This document describes the Offline Security Intelligence Update feature of Microsoft Defender for Endpoint on Linux.
30
+
## How offline security intelligence updates work
31
31
32
-
This feature enables an organization to update the security intelligence (also referred to as "definitions" or "signatures" in this document) on Linux endpoints with limited or no exposure to the internet using a local hosting server (termed as*mirror server* in this document).
32
+
This article describes how to configure offline security intelligence updates in Defender for Endpoint on Linux. This capability enables you to update security intelligence (also referred to as *definitions* or *signatures*) on Linux devices that have limited or no exposure to the internet. With this configuration, you use a local hosting server, called a*mirror server*, that connects to the Microsoft cloud to download security intelligence updates. Other Linux devices pull these updates from your mirror server at predefined intervals.
33
33
34
-
Mirror server is any server in the customer's environment that can connect to the Microsoft cloud to download the signatures. Other Linux endpoints pull the signatures from the mirror server at a predefined interval.
34
+
## Benefits of using offline security intelligence updates
35
35
36
36
Key benefits include:
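Review bot: the heading added at new line 30 (`## How offline security intelligence updates work`) nearly duplicates the unchanged heading at line 46 (`## How offline security intelligence update works`), so the page ends up with two almost identical H2s and anchors, one over an overview paragraph and one over the actual process steps; rename the one at line 30 (for example `## Overview`) or fold its paragraph into the intro rather than giving it its own heading. Also, new line 32 carries over the missing space from the removed line (`termed as*mirror server*` became `called a*mirror server*`), which renders with the article glued to the emphasised term; it should be `called a *mirror server*`.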
37
37
38
-
-Ability to control and manage the frequency of signature downloads on the local server and the frequency at which endpoints pull the signatures from the local server.
39
-
-Addition of an extra layer of protection and control as the downloaded signatures can be tested on a test device before being propagated to the entire fleet.
40
-
-Reduction of network bandwidth as now only one local server will poll MS cloud to get the latest signatures on behalf of your entire fleet.
41
-
-Ability of the local server to run any of the three OS - Windows, Mac, Linux; no requirement to install Defender for Endpoint.
42
-
-Provision for the most up-to-date antivirus protection as signatures are always downloaded along with the latest compatible AV engine.
43
-
-Migration of signature with n-1 version to a backup folder on the local server, in each iteration. Provision to pull the n-1 signature version from the backup folder to your endpoints, if there's any issue with the latest signature.
44
-
-Option to fall back to online updates from Microsoft cloud (traditional method), in the event of a rare occasion of an offline update failure.
38
+
-Your security team can control and manage the frequency of signature downloads on the local server and the frequency at which endpoints pull signatures from the local server.
39
+
-You have an extra layer of protection and control as the downloaded signatures can be tested on a test device before they're propagated to the entire fleet.
40
+
-You need less network bandwidth, because only one local server gets the latest updates from the Microsoft cloud on behalf of your entire fleet.
41
+
-Your mirror server can run Windows, Mac, or Linux, and you don't have to install Defender for Endpoint on that server.
42
+
-You get the most up-to-date antivirus protection, because signatures are always downloaded along with the latest compatible antivirus engine.
43
+
-Older versions of signatures (`n-1`) are moved to a backup folder on your mirror server in each iteration. If there's an issue with the latest updates, you can pull the `n-1` signature version from the backup folder to your devices.
44
+
-In the rare event an offline update fails, you can configure a fallback option to get online updates from the Microsoft cloud.
45
45
46
46
## How offline security intelligence update works
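Review bot: the bullets at new lines 38-44 have no space after the list marker (`-Your security team can control ...`, `-You have an extra layer ...`), while the list at lines 49-53 in the next section does (`- Signatures are downloaded ...`); if that is in the source and not just how the diff is rendered, Markdown will not treat these as list items, so use `- ` consistently. New line 41 also keeps `Mac` from the removed line; `Mac` is the hardware brand, so `Windows, macOS, or Linux` is the consistent form next to the other two OS names.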
47
47
48
-
-Organizations need to set up a mirror server, which is a local Web/NFS server that's reachable by the Microsoft cloud.
49
-
- Signatures are downloaded from Microsoft cloud on this mirror server by executing a script using cron job/task scheduler on the local server.
50
-
- Linux endpoints running Defender for Endpoint pull the downloaded signatures from this mirror server at a user-defined time interval.
51
-
- Signatures pulled on the Linux endpoints from the local server are first verified before getting loaded into the AV engine.
52
-
- To trigger and configure the update process, update the managed config json file on the Linux endpoints.
53
-
-The status of the update can be seen on the mdatp CLI.
48
+
-You set up a mirror server, which is a local Web or NFS server that's reachable by the Microsoft cloud.
49
+
- Signatures are downloaded from Microsoft cloud on this mirror server by executing a script using cron job or task scheduler on the local server.
50
+
- Linux endpoints running Defender for Endpoint pull the downloaded signatures from the mirror server at a pre-defined time interval.
51
+
- Signatures pulled onto Linux devices from the local server are first verified before they're loaded into the antivirus engine.
52
+
- To start and configure the update process, you can update the managed configuration json file on your Linux devices.
53
+
-You can view the status of updates in the mdatp CLI.
54
54
55
55
:::image type="content" source="./media/offline-update-diag-1.png" alt-text="Process flow diagram on the Mirror Server for downloading the security intelligence updates" lightbox="./media/offline-update-diag-2.png":::
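Review bot: new line 48 keeps the connectivity direction backwards from the removed line: `a local Web or NFS server that's reachable by the Microsoft cloud`. The mirror server makes outbound connections to download signatures (new line 32 says it "connects to the Microsoft cloud", and line 49 says the script on it downloads them); nothing needs to reach it from the cloud, and saying so implies an inbound exposure the design does not require. Suggest `a local web or NFS server that can reach the Microsoft cloud and that your Linux devices can reach`. New line 50 also changes the removed line's `user-defined time interval` to `pre-defined time interval`, which drops the point made at new line 38 that the team controls the pull frequency; `at an interval you configure` keeps it. Minor: `json` at line 52 should be `JSON`, and `cron job or task scheduler` at line 49 reads better as `a cron job or Task Scheduler`.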