This post has been republished via RSS; it originally appeared at Microsoft Tech Community - Latest Blogs.
Organizations rely on Linux-based machines to run mission-critical workloads, and attackers are increasingly targeting these environments. It's therefore critical that endpoint security solutions help organizations protect their multi-platform estate.
Today, we are excited to announce that a new, eBPF-based sensor for Microsoft Defender for Endpoint on Linux is now available in public preview.
The initial implementation of Defender for Endpoint on Linux relies on auditd as the primary event provider; organizations can now use eBPF as an alternative. eBPF delivers additional system stability and performance optimizations on all supported Linux-based machines.
Here are the key benefits of using eBPF as the primary supplementary event provider, the role auditd previously filled:
- Reduced system-wide auditd-related log noise
- No more system-wide auditd event rules that can conflict with rules other applications install
- Reduced overhead for file event (file read/open) monitoring
- Improved event rate throughput
- Optimized performance for specific configurations
With eBPF, events previously obtained from the auditd event provider now flow from the eBPF sensor. This helps with system stability, improves CPU and memory utilization, and reduces disk usage. In addition, the eBPF sensor uses capabilities built into the Linux kernel (eBPF programs are checked by the kernel's verifier before they run) rather than a third-party kernel module, which further improves system stability.
The eBPF sensor will be turned on automatically and rolled out gradually to all insider machines over the days following this post. You will need Microsoft Defender for Endpoint version 101.23062.0005 or later to get the most recent improvements with the new sensor.
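Before a machine picks up the new sensor, a practitioner will want to confirm that the kernel can actually host eBPF programs and see which supplementary event provider the agent is currently using. The following pre-flight script is an added example and not Microsoft's code or part of the original post. Two things in it are assumptions: the minimum kernel version (the post does not state one, so `MIN_KERNEL` is a placeholder you should set from the product documentation), and the `mdatp health --field supplementary_events_subsystem` query, which is taken from memory of the product docs and should be confirmed there.

```shell
#!/bin/sh
# Added pre-flight check for the eBPF-based Defender for Endpoint sensor.
# Not Microsoft's code. MIN_KERNEL and the mdatp health field name are
# assumptions; confirm both against the product documentation.

MIN_KERNEL="${MIN_KERNEL:-4.18}"   # assumed lower bound, set from the docs

# kernel_at_least RUNNING MINIMUM -> returns 0 if RUNNING >= MINIMUM.
# Compares the numeric major.minor.patch prefix only, so distro suffixes
# such as "-91-generic" or "-1160.el7.x86_64" are ignored.
kernel_at_least() {
    have="$(printf '%s' "$1" | sed 's/[^0-9.].*//').0.0"
    want="$(printf '%s' "$2" | sed 's/[^0-9.].*//').0.0"
    i=1
    while [ "$i" -le 3 ]; do
        h=$(printf '%s' "$have" | cut -d. -f"$i"); h=${h:-0}
        w=$(printf '%s' "$want" | cut -d. -f"$i"); w=${w:-0}
        if [ "$h" -gt "$w" ]; then return 0; fi
        if [ "$h" -lt "$w" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# kernel_config -> prints the running kernel's build config, from
# /boot/config-<release> or /proc/config.gz, whichever is readable.
kernel_config() {
    if [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    fi
}

# bpf_config_ok -> 0 if the kernel was built with the bpf(2) syscall,
# without which no eBPF program can be loaded at all.
bpf_config_ok() {
    kernel_config | grep -q '^CONFIG_BPF_SYSCALL=y'
}

# btf_available -> 0 if the kernel exposes BTF type information, which
# CO-RE eBPF programs need to run unmodified across kernel versions.
btf_available() { [ -r /sys/kernel/btf/vmlinux ]; }

# mdatp_provider -> prints the supplementary event provider the agent
# reports ("ebpf" or "auditd"), or "unknown" if mdatp is not installed.
# The health field name is an assumption taken from the product docs.
mdatp_provider() {
    if command -v mdatp >/dev/null 2>&1; then
        mdatp health --field supplementary_events_subsystem 2>/dev/null | tr -d '"'
    else
        echo unknown
    fi
}

# audit_rule_count -> number of auditd rules currently loaded. With the
# eBPF sensor active, system-wide rules installed for the auditd provider
# are no longer required, so a large count here is worth investigating.
audit_rule_count() {
    if command -v auditctl >/dev/null 2>&1; then
        auditctl -l 2>/dev/null | grep -vc '^No rules'
    else
        echo 0
    fi
}

main() {
    running=$(uname -r)
    printf 'kernel %s >= %s: ' "$running" "$MIN_KERNEL"
    kernel_at_least "$running" "$MIN_KERNEL" && echo yes || echo NO
    printf 'CONFIG_BPF_SYSCALL=y: '; bpf_config_ok && echo yes || echo NO
    printf 'BTF at /sys/kernel/btf/vmlinux: '; btf_available && echo yes || echo NO
    printf 'mdatp supplementary event provider: %s\n' "$(mdatp_provider)"
    printf 'auditd rules loaded: %s\n' "$(audit_rule_count)"
}

main "$@"
```

Run it as root on the candidate machine (auditctl -l needs CAP_AUDIT_CONTROL; without it the rule count silently reads 0). A "NO" on the BPF syscall or BTF lines means the kernel itself is the blocker, independent of the agent version.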
More information
- Check out our documentation to start using the eBPF-based sensor for Microsoft Defender for Endpoint on Linux.