[deadso]

I don't think people ITT understand what Defender ATP is supposed to be. It's not just an AV, but rather also has the ability to do threat protection across all your assets in the company.

It can analyze an attackers moves within your network, figuring out what files they accessed, ways they pivoted, and other stuff. So not only would it detect that you got compromised, but the display will show you likely paths, names of users that are also compromised, mitigation steps, deployed persistence measures, etc.

So for Defender ATP to work optimally in a deployment that leverages linux nodes, or has users using linux as their daily driver, you need to support linux.

[mrits]

Your statement would have been valid a few years ago. But now all AV providers also offer what you are talking about. AV+EDR with advanced threat hunting UI. So when you say AV today you should really think the other stuff as well.

[TA43]

They provide it but often not in the same product capacity, a common structure would be Sophos & CarbonBlack - two separate products by different companies. Additionally they'd need a third product to cover the *nix estate.

Defender, in its current state, rolls all of the above into one at a relatively competitive price point. Additionally, it receives new detections built off all the telemetry they get as a result of Windows Defender existing on almost every Win10 OS on the planet.

This leveraging of data on such a scale is letting Microsoft quickly become the market leader for threat detection & response.

[deadso]

Thanks for the info. Yeah, I'm not up to speed on the latest in the defense world. Good to know. I just felt like I had to bring it up because (at the time of posting) people were exclusively discussing the merits of an AV on linux (which is debatable) vs the value of EDR in a corporate environment.

[mistrial9]

fixed it -- the product claims say "It can analyze an attackers moves within your network, figuring out what files they accessed, ways they pivoted, and other stuff."