The potentially unwanted application (PUA) protection feature in Defender for Endpoint on Linux can detect and block PUA files on endpoints in your network.
These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have poor reputation.
These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications.
How it works
Defender for Endpoint on Linux can detect and report PUA files. When configured in blocking mode, PUA files are moved to the quarantine.
When a PUA is detected on an endpoint, Defender for Endpoint on Linux keeps a record of the infection in the threat history. The history can be visualized from the Microsoft 365 Defender portal portal or through the
mdatp command-line tool. The threat name will contain the word “Application”.
Configure PUA protection
PUA protection in Defender for Endpoint on Linux can be configured in one of the following ways:
- Off: PUA protection is disabled.
- Audit: PUA files are reported in the product logs, but not in Microsoft 365 Defender. No record of the infection is stored in the threat history and no action is taken by the product.
- Block: PUA files are reported in the product logs and in Microsoft 365 Defender. A record of the infection is stored in the threat history and action is taken by the product.
By default, PUA protection is configured in Audit mode.
You can configure how PUA files are handled from the command line or from the management console.
Use the command-line tool to configure PUA protection:
In Terminal, execute the following command to configure PUA protection:
mdatp threat policy set --type potentially_unwanted_application --action [off|audit|block]
Use the management console to configure PUA protection:
In your enterprise, you can configure PUA protection from a management console, such as Puppet or Ansible, similarly to how other product settings are configured. For more information, see the Threat type settings section of the Set preferences for Defender for Endpoint on Linux article.