BlogTagsProjectsSubscribe

Antivirus Definition Version Control for Microsoft Defender for Endpoint on Linux

June 12, 2022
🏷 Cyber Security

Join our Newsletter

Subscribe to get beginner friendly DevOps Guide.
    We won't send you spam. Unsubscribe at any time.

    Microsoft Defender for Endpoint on Linux (MDATP) has a built-in antivirus engine which will protect you from file-based attacks. By default, this antivirus will update its definition automatically whenever there is a new version released. However, the latest version may remove some important files, thus there is a need to stop the automatic version update and rollback to specific version.

    Check current MDATP antivirus version and configuration

    You can check MDATP's antivirus automatic update configuration and its version by typing

    mdatp health

    By default, MDATP's antivirus will update itself automatically. Check MDATP antivirus version and configuration Check MDATP antivirus version and configuration

    Stop MDATP antivirus definition automatic update

    To freeze or rollback the antivirus definition, you need to stop its automatic update first. Otherwise, the version will change after a while. To stop MDATP antivirus defintion automati update, you need to prepare a configuration file at /etc/opt/microsoft/mdatp/managed/mdatp_managed.json

    ...
  "cloudService": {
    ...
    "automaticDefinitionUpdateEnabled": true,
    ...
}
...

    Stop antivirus definition automatic update in configuration file Stop antivirus definition automatic update in configuration file

    Antivirus definition automatic update disabled Antivirus definition automatic update disabled

    Rollback MDATP antivirus definition to specific version

    To rollback MDATP antivirus definition, you need to stop its service first. Use below commands to stop the service & perform the rollback

    sudo systemctl stop mdatp.service
sudo mdatp definitions get --version [the version number that you would like to rollback to]
sudo systemctl start mdatp.service

    Here, we downgrade the antivirus definition from version 88083 to version 88082.

    Rollback MDATP antivirus definition version Rollback MDATP antivirus definition version

    MDATP antivirus definition version downgraded MDATP antivirus definition version downgraded

    Update MDATP antivirus definition to the latest version

    After the rollback, you may update MDATP antivirus definition to the latest version if you find the latest version won't hurt your app or you whitelist all impacted processes and files.

    Here, we update the antivirus definition to the latest version, 88083.

    sudo mdatp definitions update

    Update MDATP antivirus definition version Update MDATP antivirus definition version

    MDATP antivirus definition version updated MDATP antivirus definition version updated

    Conclusion

    By using MDATP configuration file and commands, we can stop its automatic definition update, rollback to specific version and update it to specific version

    Other articles you may be interested:

    1. Vulnerability Scanning with MDATP
    Subscribe