We are excited to announce that we have added our new Linux EDR agent to the New Server Protection and EDR Features early access program.

Joining the EAP:

To get access to the new agent you must first join the New Server Protection and EDR Features early access program. See this presentation on how to join the EAP.

Getting access to the agent and installing:

Once you have successfully joined, from the Protect Devices page in Sophos Central you can now see the 'Download Linux MTR Installer' is now available (this is a shared agent for both Sophos EDR and customers and customers of the Sophos MTR service):



Once installed, from the Devices page in Central locate the newly installed server and choose the option to Update Now:



Enrolling the device into Early Access: 

Once the first update is completed, go back to the Early Access Programs page and choose the option to Manage the EAP. The newly installed Server should now be available as an eligible device to join the EAP. Assign the device to the EAP then click Save:


Enrolled Linux Servers will now respond to Live Discover queries as seen below:


Note: At this point the Linux EDR agent only supports the new Live Discover EDR capability and provides no threat protection capabilities. This agent cannot run on the same device where Central Server Protection for Linux is installed.


Supported Linux Distributions:

Here is the list of distributions supported by the Linux EDR agent:

·  Amazon Linux 2
·  CentOS7
·  CentOS8
·  CentOS Minimal
·  RHEL 7
·  RHEL 8
·  Ubuntu 18.04
·  Ubuntu Minimal

Using Live Discover:

Check out these videos which walk through using Live Discover and give an overview of the threat hunting and IT operational use cases where it can support you:

Selecting devices for a query

Using Live Discover to support IT Operations use cases

Using Live Discover for Threat Hunting

Using Live Discover for a forensic investigation

The full library of EDRv3 shared videos can be found here.


Can you help to shape our future products?

We're looking for customers and partners to join our Sophos Design Partner group. Sign up and you'll be able to give us your product feedback and ideas through surveys, interviews, or usability testing.
You'll be helping to make the world a safer place -- and you might win Amazon vouchers while you're doing it.
We’re particularly keen to talk to customers who are using our new EDR features in EAP.
Interested? Contact us at  InterceptBeta [at] Sophos [dot] com


Looking for other ways to provide feedback and get support with EDRv3:

Leverage the Sophos Endpoint Early Access Community where we’ll be providing blogs, videos documentation and forums where we’ll be sharing information and answering your technical questions.

Live Discover Schema:

Details on the osquery schema and the schema supporting the Sophos Data Recorder can be found here.

EDRv3 Known issues:

You can find a list of known early access issues here.