Monday, April 25, 2022

Enhanced antimalware engine capabilities for Linux and macOS

We are announcing a significant upgrade to our next-generation protection on Linux and macOS with a new, enhanced engine – now available in public preview!

The Microsoft Defender Antivirus antimalware engine is a key component of next-generation protection. This protection brings together machine learning, big-data analysis, in-depth threat research, and the Microsoft cloud infrastructure to protect the devices (endpoints) in your organization.


The main benefits of this major update include performance and prevention improvements, as well as adding support for custom file indicators on macOS and Linux.


After the public preview phase, the new engine will be gradually rolled out to all devices as part of general availability.

IMPORTANT: Ensure you are applying regular updates. Soon after general availability, app/platform versions older than 101.56.62 (released in January 2022) will stop receiving security intelligence updates. Make sure to review the "Key changes to look out for" section below.


What to expect with this enhancement:

  • Better support for protection against known and unknown malware with client-side machine-learning models, heuristics, and correlation between static signals.
  • Enhanced cloud-delivered protection with support for metadata-based machine-learning models, file classifications and reputation-based machine-learning models, and more.
  • Emergency security intelligence updates are now available through cloud-delivered protection that can help protect against malware outbreaks.
  • Better support for false positive and false negative prevention.
  • IMPORTANT: Threat naming and definition version nomenclature will change for the purpose of consistency across all platforms and aligning to our overall naming conventions. For more information about how Microsoft names malware, see: Malware names | Microsoft Docs.
  • Reduced memory and CPU footprints
  • Improved behavior monitoring with lower resource consumption, now available to all customers on Linux as a configurable component (when enabled).
  • Memory scanning, providing better coverage for fileless attacks (Linux).
  • Reduced overall package size and significantly reduced security intelligence update download sizes.
  • Custom file indicators are now available with the “audit”, “allow”, and “block & remediate” actions. The certificate indicator type will be added at a later date.


As a preview entry prerequisite, ensure the following requirements are fulfilled:

  1. Preview features must be enabled on your tenant. See Turn on preview features for more information.
  2. The device must be in the insiders-fast or insiders-slow channel on Linux, or in the Beta or Preview channel on macOS.
  3. If your organization has preview features enabled in your tenant, ensure that machines participating in these channels are always on the latest version so that they receive the latest fixes and improvements.
  4. The minimum Microsoft Defender for Endpoint version is 101.56.62; for down-level servers (RHEL 6.x and CentOS 6.x) it is 101.62.64.
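The following script is an added illustration, not part of the original announcement and not Microsoft's tooling. It checks a Linux host against the version and channel prerequisites above by parsing the output of `mdatp health`. The version floors (101.56.62, and 101.62.64 for RHEL 6.x / CentOS 6.x) come from this post; the sample output is constructed, and the `app_version`, `release_ring` and `healthy` field names together with the channel values `InsiderFast` / `InsiderSlow` are assumptions to verify against your own hosts.

```python
import re
from typing import Dict, List, Tuple

# Version floors stated in the announcement (app/platform version).
MIN_VERSION = (101, 56, 62)            # all supported distros and macOS
MIN_VERSION_DOWNLEVEL = (101, 62, 64)  # down-level servers: RHEL 6.x and CentOS 6.x
DOWNLEVEL_DISTROS = {("rhel", 6), ("centos", 6)}

# Assumption: Linux preview channels as reported by `mdatp health` (release_ring).
PREVIEW_RINGS = frozenset({"InsiderFast", "InsiderSlow"})

# Assumption: `mdatp health` prints one "key : value" pair per line,
# with string values double-quoted.
_HEALTH_LINE = re.compile(r"^\s*([A-Za-z_]\w*)\s*:\s*(.*?)\s*$")


def parse_health(text: str) -> Dict[str, str]:
    """Turn `mdatp health` output into a dict, stripping the quotes around strings."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _HEALTH_LINE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip('"')
    return fields


def parse_version(version: str) -> Tuple[int, ...]:
    """'101.62.74' -> (101, 62, 74); tuples compare component-wise."""
    return tuple(int(part) for part in version.split("."))


def required_version(distro_id: str, distro_major: int) -> Tuple[int, ...]:
    """Pick the floor for this distro; RHEL 6 / CentOS 6 need the higher one."""
    if (distro_id.lower(), distro_major) in DOWNLEVEL_DISTROS:
        return MIN_VERSION_DOWNLEVEL
    return MIN_VERSION


def check_readiness(health_text: str, distro_id: str, distro_major: int) -> List[str]:
    """Return a list of blocking problems; an empty list means the host qualifies."""
    fields = parse_health(health_text)
    problems: List[str] = []

    floor = required_version(distro_id, distro_major)
    app_version = fields.get("app_version")
    if not app_version:
        problems.append("app_version missing from mdatp health output")
    elif parse_version(app_version) < floor:
        problems.append(
            f"app_version {app_version} is older than required "
            f"{'.'.join(map(str, floor))}"
        )

    ring = fields.get("release_ring")
    if ring not in PREVIEW_RINGS:
        problems.append(f"release_ring {ring!r} is not insiders-fast or insiders-slow")

    if fields.get("healthy") != "true":
        problems.append("agent does not report healthy = true")
    return problems


# Constructed sample output (not captured from a real host); the engine and
# definitions versions reuse the example values quoted in the announcement.
SAMPLE_HEALTH_PREVIEW = """\
healthy                                     : true
licensed                                    : true
engine_version                              : "1.1.18900.3"
app_version                                 : "101.62.74"
release_ring                                : "InsiderFast"
definitions_version                         : "1.355.2459.0"
"""

SAMPLE_HEALTH_STALE = """\
healthy                                     : true
licensed                                    : true
app_version                                 : "101.56.10"
release_ring                                : "Production"
"""


if __name__ == "__main__":
    samples = (("preview host", SAMPLE_HEALTH_PREVIEW), ("stale host", SAMPLE_HEALTH_STALE))
    for label, text in samples:
        for distro_id, major in (("ubuntu", 20), ("centos", 6)):
            problems = check_readiness(text, distro_id, major)
            status = "OK" if not problems else "; ".join(problems)
            print(f"{label} on {distro_id} {major}: {status}")
```

On a real host, pipe the live output in (`mdatp health | python3 check.py`, after replacing the constructed samples with `sys.stdin.read()`), and take the distro identity from `/etc/os-release`. Tenant-level preview enablement cannot be checked from the endpoint and still has to be confirmed in the portal.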


Key changes to look out for

Custom file indicators

A key feature of the new antimalware engine is support for custom file indicators. You may already have experience with custom file indicators on Windows; the existing three indicator response actions, “allow,” “alert only,” and “alert and block,” are now supported on macOS and Linux as well.


Note that the “warn” and “block” response actions are currently not supported for Linux and macOS; this is indicated visually in the Microsoft 365 Defender portal. In addition, if you previously created non-scoped custom file indicators (targeted to all devices) in your environment, those indicators will also start applying to any device running the new antimalware engine.


Threat nomenclature

Threat / malware names are changing to ensure consistency with the standard naming scheme followed across all platforms, including Windows. This is part of the effort to align our nomenclature across all platforms and standardize the naming mechanism.


Threat names will now follow this format (previous engine syntax on the left, new engine syntax on the right):

<Category>.<Platform>.<Family>.<Variant> ---> [Threat Type]:[Platform]/[Malware Family].[Variant]?![Suffixes]?



[Table: previous engine syntax vs. new engine syntax; the example rows are not preserved in this copy.]
Microsoft Defender for Endpoint threat list output


Some examples of the updated threat names as displayed on the command line:

[Screenshot: a detected Linux threat with the new naming convention]


[Screenshot: a detected Trojan with the new threat naming convention]


User Interface (macOS)

The following screenshot shows that alerts use the updated threat names in the user interface:


[Screenshot: macOS UI showing the new threat name]


Microsoft 365 Defender portal

Alerts will use the updated threat names in the Microsoft 365 Defender portal.

For example:

[Screenshot: an alert in the portal with the new naming convention]


[Screenshot: a second alert example in the portal with the new naming convention]


Version numbers

The ‘Security intelligence version’ shown under the About tab and under Virus and threat protection updates in the macOS Microsoft Defender interface, and in the Linux command line output, now uses a different version numbering scheme.

Security intelligence (definitions) version example: 1.355.2459.0

Engine version example: 1.1.18900.3


[Comparison: old vs. new version name display]


[Comparison: old vs. new client version name in the macOS UI]



[Comparison: old vs. new engine version name on the Linux agent]


Exceptions / Rules configured based on threat names

With the previous engine, rules created with the “mdatp threat allowed” command to allow threats by threat family name will not take effect under the new engine. New rules must be created with the corresponding new threat family names. For example, in the case of EICAR threats:


[Screenshot: threat exclusion command changes]


IMPORTANT: Action might be needed
Threat exclusions defined using the old naming convention must be updated. If you have scheduled queries that match on the threat name, revise them as well.

Note: Besides setting exclusions for files that are no longer covered by an allowed-threat configuration, you can now also use custom file indicators with the “Allow” action type as a mitigation.
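As an added example (not from the original post and not Microsoft's tooling), the following Python parses names in the new engine's format shown under “Threat nomenclature” and turns a list of old-engine allow rules into the `mdatp threat allowed add --name` commands that re-create them under the new names. The rule list and the old-to-new mapping are constructed samples: `Virus:DOS/EICAR_Test_File` is Microsoft's canonical name for the EICAR test file, while the old-engine EICAR name and the `SampleFamily` names are assumptions to verify against your own `mdatp threat allowed list` and `mdatp threat list` output.

```python
import re
import shlex
from typing import Dict, List, NamedTuple, Optional, Sequence, Tuple

# New-engine grammar from the announcement:
#   [Threat Type]:[Platform]/[Malware Family].[Variant]?![Suffixes]?
# Variant and suffixes are optional. The old engine used dotted names
# (<Category>.<Platform>.<Family>.<Variant>) with no ':' or '/', so they fail here.
_NEW_NAME = re.compile(
    r"^(?P<threat_type>[^:/.!]+):(?P<platform>[^:/.!]+)/(?P<family>[^:/.!]+)"
    r"(?:\.(?P<variant>[^!]+))?(?:!(?P<suffixes>.+))?$"
)


class ThreatName(NamedTuple):
    threat_type: str
    platform: str
    family: str
    variant: Optional[str]
    suffixes: Optional[str]


def parse_threat_name(name: str) -> ThreatName:
    """Split a new-engine threat name into its components; reject anything else."""
    m = _NEW_NAME.match(name.strip())
    if m is None:
        raise ValueError(f"not a new-engine threat name: {name!r}")
    return ThreatName(**m.groupdict())


def is_new_format(name: str) -> bool:
    return _NEW_NAME.match(name.strip()) is not None


def family_key(name: str) -> str:
    """Type:Platform/Family without variant or suffix, e.g. for grouping in queries."""
    t = parse_threat_name(name)
    return f"{t.threat_type}:{t.platform}/{t.family}"


def plan_allowed_rule_migration(
    current_rules: Sequence[str], mapping: Dict[str, str]
) -> Tuple[List[str], List[str]]:
    """Return (commands to run, old names still lacking a mapping).

    Old-engine names are not honoured by the new engine, so each one with a known
    new-engine counterpart becomes an `mdatp threat allowed add` command.
    """
    commands: List[str] = []
    unmapped: List[str] = []
    for old in current_rules:
        if is_new_format(old):
            continue  # already a new-engine name; nothing to recreate
        new = mapping.get(old)
        if new is None:
            unmapped.append(old)
            continue
        parse_threat_name(new)  # fail fast on a malformed target name
        commands.append(f"mdatp threat allowed add --name {shlex.quote(new)}")
    return commands, unmapped


# Constructed sample: names as they might appear in `mdatp threat allowed list`.
CURRENT_RULES = [
    "EICAR-Test-File (not a virus)",   # assumed old-engine EICAR name; verify locally
    "Trojan.Linux.SampleFamily.A",     # constructed old-style name
    "Virus:DOS/EICAR_Test_File",       # already in the new format
]

# Old -> new mapping, filled in by the admin from the new engine's `mdatp threat list`.
MAPPING = {
    "EICAR-Test-File (not a virus)": "Virus:DOS/EICAR_Test_File",
    "Trojan.Linux.SampleFamily.A": "Trojan:Linux/SampleFamily.A",
}


if __name__ == "__main__":
    print(parse_threat_name("Trojan:Linux/SampleFamily.A!MTB"))
    commands, unmapped = plan_allowed_rule_migration(CURRENT_RULES, MAPPING)
    print("\n".join(commands))
    if unmapped:
        print("needs manual mapping:", unmapped)
```

The mapping is deliberately explicit rather than derived by string rewriting: family names are not guaranteed to carry over one-to-one between engines, so the safe procedure is to let the new engine detect the sample once, read the new name from `mdatp threat list`, and only then add the allow rule. `family_key` is useful when revising scheduled queries that previously matched on the dotted old-style family name.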


We welcome your feedback and look forward to hearing from you! You can submit feedback through the Microsoft 365 security center.
