Microsoft Defender can now isolate Linux devices in the name of security

Microsoft has announced a public preview of a new feature of Microsoft Defender for Endpoint that makes it possible to isolate Linux devices.

The company explains that it is possible to isolate a Linux device using APIs, or via the Microsoft 365 Defender portal. The update means that in the event of a security breach it is now possible to cut off Linux devices from a network, just as it has been possible to do with Windows devices.

See also:

• Microsoft is working on a major Edge update known as Phoenix -- and you can try one of the best features right now!
• Microsoft Teams Rooms on Windows is getting an amazing new look
• The latest Windows 11 problem sees updates failing with 0x800f0988 and 0x800f0831 errors

In a blog post about the new capabilities, Microsoft says: "Some attack scenarios may require you to isolate a device from the network. This action can help prevent the attacker from controlling the compromised device and performing further activities such as data exfiltration and lateral movement". 

The company continues:

Just like in Windows devices, this device isolation feature disconnects the compromised device from the network while retaining connectivity to the Defender for Endpoint service, while continuing to monitor the device.

Microsoft points out that when isolating a device, only certain processes and web destinations are allowed. This means that devices behind a full VPN tunnel won't be able to reach the Microsoft Defender for Endpoint cloud service after the device is isolated. The company recommends using a split-tunneling VPN for Microsoft Defender for Endpoint and Microsoft Defender Antivirus cloud-based protection-related traffic.

Another point made by the company is that exclusion is not supported for Linux isolation.

More information about how to manually isolate Linux devices, or to do so using APIs can be found here.

Image credit: monticello / depositphotos