Update Microsoft is bringing its Defender ATP Antivirus software to Linux, iOS and Android


May 4, 2019
Microsoft believes there's a market for its security software on mobile devices, so Android and iOS users will soon have the option of running Microsoft Defender on their devices.

Posting on the Microsoft Security Blog, Moti Gindi, Corporate Vice President, Microsoft Defender ATP, confirmed that the company has been working on and investing in mobile threat defense. The end result is a version of Microsoft Defender ATP for both Android and iOS.

As CNBC reports, Microsoft sees a gap in the market for its security solution on mobile devices. Malware is a problem on mobile devices even if they are seen as safer environments than that offered by a desktop PC. However, Microsoft believes there's still a risk, especially for corporate users, if users install apps found outside of the official app stores or are subject to a phishing attack.

MalwareTips Bot

Apr 21, 2016
Attackers will cross multiple domains like email, identity, endpoints, and applications to find the point of least resistance. Today’s defense solutions have been designed to protect, detect, and block threats for each domain separately, allowing attackers to exploit the seams and threshold differences between solutions—leaving the business vulnerable to attack. While one facet of an attack may be caught and blocked in email, the same threat actor may have also compromised identities by exploiting weak passwords or leaked credentials, or by fooling people into providing their passwords or authorization tokens. It’s also possible for point solutions to overlook critical signals entirely because, in isolation, they failed to register as significant.

The industry as a whole has struggled to win this battle, but we can turn the tide. The current class of security solutions can do a better job of stopping or even preventing the spread of attacks by looking at the entire security stack as a living organism. We have to force a shift in the protection paradigm by moving from a model of reactive detection and response based on siloed security solutions to proactive protection. We cannot leave security teams to manually coordinate signals across domains to fully understand the breadth of the attack and how to stop it. Threat protection that changes our approach to attacks requires built-in intelligence that can understand how an attack got in, prevent its spread across domains, and automatically heal compromised assets.
Microsoft Threat Protection coordinates defenses to stop attacks from spreading and auto-heal impacted assets

Generally available Microsoft Threat Protection (MTP) provides the built-in intelligence, automation, and integration to coordinate protection, detection, response, and prevention by combining and orchestrating into a single solution the capabilities of Microsoft Defender Advanced Threat Protection (ATP) (endpoints), Office 365 ATP (email), Azure ATP (identity), and Microsoft Cloud App Security (apps).
With MTP, security teams can:

  • Automatically block attacks and eliminate their persistence to keep them from starting again. MTP looks across domains to understand the entire chain of events, identify affected assets, and protect your most sensitive resources. When, for example, a compromised user or an at-risk device tries to access confidential information, MTP applies conditional access and blocks the attack, delivering on the Zero Trust model.
  • Prioritize incidents for investigation and response. MTP lets you focus on what matters the most by correlating alerts and low-level signals into incidents to determine the full scope of the threat across Microsoft 365 services. Incidents provide a complete picture of the threat in real time and in a single, cohesive console.
  • Auto-heal assets. MTP identifies affected assets like users, endpoints, mailboxes, and applications, and returns them to a safe state. Automated healing includes actions like identifying and terminating malicious processes on endpoints and removing mail forwarding rules attackers put in place and marking users as compromised in the directory.
  • Focus unique expertise on cross-domain hunting. MTP empowers the security team to be proactive, giving them back the time they need to learn from our insights, harden defenses, and keep out more threats. It also lets them use their unique organizational knowledge like proprietary indicators of compromise, org-specific behavioral patterns, and free-form research to actively hunt for threats across domains with custom queries over raw data.

Coordinated defenses to uncover the full attack kill chain can help block nation-state level attacks
In 2019, the Microsoft Threat Intelligence Center notified nearly 10,000 customers targeted by a few nation-state actors, citing HOLMIUM as one of the most active. Sophisticated attacks like this are why MTP was created. A recent HOLMIUM attack pattern demonstrates this: HOLMIUM targets identities in the cloud as a first step. After compromising an identity, the adversary leverages cloud APIs to persist, using a cloud email configuration to run malicious PowerShell on the endpoint every time Outlook is opened by the user. A conventional approach to containing this threat may start with the endpoint; when the PowerShell activity is detected, the SOC remediates the endpoint. However, in this case the attacker is persistent in the cloud and so the endpoint could be immediately compromised again.

MTP looks at the bigger picture and goes beyond simple blocking on the endpoint, putting a compromised organization in a better position to fight the threat. Signs of the attack are detected across the affected domains, including password spraying activity against Azure Active Directory (AD), sign-ins to Office 365 with potentially compromised credentials, and malicious PowerShell executions on endpoints. These detections are correlated into a coherent incident that catalogs the end-to-end attack and all affected assets. MTP intervenes to block the attack, not only stopping the PowerShell activity on the endpoints but also containing the impacted user accounts by marking them as compromised in Azure AD. The Threat Analytics report in MTP provides an exposure view and recommends the customer apply the appropriate Outlook security patch that will prevent this attack from recurring.
MTP extends coordinated protection across platforms with Microsoft Defender ATP for Linux and across domains with Azure Sentinel
Today, we’re announcing another step in our journey to offer security from Microsoft with the public preview of Microsoft Defender ATP for Linux. Extending endpoint threat protection to Linux has been a long-time ask from our customers and we’re excited to be able to deliver on that. We know our customers’ environments are complex and heterogenous. Providing comprehensive protection across multiple platforms through a single solution and streamlined view is more important than ever. Next week at the RSA Conference, we’ll provide a preview of our investments in mobile threat defense with the work we’re doing to bring our solutions to Android and iOS.

Azure Sentinel, Microsoft’s cloud-native security information and event manager (SIEM), further extends the capabilities of MTP by incorporating alerts, threat intelligence, and signals from third-party solutions. MTP shares alerts and threat intelligence with Azure Sentinel so security teams can view and manage threats across Microsoft and third-party security solutions in a single SIEM console.

To learn more about how Microsoft Threat Protection can help you deliver proactive protection and prevention against the spread of attacks, see Microsoft Threat Protection and stop by our booth at the RSA Conference!

Stay tuned for more information on our cross-platform journey from our Tech Community blogs next week!

The post Microsoft Threat Protection stops attack sprawl and auto-heals enterprise assets with built-in intelligence and automation appeared first on Microsoft Security.
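The post above argues that the HOLMIUM chain is only visible when identity, email and endpoint signals are correlated per user, and that remediating the endpoint alone leaves the cloud foothold in place. The following is an added illustration of that correlation logic, not Microsoft code: the event field names, the user and device names and the remediation strings are constructed for the example.

```python
"""Cross-domain correlation of the HOLMIUM-style chain described in the post.

Added example, not Microsoft code. Event fields, user/device names and the
remediation strings are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample signals: each one is low-severity when seen in isolation.
SIGNALS = [
    {"ts": 1, "domain": "identity", "type": "password_spray", "user": "alice@contoso.example"},
    {"ts": 2, "domain": "identity", "type": "risky_signin", "user": "alice@contoso.example"},
    {"ts": 3, "domain": "email", "type": "mailbox_config_change", "user": "alice@contoso.example"},
    {"ts": 4, "domain": "endpoint", "type": "powershell_on_outlook_start",
     "user": "alice@contoso.example", "device": "WS-042"},
    {"ts": 5, "domain": "identity", "type": "risky_signin", "user": "bob@contoso.example"},
]

# All three domains must be present before isolated signals become one incident.
CHAIN = {"identity", "email", "endpoint"}

# Per-domain containment; the endpoint action alone leaves the cloud persistence.
ACTIONS = {
    "identity": "mark user as compromised in the directory",
    "email": "remove the attacker's mailbox configuration",
    "endpoint": "terminate the malicious PowerShell process",
}


def correlate(signals):
    """Group signals by user and emit an incident only when the full chain is seen."""
    by_user = defaultdict(list)
    for s in signals:
        by_user[s["user"]].append(s)
    incidents = []
    for user, events in by_user.items():
        domains = {e["domain"] for e in events}
        if not CHAIN <= domains:
            continue  # in isolation these signals do not register as significant
        events.sort(key=lambda e: e["ts"])
        incidents.append({
            "user": user,
            "domains": sorted(domains),
            "devices": sorted({e["device"] for e in events if "device" in e}),
            "kill_chain": [e["type"] for e in events],
            "actions": [ACTIONS[d] for d in sorted(domains)],
        })
    return incidents


def residual_footholds(incident, remediated):
    """Domains where the attacker still has persistence after a partial remediation."""
    return sorted(set(incident["domains"]) - set(remediated))
```

Remediating only `{"endpoint"}` leaves `["email", "identity"]` as residual footholds, which is the re-compromise scenario the post describes.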

Captain Awesome

May 7, 2016
As often as we write about malware-ridden apps and exploitable vulnerabilities in iOS and Android, it’s painfully clear that Apple and Google aren’t perfect when it comes to protecting the users of their mobile platforms. Enter: Microsoft. On Thursday, the company announced it will bring its Defender antivirus software to iOS and Android, with plans to preview its mobile security solutions at the RSA Conference next week.

Microsoft abandoned its own attempts at capturing a segment of the smartphone market when it killed off Windows 10 Mobile in 2017, but as CNBC notes, it has still been a major player in the space, releasing its popular Office software on iOS and Android, as well as bringing Minecraft to mobile devices in 2014.

“They’re pretty safe, but pretty safe is not the same as safe,” Microsoft corporate VP Rob Lefferts said in an interview at the company’s HQ last week, according to CNBC. “Malware does happen on those platforms.”

If you’ve been reading BGR even sporadically for the past several years, you know how frequently malware shows up in applications that Android users sideload on to their devices from outside the official Google Play store. Lefferts also talked about how easy it is to be the victim of a phishing attempt, where a hacker will present unknowing users with a seemingly legitimate interface into which they input their credentials, only to have them stolen. Lefferts believes that Microsoft’s Defender “could help companies make employees less vulnerable to such attacks.”

Read more: Microsoft will bring its Defender antivirus software to iOS and Android


Nov 3, 2019
An iOS and Android version of Microsoft Defender will be released this year, bringing the antivirus software to mobile devices for the first time.

In an official blog post, it was revealed that Microsoft Defender Advanced Threat Protection has added support for Linux, joining Windows and macOS. Microsoft also said that there are plans to expand the program to iOS and Android, which will further extend the reach of the antivirus software.

Apple and Google have implemented various initiatives to curb the spread of malware on their respective app stores. Microsoft believes it can do more in helping protect iOS and Android device owners from security threats.

“They’re pretty safe, but pretty safe is not the same as safe,” Microsoft executive Rob Lefferts told CNBC in an interview at the company’s headquarters in Redmond, Washington. “Malware does happen on those platforms.”

The mobile versions of Microsoft Defender will likely be very different compared to the app’s desktop versions, according to The Verge, partly because iOS apps are not allowed to scan for malware on iPhones and iPads. The Android version of Microsoft Defender, meanwhile, will help prevent the entrance of malware through apps that are directly loaded into devices, bypassing the Google Play Store.

Lefferts added that mobile device owners are at risk from phishing attacks, through which hackers aim to acquire their targets’ credentials through fake interfaces where victims are tricked into entering their usernames and passwords. It is unclear, however, how Microsoft Defender will prevent phishing attacks from succeeding.

The iOS and Android versions of Microsoft Defender will be part of the company’s enterprise security platform, so it is very likely that the apps will first be available for companies and their employees. In contrast with Microsoft’s Intune software that allows administrators to manage the computers and mobile devices of employees, Microsoft Defender will focus on security, such as by preventing people from accessing websites that are tagged as unsafe, according to Lefferts.

There is no specific timeline for the release of Microsoft Defender’s iOS and Android versions. In addition to support for Linux, Windows, and macOS, the software has been introduced as extensions for Google’s Chrome and Mozilla’s Firefox browsers.


Apr 24, 2016
The phishing protection offered by MS SmartScreen is actually very good.
For MS it's a smart move (having unfortunately lost Windows Phone) to expand to Android and iOS.
I think in the long run covering all those systems with MS Defender will be good for all.
Protecting Android and iOS will beef up Windows protection because they will learn from it, and they have access to an enormous amount of telemetry and cloud data.


Sep 5, 2017
Almost within a year after releasing Microsoft Defender Advanced Threat Protection (ATP) for macOS computers, Microsoft today announced a public preview of its antivirus software for various Linux distributions, including Ubuntu, RHEL, CentOS and Debian.
If this news hasn't gotten you excited yet...
Microsoft is also planning to soon release Defender ATP anti-malware apps for smartphones and other devices running Google's Android and Apple's iOS mobile operating systems.
"We know our customers' environments are complex and heterogeneous. Providing comprehensive protection across multiple platforms through a single solution and streamlined view is more important than ever," the company said.
"Next week at the RSA Conference, we'll provide a preview of our investments in mobile threat defense with the work we're doing to bring our solutions to Android and iOS."
I am sure you have heard many times that 'Linux doesn't need antivirus software,' but this is not the case anymore.
Over the last few years, hackers have started paying more attention to Linux and macOS platforms, making them a new target for viruses, Trojans, spyware, adware, ransomware, and other nefarious threats.
Despite the fact that the attack surface for Linux is much, much smaller, Linux has its own share of vulnerabilities and malware threats, and you need proactive monitoring to keep your system safe.
According to Microsoft, Defender ATP is a unified endpoint platform for preventative protection, post-breach detection, automated investigation, and response.
It proactively hunts across users, email, applications, and endpoints to automatically detect, investigate, and stop coordinated multi-point attacks.
"The AI capabilities built into Microsoft Security solutions are trained on 8 trillion daily threat signals and the insights of 3,500 security experts. Custom algorithms and machine learning models make, and learn from, billions of queries every day," said Ann Johnson, Corporate Vice President of the Cybersecurity Solutions Group.
A timeline for when Microsoft would release the iOS and Android versions has not been specified, although the company said they would be available later this year.

ForgottenSeer 85911

it remains to be seen if home users will be able to use it since it is ATP which is meant only for subscribing enterprise users

this is part of Microsoft's ongoing "we will join them since we cannot beat them" strategy
Microsoft is doing this with both Linux and Android
the strategy is to find ways to offer paid services and monetize things in the Linux and Android spaces


Jul 3, 2015
it remains to be seen if home users will be able to use it since it is ATP which is meant only for subscribing enterprise users

this is part of Microsoft's ongoing "we will join them since we cannot beat them" strategy
Microsoft is doing this with both Linux and Android
the strategy is to find ways to offer paid services and monetize things in the Linux and Android spaces
Home users don't need it on Linux. Servers need it. Maybe businesses need it, if there are any that use Linux on their endpoints.


May 7, 2018
Home users don't need it on Linux. Servers need it. Maybe businesses need it, if there are any that use Linux on their endpoints.
Yes, this is definitely geared towards servers and businesses. Since many servers run Linux, they have become more of a target than before. Home users running Linux don't need to worry just yet; if Linux threats start to rise they will have to pay attention, but for now there is no need to worry.


Mar 16, 2019
Don't forget sudo pacman install Defender, or sudo dnf install defender, gotta love that Linux consistency.

Thinking of it, are they going to call it Defender, or Windows Security?
It's going to be Microsoft Defender I think. It was already on the news last year when the change was done in a Windows Preview version but nothing has been changed officially yet.
Oh well, their ATP version is already named Microsoft.