Merge pull request #1653 from meghapriyams/docs-editor/microsoft-defender-endpoint-li-1729475554

Update microsoft-defender-endpoint-linux.md

Author: denisebmsft

defender-endpoint/microsoft-defender-endpoint-linux.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 10/11/2024
+ms.date: 10/21/2024
 ---
 
 # Microsoft Defender for Endpoint on Linux
@@ -24,7 +24,6 @@ ms.date: 10/11/2024
 
 **Applies to:**
 
-- Microsoft Defender for Servers
 - Microsoft Defender XDR
 
 > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
@@ -41,11 +40,10 @@ Microsoft Defender for Endpoint for Linux includes anti-malware and endpoint det
 ### Prerequisites
 
 - Access to the Microsoft Defender portal
-- Linux distribution using the [systemd](https://systemd.io/) system manager
+- Linux distribution using the [systemd](https://systemd.io/)system manager
 
   > [!NOTE]
   > Linux distribution using system manager, except for RHEL/CentOS 6.x support both SystemV and Upstart.
-
 - Beginner-level experience in Linux and BASH scripting
 - Administrative privileges on the device (for manual deployment)
 
@@ -76,12 +74,17 @@ In general you need to take the following steps:
 ### System requirements
 
 - Disk space: 2 GB
+
   > [!NOTE]
   > An additional 2 GB disk space might be needed if cloud diagnostics are enabled for crash collections. Please make sure that you have free disk space in /var.
+
 - Cores: 2 minimum, 4 preferred
+
   > [!NOTE]
   > If you are on Passive or RTP ON mode, 2 Cores are minimum and 4 Cores are preferred. If you are turning on BM, then a minimum of 4 Cores is required.
+
 - Memory: 1 GB minimum, 4 preferred
+
 - List of supported Linux server distributions and x64 (AMD64/EM64T) and x86_64 versions:
   - Red Hat Enterprise Linux 6.7 or higher (In preview)
   - Red Hat Enterprise Linux 7.2 or higher
@@ -108,87 +111,38 @@ In general you need to take the following steps:
   - Alma 8.4 and higher
   - Alma 9.2 and higher 
   - Mariner 2
-
-    > [!NOTE]
-    > Distributions and version that are not explicitly listed are unsupported (even if they are derived from the officially supported distributions).
-    > With RHEL 6 support for 'extended end of life' coming to an end by June 30, 2024; Defender for Endpoint on Linux support for RHEL 6 will also be deprecated by June 30, 2024
-    > Defender for Endpoint on Linux version `101.23082.0011` is the last Defender for Endpoint on Linux release supporting RHEL 6.7 or higher versions (does not expire before June 30, 2024). Customers are advised to plan upgrades to their RHEL 6 infrastructure aligned with guidance from Red Hat.
-    > Microsoft Defender Vulnerablity Management is not supported on Rocky and Alma currently.
-
-- List of supported kernel versions
-
-   > [!NOTE]
-   > Microsoft Defender for Endpoint on Red Hat Enterprise Linux and CentOS - 6.7 to 6.10 is a Kernel based solution. You must verify that the kernel version is supported before updating to a newer kernel version.
-   > Microsoft Defender for Endpoint for all other supported distributions and versions is kernel-version-agnostic. With a minimal requirement for the kernel version to be at or greater than 3.10.0-327.
-
-  - The `fanotify` kernel option must be enabled
-
-  - Red Hat Enterprise Linux 6 and CentOS 6:
-    - For 6.7: 2.6.32-573.* (except 2.6.32-573.el6.x86_64)
-    - For 6.8: 2.6.32-642.*
-    - For 6.9: 2.6.32-696.* (except 2.6.32-696.el6.x86_64)
-    - For 6.10: 
-      - 2.6.32-754.10.1.el6.x86_64
-      - 2.6.32-754.11.1.el6.x86_64
-      - 2.6.32-754.12.1.el6.x86_64
-      - 2.6.32-754.14.2.el6.x86_64
-      - 2.6.32-754.15.3.el6.x86_64
-      - 2.6.32-754.17.1.el6.x86_64
-      - 2.6.32-754.18.2.el6.x86_64
-      - 2.6.32-754.2.1.el6.x86_64
-      - 2.6.32-754.22.1.el6.x86_64
-      - 2.6.32-754.23.1.el6.x86_64
-      - 2.6.32-754.24.2.el6.x86_64
-      - 2.6.32-754.24.3.el6.x86_64
-      - 2.6.32-754.25.1.el6.x86_64
-      - 2.6.32-754.27.1.el6.x86_64
-      - 2.6.32-754.28.1.el6.x86_64
-      - 2.6.32-754.29.1.el6.x86_64
-      - 2.6.32-754.29.2.el6.x86_64
-      - 2.6.32-754.3.5.el6.x86_64
-      - 2.6.32-754.30.2.el6.x86_64
-      - 2.6.32-754.33.1.el6.x86_64
-      - 2.6.32-754.35.1.el6.x86_64
-      - 2.6.32-754.39.1.el6.x86_64
-      - 2.6.32-754.41.2.el6.x86_64
-      - 2.6.32-754.43.1.el6.x86_64
-      - 2.6.32-754.47.1.el6.x86_64
-      - 2.6.32-754.48.1.el6.x86_64
-      - 2.6.32-754.49.1.el6.x86_64
-      - 2.6.32-754.6.3.el6.x86_64
-      - 2.6.32-754.9.1.el6.x86_64
-
-   > [!NOTE]
-   > After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that which are listed in this section are provided for technical upgrade support only.
+    
+  > [!NOTE]
+  > Distributions and version that are not explicitly listed are unsupported (even if they are derived from the officially supported distributions).
+  > After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that which are listed in this section are provided for technical upgrade support only.
+  > Microsoft Defender Vulnerablity Management is not supported on Rocky and Alma currently.
+  > Microsoft Defender for Endpoint for all other supported distributions and versions is kernel-version-agnostic. With a minimal requirement for the kernel version to be at or greater than 3.10.0-327.
 
   > [!CAUTION]
   > Running Defender for Endpoint on Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system. If there are any other applications on the system that use `fanotify` in blocking mode, applications are listed in the `conflicting_applications` field of the `mdatp health` command output. The Linux **FAPolicyD** feature uses `fanotify` in blocking mode, and is therefore unsupported when running Defender for Endpoint in active mode. You can still safely take advantage of Defender for Endpoint on Linux EDR functionality after configuring the antivirus functionality Real Time Protection Enabled to [Passive mode](linux-preferences.md#enforcement-level-for-antivirus-engine).
 
 - List of supported filesystems for RTP, Quick, Full and Custom Scan.
-  
-  |RTP, Quick, Full Scan| Custom Scan|
-  |---|---|
-  |btrfs|All filesystems supported for RTP, Quick, Full Scan|
-  |ecryptfs|Efs|
-  |ext2|S3fs|
-  |ext3|Blobfuse|
-  |ext4|Lustr|
-  |fuse|glustrefs|
-  |fuseblk|Afs|
-  |jfs|sshfs|
-  |nfs (v3 only)|cifs|
-  |overlay|smb|
-  |ramfs|gcsfuse|
-  |reiserfs|sysfs|
-  |tmpfs|
-  |udf|
-  |vfat|
-  |xfs|
-
-
-After you've enabled the service, you need to configure your network or firewall to allow outbound connections between it and your endpoints.
-
-- Audit framework (`auditd`) must be enabled.
+
+   |RTP, Quick, Full Scan| Custom Scan|
+   |---|---|
+   |`btrfs`|All filesystems supported for RTP, Quick, Full Scan|
+   |`ecryptfs`|`Efs`|
+   |`ext2`|`S3fs`|
+   |`ext3`|`Blobfuse`|
+   |`ext4`|`Lustr`|
+   |`fuse`|`glustrefs`|
+   |`fuseblk`|`Afs`|
+   |`jfs`|`sshfs`|
+   |`nfs` (v3 only)|`cifs`|
+   |`overlay`|`smb`|
+   |`ramfs`|`gcsfuse`|
+   |`reiserfs`|`sysfs`|
+   |`tmpfs`||
+   |`udf`||
+   |`vfat`||
+   |`xfs`||
+    
+- Audit framework (`auditd`) must be enabled if you are using auditd as your primary event provider.
 
   > [!NOTE]
   > System events captured by rules added to `/etc/audit/rules.d/` will add to `audit.log`(s) and might affect host auditing and upstream collection. Events added by Microsoft Defender for Endpoint on Linux will be tagged with `mdatp` key.
@@ -197,17 +151,16 @@ After you've enabled the service, you need to configure your network or firewall
 
 ### External package dependency
 
-The following external package dependencies exist for the mdatp package:
+If the Microsoft Defender for Endpoint installation fails due to missing dependencies errors, you can manually download the pre-requisite dependencies. The following external package dependencies exist for the mdatp package:
 
-- The mdatp RPM package requires `glibc >= 2.17`, `audit`, `policycoreutils`, `semanage` `selinux-policy-targeted`, `mde-netfilter`
-- For RHEL6 the mdatp RPM package requires `audit`, `policycoreutils`, `libselinux`, `mde-netfilter`
-- For DEBIAN the mdatp package requires `libc6 >= 2.23`, `uuid-runtime`, `auditd`, `mde-netfilter`
+- The mdatp RPM package requires `glibc >= 2.17`, `audit`, `policycoreutils`, `semanage` `selinux-policy-targeted`, and `mde-netfilter`
+- For RHEL6 the mdatp RPM package requires `audit`, `policycoreutils`, `libselinux`, and `mde-netfilter`
+- For DEBIAN the mdatp package requires `libc6 >= 2.23`, `uuid-runtime`, `auditd`, and `mde-netfilter`
 
 The mde-netfilter package also has the following package dependencies:
-- For DEBIAN the mde-netfilter package requires `libnetfilter-queue1`, `libglib2.0-0`
-- For RPM the mde-netfilter package requires `libmnl`, `libnfnetlink`, `libnetfilter_queue`, `glib2`
 
-If the Microsoft Defender for Endpoint installation fails due to missing dependencies errors, you can manually download the pre-requisite dependencies.
+- For DEBIAN the mde-netfilter package requires `libnetfilter-queue1`, and `libglib2.0-0`
+- For RPM the mde-netfilter package requires `libmnl`, `libnfnetlink`, `libnetfilter_queue`, and `glib2`
 
 ### Configuring Exclusions
 
@@ -226,7 +179,6 @@ If a proxy or firewall is blocking anonymous traffic, make sure that anonymous t
 
 > [!WARNING]
 > PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being used.
->
 > SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Defender for Endpoint on Linux to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
 
 For troubleshooting steps, see [Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on Linux](linux-support-connectivity.md).
@@ -250,7 +202,9 @@ High I/O workloads from certain applications can experience performance issues w
 ## Related articles
 
 - [Protect your endpoints with Defender for Cloud's integrated EDR solution: Microsoft Defender for Endpoint](/azure/defender-for-cloud/integration-defender-for-endpoint)
+
 - [Connect your non-Azure machines to Microsoft Defender for Cloud](/azure/defender-for-cloud/quickstart-onboard-machines)
+
 - [Turn on network protection for Linux](network-protection-linux.md)
 
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]