Bypass Record

Disable or Modify Tools × Microsoft Defender for Endpoint on Linux

A publicly-reported instance of Disable or Modify Tools bypassing Microsoft Defender for Endpoint on Linux, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Defender for Endpoint on Linux
Technique: Disable or Modify Tools
MITRE ATT&CK: T1562.001
Confidence: High
Severity: High
Status: unknown
Disclosed: 2025-10-15
Config / version noted: Not stated

Provenance

Reported as

TOCTOU race condition ... defeats the agent's availability, suspending real-time protection, file scanning, and telemetry

Mechanism

A TOCTOU race condition (CWE-367) in the Defender agent's Linux code paths allows a local attacker to win the race in the window between a resource check and its subsequent use, causing the service to crash or hang. This defeats the agent's availability, suspending real-time protection, file scanning, and telemetry.

Detection & mitigation

Monitor for unexpected termination or restart of the Defender for Endpoint Linux agent process (e.g., mdatp) and correlate such events with local privilege escalation attempts or suspicious process creation on the same host. Apply the vendor security update (October 14, 2025) to remediate the TOCTOU vulnerability.


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.