Skip links

Microsoft upgrades Defender to lock down Linux gear for its own good

Organizations using Microsoft’s Defender for Endpoint will now be able to isolate Linux devices from their networks to contain intrusions and whatnot.

The device isolation capability is in public preview and mirrors what the product already does for Windows systems.

“Some attack scenarios may require you to isolate a device from the network,” Microsoft wrote in a blog post. “This action can help prevent the attacker from controlling the compromised device and performing further activities such as data exfiltration and lateral movement. Just like in Windows devices, this device isolation feature.”

Intruders won’t be able to connect to the device or run operations like assuming unauthorized control of the system or stealing sensitive data, Microsoft claims.

According to the vendor, when the device is isolated, it is limited in the processes and web destinations that are allowed. That means if they’re behind a full VPN tunnel, they won’t be able to reach Microsoft’s Defender for Endpoint cloud services.

Microsoft recommends that enterprises use a split-tunneling VPN for cloud-based traffic for both Defender for Endpoint and Defender Antivirus. Once the situation that caused the isolation is cleared up, organizations will be able to reconnect the device to the network.

Isolating the system is done via APIs. Users can get to the device page of the Linux systems through the Microsoft 365 Defender portal, where they will see an “Isolate Device” tab in the upper right among other response actions. Microsoft has outlined the APIs for both isolating the device and releasing it from lock down.

Linux devices that can use the Defender for Endpoint include Red Hat Enterprise Linux (RHEL), CentOS, Ubuntu, Desbian, SUSE Linux, Oracle Linux, Amazon Web Services (AWS) Linux, and Fedora.

The Linux device isolation is the latest recent security feature Microsoft has put into the cloud service. Earlier this month, the company expanded the tamper protection for Defender for Endpoint to include antivirus exclusions.

This is all part of a wider pattern of beefing up Defender with an eye on open source. At its Ignite show in October 2022, Microsoft announced it was integrating the Zeek open-source network monitoring platform as a component of Defender for Endpoint for deep packet inspection of network traffic.  

Also at the event, Redmond spoke about the new capabilities aimed at allowing security operations teams to detect command-and-control (C2) attacks earlier, enabling them to limit the spread of the damage and removing malicious binaries.

The new functionality also comes just more than two weeks after updates to Defender for Endpoint threw a scare into security pros – on Friday the 13th – by inadvertently removing icons and application shortcuts from the desktop, Taskbar, and Start Menu in Windows 10 and 11 systems. Microsoft fixed the issue, but still left users with some files being permanently deleted. ®