MDE (Linux): Offline Security Update


A while ago (April 2024), Microsoft added a new feature for Linux – Offline Security Updates [link].

I used their guide, but found it to be a bit incomplete, so I did some digging to get the service up and running.

I will add all the steps here, so hopefully I will be the only one who had to dig for them 😊

Architecture:

Server-side installation

Prerequisites

Defender for Endpoint version “101.24022.0001” or higher needs to be installed on the Linux endpoints.

The Linux endpoints need to have connectivity to the Mirror Server.

The Mirror Server needs to have access to the following URLs:

Files download

  • Download the zip file of the repo from here
  • Copy the zip file to the folder where you want to keep the script
  • Extract the zip

After extracting the zip file, the local directory structure should be as follows:

user@vmdefsign:~/mdatp-xplat$ tree linux/definition_downloader/
linux/definition_downloader/
├── README.md
├── settings.json
├── settings.ps1
├── xplat_offline_updates_download.ps1
└── xplat_offline_updates_download.sh
0 directories, 5 files

Configuration

Open settings.json in your favorite text editor, e.g.:

nano settings.json

Default configuration:

{
"downloadFolder": "/tmp/wdav-update",
"downloadLinuxUpdates": true,
"logFilePath": "/tmp/mdatp_offline_updates.log",
"downloadMacUpdates": true,
"downloadPreviewUpdates": false,
"backupPreviousUpdates": true
}

New configuration (macOS downloads disabled, since only Linux clients are served from this mirror; note that downloadFolder lives under /tmp, which many distributions clean at reboot, so either keep the daily download running or move it to a persistent path):

{
"downloadFolder": "/tmp/wdav-update",
"downloadLinuxUpdates": true,
"logFilePath": "/tmp/mdatp_offline_updates.log",
"downloadMacUpdates": false,
"downloadPreviewUpdates": false,
"backupPreviousUpdates": true
}


Crontab for master updates

Schedule the downloader to run daily at 10:00 AM (adjust the path to wherever you extracted the repo):

crontab -e
0 10 * * * /bin/bash /home/definition_downloader/xplat_offline_updates_download.sh

Expose the service for other assets

Install Apache Web Server

sudo apt update
sudo apt install apache2

Configure firewall

sudo ufw allow 'Apache'

This allows traffic to reach your Apache server on port 80 only; the 'Apache' profile does not cover the custom port used below. If you serve the mirror on 8000, open that port instead, ideally only for the subnet your Linux endpoints live in:

sudo ufw allow from 10.0.0.0/8 to any port 8000 proto tcp

(10.0.0.0/8 is a placeholder; use your client subnet.)

Configure Apache

sudo nano /etc/apache2/sites-available/000-default.conf

Inside the <VirtualHost> block, set the desired port.

Ex:

<VirtualHost *:8000>

Add another listener, if needed.

sudo nano /etc/apache2/ports.conf

Ex:

Listen 8000

Restart Apache

sudo systemctl restart apache2

Automate file copy to www

Create a bash script that contains the following commands. Apache only needs to read the definition files, so the tree is made world-readable, not world-writable, and the script refuses to run when the downloader has left nothing behind, so a failed download never wipes the files currently served to clients:

nano up.sh
#!/bin/bash
set -e
# Abort if the downloader produced no Linux payload
[ -d /tmp/wdav-update/linux/production ] || { echo "No update payload found"; exit 1; }
rm -rf /var/www/html/linux/
echo "Linux folder removed"
# Copy all contents from /tmp/wdav-update/ to /var/www/html/
cp -a /tmp/wdav-update/. /var/www/html/
echo "New updates copied"
# Apache only reads these files: owner-writable, world-readable
chown -R root:www-data /var/www/html/linux
chmod -R u=rwX,go=rX /var/www/html/linux
echo "Permissions set"

Create crontab for automation

The script writes into /var/www/html, so it has to run from root's crontab:

sudo crontab -e
2 10 * * * /bin/bash /home/mdatp/linux/definition_downloader/up.sh

Two minutes may not be enough for the download to finish. Chaining both scripts in a single root crontab entry guarantees the copy only starts after a successful download:

0 10 * * * /bin/bash /home/mdatp/linux/definition_downloader/xplat_offline_updates_download.sh && /bin/bash /home/mdatp/linux/definition_downloader/up.sh
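The publish step above, rewritten as an added example (not part of the original post or of Microsoft's mdatp-xplat repo). It takes the download folder and the document root as arguments (the post uses /tmp/wdav-update and /var/www/html), stages the new tree next to the live one and swaps it in with a single rename, so clients never see an empty or half-copied folder, and never makes anything world-writable. The linux/production subfolder name is the one the client URL in the post points at.

```shell
#!/bin/sh
# Added example: publish MDE offline definitions from the downloader's
# output folder to the Apache document root. Not part of the original
# post or of Microsoft's mdatp-xplat repo.
set -eu

# publish_updates SRC DST
#   SRC  downloadFolder from settings.json   (post uses /tmp/wdav-update)
#   DST  Apache document root                (post uses /var/www/html)
# Refuses to run when SRC holds no linux/production payload, stages the
# new tree beside the live one and swaps it in with one rename.
# Returns 1 on refusal so cron mails the failure instead of hiding it.
publish_updates() {
    src="$1"; dst="$2"
    if [ ! -d "$src/linux/production" ] || [ -z "$(ls -A "$src/linux/production")" ]; then
        echo "no linux/production payload under $src, keeping current files" >&2
        return 1
    fi
    stage="$dst/.linux.new"
    old="$dst/.linux.old"
    rm -rf "$stage" "$old"
    cp -a "$src/linux" "$stage"
    # Apache only reads these files: owner rw, everyone else read-only.
    chmod -R u=rwX,go=rX "$stage"
    if [ -d "$dst/linux" ]; then
        mv "$dst/linux" "$old"
    fi
    mv "$stage" "$dst/linux"
    rm -rf "$old"
    echo "published $(find "$dst/linux" -type f | wc -l) files to $dst/linux"
}

# Only runs when invoked with both paths, e.g. from root's crontab:
#   2 10 * * * /bin/sh /home/mdatp/publish.sh /tmp/wdav-update /var/www/html
if [ "$#" -eq 2 ]; then
    publish_updates "$1" "$2"
fi
```

The staging directory has to be a sibling of the live folder (inside the document root) because `mv` is only atomic within one filesystem; it exists for the few seconds between copy and rename.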

Client configuration

Configuration proposal at MDE level

On each client, put the following managed configuration in place. Two things to keep in mind: the key is offlineDefinitionUpdateFallbackToCloud (check the spelling), and setting cloudService.enabled to false also turns off cloud-delivered protection, which is only appropriate for hosts that genuinely have no Internet path. Keep offlineDefinitionUpdateVerifySig enabled; it is what makes fetching over plain HTTP from the mirror acceptable, since the package signature is checked on the client.

sudo nano /etc/opt/microsoft/mdatp/managed/mdatp_managed.json
{
   "antivirusEngine": {
      "behaviorMonitoring": "enabled",
      "enforcementLevel": "real_time",
      "scanAfterDefinitionUpdate": true,
      "scanArchives": true,
      "offlineDefinitionUpdateUrl": "http://vmdefsign:8000/linux/production",
      "offlineDefinitionUpdateFallbackToCloud": false,
      "offlineDefinitionUpdate": "enabled",
      "maximumOnDemandScanThreads": 1,
      "exclusionsMergePolicy": "admin_only",
      "disallowedThreatActions": [
         "allow",
         "restore"
      ],
      "threatTypeSettingsMergePolicy": "admin_only",
      "threatTypeSettings": [
         {
            "key": "potentially_unwanted_application",
            "value": "block"
         }
      ]
   },
   "cloudService": {
      "enabled": false,
      "automaticDefinitionUpdateEnabled": false,
      "diagnosticLevel": "optional",
      "automaticSampleSubmissionConsent": "none"
   },
   "features": {
      "offlineDefinitionUpdateVerifySig": "enabled"
   },
   "edr": {
      "tags": [
         {
            "key": "GROUP",
            "value": "AddRelevantTAG"
         }
      ]
   }
}

Before rolling it out, make sure the file parses as JSON (a trailing comma after the last element of a block is the usual mistake):

python3 -m json.tool /etc/opt/microsoft/mdatp/managed/mdatp_managed.json

Settings validation

Run command:

mdatp health --details definitions

Expected output:

user@vmdefsign:~$ mdatp health --details definitions
automatic_definition_update_enabled         : true [managed]
definitions_updated                         : Mar 14, 2024 at 12:13:17 PM
definitions_updated_minutes_ago             : 2
definitions_version                         : "1.407.417.0"
definitions_status                          : "up_to_date"
offline_definition_url_configured           : "http://vmdefsign:8000/linux/production/" [managed]
offline_definition_update                   : "enabled" [managed]
offline_definition_update_verify_sig        : "enabled"
offline_definition_update_fallback_to_cloud : false [managed]
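Checking that every client actually picked up the managed settings is tedious by eye across a fleet. The following is an added example, not part of the original post: it parses a saved `mdatp health --details definitions` report (field names are the ones in the output above; the sample report embedded in the block is constructed from it) and fails with a message per wrong setting, so it can be run from a configuration-management check or a ticket script.

```shell
#!/bin/sh
# Added example: verify that a client applied the offline-update settings
# by parsing a saved `mdatp health --details definitions` report.
# Not part of the original post; field names follow the post's output.
set -eu

# mdatp_field NAME FILE
#   Prints the value of one "name : value [managed]" line from the saved
#   report, with quotes, the [managed] tag and trailing blanks removed.
mdatp_field() {
    sed -n "s/^$1[[:space:]]*:[[:space:]]*//p" "$2" \
        | sed 's/\[managed\]//; s/"//g; s/[[:space:]]*$//'
}

# check_offline_definitions FILE MIRROR_URL
#   Returns 0 only when offline updates are enabled, signature verification
#   is on, cloud fallback is off, the configured URL equals MIRROR_URL
#   (trailing slash ignored) and definitions are up to date.
#   Every failing setting is printed, so one run lists all drift.
check_offline_definitions() {
    file="$1"; mirror="${2%/}"; rc=0
    enabled=$(mdatp_field offline_definition_update "$file")
    sig=$(mdatp_field offline_definition_update_verify_sig "$file")
    fallback=$(mdatp_field offline_definition_update_fallback_to_cloud "$file")
    url=$(mdatp_field offline_definition_url_configured "$file")
    status=$(mdatp_field definitions_status "$file")
    [ "$enabled" = enabled ]   || { echo "offline_definition_update is '$enabled', expected enabled"; rc=1; }
    [ "$sig" = enabled ]       || { echo "offline_definition_update_verify_sig is '$sig', expected enabled"; rc=1; }
    [ "$fallback" = false ]    || { echo "offline_definition_update_fallback_to_cloud is '$fallback', expected false"; rc=1; }
    [ "${url%/}" = "$mirror" ] || { echo "offline_definition_url_configured is '$url', expected $mirror"; rc=1; }
    [ "$status" = up_to_date ] || { echo "definitions_status is '$status', expected up_to_date"; rc=1; }
    return $rc
}

# Constructed sample report, modelled on the output shown in the post.
sample_health_output() {
    cat <<'EOF'
automatic_definition_update_enabled         : true [managed]
definitions_updated                         : Mar 14, 2024 at 12:13:17 PM
definitions_updated_minutes_ago             : 2
definitions_version                         : "1.407.417.0"
definitions_status                          : "up_to_date"
offline_definition_url_configured           : "http://vmdefsign:8000/linux/production/" [managed]
offline_definition_update                   : "enabled" [managed]
offline_definition_update_verify_sig        : "enabled"
offline_definition_update_fallback_to_cloud : false[managed]
EOF
}

# Live use on a client:
#   mdatp health --details definitions > /tmp/defs.txt
#   check_offline_definitions /tmp/defs.txt http://vmdefsign:8000/linux/production
```

The parser tolerates the two layouts mdatp mixes in the same report (`"enabled" [managed]` and `false[managed]`), which is why both the quotes and the tag are stripped before comparing.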

Crontab for client updates

Schedule the definitions pull on each client after the mirror has refreshed, e.g. daily at 10:30 AM. Use root's crontab and the full path to mdatp, since cron runs with a minimal PATH (the original `/bin/bash mdatp ...` form would look for a script named mdatp instead of running the command):

sudo crontab -e
30 10 * * * /usr/bin/mdatp definitions update

Please let me know what you feel about this topic and if additional information is needed.

Thank you!
