How to Install and Use Microsoft Defender in Linux


While many Linux users outside of the enterprise may not understand the point of Microsoft tools on Linux, those on the inside will understand that they can be invaluable. The ability to integrate with Active Directory and much of the Microsoft ecosystem that has taken over the workplace is huge for desktop Linux, and it can make your favorite distro a more viable OS in the workplace. One of the most important parts of the enterprise is security. This tutorial shows you how to install and use Microsoft Defender on Linux to make sure your IT department can scan your machine for threats.

How to Install Microsoft Defender in Linux

The installation steps for Microsoft Defender on Linux differ from distro to distro. Microsoft doesn't ship the package in the distributions' own repositories, so you have to add Microsoft's repository and its signing key, install any dependencies, and then install the package. Bear in mind that installing the package is only half the job: the agent also has to be onboarded to your organisation's Defender tenant (your IT department supplies the onboarding script) before it is licensed and reports anywhere.

RPM-Based Distros

You'll need yum-utils (dnf-utils on Fedora) installed first so that yum-config-manager is available to add the repo:


Microsoft publishes a repository definition for each supported distro and version on packages.microsoft.com, under config/<distro>/<version>/, as a .repo file for RPM systems or a .list file for Debian/Ubuntu, with prod, insiders-fast and insiders-slow channels. The basic syntax is as follows:

You can browse the config directory on packages.microsoft.com to see what's available. I'm going to use prod.repo for the sake of consistency, as every distro has prod.repo or prod.list available. So, for my Fedora system, that command will be the following:


For the CentOS system I’m using to model, the command would be the following:

I'm using the yum command because it's targeted at RHEL, CentOS, and Oracle Linux, but you could also use dnf. You'll also need to import Microsoft's GPG key (published at https://packages.microsoft.com/keys/microsoft.asc) so that the package signatures can be verified, using the following command:


Run a quick update:

After that, you should be able to just install the package. The name is mdatp, short for Microsoft Defender Advanced Threat Protection, the product's former name; it has since been renamed Microsoft Defender for Endpoint, but the package and the command-line tool keep the old name.


Debian/Ubuntu Systems

You'll need a few additional packages first (curl, gpg, apt-transport-https and libplist-utils):

Then you can follow basically the same process: drop the prod.list file into /etc/apt/sources.list.d/, import Microsoft's GPG key, refresh the package index, and install mdatp.
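The whole procedure above, for both package families, as one added example script. This is my arrangement, not the article's commands or Microsoft's installer; the repository and key URLs are the ones Microsoft publishes, while the onboarding script name and the mdatp health field names are assumptions taken from the product's own tooling. It writes the .repo file directly rather than going through yum-config-manager, so yum-utils is not required. Run it as root with the family, distro and version as arguments; with no arguments it only defines the helpers.

```shell
#!/bin/sh
# Added example, not the article's or Microsoft's code: install mdatp from
# packages.microsoft.com on an RPM- or Debian-family host. Run as root, e.g.
#   sh install-mdatp.sh rpm rhel 8      or      sh install-mdatp.sh deb ubuntu 20.04
# With no arguments nothing is installed; the helper functions are still defined.

MS_KEY_URL="https://packages.microsoft.com/keys/microsoft.asc"

# Repository definition URL for a distro/version. "prod" is the channel the
# article uses; insiders-fast and insiders-slow are the other published channels.
ms_repo_url() {
    distro="$1"; version="$2"; channel="${3:-prod}"
    case "$distro" in
        ubuntu|debian) ext=list ;;   # apt sources list
        *)             ext=repo ;;   # yum/dnf .repo file
    esac
    printf 'https://packages.microsoft.com/config/%s/%s/%s.%s\n' "$distro" "$version" "$channel" "$ext"
}

# Package family from /etc/os-release text, passed as a string so it can be
# checked offline: prints deb, rpm or unknown.
pkg_family() {
    id=$(printf '%s\n' "$1" | sed -n 's/^ID=//p' | tr -d '"')
    like=$(printf '%s\n' "$1" | sed -n 's/^ID_LIKE=//p' | tr -d '"')
    case " $id $like " in
        *" debian "*|*" ubuntu "*)               echo deb ;;
        *" rhel "*|*" fedora "*|*" centos "*)    echo rpm ;;
        *)                                       echo unknown ;;
    esac
}

install_rpm() {   # $1 = rhel|centos|fedora, $2 = major version
    pkg=$(command -v dnf || command -v yum)
    # Writing the .repo file directly does the same job as yum-config-manager
    # --add-repo, without needing yum-utils/dnf-utils installed.
    curl -fsSL "$(ms_repo_url "$1" "$2")" -o /etc/yum.repos.d/microsoft-prod.repo
    rpm --import "$MS_KEY_URL"          # trust Microsoft's package signing key
    "$pkg" makecache && "$pkg" install -y mdatp
}

install_deb() {   # $1 = ubuntu|debian, $2 = release, e.g. 20.04 or 10
    apt-get update
    apt-get install -y curl gpg apt-transport-https libplist-utils   # mdatp's prerequisites
    curl -fsSL "$(ms_repo_url "$1" "$2")" -o /etc/apt/sources.list.d/microsoft-prod.list
    # A dearmored key in trusted.gpg.d is honoured by apt without editing the
    # list file (apt-key is deprecated on current releases).
    curl -fsSL "$MS_KEY_URL" | gpg --batch --yes --dearmor -o /etc/apt/trusted.gpg.d/microsoft-prod.gpg
    apt-get update && apt-get install -y mdatp
}

# The agent is only licensed once it has been onboarded with the tenant's
# onboarding package (a Python script from the Defender portal, not on this
# page; its name is assumed here to be MicrosoftDefenderATPOnboardingLinuxServer.py).
verify_install() {
    if [ -f MicrosoftDefenderATPOnboardingLinuxServer.py ]; then
        python3 MicrosoftDefenderATPOnboardingLinuxServer.py
    fi
    mdatp health --field licensed   # true once onboarding has completed
    mdatp health --field healthy
}

case "${1:-}" in
    rpm) install_rpm "$2" "$3" && verify_install ;;
    deb) install_deb "$2" "$3" && verify_install ;;
esac
```

If mdatp health reports licensed as false after installation, the package is fine but the onboarding step was skipped; nothing will reach the portal until it is run.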

Using Microsoft Defender on Linux

Running Scans

One of the main things that you probably want to do is scan your system for threats. To start a full scan, open the terminal and type the following command; it prints progress and a summary when it finishes:

This scans every file the agent has access to (329,812 in my case) and reports any threats it recognises. You can also run quick or custom scans. A custom scan takes a directory or file path, and it can optionally ignore the exclusions you've set previously, which is the way to check what an excluded path actually contains. With an exclusion in place, as covered below, you could run a scan like this:
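A clean scan only means something if the engine actually detects things, so the check I'd add at this point is a custom scan over a directory holding the EICAR test string, which every antivirus engine recognises and which is harmless. This is an added example, not the article's code; the wording of the summary line that the threat count is parsed from is an assumption about mdatp's output, and the script should be run as root.

```shell
#!/bin/sh
# Added example, not the article's code: check that mdatp actually detects
# something before trusting a clean scan. Uses the EICAR test string, which
# every AV engine recognises and which is harmless. Usage:
#   sh scan-check.sh check        (EICAR detection via a custom scan)
#   sh scan-check.sh quick|full   (the other two scan types)

EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# Write the 68-byte EICAR string to $1 (no trailing newline) and print the path.
write_eicar() {
    printf '%s' "$EICAR" > "$1" && printf '%s\n' "$1"
}

# Run a custom scan over $1 and print the number of threats it reported.
# Assumption: the summary ends with a line like "1 threat(s) detected"; if
# your mdatp version words it differently, adjust the sed pattern.
scan_threats() {
    mdatp scan custom --path "$1" | sed -n 's/^[[:space:]]*\([0-9][0-9]*\) threat(s) detected.*/\1/p'
}

check_detection() {
    dir=$(mktemp -d)
    write_eicar "$dir/eicar.com" > /dev/null
    mdatp definitions update                  # signatures, not the package, drive detection
    n=$(scan_threats "$dir")
    echo "threats reported for $dir: ${n:-unknown}"
    mdatp threat list                         # what was found and what was done with it
    rm -rf "$dir"                             # the file itself is usually quarantined by now
}

case "${1:-}" in
    check) check_detection ;;
    quick) mdatp scan quick ;;
    full)  mdatp scan full ;;
esac
```

If the threat count comes back empty, look at the raw scan output before assuming the engine missed the file; the likelier cause is that the summary line is worded differently from what the sed pattern expects.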

Updating Signatures

Virus signatures (definitions) are separate from the package. The agent downloads new definitions on its own, and you can force an update with mdatp definitions update; mdatp health shows the definitions version and when they were last refreshed. Updating the mdatp package itself with yum or apt, like any other package, updates the engine and agent, not the signatures.

Setting Exclusions

To keep files that are known to be good from being reported, you can create exclusions in a few ways. To exclude a file type, you can use a command like the following:

This puts every .png file on the exclusion list. I wouldn't recommend excluding a whole extension, since an attacker only has to rename a payload to match it, but if you have a particular file type that you create that you know will never need to be scanned, you can use that command to do it.

To create an exclusion for a directory, you can use a very similar command:

Now, whatever directory you just told mdatp to exclude won't be scanned, by on-demand scans or by real-time protection. This is helpful if you have security testing tools on your system, as those contain exploit code and test payloads that trip antivirus software. Remember that an excluded directory is a blind spot: keep the list short, review it with the exclusion list command, and use a custom scan with the ignore-exclusions option when you want to see what is actually in there.
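The exclusion behaviour described above, demonstrated end to end as an added example (mine, not the article's): exclude a tools directory, confirm that a normal custom scan skips the EICAR file planted inside it, then show that the same scan with --ignore-exclusions still finds it. The summary-line wording that the threat count is parsed from is an assumption about mdatp's output; the path prefix check mirrors how a folder exclusion applies and is there to show the /opt/sectools versus /opt/sectools2 pitfall. Run as root.

```shell
#!/bin/sh
# Added example, not the article's code: exclude a tools directory, confirm the
# exclusion is honoured, then show that --ignore-exclusions still sees inside it.
# Run as root: sh exclusion-demo.sh /opt/sectools

EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# Is $1 inside any of the excluded folders given as the remaining arguments?
# Folder exclusions apply by path prefix; matching on "<folder>/" keeps
# /opt/sectools from also covering /opt/sectools2.
under_exclusion() {
    p="$1"; shift
    for ex in "$@"; do
        case "$p" in "${ex%/}"/*) return 0 ;; esac
    done
    return 1
}

# Threat count from a custom scan of $1; $2 may be --ignore-exclusions.
# Assumption: mdatp prints a summary line of the form "N threat(s) detected".
scan_threats() {
    mdatp scan custom --path "$1" $2 | sed -n 's/^[[:space:]]*\([0-9][0-9]*\) threat(s) detected.*/\1/p'
}

demo_exclusion() {
    dir="$1"
    mkdir -p "$dir"
    mdatp exclusion folder add --path "$dir"
    mdatp exclusion list                                    # review what is now excluded
    printf '%s' "$EICAR" > "$dir/eicar.com"
    if under_exclusion "$dir/eicar.com" "$dir"; then
        echo "$dir/eicar.com sits under an excluded folder, so a normal scan will skip it"
    fi
    n=$(scan_threats "$dir")
    echo "normal custom scan:       ${n:-?} threat(s)   (expected 0: exclusion honoured)"
    n=$(scan_threats "$dir" --ignore-exclusions)
    echo "with --ignore-exclusions: ${n:-?} threat(s)   (expected 1: the file is still there)"
    mdatp exclusion folder remove --path "$dir"             # undo the demo exclusion
    rm -f "$dir/eicar.com"
}

case "${1:-}" in
    "") ;;                                                  # no path given: define helpers only
    *)  demo_exclusion "$1" ;;
esac
```

The second scan is the one worth scheduling occasionally: it tells you what your exclusions are hiding without having to remove them.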

I hope you enjoyed this guide on installing and using Microsoft Defender on Linux. If you are not keen on using Microsoft Defender on Linux, check out some other antivirus software for Linux or learn how to scan for rootkits and viruses in Linux.


John Perkins

John is a young technical professional with a passion for educating users on the best ways to use their technology. He holds technical certifications covering topics ranging from computer hardware to cybersecurity to Linux system administration.

4 comments

  1. “One of the most important parts of the enterprise is security.”
    And that is why most of the world’s servers are running some kind of *nix O/S rather than Microsoft products. More and more enterprises are switching to *nix every day.

  2. Updated my mdatp on RHEL 7 and now it is seeing about 250,000 fewer files.
    Config and exclusion list seem identical.

    Any idea what else to check?
