ClamAV + osquery → Microsoft Defender for Endpoint P1
ClamAV + osquery ↔ Microsoft Defender for Endpoint P1: a phased, integration-first augmentation path.
ClamAV and osquery deploy alongside Defender for Endpoint P1 first — starting at the perimeter and as read-only inventory — then progressively extend onto the surfaces P1 never covers: Linux file-server AV, deep host inventory, FIM-of-record and custom signatures. No flag day, no forced re-tooling, and every phase rolls back in minutes.
The headline caveat first: neither ClamAV nor osquery is an EDR, so this is augmentation, not replacement. MDE P1 stays AV-of-record on Windows throughout. We say so up front, because the rest of this page only matters if you can trust it.
The idea
Augment the gaps. Keep Defender as AV-of-record.
The topology that makes this zero-downtime: Defender P1 stays the only on-access scanner on Windows — its real-time minifilter owns the file system — while ClamAV runs scheduled at off-hours against high-value paths and at the mail/web perimeter, and osquery plus Fleet runs everywhere as a read-only inventory and query plane. The one hard rule is on-access ownership: never two on-access scanners on the same host, so on Linux you pick one per host and cross-exclude their working directories. Defender keeps owning real-time prevention, ASR and Tamper Protection; the OSS pair covers what P1 simply does not ship.
The phases
Seven steps. Each one reversible.
Phase 0: Baseline & inventory
We document per-endpoint MDE P1 onboarding status, ASR rule state and last-seen; per-Linux-host AV; per-gateway scanning state; and SIEM ingest paths. Critically, we make an explicit decision on scope — augmentation only (the default), or a scoped retirement of a pre-existing perimeter SaaS-AV. MDE P1 is never the retirement target. Read-only.
Phase 1: Stand up osquery + Fleet
Fleet runs HA (two replicas plus MySQL and Redis), the enroll secret is distributed, and osqueryd reports host inventory on a 5% canary. Only baseline tables run at first (processes, users, os_version, kernel_info); the behavioural tables wait until later to avoid eBPF/audit overhead.
Phase 2: ClamAV at the mail / web perimeter
clamd lands on the mail gateway, and the web gateway if present, with EICAR rejection verified and logs flowing to the SIEM. freshclam pulls signatures six times a day, stacked with SecuriteInfo, MalwarePatrol and URLhaus feeds — staged in non-production first. This catches signature-based malware before it reaches the endpoint.
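What the perimeter step above looks like in configuration, as an added example rather than the page's own files. The directive names are ClamAV's and Postfix's own; the socket paths under /run/clamav, the 25M size cap and the reject text are assumptions for this example.

```conf
# /etc/clamav/clamav-milter.conf  (added example; socket paths are assumed)
MilterSocket /run/clamav/clamav-milter.ctl
MilterSocketMode 660
ClamdSocket unix:/run/clamav/clamd.ctl
OnClean Accept
# Infected: 5xx at end-of-DATA, so the sender learns the message was refused
OnInfected Reject
# clamd unreachable: 4xx, never silently accept unscanned mail
OnFail Defer
RejectMsg "Rejected: message contains %v"
MaxFileSize 25M
# Detections go to the mail log, which is what the SIEM already ingests
LogSyslog yes
LogFacility LOG_MAIL
LogInfected Full

# /etc/postfix/main.cf  (milter section)
smtpd_milters = unix:/run/clamav/clamav-milter.ctl
non_smtpd_milters = $smtpd_milters
# Milter itself unreachable: 4xx, fail closed rather than open
milter_default_action = tempfail

# /etc/clamav/freshclam.conf
DatabaseMirror database.clamav.net
# Six signature pulls per day
Checks 6
NotifyClamd /etc/clamav/clamd.conf
LogSyslog yes
```

Verify it the way the page says: send a message carrying the EICAR test string as an attachment (swaks is the usual tool) and expect a 5xx reply at end-of-DATA; then stop clamd and confirm the same send gets a 4xx, which is the fail-closed path. The SecuriteInfo, MalwarePatrol and URLhaus feeds are not freshclam mirrors; they are normally pulled by a separate updater such as clamav-unofficial-sigs into the same database directory, which is why they are staged in non-production first.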
Phase 3: osquery to the full fleet
osqueryd reaches 100% of in-scope endpoints in 10 / 25 / 50 / 100% waves, each soaked at least seven days. The behavioural tables (process_events, socket_events) come on at 300-second intervals only after the 100% baseline is stable for a week and the SIEM ingest budget tolerates it.
Phase 4: ClamAV on Linux file servers
Where applicable, clamd plus clamonacc runs on each in-scope Linux file server, with on-access blocking enabled only after a 14-day log-only soak. A coexistence check matters: if MDE for Linux real-time is on the host, clamonacc stays off, because two on-access scanners fight over fanotify.
Phase 5: Selective perimeter SaaS-AV retirement
Only if Phase 0 scoped it, and only after ClamAV has matched at least 95% of the SaaS detections side-by-side for 30 days: a pre-existing perimeter SaaS-AV (such as a hosted mail-AV) is retired, with MX cut to the local gateway. The 5% delta is vendor-proprietary feed content, accepted as residual risk. MDE P1 is not retired.
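The side-by-side gate this step describes, as an added example and not the page's own tooling. Inputs are two plain-text files, one message ID per line, listing what the hosted SaaS-AV flagged and what the local ClamAV gateway flagged over the same window; that file format and the msg-NNNN identifiers are constructed for the example, and real IDs would be pulled from the gateway logs. The gate passes only at 95% or better over at least 30 days, and an empty SaaS list proves nothing, so it fails too.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): perimeter SaaS-AV retirement gate.
# Input files: one message ID per line (constructed format for this example).
set -u

# Print "matched total percent": how many SaaS detections ClamAV also flagged.
# Duplicate lines are ignored; ClamAV-only hits count neither for nor against.
match_rate() {
  awk 'NF == 0 { next }
       FILENAME == ARGV[1] { clam[$1] = 1; next }
       !seen[$1]++ { total++; if ($1 in clam) matched++ }
       END { pct = total ? int(matched * 100 / total) : 0
             printf "%d %d %d\n", matched, total, pct }' "$2" "$1"
}

# Exit 0 (pass) only when the soak is >= 30 days and ClamAV matched >= 95%
# of a non-empty SaaS detection list. Anything else keeps the SaaS-AV in line.
retirement_gate() {
  local saas="$1" clam="$2" days="$3" stats total pct
  stats="$(match_rate "$saas" "$clam")"
  total="$(printf '%s\n' "$stats" | awk '{ print $2 }')"
  pct="$(printf '%s\n' "$stats" | awk '{ print $3 }')"
  [ "$days" -ge 30 ] && [ "$total" -gt 0 ] && [ "$pct" -ge 95 ]
}

# Constructed sample data: SaaS flagged msg-0001..msg-0040; ClamAV flagged 38 of
# those, one the SaaS missed, and logged one ID twice. Written into directory $1.
ids() { local i="$1"; while [ "$i" -le "$2" ]; do printf 'msg-%04d\n' "$i"; i=$((i + 1)); done; }
write_sample_logs() {
  ids 1 40 > "$1/saas.txt"
  { ids 1 38; echo msg-9001; echo msg-0001; } > "$1/clam.txt"
}

main() {
  local d; d="$(mktemp -d)"
  write_sample_logs "$d"
  echo "matched total pct: $(match_rate "$d/saas.txt" "$d/clam.txt")"
  if retirement_gate "$d/saas.txt" "$d/clam.txt" 30; then
    echo "gate PASSED: cut MX to the local gateway"
  else
    echo "gate FAILED: keep the SaaS-AV in line"
  fi
  rm -rf "$d"
}
main
```

The 5% the gate tolerates is exactly the vendor-proprietary feed delta the page accepts as residual risk; if the SaaS-only IDs cluster in one malware family, that is the signal to look for a feed that covers it before cutting MX.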
Phase 6: Steady state — augmentation
MDE P1 is the Windows endpoint AV-of-record; ClamAV is the Linux file-server AV plus mail/web gateway scanner; osquery and Fleet are the cross-platform inventory, FIM and custom-query plane. The SIEM ingests alerts from all three. No further retirement — augmentation is the honest end state.
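The osquery schedule that the Fleet stand-up, full-fleet rollout and steady-state steps describe, written out as an osquery.conf. This is an added example, not the page's or Fleet's own configuration; in a Fleet deployment the same options and queries are pushed as agent options and scheduled queries rather than as a file. The FIM paths (/etc, /usr/bin, /usr/sbin and SSH directories) and the event-buffer limits are assumptions.

```json
{
  "options": {
    "enable_file_events": "true",
    "disable_audit": "false",
    "audit_allow_process_events": "true",
    "audit_allow_sockets": "true",
    "events_expiry": "3600",
    "events_max": "50000"
  },
  "schedule": {
    "os_version": {
      "query": "SELECT name, version, build FROM os_version;",
      "interval": 3600, "snapshot": true
    },
    "kernel_info": {
      "query": "SELECT version, arguments, path FROM kernel_info;",
      "interval": 3600, "snapshot": true
    },
    "users": {
      "query": "SELECT uid, username, shell, directory FROM users;",
      "interval": 3600
    },
    "processes": {
      "query": "SELECT pid, name, path, cmdline, parent FROM processes;",
      "interval": 600
    },
    "process_events": {
      "query": "SELECT pid, path, cmdline, parent, time FROM process_events;",
      "interval": 300
    },
    "socket_events": {
      "query": "SELECT pid, path, remote_address, remote_port, time FROM socket_events;",
      "interval": 300
    },
    "fim_events": {
      "query": "SELECT target_path, category, action, sha256, time FROM file_events;",
      "interval": 300, "removed": false
    }
  },
  "file_paths": {
    "etc_config": ["/etc/%%"],
    "binaries": ["/usr/bin/%%", "/usr/sbin/%%"],
    "ssh": ["/root/.ssh/%%", "/home/%/.ssh/%%"]
  },
  "exclude_paths": {
    "etc_config": ["/etc/ld.so.cache"]
  }
}
```

For the Phase 1 canary ship only the four baseline entries and leave disable_audit, audit_allow_process_events and audit_allow_sockets at their defaults; the three event-table entries and the audit options are what Phase 3 switches on after the 100% baseline has been stable for a week, because turning audit on at the host is where the CPU cost and the SIEM volume appear. events_max and events_expiry cap the on-host event buffer so a burst of process activity is bounded between 300-second harvests. The file_events entry is the FIM-of-record the parity table credits to osquery; its sha256 column is what lets the SIEM tie a changed binary back to a ClamAV or Defender hit.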
Feature parity
Where each tool genuinely leads.
| Capability | ClamAV + osquery | Microsoft Defender for Endpoint P1 | Parity |
|---|---|---|---|
| On-access AV (real-time) | ClamAV clamonacc + fanotify (Linux only) | WdFilter.sys minifilter feeding the MsMpEng engine (Windows) | Partial |
| Signature file scanning | ClamAV clamdscan + freshclam CVDs | Defender security-intel signatures | At parity |
| Cloud-delivered / ML prevention (BAFS) | None (signature-only) | MAPS Advanced + Block-at-First-Sight | SaaS only |
| Prevention controls (ASR / CFA / network) | None | ASR rules, Controlled Folder Access, Network protection | SaaS only |
| Custom signature authoring | ClamAV sigtool .ndb/.hdb/.ldb + YARA | No custom signature engine; the closest P1 equivalent is hash-based file block/allow indicators, not authored detections | OSS only |
| Host inventory | osquery 200+ tables, deb_packages/startup_items/chrome_extensions | Device inventory: OS/version/last-seen/basic HW | Partial |
| Fleet-wide query | Fleet Live Query + scheduled packs | Advanced Hunting is P2/E5 only — P1 cannot query DeviceEvents | OSS only |
| FIM-of-record | osquery file_events | No FIM-of-record in P1 | OSS only |
| Threat hunting / behavioural telemetry | None (osquery read-only; no process-tree correlation) | None in P1 (Advanced Hunting is P2) | At parity |
| Mail / web gateway scanning | clamav-milter (or amavisd-new) in front of clamd; ICAP via c-icap + squidclamav | Not in scope (Defender for Office is separate) | OSS only |
| Tamper protection | None (config-managed, not enforced) | Cloud-managed Tamper Protection surviving local admin | SaaS only |
| Air-gapped signature update | freshclam mirrored CVDs | Security-intel via WSUS/UNC; cloud protection needs egress | At parity |
| Data retention / open log surface | Fleet results to SIEM (your storage budget) | Portal-only; raw DeviceEvents export needs paid Sentinel | Partial |
| Deployment & HA | Self-hosted Fleet (2+ replicas + MySQL + Redis) | Microsoft-managed cloud | Partial |
| Cost model | OSS free + self-host ops | Per-seat MDE P1 SKU | Partial |
What we're honest about
The caveats most vendors leave out.
Neither half is EDR — MDE P1 stays
ClamAV is signature-based file scanning; osquery is read-only inventory and query. There is no behavioural engine, no in-memory exec detection, no process-tree correlation in this pair. MDE P1 is never retired: it stays AV-of-record on Windows throughout, and the honest target is augmenting it on surfaces it does not cover. Anyone needing real EDR is in the wrong pair.
Cloud ML and ASR have no OSS parity
Defender's cloud-delivered protection and Block-at-First-Sight ML fire against Microsoft's global telemetry; ClamAV is signature-only and lags novel Windows malware by days to weeks, so treat its findings as corroborating, not authoritative. ASR rules, Controlled Folder Access, Network protection and Tamper Protection are vendor-curated and stay SaaS-only — AppLocker, WDAC and Sysmon approximate ASR statically but do not update with attacker tradecraft.
Two on-access scanners on Linux fight
ClamAV's clamonacc and MDE for Linux both register fanotify FAN_OPEN_PERM listeners. Two permission listeners on the same files mean every open waits on both scanners, and when each scanner's own reads trigger the other's permission event the host can deadlock outright. Pick exactly one on-access owner per Linux host; where both run scheduled scans, cross-exclude each other's working directories so neither quarantines the other's signature database on update. Busy DB hosts often get osquery-only, by explicit risk acceptance.
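The one-owner rule from the topology section, the coexistence check in the Linux file-server step and the caveat above, as one added example; this is not the page's own tooling. It picks the fanotify owner from Defender's real-time state and emits the matching clamd.conf stanza plus the exclusion for the Defender side. Assumptions not taken from the page: `mdatp health --field real_time_protection_enabled` prints `true` or `false`; MDE for Linux lives under /opt/microsoft/mdatp and /var/opt/microsoft/mdatp; ClamAV's database is /var/lib/clamav; the share root to protect is /srv/shares.

```bash
#!/usr/bin/env bash
# Added example (not the page's own tooling): single fanotify on-access owner per
# Linux host. Paths and the mdatp query below are assumptions for this example.
set -u

# Decide the owner. $1 lets a caller inject the Defender RTP state; otherwise
# mdatp is asked. No mdatp binary means ClamAV may own on-access; a failed query
# does not, because starting a second scanner on a guess is the outcome to avoid.
pick_onaccess_owner() {
  local rtp="${1:-}"
  if [ -z "$rtp" ]; then
    if command -v mdatp >/dev/null 2>&1; then
      rtp="$(mdatp health --field real_time_protection_enabled 2>/dev/null || echo unknown)"
    else
      rtp=false
    fi
  fi
  case "$rtp" in
    false) echo clamonacc ;;
    *)     echo mdatp ;;
  esac
}

# Emit the on-access part of clamd.conf for the chosen owner.
# $2 is "log-only" (default, the 14-day soak) or "block" (OnAccessPrevention yes).
clamd_onaccess_stanza() {
  local owner="$1" mode="${2:-log-only}" prevention=no
  if [ "$owner" != clamonacc ]; then
    echo "# on-access disabled: MDE real-time protection owns fanotify on this host"
    echo "# clamd runs scheduled clamdscan jobs only; do not start clamonacc"
    return 0
  fi
  [ "$mode" = block ] && prevention=yes
  cat <<EOF
# clamonacc owns fanotify on this host
OnAccessIncludePath /srv/shares
OnAccessExcludePath /var/lib/clamav
OnAccessExcludePath /opt/microsoft/mdatp
OnAccessExcludePath /var/opt/microsoft/mdatp
OnAccessExcludeUname clamav
OnAccessPrevention $prevention
EOF
}

# The other direction: Defender's scheduled scans must skip ClamAV's signature
# database so a CVD update is never quarantined by the other scanner.
mdatp_cross_exclusion() {
  echo "mdatp exclusion folder add --path /var/lib/clamav"
}

owner="$(pick_onaccess_owner)"
echo "on-access owner: $owner"
clamd_onaccess_stanza "$owner" log-only
echo "# Defender side:"
mdatp_cross_exclusion
```

Run it on each in-scope file server during the soak and diff the emitted stanza against the deployed clamd.conf; a host whose owner flips (someone enabled Defender real-time by policy after clamonacc went live) shows up as a diff before it shows up as a hung NFS mount. Switch the second argument to `block` only after the 14-day log-only window the Linux file-server step calls for.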
You own the OSS stack and its compliance posture
Fleet's query results are only as useful as the SIEM indexer you size for them; its FIM-of-record only counts because you budgeted the storage and retention. The SOC 2 / ISO 27001 boundary now includes Fleet, osquery and ClamAV operations, so patch cadence, log retention, DR and IR runbooks become yours. We run Fleet HA (two replicas, external MySQL with backups, Redis persistence) and budget at least one audit cycle of overlap before an OSS layer is accepted as a compensating control.
Why this beats a flag day
Reversible at every layer.
Every per-phase change rolls back in under 15 minutes — uninstall osquery, disable the ClamAV milter and restart Postfix, or wave-revert via Fleet config. The one honest exception is the optional Phase 5 perimeter-SaaS-AV cutover, where re-enabling the service and reverting MX takes hours to days — and even that fires only after the OSS scanner matches 95% of the SaaS detections side-by-side for at least 30 days. MDE P1 is never removed, so Windows AV coverage has no cutover to bet on.
See which gaps OSS closes — and what Defender must keep owning.
A call with a senior security engineer. We map your OS mix and PCI scope, find the Linux, inventory, FIM and perimeter gaps MDE P1 leaves open, and tell you honestly whether you need real EDR instead — before you commit to anything.
Map my migration →