Offline Security Intelligence Update is now GA!!

We are extremely excited to share that Offline Security Intelligence Update is now GA!!

Organizations can now update security intelligence (also referred to as “signatures”) on endpoints with limited or no exposure to the internet using a local hosting server. Exercise better control over the download and deployment of signatures on their servers running critical workloads.

In addition, these are the benefits of the new offline security intelligence update capability:

  • Control and manage the frequency of signature downloads on the local server and endpoints pulling signatures from the local server.
  • Get peace of mind by being able to test the downloaded signatures on a test device before propagating it to the entire fleet.
  • Reduce bandwidth as now, on behalf of your entire fleet, only one local server will poll Microsoft Cloud to get the latest signatures.
  • Run any of the 3 major platforms  (Windows, Mac, ) on the local server without needing to install for Endpoint.
  • Know you are getting the latest antivirus protection as signatures are always downloaded along with the latest compatible AV engine.
  • Trust that there are backups in case. For every update, signature with n-1 version is moved to a backup folder on the local server. In case of any issue with the latest signature, you can pull the n-1 signature version from the backup folder to your endpoints. On the rare occasion offline update fails,  you can also choose to fallback to online update directly from Microsoft Cloud.

How it works

Figure 1: High-level process flow diagram showing signatures downloading to local server and then being propagated to the Linux EndpointsFigure 1: High-level process flow diagram showing signatures downloading to local server and then being propagated to the Linux Endpoints

  • Organizations need to set up a local server that is reachable by Microsoft Cloud; ownership of the management and maintenance of the local server lies with the organization.
  • Signatures are downloaded from Microsoft Cloud on this local Web/NFS server by executing a script using cronjob/task scheduler on the local server.
  • Endpoints running for Endpoint will pull the downloaded signatures from this local Web/NFS server at a user-defined time interval.
  • Signatures pulled on the endpoints from the local server are first verified before loading it with the AV engine.
  • To trigger and configure the update process, update the managed config json file on the Linux endpoints.
  • The status of the update can be seen on the mdatp cli.


Getting started

Please upgrade to the latest for Endpoint agent version 101.24022.000 or above to experience the benefits. 

To configure Linux Endpoints and the local server please refer to our documentation.  


This article was originally published by Microsoft's Defender for Endpoint Blog. You can find the original article here.