Defender for Endpoint / Defender for Servers – Linux – Real-time protection is turned off by default – check if your Linux workloads are safe #1

It was a total surprise for me… without any warning… just info from: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-whatsnew?view=o365-worldwide

July-2023 Build: 101.23062.0010 | Release version: 30.123062.0010.0

  • Other fixes and improvements
    • From this version, enforcementLevel is in passive mode by default, giving admins more control over where they want ‘RTP on’ within their estate
    • This change only applies to fresh MDE deployments, for example, servers where Defender for Endpoint is being deployed for the first time. In update scenarios, servers that have Defender for Endpoint deployed with RTP ON, continue operating with RTP ON even post update to version 101.23062.0010

Available in Defender for Endpoint version 101.10.72 or higher. Default is changed from real_time to passive for Endpoint version 101.23062.0001 or higher.

  • Passive (passive): Runs the antivirus engine in passive mode. In this:
    • Real-time protection is turned off: Threats are not remediated by Microsoft Defender Antivirus.
    • On-demand scanning is turned on: Still use the scan capabilities on the endpoint.
    • Automatic threat remediation is turned off: No files will be moved and security admin is expected to take required action.
    • Security intelligence updates are turned on: Alerts will be available on security admins tenant.

Interesting “fix and improvement”… it means that on a fresh deployment an attacker will not be blocked, only reported… So if you deploy MDE on Linux after July 2023, check your settings. The good question is how… Microsoft documents Ansible, Puppet, and Chef for managing Defender on Linux.
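Here is an added example script (not from the original post and not Microsoft's own tooling) that audits a Linux host for this default and emits the fix. It reads the real_time_protection_enabled and passive_mode_enabled fields of mdatp health, falls back to a constructed sample when mdatp is not installed, and prints the mdatp_managed.json fragment that sets enforcementLevel back to real_time; the managed-config path and field names are the ones documented for MDE on Linux.

```shell
#!/bin/sh
# Added example: audit MDE on Linux for the passive default and emit the fix.
# Not from the original post. Uses the documented `mdatp health` fields and
# managed-config path; the health output below is a constructed sample.
MANAGED_JSON=/etc/opt/microsoft/mdatp/managed/mdatp_managed.json

# Constructed `mdatp health` excerpt from a fresh post-July-2023 install
# (enforcementLevel defaulted to passive).
SAMPLE_HEALTH='healthy                                     : true
real_time_protection_enabled                : false
passive_mode_enabled                        : true'
# health_field <health output> <field>: value of one "name : value" line.
health_field() {
    printf '%s\n' "$1" | awk -v f="$2" '$1 == f { print $3; exit }'
}

# rtp_status <health output>: ON, OFF (RTP disabled or passive mode) or UNKNOWN.
rtp_status() {
    rtp=$(health_field "$1" real_time_protection_enabled)
    passive=$(health_field "$1" passive_mode_enabled)
    case "$rtp:$passive" in
        true:false)      echo ON ;;
        false:*|*:true)  echo OFF ;;
        *)               echo UNKNOWN ;;
    esac
}

# Managed config that turns RTP back on; deploy it with Ansible/Puppet/Chef or RunCommand.
rtp_managed_config() {
    cat <<'EOF'
{
  "antivirusEngine": {
    "enforcementLevel": "real_time"
  }
}
EOF
}

if command -v mdatp >/dev/null 2>&1; then
    HEALTH=$(mdatp health)
else
    HEALTH=$SAMPLE_HEALTH      # offline run: use the constructed sample
fi
STATUS=$(rtp_status "$HEALTH")
echo "real-time protection: $STATUS"
if [ "$STATUS" != ON ]; then
    echo "remediation: write this to $MANAGED_JSON, then run 'mdatp health' again:"
    rtp_managed_config
fi
```

After writing the managed file, re-run the script; it should report ON only when real_time_protection_enabled is true and passive_mode_enabled is false.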

The other option can be Azure RunCommand (via Azure DevOps / Azure Automation / Azure Function):

# Azure DevOps pipeline step; $(VM), $(ResourceGroupName) and $(System.DefaultWorkingDirectory) are pipeline macros expanded before the script runs
$vm = "$(VM)"
Write-Host $vm
# Note: for a Linux VM the CommandId is "RunShellScript" ("RunPowerShellScript" targets Windows); xxx.ps1 is a placeholder for your own script
Invoke-AzVmRunCommand -ResourceGroupName "$(ResourceGroupName)" -VMName $vm -CommandId "RunPowerShellScript" -ScriptPath "$(System.DefaultWorkingDirectory)\_project\scripts\xxx.ps1"

Or, looking ahead, manage it at scale by using Azure Policy Guest Configuration:

https://cloudbrothers.info/en/azure-persistence-azure-policy-guest-configuration/

Unfortunately, I was not able to find a ready-to-use policy. So we need to write our own (How to install the machine configuration authoring module – Azure Automanage | Microsoft Learn), which can be not so easy, but stay tuned…