Enhanced antimalware engine capabilities for Linux and macOS

Update: Enhanced antimalware engine for and macOS is now generally available. 

The new engine will be gradually rolled out to all devices.

IMPORTANT: Ensure you are applying regular updates. Soon after general availability, app/platform versions older than 101.62.64 (released in February of 2022) will stop getting security intelligence updates. 

To ensure Microsoft cloud-delivered protection works properly, your security/IT team must configure your /proxy/internet settings to allow connections between your endpoints and certain Microsoft URLs. To support the new Microsoft Defender for Endpoint on and macOS anti-malware engine enhancements, you must allow-list within the proxy ecosystem in your environment the following URL endpoints:

[How this will affect your organization:]

Starting July 31, 2022,  access to these URLs will be *required* to ensure uninterrupted cloud-delivered protection on your and macOS systems behind a proxy. Organizations that have not allow-listed by July 31, 2022, access to the above mentioned URLs will be unable to download threat definition updates required for effective anti-malware protection.

We are announcing a significant upgrade to our next-generation protection on Linux and macOS with a new, enhanced engine. 

The Microsoft Defender antimalware engine is a key component of next-generation protection. This protection brings , big-data analysis, in-depth threat research, and the Microsoft cloud infrastructure, to protect devices (or endpoints) in your organization.

The main benefits of this major update include performance and prevention improvements, as well as adding support for custom file indicators on macOS and Linux.

What to expect with this enhancement:

  • Better support for protection against known and unknown malware with client-side machine-learning models, heuristics, and correlation between static signals.
  • Enhanced cloud-delivered protection with support for metadata-based  machine-learning models, file classifications and reputation-based  machine-learning models, and more.
  • Emergency security intelligence updates are now available through cloud-delivered protection that can help protect against malware outbreaks.
  • Better support for false positive and false negative prevention.
  • IMPORTANT: Threat naming and definition version nomenclature will change for the purpose of consistency across all platforms and aligning to our overall naming conventions. For more information about how Microsoft names malware, see: Malware names | Microsoft Docs.
  • Reduced memory and CPU footprints
  • Improved behavior monitoring with lower resource consumption is now available to all our customers as a configurable component for Linux (if enabled).
  • Memory scanning, providing better coverage for fileless attacks (Linux).
  • Reduced overall package size, significantly reduced security intelligence update download sizes.
  • Custom file indicators are now available with “audit”, “allow”, “block & remediate” action . The indicator type will be added at a later date.


As a preview entry prerequisite, ensure the following requirements are fulfilled:

  1. During general availability, the new engine will be gradually rolled out to all devices. The process of migration from the old engine to the new engine would last for 3 months
  2. The minimum Microsoft Defender for Endpoint version number must be 101.62.64 [Feb 2022 build]
  3. Soon after migration begins, versions older than 101.62.64 will stop getting protection updates
  4. Organizations which have all devices on a version greater than 101.62.64 would get first preference for the rollout

Key changes to look out for

Custom file indicators

A key feature of the new antimalware engine is the ability to create custom file indicators. You may already have experience with custom file indicators on Windows. The existing three indicator response actions are “allow,” “alert only,” and “alert and block & remediate.” These actions are now supported on macOS and Linux.

Note that warn and block only (block without remediation) indicator types are currently not supported for Linux & macOS. This is visually indicated in the Microsoft 365 Defender portal. In addition, if you have previously created non-scoped custom file indicators (targeted to all devices) in your environment, the indicators will also start applying to any device that is running the new antimalware engine.

Threat nomenclature

The change in threat / malware name is changing to ensure consistency with the standard naming scheme followed across all platforms, including Windows. This is part of the effort for aligning our nomenclature across all platforms and having a standardized naming mechanism.

Threat names will now follow this format:

… —> [Threat Type]:[Platform]/[Malware Family].[Variant]?![Suffixes]?


Previous engine syntax New engine syntax




















Microsoft Defender for Endpoint threat list output

Some examples of the updated threat names when displayed through command line:

Screenshot of a detected Linux threat with new naming conventionScreenshot of a detected Linux threat with new naming convention

Screenshot of a Trojan detected with new threat naming conventionScreenshot of a Trojan detected with new threat naming convention

User Interface (macOS)

The following screenshot shows alerts will use the updated threat names in the user interface:

Screenshot from macOS UI showing new threat nameScreenshot from macOS UI showing new threat name

Microsoft 365 Defender portal

Alerts will use the updated threat names in the Microsoft 365 Defender portal.

For example:

Screenshot showing an alert in the portal with the new naming conventionScreenshot showing an alert in the portal with the new naming convention

Screenshot showing an alert example in the portal with the new naming conventionScreenshot showing an alert example in the portal with the new naming convention

Version numbers

The format of ‘Security intelligence version' under the About tab and Virus and threat protection updates in the macOS Microsoft Defender interface and using the Linux command line interface will now display a different version numbering scheme.

Security Intelligence/definitions version example: 1.355.2459.0

Engine version example: 1.1.18900.3

Comparison of old version name vs new version name displayComparison of old version name vs new version name display

Comparison of old client version name vs new version name on macOS UIComparison of old client version name vs new version name on macOS UI

Comparison of old engine version name vs new version name on Linux agentComparison of old engine version name vs new version name on Linux agent

Exceptions / Rules configured based on threat names

In the previous engine capability, if any rule has been configured (using “mdatp threat allowed” command) to allow threats based on the threat family name, those rules will not be in effect with the new engine. New rules will have to be created with the corresponding new threat family names. For example, in case of EICAR threats:

Screenshot of threat exclusion command changesScreenshot of threat exclusion command changes

IMPORTANT: Action might be needed

  • Ensure your proxy solution allows access to security intelligence and cloud protection locations. Some of these locations were previously listed as “optional” and applied primarily to Windows, at Configure device proxy and Internet connection settings | Microsoft Docs.
  • Threat exclusions defined using the old naming convention will need to be updated. In addition, if you have any scheduled queries based on the threat name, you may need to revise them.

Note: In addition to setting exclusions for files that may no longer be covered by allowed threat configuration, you can now also use custom file indicators with the “Allow” action type as a mitigation.

We welcome your feedback and look forward to hearing from you! You can submit feedback through the Microsoft 365 security center.


This article was originally published by Microsoft's Defender for Endpoint Blog. You can find the original article here.