to directly be leading in one way or other to cause some kinda revenue flow for MS"


> As I keep saying, I'll believe Microsoft "loves" Linux the day they create Office and an AD client for it.

Microsoft is a company, suggesting a company "Loves" anything is a misnomer. I say this because I sort of disagree here, but only kind-of.

Microsoft embraces ("Loves") the parts of Linux which are compatible with Microsoft's strategy. Linux on Azure is getting quite huge, it's the difference between Azure existing as a profitable business for Microsoft and Azure being a cost center. Microsoft does a fair amount to embrace Linux on the server, they support Docker, they do a lot of work with Node, and have a fair number of people onboard doing Linux specific stuff.

Linux AD & Office are only really important to desktop deployments and Microsoft has zero strategic interest in the Linux Desktop. If Microsoft were to port Office & AD to Linux Desktop, it would be an act of charity. If Microsoft is doing charity work, there are a lot of projects I'd like to see them invest in before AD and Office on Linux.


I believe porting MS Office to Linux would be a death sentence as all companies would install Ubuntu and Office and call it a day.


And interrupt their mostly nontechnical employees’ productivity to learn a new OS, for a negligible cost savings? Good luck getting that past a board of directors.


> a death sentence

For Microsoft? Windows has been on decline in importance at Microsoft for some time.

For Windows? Nah, too many Fortune 500 businesses rely on software running on Windows for day to day operations. While it's hard to see from the consumer/ web/ developer side of the world, Win32 still dominates. Lots of vertical industry specific software which won't be replaced for quite some time.


And lose all endpoint control at a whim? Not gonna happen.


I wonder how much work would have to go into porting Office to Linux. My first thought is that since they've had it on MacOS for years now, it (hopefully) uses some portable UNIX libraries, but who knows. Linux still has a pretty small desktop market, and those who are on Linux are already used to (Libre|Open)Office or GoogleDocs. I'd like if Office came to Linux for the purposes of getting more people to potentially switch, but I don't know if it would be worth while for them financially.

Adobe too. Man would it be fantastic to see Adobe add support. Same thought pops in my head: they're already running on UNIX, how much would be required to port to Linux? Probably more than I expect.


Porting? Who talked about porting? Why do you (and they) voluntarily ignore 20+ years of Wine?

99% of the (few) Windows programs I still routinely use work perfectly fine under Wine. I can even run my old Windows 3.1 (16 bit) stuff on 64 bit Ubuntu, which I couldn't run on Windows 10. Heck when I was a Linux newbie, I was amazed to find Windows programs that didn't support Windows XP links were nicely following Ext symlinks!

Office doesn't play nice on Wine? Seriously, if Valve can get stuff working on Proton that requires DRM, DirectX etc. it doesn't look like fixing existing issues to make Office work 100% under Wine is beyond reach for Microsoft. Heck, we're talking about the same corporation capable of giving us the WSL!

> Adobe too.

And Autodesk too.


> Porting? Who talked about porting? Why do you (and they) voluntarily ignore 20+ years of Wine?

Indeed. I was happily using Codeweaver's Crossover product to run Office 2000 (on RedHat 6.2 with Ximian Desktop, IIRC) before Microsoft realized this loophole produced a flawless experience, and then changed the binaries to purposely frustrate this solution going forward. Nothing ever worked quite right after that. Eventually, Evolution had a usable Exchange integration, and OpenOffice wasn't completely useless, so I simply stopped caring.


Recently, I was using Mikrotik Winbox for the first time under Ubuntu. I was shocked how easy it was to make it run (apt install wine-stable, wine winbox.exe) and how well it worked.


Endpoint protection - aka enterprise antivirus / anti-hacking - has become a very big market over the past few years, and Linux is a massive player in the server and cloud space. They would be fools to ignore it, no other conspiracy needed.


I mean, they are in the middle of rewriting Office to use react native, specifically for cross platform compatibility. And Teams already has a linux client.

Regarding AD clients, what are you looking for that's not well covered by LDAP clients and all the AAD connection capabilities built into Azure? AKS runs RBAC based on bindings to AAD. Certainly for any server workloads, AD integrations are well covered.

Perhaps the clarification you need is: Microsoft loves Linux on the server. They don't particularly care about Linux on the desktop.


Most PCI audits don't require A/V on Linux/nix types systems. The majority of assessors don't ding you if you don't deploy, and the DSS standard is pretty clear:

5.1 Deploy anti-virus software on all systems commonly affected* by malicious software (particularly personal computers and servers).

Since the majority of *nix servers aren't commonly affected, there's no reason/requirement to deploy A/V. Now this doesn't mean your boss won't require it, "just to be sure."


You're a fool if you think Linux systems are not commonly affected. Most compliance requirements do require you to have AV on Linux too.

As someone in the security industry, my experience is that Linux servers are clearly more frequently affected than OSX, and there are very few people left who would say OSX doesn't have malware still.

Just because a large compiled library of code doesn't exist and isn't commonly passed around doesn't mean it's malware free or even malware light.

Compiled static malware isn't common because it doesn't have to be. RCE is done on Linux systems an overwhelming majority of the time using native applications in the way they are meant to be used, just by the wrong people (the attacker). The lack of quality security tools for the Linux environment is THE biggest concern mature security teams struggle with.

Linux is the most common internet facing OS platform, and I'm here to tell you, if it's internet facing, it has threat actors targeting AND affecting it. The only reason Linux hasn't surpassed Windows in how frequently it is the victim of malware/attacks is because of workstations.


Not a fool, just someone with over 20 years experience, who has gone through multiple PCI audits and never once met an assessor who thought it was required.

And if you're managing your servers properly, A/V is unnecessary; first there are few viruses and malware that affect *nix, second, if you can't control code deployment on your systems, you're in the wrong business.

None of our systems providing Internet services are directly connected; everything is proxied/firewalled etc.

If you're expecting ANY of the A/V solutions out there to protect your systems, whether they're Windows/Linux/MacOS, you're going to be sadly disappointed when you get rooted.


MS is leaving a lot of deals on the table without offering a Linux Agent. They've been using other companies to fill the gap. It's not a good look when the sales guy has to recommend a tiny startup to cover your other platforms for ATP.

It's also worth noting that they encouraged startups to offer ATP support and then within a couple of years killed them by offering their own.


Microsoft is investing in cloud, and this is meant to help their cloud business. In essence, this initiative is about that, not happy people singing kumbaya.

I would not install this since it talks to Microsoft servers. I don't want "telemetry" sent to them.


Previous startup I was at had deployed the MacOS version of this and the entire Eng department had to petition to get it removed.

It randomly picks files to send to MS for analysis and hijacks 50%+ of the CPU to do it.

I legitimately don’t understand what it’s trying to accomplish other than being another telemetry vacuum for MS.


Very nature of this kind of software. Over the years I have never seen a proper antivirus software work without getting in my way. Of course I have not used all of them but only the most popular ones. Locking files, 100 percent CPU usage, false positives are some known issues. In the last 5-6 years I have never seen it correctly report a threat, but that is just for me. I am sure it is working fine for some.


We use BitDefender, and it once deleted the main .exe of an internal website (after several months of no issues with the same exe) mid-day. It also flagged that exe and made it nearly impossible to restore, even with the quarantine feature.


Trend Micro is really good, we had to use it and I was quite impressed on Linux and Windows (for an antivirus). For the MS antivirus, just disable 'Automatic sample submission'.

EDIT: But to be honest, Antivirus is just Old-school protection, it never detected anything outside 'already known viruses', Snort/Suricata on the other hand detected quite often that something is going on.

EDIT2: With "quite impressed" i mean, the performance was not much worse


Snort/Suricata (and other IDS solutions) also depend on signatures/patterns. It's not different in that sense - you still need to define what to look for.


Yes, but not file based signatures; the big differences are network behavior analysis and anomaly detection... and the biggest plus, it's not on the device that is under attack/infected.

>It's not different in that sense - you still need to define what to look for.

Absolutely correct, I said nothing else, just that I found much more this way than with a locally installed antivirus. There is just one measure for a really secure connected computer.. that is cable out ;)
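The exchange above contrasts file-based AV signatures with the network behavior analysis and anomaly detection a network IDS can do from a vantage point off the possibly compromised host. As an added example that is not part of the thread and is not Snort's or Suricata's own logic, here is one such behavioral heuristic: flagging a host that connects to the same destination and port at nearly constant intervals (beaconing). The flow record format and the sample flows are constructed for this example; a real IDS would combine this kind of statistic with signature rules and a lot more context.

```python
import statistics
from collections import defaultdict

# Constructed flow records in a simple "timestamp src dst dport" format.
SAMPLE_FLOWS = [
    # 10.0.0.5 reaches 198.51.100.7:443 about every 60 s: ten near-identical gaps.
    "0 10.0.0.5 198.51.100.7 443",
    "60 10.0.0.5 198.51.100.7 443",
    "121 10.0.0.5 198.51.100.7 443",
    "180 10.0.0.5 198.51.100.7 443",
    "241 10.0.0.5 198.51.100.7 443",
    "300 10.0.0.5 198.51.100.7 443",
    "360 10.0.0.5 198.51.100.7 443",
    "419 10.0.0.5 198.51.100.7 443",
    "480 10.0.0.5 198.51.100.7 443",
    "540 10.0.0.5 198.51.100.7 443",
    # 10.0.0.8 browses interactively: bursts with irregular gaps.
    "0 10.0.0.8 198.51.100.20 443",
    "5 10.0.0.8 198.51.100.20 443",
    "200 10.0.0.8 198.51.100.20 443",
    "210 10.0.0.8 198.51.100.20 443",
    "900 10.0.0.8 198.51.100.20 443",
    "905 10.0.0.8 198.51.100.20 443",
    "1300 10.0.0.8 198.51.100.20 443",
    # 10.0.0.9: regular, but only three connections, too few to judge.
    "0 10.0.0.9 198.51.100.30 80",
    "30 10.0.0.9 198.51.100.30 80",
    "60 10.0.0.9 198.51.100.30 80",
]


def parse_flows(lines):
    """Parse 'ts src dst dport' records into (ts, src, dst, dport) tuples; skip malformed lines."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        flows.append((float(ts), src, dst, int(dport)))
    return flows


def beacon_candidates(lines, min_count=6, max_cv=0.1):
    """Return ((src, dst, dport), count, mean_gap, cv) for connection tuples whose
    inter-connection gaps are numerous and nearly constant.

    cv is the coefficient of variation (stdev / mean) of the gaps; a value near 0
    means a fixed period, which is typical of automated check-ins rather than people."""
    by_tuple = defaultdict(list)
    for ts, src, dst, dport in parse_flows(lines):
        by_tuple[(src, dst, dport)].append(ts)

    hits = []
    for key, stamps in by_tuple.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            hits.append((key, len(stamps), round(mean_gap, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for hit in beacon_candidates(SAMPLE_FLOWS):
        print(hit)
```

On the constructed flows only the 10.0.0.5 tuple is reported; the interactive browsing pattern has a coefficient of variation above 1 and the three-connection series never reaches `min_count`. Thresholds like these are where the false positives live (software updaters and monitoring agents also beacon), which is the same tuning problem the thread describes for host AV, just measured on a different signal.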


> Very nature of this kind of software. Over the years I have never seen a proper antivirus software work without getting in my way. Of course I have not used all of them but only the most popular ones. Locking files, 100 percent CPU usage, false positives are some known issues. In the last 5-6 years I have never seen it correctly report a threat, but that is just for me. I am sure it is working fine for some.

We use https://www.crowdstrike.com/ and never had any issues so far. Very low CPU usage, no false positives. Not sure if it actually does anything ;).


Does anyone know how it works with such low overhead? What's it doing differently?


It deleted my freshly code signed MSI the other day as well.

This is irritating but as mentioned a not unusual side effect. A good thing is they have sample submission that was fast and efficient.


>A good thing is they have sample submission

Wait...you think that is something good, they criticized Kaspersky exactly for that.


Being able to submit samples and have them verified as known good or bad seems like a fantastic thing, especially when the default is reputation-based and not based on the code signing itself.

Why do you think it's not?


Because you upload files (maybe private ones) to a 3rd party?


I mean, you don't have to if you don't want to. Disable automatic uploads, and don't upload them yourself. There, your problem is solved.

Those that want to contribute their samples in order to have them white/blacklisted can, but just because a feature is there doesn't mean somebody is forcing you to do it, nor that it's inherently bad because you're willingly uploading files to a 3rd party.

How, exactly, would you expect AV/security companies to be able to analyze samples that are actually relevant to their customers if they're not submitted? They would never be able to find nearly as much malware on their own.


They pretty much all do that if you want the full functionality. They’ll tell you that if you disable that, you’re little better than having no product at all.


I don't think people ITT understand what Defender ATP is supposed to be. It's not just an AV, but rather also has the ability to do threat protection across all your assets in the company.

It can analyze an attacker's moves within your network, figuring out what files they accessed, ways they pivoted, and other stuff. So not only would it detect that you got compromised, but the display will show you likely paths, names of users that are also compromised, mitigation steps, deployed persistence measures, etc.

So for Defender ATP to work optimally in a deployment that leverages linux nodes, or has users using linux as their daily driver, you need to support linux.


Your statement would have been valid a few years ago. But now all AV providers also offer what you are talking about. AV+EDR with advanced threat hunting UI. So when you say AV today you should really think the other stuff as well.


They provide it but often not in the same product capacity, a common structure would be Sophos & CarbonBlack - two separate products by different companies. Additionally they'd need a third product to cover the *nix estate.

Defender, in its current state, rolls all of the above into one at a relatively competitive price point. Additionally, it receives new detections built off all the telemetry they get as a result of Windows Defender existing on almost every Win10 OS on the planet.

This leveraging of data on such a scale is letting Microsoft quickly become the market leader for threat detection & response.


Thanks for the info. Yeah, I'm not up to speed on the latest in the defense world. Good to know. I just felt like I had to bring it up because (at the time of posting) people were exclusively discussing the merits of an AV on linux (which is debatable) vs the value of EDR in a corporate environment.


fixed it -- the product claims say "It can analyze an attackers moves within your network, figuring out what files they accessed, ways they pivoted, and other stuff."


Well, I downloaded the .deb file for MDATP, and right off the bat in the installation scripts, it's posting telemetry (literally, LogTelemetry in the scripts) to https://x.cp.wd.microsoft.com/api/report . Then poking around in the giant .so and executable front end, you find a ton more.

What's it sending? Fucked if I know. I figured they couldn't help themselves, though.


I swear Microsoft are slowly putting all of the pieces in place for Windows LX, which will be a Linux distribution.


If they truly wanted to go that route I think they’d just acquire Canonical.


I can see only one scenario where it makes sense for Microsoft to buy Canonical: to prevent Amazon or Google from acquiring them and doing something anti-competitive (or as much as can be done legally in that respect) and making life difficult for customers using Ubuntu on Azure.

The comparison of relevance is Github. Microsoft was using Github so much already that the prospect of someone else buying them was an issue (not to mention the joke that buying Github was cheaper than paying for Microsoft's growing use of the platform). In practice, has Microsoft done anything to Github that has limited them in any way? The biggest change is that Github has a super-rich benefactor and they can offer free accounts to everyone now... and their budget for hiring/retaining top talent has been boosted as well.

Microsoft has more than enough money to do the same with Canonical and if they do I think it will largely be a matter of making sure Canonical doesn't need to worry about finances anymore and can hire whomever they need to build and deliver features. And yes, it's possible that Azure Linux applications might be available on Ubuntu first but extending and extinguishing Ubuntu would be massively opposed to making money on Azure -- I don't see Microsoft doing that.


Why acquire Canonical when they can just create a Redmond Linux distro and cherry-pick the best aspects of RHEL, Debian, or Gentoo -- or just plain fork something out there now and add the option of Microsoft corporate support for any manager wanting to buy a throat to choke in case there's a production hiccup?

Or better yet: a Windows-like or Windows-compatible desktop that can run on any number of systems (and maybe corporate support is available for Debian, CentOS)? Let's not forget that the co-founder of Gnome has been working for Microsoft since 2016.


Why do you have to jinx it?


Now we has. We're all doomed.



That's just a passthrough for WSL VMs on Windows hosts.


You misspelled "WinX" and it was "leaked" fifteen years ago in Wired magazine.

https://www.wired.com/2005/02/microsoft-5/


Windows LX?

What about just the last letter: Windows X

Of course Windows 10 is the last major version of Windows, so you got to have that in the name: Windows 10X


I'd be pretty happy were I able to run office on linux (apart from 2010 version in wine).


Office365 works as well as it does anywhere.


No it doesn't, at least, not as far as I've seen. Do you mean the web version? If so, I'd hardly call that, "as well as it does anywhere."


This requires a “Microsoft Defender ATP for Servers” license. But it isn’t clear on how to obtain that


As far as I know, it's a corporate tier of the Defender only available to corporate volume license customers.

I guess it's similar to the way many vendors have an "EDR" version of the malware protection as opposed to the consumer version, which often reserves Linux protection for the former.


Yes, ATP in itself is going to be shelf-ware soon. The data collected from Defender is much more useful in some of their other offerings such as in their newer SIEM.


Is it open source? I can't find a GitHub link so I'm guessing it's not


An open source antivirus program is a bit oxymoronic. Sure, people can contribute new means of stopping more attacks, but it also shows attackers exactly how to evade it. So you'd be losing more than you'd gain in that situation.


Security through obscurity (or security by obscurity) is the reliance in security engineering on design or implementation secrecy as the main method of providing security to a system or component. Security experts have rejected this view as far back as 1851, and advise that obscurity should never be the only security mechanism.

https://en.wikipedia.org/wiki/Security_through_obscurity

Edit: Link


Dang. I guess they better shut down ClamAV.

https://www.clamav.net/


Feels ironic for Microsoft to announce security tools for Linux. Have always thought MS should turn Windows back into a window manager, not a fully-fledged OS, and use Linux as the base under the hood.


Seems like offsetting the potential for one kind of spyware in exchange for another.


What does this actually do? The marketing material is decidedly vague.


What is this even? Like Snort? I haven't been knowledgeable about the Windows ecosystem since the Web 1.0 days.


Trying to bring the performance from Windows to Linux...love it ;)

EDIT: For the down-voter, that was ironic. Try copying lots of files from one disk to another (in Windows) and during the copy process disable Defender... huge "performance" gain.


If MSFT figures out how to make this uninstallable on Linux, I will stop using computers.


You mean non-uninstallable?


No, he's a HUGE Microsoft fan :)


Maybe, just don't install it?


Nice that a proprietary software firm can stop you from using Computers...that is the wet dream of Apple ;)


Do people think Microsoft owns Linux now?


Not own, but assimilate. Own the attention. GPL will have new perspectives after this is over with. For those of you who don't use Windows, try to uninstall the AV on Windows 10. MSFT AV uses about 400 MB of RAM on my Lenovo Flex 11 running Windows 10. A bit of memory can be saved if you open an admin PowerShell and run "Set-MpPreference -DisableRealtimeMonitoring 1"



