Microsoft Defender for Endpoint Blog

Manage global exclusion policies for Linux across both AV and EDR

Rutuja_dange
Jun 05, 2025

Create and manage global exclusions for Linux 

Global exclusions for Microsoft Defender for Endpoint on Linux are now generally available. They allow security teams to create and manage exclusions that apply to both antivirus (AV) and endpoint detection and response (EDR), helping reduce false positives, improve performance, and streamline security operations on Linux servers.


Many organizations rely on exclusions to maintain optimal performance and ensure compatibility—especially in Linux server environments running custom applications or handling high input/output workloads. Until now, the absence of a unified exclusion scope across both AV and EDR made it challenging to tackle performance issues and avoid disruptions to trusted software due to false positives. 


With global exclusions, organizations can now effortlessly exclude specific files, folders, and processes from both AV and EDR using a single, centralized configuration—ensuring consistent protection, improved accuracy, and better performance across their Linux workloads. 


Key benefits 

  • Unified scope for antivirus + endpoint detection and response: Apply exclusions across both antivirus and endpoint detection and response using a single exclusion scope called “Global”. 
  • Mitigation of performance issues: Helps address performance issues—such as high CPU and memory usage—by excluding noisy processes. 
  • Reduced false positives: Avoid flagging known and trusted files or custom applications unique to your environment. By excluding trusted files and processes—such as Tanium used in endpoint management—you can avoid incorrect detections and focus on high-fidelity signals. 
  • Centralized, scalable management: Configure exclusions via security settings management using the Defender portal, Microsoft Intune, or JSON-based policies. 


How it works 

Global exclusions in Microsoft Defender for Endpoint on Linux are applied at the sensor level. This early-stage filtering removes noise from trusted sources before any pre-processing by the antivirus or endpoint detection and response engines. By default, these exclusions apply to real-time protection and passive mode, but not to on-demand custom scans. Here is a summary of how it works:

  • Scope: Applies to both real-time protection and EDR detections on Linux. It does not impact on-demand scans. 
  • Supported types: You can exclude files, folders, and processes.
  • Configuration options: 
    • Microsoft Defender portal: Use the built-in security settings management experience.
    • Microsoft Intune: Use the endpoint security blade to define and deploy exclusion policies.
    • JSON-based policies: For advanced deployments, exclusions can be defined in managed JSON and deployed via configuration management tools. 
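As an added example that is not part of this post or of Microsoft's own tooling, the following Python script lints a managed-JSON exclusion policy before it is deployed: it checks that every entry carries the Global scope (so it covers both AV and EDR) and flags directories that are too broad, or too widely writable, to exclude safely. The key names (exclusionSettings, exclusions, $type, scopes) are assumed from the product's managed-settings documentation, and the sample policy is constructed for illustration.

```python
import json

# Constructed sample policy (not from the post): two sensible global exclusions
# for an endpoint-management agent, plus two entries an auditor should question.
SAMPLE_POLICY = """
{
  "exclusionSettings": {
    "exclusions": [
      {"$type": "excludedPath", "isDirectory": true,
       "path": "/opt/Tanium/TaniumClient", "scopes": ["global"]},
      {"$type": "excludedFileName", "name": "TaniumClient", "scopes": ["global"]},
      {"$type": "excludedPath", "isDirectory": true, "path": "/", "scopes": ["global"]},
      {"$type": "excludedPath", "isDirectory": true, "path": "/tmp/", "scopes": ["epp"]}
    ]
  }
}
"""

# Exclusion kinds the managed-JSON schema accepts (assumed from product docs).
VALID_TYPES = {"excludedPath", "excludedFileExtension", "excludedFileName"}
# Directories too broad, or writable by any local user, to hide from AV and EDR:
# a global exclusion here is a blind spot and needs an explicit justification.
RISKY_DIRS = {"/", "/tmp", "/var/tmp", "/dev/shm", "/home", "/root"}


def lint_exclusions(policy_text):
    """Return [(index, finding), ...] for a managed-JSON policy; [] means clean."""
    policy = json.loads(policy_text)
    exclusions = policy.get("exclusionSettings", {}).get("exclusions", [])
    findings = []
    for i, exc in enumerate(exclusions):
        kind = exc.get("$type")
        if kind not in VALID_TYPES:
            findings.append((i, f"unknown $type {kind!r}"))
        if "global" not in exc.get("scopes", []):
            findings.append((i, "scope is not global: does not cover both AV and EDR"))
        if kind == "excludedPath":
            path = exc.get("path", "")
            if not path.startswith("/"):
                findings.append((i, f"path {path!r} is not absolute"))
            norm = path.rstrip("/") or "/"  # treat "/tmp/" and "/tmp" alike
            if exc.get("isDirectory") and norm in RISKY_DIRS:
                findings.append((i, f"directory {norm!r} is too broad to exclude"))
    return findings


if __name__ == "__main__":
    for index, finding in lint_exclusions(SAMPLE_POLICY):
        print(f"exclusion[{index}]: {finding}")
```

Run it against the policy file you intend to push through your configuration management tool; a non-empty result is a reason to review the entry, not necessarily to drop it.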


This flowchart shows when and where global exclusions are applied in the context of Microsoft Defender for Endpoint on Linux.


Getting started 

For detailed guidance on how to configure, validate, and manage global exclusions, please refer to our documentation: Configure and validate exclusions for Microsoft Defender for Endpoint on Linux - Microsoft Defender for Endpoint | Microsoft Learn. 


To start using global exclusions for Microsoft Defender for Endpoint on Linux, please upgrade to the latest version 101.24092.0001 or above. 


Updated Jun 04, 2025
Version 1.0