Very nature of this kind of software. Over years I have never seen a proper antivirus software work without coming on my way. Of course I have not used all of them but only the most popular ones. Locking files, 100 percent cpu usage, false positives are some known issues. In the last 5-6 years I have never seen it correctly report a threat, but that is just for me. I am sure it is working fine for some.
We use BitDefender, and it once deleted the main .exe of an internal website (after several months of no issues with the same exe) mid-day. It also flagged that exe and made it nearly impossible to restore, even with the quarantine feature.
> Very nature of this kind of software. Over years I have never seen a proper antivirus software work without coming on my way. Of course I have not used all of them but only the most popular ones. Locking files, 100 percent cpu usage, false positives are some known issues. In the last 5-6 years I have never seen it correctly report a threat, but that is just for me. I am sure it is working fine for some.
We use https://www.crowdstrike.com/ and never had any issues so far. Very low CPU usage, no false positives. Not sure if it actually does anything ;).
Trend Micro is really good, we had to use it and i was quite impressed on Linux and Windows (for a Antivirus), for the MS-Antivirus, just disable 'Automatic sample submission'
EDIT: But to be honest, Antivirus is just Old-school protection, it never detected anything outside 'already known viruses', Snort/Suricata on the other hand detected quite often that something is going on.
EDIT2: With "quite impressed" i mean, the performance was not much worse
Snort/Suricata (and other IDS solutions) also depends on signatures/patterns. It's not different in that sense - you still need to define what to look for.
Yes but not file based signatures, the big difference are Network behavior analysis and Anomaly detection...and the biggest plus, its not on the device that is under attack/infected.
>It's not different in that sense - you still need to define what to look for.
Absolutely correct, i said nothing else, just that i found much more this way than with a locally installed Antivirus, there is just one measurement for a real secure connected computer..that is cable out ;)
They pretty much all do that if you want the full functionality. They’ll tell you if you disable that that you’re little better than having no product at all.
Being able to submit samples and have them verified as known good or bad seems like a fantastic thing, especially when the default is reputation-based and not based on the code signing itself.
I mean, you don't have to if you don't want to. Disable automatic uploads, and don't upload them yourself. There, your problem is solved.
Those that want to contribute their samples in order to have them white/blacklisted can, but just because a feature is there doesn't mean somebody is forcing you to do it, nor that it's inherently bad because you're willingly uploading files to a 3rd party.
How, exactly, would you expect AV/security companies to be able to analyze samples that are actually relevant to their customers if they're not submitted? They would never be able to find nearly as much malware on their own.
As far as I know, it's a corporate tier of the Defender only available to corporate volume license customers.
I guess it's similar to the way many vendors have a "EDR" version of the malware protection as opposed to the consumer version, which often reserve Linux protection for the former.
Yes, AT in itself is going to be shelf-ware soon. The data collected from Defender is much more useful in some of their other offerings such as in their newer SIEM.
Why acquire Canonical when they can just create a Redmond Linux distro and cherry-pick the best aspects of RHEL, Debian, or Gentoo -- or just plain fork something out there now and add the option of Microsoft corporate support for any manager wanting to buy a throat to choke in case there's a production hiccup?
Or better yet: a Windows-like or Windows-compatible desktop that can run on any number of systems (and maybe corporate support is available for Debian, CentOS)? Let's not forget that the co-founder of Gnome has been working for Microsoft since 2016.
I can see only one scenario where it makes sense for Microsoft to buy Canonical: to prevent Amazon or Google from acquiring them and doing something anti-competitive (or as much as can be done legally in that respect) and making life difficult for customers using Ubuntu on Azure.
The comparison of relevance is Github. Microsoft was using Github so much already that the prospect of someone else buying them was an issue (not to mention the joke that buying Github was cheaper than paying for Microsoft's growing use of the platform). In practice, has Microsoft done anything to Github that has limited them in any way? The biggest change is that Github has a super-rich benefactor and they can offer free accounts to everyone now... and their budget for hiring/retaining top talent has been boosted as well.
Microsoft has more than enough money to do the same with Canonical and if they do I think it will largely be a matter of making sure Canonical doesn't need to worry about finances anymore and can hire whomever they need to build and deliver features. And yes, it's possible that Azure Linux applications might be available on Ubuntu first but extending and extinguishing Ubuntu would be massively opposed to making money on Azure -- I don't see Microsoft doing that.
An open source antivirus program is a bit oxymoronic. Sure, people can contribute new means of stopping more attacks, but it also shows attackers exactly how to evade it. So you'd be losing more than you'd gain in that situation.
Security through obscurity (or security by obscurity) is the reliance in security engineering on design or implementation secrecy as the main method of providing security to a system or component. Security experts have rejected this view as far back as 1851, and advise that obscurity should never be the only security mechanism.
I'm at a loss trying to capture the absurdity of this, but I'll try..
Smith finally escaped Oceania and made a nice home for himself in a free land with free peoples. One day agents from Oceania show up at his door. "No hard feelings bud. In fact we brought a gift. We think it will help you. We want to install these little black boxes all throughout your home."
Smith is all ... "ok".
It's probably more "Our customers have policies/certifications requiring they have antivirus software everywhere, even if that's stupid. We could tell those customers that we can't offer a solution and they'll go somewhere else. Or we could make the thing they 'need' and get their business". Not very absurd at all.
Fun fact that doesn't actually pass on pci-dss1 audit. You need a commercial antivirus with active subscription and centralized monitoring of that.
Also I'm guessing it's easier for admins of mixed infra to have a single threat definition (ie. So your storage server catches the same threats as your endpoints)
It's not necessarily ignorance, but also risk management. Who is the CIO to say that Linux is exempted from that condition? He'd need a stack of evidence that it's not commonly affected, which would need to be kept up to date .
A CSO/CISO should be aware of what the threats to their environment are. Otherwise how can they effectively mitigate the risk? They should rely upon SMEs who can keep them abreast of changes in threat models.
As I understand it, Microsoft Defender may not be open source, so you have to trust that what you're running really is Microsoft Defender and that it's behaving correctly.
Given that, a possible upside with ClamAV could be that you could verify the behaviour of the processes on the installed systems, to make sure you're up-to-date and have the correct software and signatures installed.
That's not unreasonable - Microsoft's software delivery pipeline should be trustworthy and their security reputation could be damaged if an issue were discovered here.
> Microsoft Defender may not be open source, so you have to trust that what you're running really is Microsoft Defender and that it's behaving correctly.
That’s true of everything installed on a system - if you don’t control the software you’re running, Defender is the least of your worries. Unless you’re doing a full analysis of every binary you’re trusting the source.
God I wish - central management and logging is mandatory under all of these compliance regimes.
We’re in the middle of adopting HiTrust and I’ve been forced to install Cisco AMP on all of my servers. The product is absolute garbage and frequently eats up all available RAM, causing itself to crash and leave a core dump filling up my root partition.
The worst part? AMP on Linux is literally ClamAV plus a kernel module to monitor file access, network connections and process creation.
We've deployed AMP across our RHEL environment, and experienced the exact issues you've described. Cisco's general remediation is to increase the exclusion policy til the core dumps stop occurring. On some systems, AMP is barely monitoring any filesystems...
I've experienced this at one workplace, and I had to install some anti-virus software on my Linux workstation. But it already existed. (It may have even been open source.) I'm not sure how it helps Microsoft to also introduce a product for this.
> I'm not sure how it helps Microsoft to also introduce a product for this.
People don't give Microsoft money for a product that's not by Microsoft. If Microsoft offers one, and can even claim that they cover all platforms with one overarching offering, companies pay them for it.
You may not want a product like this on Linux. But if you do business in the DoD supply chain, even way down the chain, then you will be required to do so.
I work at a similar cybersecurity company and I can almost guarantee this is the case. Company policy will be to put an AV on everything, and the CSO/procurement always prefer a one size fits all solution so they only have to deal with one vendor. How well it works on Linux is secondary to the fact that it makes it easy for them to hit all the checkboxes in compliance reports.
This is absolutely the reality. Spot on mate. I am one of those people ensuring compliance. Even though it doesn't matter, I guess it's a compliance thing. For some businesses GRC matters!
In my experience, Trend Micro's antivirus is bullshit not only on Windows but also on Linux. I'm happy if MS Defender for Linux is available and corp adopted it.
The Linux ecoystem has consistently p it their fingers in their ears and stop informing the very real and long outstanding problems of malware and apts
What about it? Are those applicable to my reply at all?so worst case scenario Microsoft took the scamiest approach to it possible but it still defeats something. Vs no protection at all because Linux users blatantly ignore apts
Those are the options. Head completely in sand or get some sand in your eyes
Had to double check if we were reading the same post. This isn't meant for home users. It costs a lot of money and is targeting enterprise users. Defender ATP is like Carbonblack or Crowdstrike falcon which support windows and Linux. MS finally supports Linux to compete better. It's a great product but you need E5 license for it.
Defender ATP is closer to an EDR tool, which means it's designed for detection and response teams, not individual users. It'll take more a reporting and contextualizing approach than an av that is typically blocking.
It's not an antivirus, it doesn't care about binary signatures. It looks attack patterns based on known attacker behavior.
A good linux example would be httpd starting netcat that connects to a remote port. Or firefox spawning a bash shell. For windows a simple example would be when an office app starts wscript or powershell and that child process schedules taks, wmi, downloads a payload,etc... Those are simple examples but they track more complex attack scenarios, for cloud hosted solutions like defender atp and crowdstrike they also collect everything that happens on every device of every customer, so if they find new malware or an attacker with a certain TTP on one device, they will deploy rules to catch that for all their customers.
Not own, but assimilate. Own the attention. GPL will have new perspectives after this is over with. For those of you who don't use Windows, try to uninstall the AV on windows 10. MSFT AV uses about 400 mb of ram on my Lenovo Flex 11 running windows 10. A bit of memory can be saved if you open admin powershell and run "Set-MpPreference -DisableRealtimeMonitoring 1"
Whilst I've never been a Microsoft user, it's refreshing to see these moves. For decades they've been an opponent of anything being OSS, let alone running on OSS. While the move isn't for everyone (heck, not me) it's still a very positive step, pretty much in line with Nadella's underlying strategy vis-a-vis Microsoft's newfound growth.
Security mandates such as PCI mandate running anti-virus and friends on a per host basis. They demand a 24-hour event review, FIM, etc. If tools like this come to Linux, it'll make it significantly easier for many organizations to start complying with these mandates. To be clear - these organizations already take security at best as a suggestion - these tools help reduce the barrier to entry so that at least the basics can be addressed.
I'd imagine that well over 95% of Linux users would never run Microsoft tools on Linux. At the same time, for those Windows shops that are experimenting with Linux, or need to support a few workloads, can't afford the dedicated expertise (yet) this is definitely a step forward to help them.
> If tools like this come to Linux, it'll make it significantly easier for many organizations to start complying with these mandates.
You said a lot more than you probably intended. Microsoft created the Microsoft-loving, Linux-hating trade press in the 90's. Consultancies fell into line, and started pushing the theory to uncritical IT management that if you had a computer connected to the corporate network, it had to run a virus scanner. Period; full stop. Regardless of operating system.
I've never met anyone in corporate IT who actually does the math, and determines whether a particular threat vector is worth the cost of the preventative measure. The philosophy in the 3 Fortune 250's I've worked for has been: if it exists, it must be purchased/used/applied. In the 90's, yes, every WINDOWS computer connected to the corporate network needed the corporate AV running on it. Linux? Mac? Not so much. Even if they managed to get compromised, the chance that they would infect a neighboring computer were very small. These odds didn't justify the expense or the hassle of needing them to slaved into the corporate AV solution, no matter how much Microsoft diverted attention away from the very special problem that Windows has always posed from a security standpoint, how much they paid the trade press to paper over it, and how much they partnered with consultancies to push that line. They didn't care about the mainframe, did they? They didn't care about the Unix workstations, either. But Linux? It was the devil.
We have come full circle. Microsoft is trying their hardest to astroturf the message that WSL enables a lot of development workflows for which Windows has been a poor choice of late, and this requires them to "love Linux." So now Microsoft MUST release their Defender product for Linux, in order to be taken seriously BY THE VERY CULTURE THEY CREATED. As a guy who run Linux on the desktop for 19 years, and got my corporate IT (in the 90's) to consider Linux all the way to the point of them looking into a virus scanner for it (finding that Symantec didn't support it, and dropping the idea), the irony here is both delicious and sickening at the same time.
As I keep saying, I'll believe Microsoft "loves" Linux they day they create Office and an AD client for it.
I wonder how much work would have to go into porting Office to Linux. My first thought is that since they've had it on MacOS for years now, it (hopefully) uses some portable UNIX libraries, but who knows. Linux still has a pretty small desktop market, and those who are on Linux are already used to (Libre|Open)Office or GoogleDocs. I'd like if Office came to Linux for the purposes of getting more people to potentially switch, but I don't know if it would be worth while for them financially.
Adobe too. Man would it be fantastic to see Adobe add support. Same thought pops in my head: they're already running on UNIX, how much would be required to port to Linux? Probably more than I expect.
Porting? Who talked about porting? Why do you (and they) voluntarily ignore 20+ years of Wine?
99% of the (few) Windows programs I still routinely use work perfectly fine under Wine. I can even run my old Windows 3.1 (16 bit) stuff on 64 bit Ubuntu, which I couldn't run on Windows 10. Heck when I was a Linux newbie, I was amazed to find Windows programs that didn't support Windows XP links were nicely following Ext symlinks!
Office doesn't play nice on Wine? Seriously, if Valve can get stuff working on Proton that requires DRM, DirectX etc. it doesn't look like fixing existing issues to make Office work 100% under Wine is beyond reach for Microsoft. Heck, we're talking about the same corporation capable of giving us the WSL!
Recently, I was using Mikrotik Winbox for the first time under Ubuntu. I was shocked how easy it was to make it run (apt install wine-stable, wine winbox.exe) and how well it worked.
> Porting? Who talked about porting? Why do you (and they) voluntarily ignore 20+ years of Wine?
Indeed. I was happily using Codeweaver's Crossover product to run Office 2000 (on RedHat 6.2 with Ximian Desktop, IIC) before Microsoft realized this loophole produced a flawless experience, and then changed the binaries to purposely frustrate this solution going forward. Nothing every worked quite right after that. Eventually, Evolution had a usable Exchange integration, and OpenOffice wasn't completely useless, so I simply stopped caring.
Endpoint protection- aka enterprise antivirus / hacking- has become a very big market over the past few years, And linux is a massive player in the server and cloud space. They would be fools to ignore it, no other conspiracy needed.
> As I keep saying, I'll believe Microsoft "loves" Linux they day they create Office and an AD client for it.
Exactly. Everything else is just a marketing gimmick. They don't even support interoperability between OOXML, thus crippling every other "enterprisey" user who might want to have usable content/data between their co-workers who might be using Windows
- paint the picture that "MS <3 linux! Techbros, dont'cha see! Yeah!"
- thus counter the "Hard for Ubuntu/Fedora/Linux users to use MS Apps!" argument by going "Know what, Ubuntu is within Windoze! No need to dual boot now! Wow! Such advancement!" and find a way to safeguard and maximize license/OS-aaS revenue
- no need to ever invest in interoperability for OOXML and such defined standards (this is a great lesson they have learnt from the LDAP-MSAD story)
- no need to bother much the "situation" of dual-boot - now there's a better way, by saying, "you could run Linux within, with full native suppirt, and no need to go out-of-band from your corporate security and compliance baselines! So much win, ya'see!"
Look beyond the gimmicks, and one could see it's just the same objective - just a different approach now.
Not just "Windows on every desktop" but rather, "all data-processings units in the world to directly be leading in one way or other to cause some kida revenue flow for MS"
I mean, they are in the middle of rewriting Office to use react native, specifically for cross platform compatibility. And Teams already has a linux client.
Regarding AD clients, what are you looking for that's not well covered by LDAP clients and all the AAD connection capabilities built into Azure? AKS runs RBAC based on bindings to AAD. Certainly for any server workloads, AD integrations are well covered.
Perhaps the clarification Yu out need is, microsoft loves Linux on the server. They don't particularly care about linux on the desktop.
> As I keep saying, I'll believe Microsoft "loves" Linux they day they create Office and an AD client for it.
Microsoft is a company, suggesting a company "Loves" anything is a misnomer. I say this because I sort of disagree here, but only kind-of.
Microsoft embraces ("Loves") the parts of Linux which are compatible with Microsoft's strategy. Linux on Azure is getting quite huge, it's the difference between Azure existing as a profitable business for Microsoft and Azure being a cost center. Microsoft does a fair amount to embrace Linux on the server, they support Docker, they do a lot of work with Node, and have a fair number of people onboard doing Linux specific stuff.
Linux AD & Office are only really important to desktop deployments and Microsoft has zero strategic interest in the Linux Desktop. If Microsoft were to port Office & AD to Linux Desktop, it would be an act of charity. If Microsoft is doing charity work, there are a lot of projects I'd like to see them invest in before AD and Office on Linux.
And interrupt their mostly nontechnical employees’ productivity to learn a new OS, for a negligible cost savings? Good luck getting that past a board of directors.
For Microsoft? Windows has been on decline in importance at Microsoft for some time.
For Windows? Nah, too many Fortune 500 businesses rely on software running on Windows for day to day operations. While it's hard to see from the consumer/ web/ developer side of the world, Win32 still dominates. Lots of vertical industry specific software which won't be replaced for quite some time.
MS is leaving a lot of deals on the table without offering a Linux Agent. They've been using other companies to fill the gap. It's not a good look when the sales guy has to recommend a tiny startup to cover your other platforms for ATP.
It's also worth noting that they encouraged startups to offer ATP support and then within a couple of years killed them by offering their own.
Most PCI audits don't require A/V on Linux/nix types systems. The majority of assessors don't ding you if you don't deploy, and the DSS standard is pretty clear:
5.1 Deploy anti-virus software on all systems commonly affected* by malicious software (particularly personal computers and servers).
Since the majority of *nix servers aren't commonly affected, there's no reason/requirement to deploy A/V. Now this doesn't mean your boss won't require it, "just to be sure."
you're a fool if you think Linux systems are not commonly affected. most compliance requirements do require you to have av on Linux too.
as someone in the security industry, my experience is that Linux servers are clearly more frequently affected than osx, and there are very few people left who would say osx doesn't have malware still.
just because a large compiled library of code doesn't exist and isn't commonly passed around doesn't mean it's malware free or even malware light.
compiled sttaic malware isn't common because it doesn't have to. rce is done on Linux systems an overwhelming majority of the time using native applications in the way they are meant to be used, just by the wrong people. (the attacker). the lack of quality security tool for the Linux environment is THE biggest concern mature security teams struggle with.
Linux is the most common internet facing os platform, and I'm here to tell you, if it's internet facing, it have threat actors targeting AND affecting it. the only reason Linux hasn't surpassed windows in how frequently is it the victim of malware/attacks is because of workstations.
Not a fool, just someone with over 20 years experience, who has gone through multiple PCI audits and never once met an assessor who thought it was required.
And if you're managing your servers properly, A/V is unnecessary; first there are few viruses and malware that affect *nix, second, if you can't control code deployment on your systems, you're in the wrong business.
None of our systems providing Internet services are directly connected; everything is proxied/firewalled etc.
If you're expecting ANY of the A/V solutions out there to protect your systems, whether they're Windows/Linux/MacOS, you're going to be sadly disappointed when you get rooted.
Microsoft is investing in cloud, and this is meant to help their cloud business. In essence, this initiative is about that, not happy people singing kumbaya.
I would not install this since it talks to Microsoft servers. I don't want "telemetry" sent to them.
Trying to bring the performance from Windows to Linux...love it ;)
EDIT: For the down-voter that was ironic, try copy lots of files from one Disk to another (in Windows) and during the copy-progress disable Defender...huge "performance" gain
Well, I downloaded the .deb file for MDATP, and right off the bat in the installation scripts, it's posting telemetry (literally, LogTelemetry in the scripts) to https://x.cp.wd.microsoft.com/api/report Then poking around in the giant .so and executable front end, you find a ton more.
What's it sending? Fucked if I know. I figured they couldn't help themselves, though.
I don't think people ITT understand what Defender ATP is supposed to be. It's not just an AV, but rather also has the ability to do threat protection across all your assets in the company.
It can analyze an attackers moves within your network, figuring out what files they accessed, ways they pivoted, and other stuff. So not only would it detect that you got compromised, but the display will show you likely paths, names of users that are also compromised, mitigation steps, deployed persistence measures, etc.
So for Defender ATP to work optimally in a deployment that leverages linux nodes, or has users using linux as their daily driver, you need to support linux.
fixed it -- the product claims say "It can analyze an attackers moves within your network, figuring out what files they accessed, ways they pivoted, and other stuff."
Your statement would have been valid a few years ago. But now all AV providers also offer what you are talking about. AV+EDR with advanced threat hunting UI. So when you say AV today you should really think the other stuff as well.
Thanks for the info. Yeah, I'm not up to speed on the latest in the defense world. Good to know. I just felt like I had to bring it up because (at the time of posting) people were exclusively discussing the merits of an AV on linux (which is debatable) vs the value of EDR in a corporate environment.
They provide it but often not in the same product capacity, a common structure would be Sophos & CarbonBlack - two separate products by different companies. Additionally they'd need a third product to cover the *nix estate.
Defender, in its current state, rolls all of the above into one at a relatively competitive price point. Additionally, it receives new detections built off all the telemetry they get as a result of Windows Defender existing on almost every Win10 OS on the planet.
This leveraging of data on such a scale is letting Microsoft quickly become the market leader for threat detection & response.
Feels ironic for Microsoft to announce security tools for Linux. Have always thought MS should turn Windows back into a window manager, not a fully-fledged OS, and use Linux as the base under the hood.
105 comments
[ 5.6 ms ] story [ 178 ms ] threadIt randomly picks files to send to MS for analysis and hijacks 50%+ of the CPU to do it.
I legitimately don’t understand what it’s trying to accomplish other than another being a telemetry vacuum for MS.
We use https://www.crowdstrike.com/ and never had any issues so far. Very low CPU usage, no false positives. Not sure if it actually does anything ;).
EDIT: But to be honest, Antivirus is just Old-school protection, it never detected anything outside 'already known viruses', Snort/Suricata on the other hand detected quite often that something is going on.
EDIT2: With "quite impressed" i mean, the performance was not much worse
>It's not different in that sense - you still need to define what to look for.
Absolutely correct, i said nothing else, just that i found much more this way than with a locally installed Antivirus, there is just one measurement for a real secure connected computer..that is cable out ;)
This is irritating but as mentioned a not unusual side effect. A good thing is they have sample submission that was fast and efficient.
Wait...you think that is something good, they criticized Kaspersky exactly for that.
Why do you think it's not?
Those that want to contribute their samples in order to have them white/blacklisted can, but just because a feature is there doesn't mean somebody is forcing you to do it, nor that it's inherently bad because you're willingly uploading files to a 3rd party.
How, exactly, would you expect AV/security companies to be able to analyze samples that are actually relevant to their customers if they're not submitted? They would never be able to find nearly as much malware on their own.
I guess it's similar to the way many vendors have a "EDR" version of the malware protection as opposed to the consumer version, which often reserve Linux protection for the former.
Or better yet: a Windows-like or Windows-compatible desktop that can run on any number of systems (and maybe corporate support is available for Debian, CentOS)? Let's not forget that the co-founder of Gnome has been working for Microsoft since 2016.
The comparison of relevance is Github. Microsoft was using Github so much already that the prospect of someone else buying them was an issue (not to mention the joke that buying Github was cheaper than paying for Microsoft's growing use of the platform). In practice, has Microsoft done anything to Github that has limited them in any way? The biggest change is that Github has a super-rich benefactor and they can offer free accounts to everyone now... and their budget for hiring/retaining top talent has been boosted as well.
Microsoft has more than enough money to do the same with Canonical and if they do I think it will largely be a matter of making sure Canonical doesn't need to worry about finances anymore and can hire whomever they need to build and deliver features. And yes, it's possible that Azure Linux applications might be available on Ubuntu first but extending and extinguishing Ubuntu would be massively opposed to making money on Azure -- I don't see Microsoft doing that.
What about just the last letter: Windows X
Of course Windows 10 is the last major version of Windows, so you got to have that in the name: Windows 10X
https://devblogs.microsoft.com/directx/directx-heart-linux/
https://www.wired.com/2005/02/microsoft-5/
https://www.clamav.net/
https://en.wikipedia.org/wiki/Security_through_obscurity
Edit: Link
Also I'm guessing it's easier for admins of mixed infra to have a single threat definition (ie. So your storage server catches the same threats as your endpoints)
5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
It's typically an ignorant CISO/CSO who wants to mark a checkbox...
Easier just to say "AV on everything".
At the same time, ClamAV has a terrifying CVE track record.
There's no upside, and all downside.
ClamAV: https://www.cvedetails.com/product/15657/Clamav-Clamav.html?...
Norton AV: https://www.cvedetails.com/product/398/Symantec-Norton-Antiv...
Windows Defender: https://www.cvedetails.com/product/9767/Microsoft-Windows-De...
It may be safer to say that the CVE record for most AV software isn't great.
Given that, a possible upside with ClamAV could be that you could verify the behaviour of the processes on the installed systems, to make sure you're up-to-date and have the correct software and signatures installed.
That's not unreasonable - Microsoft's software delivery pipeline should be trustworthy and their security reputation could be damaged if an issue were discovered here.
That’s true of everything installed on a system - if you don’t control the software you’re running, Defender is the least of your worries. Unless you’re doing a full analysis of every binary you’re trusting the source.
We’re in the middle of adopting HiTrust and I’ve been forced to install Cisco AMP on all of my servers. The product is absolute garbage and frequently eats up all available RAM, causing itself to crash and leave a core dump filling up my root partition.
The worst part? AMP on Linux is literally ClamAV plus a kernel module to monitor file access, network connections and process creation.
People don't give Microsoft money for a product that's not by Microsoft. If Microsoft offers one, and can even claim that they cover all platforms with one overarching offering, companies pay them for it.
You may not want a product like this on Linux. But if you do business in the DoD supply chain, even way down the chain, then you will be required to do so.
If you’re not vulnerable and don’t need the badge you can’t be taken seriously.
It’s all very amusing!
Though I have a hunch this won't be free software and will have all kinds of telemetry you can't disable.
The Linux ecoystem has consistently p it their fingers in their ears and stop informing the very real and long outstanding problems of malware and apts
Those are the options. Head completely in sand or get some sand in your eyes
A good linux example would be httpd starting netcat that connects to a remote port. Or firefox spawning a bash shell. For windows a simple example would be when an office app starts wscript or powershell and that child process schedules taks, wmi, downloads a payload,etc... Those are simple examples but they track more complex attack scenarios, for cloud hosted solutions like defender atp and crowdstrike they also collect everything that happens on every device of every customer, so if they find new malware or an attacker with a certain TTP on one device, they will deploy rules to catch that for all their customers.
Security mandates such as PCI mandate running anti-virus and friends on a per host basis. They demand a 24-hour event review, FIM, etc. If tools like this come to Linux, it'll make it significantly easier for many organizations to start complying with these mandates. To be clear - these organizations already take security at best as a suggestion - these tools help reduce the barrier to entry so that at least the basics can be addressed.
I'd imagine that well over 95% of Linux users would never run Microsoft tools on Linux. At the same time, for those Windows shops that are experimenting with Linux, or need to support a few workloads, can't afford the dedicated expertise (yet) this is definitely a step forward to help them.
You said a lot more than you probably intended. Microsoft created the Microsoft-loving, Linux-hating trade press in the 90's. Consultancies fell into line, and started pushing the theory to uncritical IT management that if you had a computer connected to the corporate network, it had to run a virus scanner. Period; full stop. Regardless of operating system.
I've never met anyone in corporate IT who actually does the math, and determines whether a particular threat vector is worth the cost of the preventative measure. The philosophy in the 3 Fortune 250's I've worked for has been: if it exists, it must be purchased/used/applied. In the 90's, yes, every WINDOWS computer connected to the corporate network needed the corporate AV running on it. Linux? Mac? Not so much. Even if they managed to get compromised, the chance that they would infect a neighboring computer were very small. These odds didn't justify the expense or the hassle of needing them to slaved into the corporate AV solution, no matter how much Microsoft diverted attention away from the very special problem that Windows has always posed from a security standpoint, how much they paid the trade press to paper over it, and how much they partnered with consultancies to push that line. They didn't care about the mainframe, did they? They didn't care about the Unix workstations, either. But Linux? It was the devil.
We have come full circle. Microsoft is trying their hardest to astroturf the message that WSL enables a lot of development workflows for which Windows has been a poor choice of late, and this requires them to "love Linux." So now Microsoft MUST release their Defender product for Linux, in order to be taken seriously BY THE VERY CULTURE THEY CREATED. As a guy who run Linux on the desktop for 19 years, and got my corporate IT (in the 90's) to consider Linux all the way to the point of them looking into a virus scanner for it (finding that Symantec didn't support it, and dropping the idea), the irony here is both delicious and sickening at the same time.
As I keep saying, I'll believe Microsoft "loves" Linux they day they create Office and an AD client for it.
Adobe too. Man would it be fantastic to see Adobe add support. Same thought pops in my head: they're already running on UNIX, how much would be required to port to Linux? Probably more than I expect.
99% of the (few) Windows programs I still routinely use work perfectly fine under Wine. I can even run my old Windows 3.1 (16 bit) stuff on 64 bit Ubuntu, which I couldn't run on Windows 10. Heck when I was a Linux newbie, I was amazed to find Windows programs that didn't support Windows XP links were nicely following Ext symlinks!
Office doesn't play nice on Wine? Seriously, if Valve can get stuff working on Proton that requires DRM, DirectX etc. it doesn't look like fixing existing issues to make Office work 100% under Wine is beyond reach for Microsoft. Heck, we're talking about the same corporation capable of giving us the WSL!
> Adobe too.
And Autodesk too.
Indeed. I was happily using Codeweaver's Crossover product to run Office 2000 (on RedHat 6.2 with Ximian Desktop, IIC) before Microsoft realized this loophole produced a flawless experience, and then changed the binaries to purposely frustrate this solution going forward. Nothing every worked quite right after that. Eventually, Evolution had a usable Exchange integration, and OpenOffice wasn't completely useless, so I simply stopped caring.
Exactly. Everything else is just a marketing gimmick. They don't even support interoperability between OOXML, thus crippling every other "enterprisey" user who might want to have usable content/data between their co-workers who might be using Windows
MS-Uservoice has ~500 comments on this topic since 2018, and no word from MS till now. [ https://office365.uservoice.com/forums/264636-general/sugges... ]
Guess they figured out WSL is an easy ticket to
- paint the picture that "MS <3 linux! Techbros, dont'cha see! Yeah!" - thus counter the "Hard for Ubuntu/Fedora/Linux users to use MS Apps!" argument by going "Know what, Ubuntu is within Windoze! No need to dual boot now! Wow! Such advancement!" and find a way to safeguard and maximize license/OS-aaS revenue
- no need to ever invest in interoperability for OOXML and such defined standards (this is a great lesson they have learnt from the LDAP-MSAD story)
- no need to bother much the "situation" of dual-boot - now there's a better way, by saying, "you could run Linux within, with full native suppirt, and no need to go out-of-band from your corporate security and compliance baselines! So much win, ya'see!"
Look beyond the gimmicks, and one could see it's just the same objective - just a different approach now.
Not just "Windows on every desktop" but rather, "all data-processings units in the world to directly be leading in one way or other to cause some kida revenue flow for MS"
Regarding AD clients, what are you looking for that's not well covered by LDAP clients and all the AAD connection capabilities built into Azure? AKS runs RBAC based on bindings to AAD. Certainly for any server workloads, AD integrations are well covered.
Perhaps the clarification Yu out need is, microsoft loves Linux on the server. They don't particularly care about linux on the desktop.
Microsoft is a company, suggesting a company "Loves" anything is a misnomer. I say this because I sort of disagree here, but only kind-of.
Microsoft embraces ("Loves") the parts of Linux which are compatible with Microsoft's strategy. Linux on Azure is getting quite huge, it's the difference between Azure existing as a profitable business for Microsoft and Azure being a cost center. Microsoft does a fair amount to embrace Linux on the server, they support Docker, they do a lot of work with Node, and have a fair number of people onboard doing Linux specific stuff.
Linux AD & Office are only really important to desktop deployments and Microsoft has zero strategic interest in the Linux Desktop. If Microsoft were to port Office & AD to Linux Desktop, it would be an act of charity. If Microsoft is doing charity work, there are a lot of projects I'd like to see them invest in before AD and Office on Linux.
For Microsoft? Windows has been on decline in importance at Microsoft for some time.
For Windows? Nah, too many Fortune 500 businesses rely on software running on Windows for day to day operations. While it's hard to see from the consumer/ web/ developer side of the world, Win32 still dominates. Lots of vertical industry specific software which won't be replaced for quite some time.
It's also worth noting that they encouraged startups to offer ATP support and then within a couple of years killed them by offering their own.
5.1 Deploy anti-virus software on all systems commonly affected* by malicious software (particularly personal computers and servers).
Since the majority of *nix servers aren't commonly affected, there's no reason/requirement to deploy A/V. Now this doesn't mean your boss won't require it, "just to be sure."
as someone in the security industry, my experience is that Linux servers are clearly more frequently affected than osx, and there are very few people left who would say osx doesn't have malware still.
just because a large compiled library of code doesn't exist and isn't commonly passed around doesn't mean it's malware free or even malware light.
compiled sttaic malware isn't common because it doesn't have to. rce is done on Linux systems an overwhelming majority of the time using native applications in the way they are meant to be used, just by the wrong people. (the attacker). the lack of quality security tool for the Linux environment is THE biggest concern mature security teams struggle with.
Linux is the most common internet facing os platform, and I'm here to tell you, if it's internet facing, it have threat actors targeting AND affecting it. the only reason Linux hasn't surpassed windows in how frequently is it the victim of malware/attacks is because of workstations.
And if you're managing your servers properly, A/V is unnecessary; first there are few viruses and malware that affect *nix, second, if you can't control code deployment on your systems, you're in the wrong business.
None of our systems providing Internet services are directly connected; everything is proxied/firewalled etc.
If you're expecting ANY of the A/V solutions out there to protect your systems, whether they're Windows/Linux/MacOS, you're going to be sadly disappointed when you get rooted.
I would not install this since it talks to Microsoft servers. I don't want "telemetry" sent to them.
EDIT: For the down-voter that was ironic, try copy lots of files from one Disk to another (in Windows) and during the copy-progress disable Defender...huge "performance" gain
What's it sending? Fucked if I know. I figured they couldn't help themselves, though.
It can analyze an attackers moves within your network, figuring out what files they accessed, ways they pivoted, and other stuff. So not only would it detect that you got compromised, but the display will show you likely paths, names of users that are also compromised, mitigation steps, deployed persistence measures, etc.
So for Defender ATP to work optimally in a deployment that leverages linux nodes, or has users using linux as their daily driver, you need to support linux.
Defender, in its current state, rolls all of the above into one at a relatively competitive price point. Additionally, it receives new detections built off all the telemetry they get as a result of Windows Defender existing on almost every Win10 OS on the planet.
This leveraging of data on such a scale is letting Microsoft quickly become the market leader for threat detection & response.