
Microsoft Defender ATP for Linux is now generally available - doener
https://techcommunity.microsoft.com/t5/microsoft-defender-atp/microsoft-defender-atp-for-linux-is-now-generally-available/ba-p/1482344
======
skinney6
I'm at a loss trying to capture the absurdity of this, but I'll try... Smith
finally escaped Oceania and made a nice home for himself in a free land with
free peoples. One day agents from Oceania show up at his door. "No hard
feelings bud. In fact we brought a gift. We think it will help you. We want to
install these little black boxes all throughout your home." Smith is all ...
"ok".

~~~
detaro
It's probably more "Our customers have policies/certifications requiring they
have antivirus software everywhere, even if that's stupid. We could tell those
customers that we can't offer a solution and they'll go somewhere else. Or we
could make the thing they 'need' and get their business". Not very absurd at
all.

~~~
ancarda
Can those customers not install ClamAV? Does that not count as anti-virus?

~~~
jorangreef
If you were to test ClamAV on a few thousand malware samples you would
probably find that the detection rate would be in the low single digits.

At the same time, ClamAV has a terrifying CVE track record.

There's no upside, and all downside.

~~~
jka
As I understand it, Microsoft Defender may not be open source, so you have to
trust that what you're running really is Microsoft Defender and that it's
behaving correctly.

Given that, a possible upside with ClamAV could be that you could verify the
behaviour of the processes on the installed systems, to make sure you're
up-to-date and have the correct software and signatures installed.

That's not unreasonable - Microsoft's software delivery pipeline should be
trustworthy and their security reputation could be damaged if an issue were
discovered here.

~~~
acdha
> Microsoft Defender may not be open source, so you have to trust that what
> you're running really is Microsoft Defender and that it's behaving
> correctly.

That’s true of everything installed on a system - if you don’t control the
software you’re running, Defender is the least of your worries. Unless you’re
doing a full analysis of every binary you’re trusting the source.

------
cik
Whilst I've never been a Microsoft user, it's refreshing to see these moves.
For decades they've been an opponent of anything being OSS, let alone running
on OSS. While the move isn't for everyone (heck, not me) it's still a very
positive step, pretty much in line with Nadella's underlying strategy
vis-a-vis Microsoft's newfound growth.

Security mandates such as PCI mandate running anti-virus and friends on a per
host basis. They demand a 24-hour event review, FIM, etc. If tools like this
come to Linux, it'll make it significantly easier for many organizations to
start complying with these mandates. To be clear - these organizations already
take security at best as a suggestion - these tools help reduce the barrier to
entry so that at least the basics can be addressed.

I'd imagine that well over 95% of Linux users would never run Microsoft tools
on Linux. At the same time, for those Windows shops that are experimenting
with Linux, or need to support a few workloads, and can't afford the dedicated
expertise (yet), this is definitely a step forward to help them.

~~~
TheRealDunkirk
> If tools like this come to Linux, it'll make it significantly easier for
> many organizations to start complying with these mandates.

You said a lot more than you probably intended. Microsoft created the
Microsoft-loving, Linux-hating trade press in the 90's. Consultancies fell
into line, and started pushing the theory to uncritical IT management that if
you had a computer connected to the corporate network, it had to run a virus
scanner. Period; full stop. Regardless of operating system.

I've never met anyone in corporate IT who actually does the math, and
determines whether a particular threat vector is worth the cost of the
preventative measure. The philosophy in the 3 Fortune 250's I've worked for
has been: if it exists, it must be purchased/used/applied. In the 90's, yes,
every WINDOWS computer connected to the corporate network needed the corporate
AV running on it. Linux? Mac? Not so much. Even if they managed to get
compromised, the chance that they would infect a neighboring computer was
very small. These odds didn't justify the expense or the hassle of needing
them to be slaved into the corporate AV solution, no matter how much Microsoft
diverted attention away from the very special problem that Windows has always
posed from a security standpoint, how much they paid the trade press to paper
over it, and how much they partnered with consultancies to push that line.
They didn't care about the mainframe, did they? They didn't care about the
Unix workstations, either. But Linux? It was the devil.

We have come full circle. Microsoft is trying their hardest to astroturf the
message that WSL enables a lot of development workflows for which Windows has
been a poor choice of late, and this requires them to "love Linux." So now
Microsoft MUST release their Defender product for Linux, in order to be taken
seriously BY THE VERY CULTURE THEY CREATED. As a guy who has run Linux on the
desktop for 19 years, and got my corporate IT (in the 90's) to consider Linux
all the way to the point of them looking into a virus scanner for it (finding
that Symantec didn't support it, and dropping the idea), the irony here is
both delicious and sickening at the same time.

As I keep saying, I'll believe Microsoft "loves" Linux the day they create
Office and an AD client for it.

~~~
ogre_codes
> As I keep saying, I'll believe Microsoft "loves" Linux the day they create
> Office and an AD client for it.

Microsoft is a company, suggesting a company "Loves" anything is a misnomer. I
say this because I sort of disagree here, but only kind-of.

Microsoft embraces ("Loves") the parts of Linux which are compatible with
Microsoft's strategy. Linux on Azure is getting quite huge, it's the
difference between Azure existing as a profitable business for Microsoft and
Azure being a cost center. Microsoft does a fair amount to embrace Linux on
the server, they support Docker, they do a lot of work with Node, and have a
fair number of people onboard doing Linux specific _stuff_.

Linux AD & Office are only really important to desktop deployments and
Microsoft has zero strategic interest in the Linux Desktop. If Microsoft were
to port Office & AD to Linux Desktop, it would be an act of charity. If
Microsoft is doing charity work, there are a lot of projects I'd like to see
them invest in before AD and Office on Linux.

~~~
deeter72
I believe porting MS Office to Linux would be a death sentence as all
companies would install Ubuntu and Office and call it a day.

~~~
pbar
And interrupt their mostly nontechnical employees’ productivity to learn a new
OS, for a negligible cost savings? Good luck getting that past a board of
directors.

------
ecf
Previous startup I was at had deployed the MacOS version of this and the
entire Eng department had to petition to get it removed.

It randomly picks files to send to MS for analysis and hijacks 50%+ of the CPU
to do it.

I legitimately don’t understand what it’s trying to accomplish other than
being another telemetry vacuum for MS.

~~~
mrath
That's the very nature of this kind of software. Over the years I have never
seen proper antivirus software work without getting in my way. Of course I have not used
all of them but only the most popular ones. Locking files, 100 percent cpu
usage, false positives are some known issues. In the last 5-6 years I have
never seen it correctly report a threat, but that is just for me. I am sure it
is working fine for some.

~~~
oweiler
> That's the very nature of this kind of software. Over the years I have never
> seen proper antivirus software work without getting in my way. Of course I have not used
> all of them but only the most popular ones. Locking files, 100 percent cpu
> usage, false positives are some known issues. In the last 5-6 years I have
> never seen it correctly report a threat, but that is just for me. I am sure
> it is working fine for some.

We use [https://www.crowdstrike.com/](https://www.crowdstrike.com/) and never
had any issues so far. Very low CPU usage, no false positives. Not sure if it
actually does anything ;).

~~~
ubercow13
Does anyone know how it works with such low overhead? What's it doing
differently?

------
deadso
I don't think people ITT understand what Defender ATP is supposed to be. It's
not just an AV, but rather also has the ability to do threat protection across
all your assets in the company.

It can analyze an attacker's moves within your network, figuring out what files
they accessed, ways they pivoted, and other stuff. So not only would it detect
that you got compromised, but the display will show you likely paths, names of
users that are also compromised, mitigation steps, deployed persistence
measures, etc.

So for Defender ATP to work optimally in a deployment that leverages Linux
nodes, or has users using Linux as their daily driver, you need to support
Linux.

~~~
mrits
Your statement would have been valid a few years ago. But now all AV providers
also offer what you are talking about. AV+EDR with advanced threat hunting UI.
So when you say AV today you should really think of the other stuff as well.

~~~
TA43
They provide it but often not in the same product capacity, a common structure
would be Sophos & CarbonBlack - two separate products by different companies.
Additionally they'd need a third product to cover the *nix estate.

Defender, in its current state, rolls all of the above into one at a
relatively competitive price point. Additionally, it receives new detections
built off all the telemetry they get as a result of Windows Defender existing
on almost every Win10 OS on the planet.

This leveraging of data on such a scale is letting Microsoft quickly become
the market leader for threat detection & response.

------
fmakunbound
Well, I downloaded the .deb file for MDATP, and right off the bat in the
installation scripts, it's posting telemetry (literally, LogTelemetry in the
scripts) to
[https://x.cp.wd.microsoft.com/api/report](https://x.cp.wd.microsoft.com/api/report)
Then poking around in the giant .so and executable front end, you find a ton
more.

What's it sending? Fucked if I know. I figured they couldn't help themselves,
though.
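
Checking a package's maintainer scripts for outbound endpoints before installing it, as the comment above describes doing by hand, is easy to script. The following is an added example (not the commenter's work and not Microsoft's code): it parses the .deb's outer `ar` container and its `control.tar.*` with the Python standard library, pulls out the `preinst`/`postinst`/`prerm`/`postrm` scripts, and lists every URL they reference. The sample package and its `telemetry.example.invalid` endpoint are constructed here for illustration.

```python
import io
import re
import sys
import tarfile

# Debian maintainer scripts run as root at install/remove time, so they are
# the first place to look for network calls a package makes before installing it.
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}
URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")


def parse_ar(data: bytes) -> dict:
    """Parse the classic 'ar' container of a .deb into {member_name: bytes}."""
    if not data.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    members, pos = {}, 8
    while pos + 60 <= len(data):
        header = data[pos:pos + 60]                    # fixed 60-byte member header
        if header[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = header[0:16].decode().strip().rstrip("/")
        size = int(header[48:58].decode().strip())
        start = pos + 60
        members[name] = data[start:start + size]
        pos = start + size + (size % 2)               # member data is 2-byte aligned
    return members


def extract_maintainer_scripts(deb: bytes) -> dict:
    """Return {script_name: text} for maintainer scripts found in control.tar.*."""
    members = parse_ar(deb)
    control = next((n for n in members if n.startswith("control.tar")), None)
    if control is None:
        raise ValueError("no control.tar member in package")
    scripts = {}
    with tarfile.open(fileobj=io.BytesIO(members[control]), mode="r:*") as tf:
        for ti in tf.getmembers():
            base = ti.name.split("/")[-1]
            if ti.isfile() and base in MAINTAINER_SCRIPTS:
                scripts[base] = tf.extractfile(ti).read().decode("utf-8", "replace")
    return scripts


def find_endpoints(scripts: dict) -> dict:
    """Map each maintainer script to the sorted list of URLs it references."""
    hits = {}
    for name, text in scripts.items():
        urls = sorted(set(URL_RE.findall(text)))
        if urls:
            hits[name] = urls
    return hits


def audit_deb(deb: bytes) -> dict:
    """Full pipeline: ar container -> control tarball -> scripts -> URLs."""
    return find_endpoints(extract_maintainer_scripts(deb))


# --- Constructed sample package (not a real vendor package) ------------------

def _ar_member(name: str, body: bytes) -> bytes:
    # name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2) = 60 bytes
    header = f"{name:<16}{0:<12}{0:<6}{0:<6}{100644:<8}{len(body):<10}`\n".encode()
    return header + body + (b"\n" if len(body) % 2 else b"")


def _tar_gz(files: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            data = content.encode()
            ti = tarfile.TarInfo(name="./" + name)
            ti.size, ti.mode = len(data), 0o755
            tf.addfile(ti, io.BytesIO(data))
    return buf.getvalue()


SAMPLE_DEB = (
    b"!<arch>\n"
    + _ar_member("debian-binary", b"2.0\n")
    + _ar_member("control.tar.gz", _tar_gz({
        "control": "Package: example-agent\nVersion: 0.0.1\nArchitecture: amd64\n"
                   "Description: constructed sample package\n",
        # Constructed postinst with a telemetry call; the host name is a placeholder.
        "postinst": "#!/bin/sh\n"
                    "LogTelemetry() { curl -s -X POST https://telemetry.example.invalid/api/report -d \"$1\"; }\n"
                    "LogTelemetry installed\nexit 0\n",
        "prerm": "#!/bin/sh\nexit 0\n",
    }))
    + _ar_member("data.tar.gz", _tar_gz({}))
)


if __name__ == "__main__":
    # Audit a real package from disk if a path is given, else the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DEB
    for script, urls in audit_deb(blob).items():
        print(f"{script}: {', '.join(urls)}")
```

Run it with a path to a downloaded .deb to audit that package, or with no arguments to audit the constructed sample. It only covers the control tarball; the shared objects and front-end binary the comment mentions need `strings` or a disassembler rather than a text grep of the maintainer scripts.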

------
trollied
I swear Microsoft are slowly putting all of the pieces in place for Windows
LX, which will be a Linux distribution.

~~~
tw04
If they truly wanted to go that route I think they’d just acquire Canonical.

~~~
jedieaston
Why do you have to jinx it?

~~~
shaan7
Now we has. We're all doomed.

------
cordite
This requires a “Microsoft Defender ATP for Servers” license. But it isn’t
clear how to obtain that.

~~~
unsignedint
As far as I know, it's a corporate tier of the Defender only available to
corporate volume license customers.

I guess it's similar to the way many vendors have an "EDR" version of the
malware protection as opposed to the consumer version, which often reserve
Linux protection for the former.

~~~
mrits
Yes, AT in itself is going to be shelf-ware soon. The data collected from
Defender is much more useful in some of their other offerings such as in their
newer SIEM.

------
ancarda
Is it open source? I can't find a GitHub link so I'm guessing it's not.

~~~
aewens
An open source antivirus program is a bit oxymoronic. Sure, people can
contribute new means of stopping more attacks, but it also shows attackers
exactly how to evade it. So you'd be losing more than you'd gain in that
situation.

~~~
RMPR
Security through obscurity (or security by obscurity) is the reliance in
security engineering on design or implementation secrecy as the main method of
providing security to a system or component. Security experts have rejected
this view as far back as 1851, and advise that obscurity should never be the
only security mechanism.

[https://en.wikipedia.org/wiki/Security_through_obscurity](https://en.wikipedia.org/wiki/Security_through_obscurity)

Edit: Link

------
microcolonel
What does this actually do? The marketing material is decidedly vague.

------
mike503
Feels ironic for Microsoft to announce security tools for Linux. Have always
thought MS should turn Windows back into a window manager, not a fully-fledged
OS, and use Linux as the base under the hood.

------
1MachineElf
Seems like offsetting the potential for one kind of spyware in exchange for
another.

------
MintelIE
What is this even? Like Snort? I haven't been knowledgeable about the Windows
ecosystem since the Web 1.0 days.

------
nix23
Trying to bring the performance from Windows to Linux...love it ;)

EDIT: For the down-voter, that was ironic; try copying lots of files from one disk
to another (in Windows) and during the copy-progress disable Defender...huge
"performance" gain.

------
jksmith
If MSFT figures out how to make this uninstallable on Linux, I will stop using
computers.

~~~
smcl
You mean non-uninstallable?

~~~
mrits
No, he's a HUGE Microsoft fan :)

