From 180cad0aa3ace97c1986a531f3557429f52cb456 Mon Sep 17 00:00:00 2001 From: MatiG Date: Mon, 4 Jan 2021 19:00:20 +0200 Subject: [PATCH 01/11] clean linter warnings --- .../linux-support-install.md | 27 ++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md index 9a2bf09a0d..0f1f9c1af8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md @@ -24,7 +24,6 @@ ms.topic: conceptual [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) @@ -36,9 +35,11 @@ An error in installation may or may not result in a meaningful error message by ```bash sudo journalctl | grep 'microsoft-mdatp' > installation.log ``` + ```bash grep 'postinstall end' installation.log ``` + ```Output microsoft-mdatp-installer[102243]: postinstall end [2020-03-26 07:04:43OURCE +0000] 102216 ``` @@ -54,6 +55,7 @@ Check if the mdatp service is running: ```bash systemctl status mdatp ``` + ```Output ● mdatp.service - Microsoft Defender for Endpoint Loaded: loaded (/lib/systemd/system/mdatp.service; enabled; vendor preset: enabled) 
@@ -69,47 +71,59 @@ systemctl status mdatp ## Steps to troubleshoot if mdatp service isn't running 1. Check if "mdatp" user exists: + ```bash id "mdatp" ``` + If there’s no output, run + ```bash sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp ``` 2. Try enabling and restarting the service using: + ```bash sudo systemctl enable mdatp ``` + ```bash sudo systemctl restart mdatp ``` 3. If mdatp.service isn't found upon running the previous command, run: + ```bash sudo cp /opt/microsoft/mdatp/conf/mdatp.service ``` + where `````` is ```/lib/systemd/system``` for Ubuntu and Debian distributions and - ```/usr/lib/systemd/system``` for Rhel, CentOS, Oracle and SLES. + ```/usr/lib/systemd/system``` for Rhel, CentOS, Oracle and SLES. Then rerun step 2. 4. If the above steps don’t work, check if SELinux is installed and in enforcing mode. If so, try setting it to permissive (preferably) or disabled mode. It can be done by setting the parameter `SELINUX` to "permissive" or "disabled" in `/etc/selinux/config` file, followed by reboot. Check the man-page of selinux for more details. Now try restarting the mdatp service using step 2. Revert the configuration change immediately though for security reasons after trying it and reboot. -5. If `/opt` directory is a symbolic link, create a bind mount for `/opt/microsoft`. +5. If `/opt` directory is a symbolic link, create a bind mount for `/opt/microsoft`. 6. Ensure that the daemon has executable permission. + ```bash ls -l /opt/microsoft/mdatp/sbin/wdavdaemon ``` + ```Output -rwxr-xr-x 2 root root 15502160 Mar 3 04:47 /opt/microsoft/mdatp/sbin/wdavdaemon ``` + If the daemon doesn't have executable permissions, make it executable using: + ```bash sudo chmod 0755 /opt/microsoft/mdatp/sbin/wdavdaemon ``` + and retry running step 2. 7. Ensure that the file system containing wdavdaemon isn't mounted with "noexec". 
@@ -117,24 +131,31 @@ Now try restarting the mdatp service using step 2. Revert the configuration chan ## If mdatp service is running, but EICAR text file detection doesn't work 1. Check the file system type using: + ```bash findmnt -T ``` + Currently supported file systems for on-access activity are listed [here](microsoft-defender-atp-linux.md#system-requirements). Any files outside these file systems won't be scanned. ## Command-line tool “mdatp” isn't working 1. If running the command-line tool `mdatp` gives an error `command not found`, run the following command: + ```bash sudo ln -sf /opt/microsoft/mdatp/sbin/wdavdaemonclient /usr/bin/mdatp ``` + and try again. If none of the above steps help, collect the diagnostic logs: + ```bash sudo mdatp diagnostic create ``` + ```Output Diagnostic file created: ``` + Path to a zip file that contains the logs will be displayed as an output. Reach out to our customer support with these logs. From 4727cb7d21be56f7bb961e55a60f4e57498f6751 Mon Sep 17 00:00:00 2001 From: MatiG Date: Mon, 4 Jan 2021 19:19:22 +0200 Subject: [PATCH 02/11] add to installaton tsg --- .../linux-support-install.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md index 0f1f9c1af8..cf23de1bf6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md 
@@ -48,6 +48,20 @@ An output from the previous command with correct date and time of installation i Also check the [Client configuration](linux-install-manually.md#client-configuration) to verify the health of the product and detect the EICAR text file. +## Make sure you have the correct package + +Please mind that the package you are installing is matching the host distribution and version. + +| package | distribution | +|-------------------------------|------------------------------------------| +| mdatp-rhel8.Linux.x86_64.rpm | Oracle, RHEL and CentOS 8.x | +| mdatp-sles12.Linux.x86_64.rpm | SuSE Linux Enterprise Server 12.x | +| mdatp-sles15.Linux.x86_64.rpm | SuSE Linux Enterprise Server 15.x | +| mdatp.Linux.x86_64.rpm | Oracle, RHEL and CentOS 7.x | +| mdatp.Linux.x86_64.deb | Debian and Ubuntu 16.04, 18.04 and 20.04 | + +For [manual deployment](linux-install-manually.md), make sure the correct distro and version had been chosen. + ## Installation failed Check if the mdatp service is running: From 19aa1f6eb9adb899dfc58c19652515382de1e960 Mon Sep 17 00:00:00 2001 From: MatiG Date: Mon, 4 Jan 2021 19:29:36 +0200 Subject: [PATCH 03/11] connectivity tsg --- .../linux-support-connectivity.md | 22 ++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md index 74db615cdb..6c3ebda4cd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md @@ -24,7 +24,6 @@ ms.topic: conceptual [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) 
@@ -37,8 +36,29 @@ To test if Defender for Endpoint for Linux can communicate to the cloud with the mdatp connectivity test ``` +expected output: + +```output +Testing connection with https://cdn.x.cp.wd.microsoft.com/ping ... [OK] +Testing connection with https://eu-cdn.x.cp.wd.microsoft.com/ping ... [OK] +Testing connection with https://wu-cdn.x.cp.wd.microsoft.com/ping ... [OK] +Testing connection with https://x.cp.wd.microsoft.com/api/report ... [OK] +Testing connection with https://winatp-gw-cus.microsoft.com/test ... [OK] +Testing connection with https://winatp-gw-eus.microsoft.com/test ... [OK] +Testing connection with https://winatp-gw-weu.microsoft.com/test ... [OK] +Testing connection with https://winatp-gw-neu.microsoft.com/test ... [OK] +Testing connection with https://winatp-gw-ukw.microsoft.com/test ... [OK] +Testing connection with https://winatp-gw-uks.microsoft.com/test ... [OK] +Testing connection with https://eu-v20.events.data.microsoft.com/ping ... [OK] +Testing connection with https://us-v20.events.data.microsoft.com/ping ... [OK] +Testing connection with https://uk-v20.events.data.microsoft.com/ping ... [OK] +Testing connection with https://v20.events.data.microsoft.com/ping ... [OK] +``` + If the connectivity test fails, check if the device has Internet access and if [any of the endpoints required by the product](microsoft-defender-atp-linux.md#network-connections) are blocked by a proxy or firewall. +Failures with curl error 35 or 60, indicate certificate pinning rejection. Please check if the connection is under SSL or HTTPS inspection. If so, please whitelist MDE from such inspection. + ## Troubleshooting steps for environments without proxy or with transparent proxy To test that a connection is not blocked in an environment without a proxy or with a transparent proxy, run the following command in the terminal: From ca98df17c4314ec30de067a38f2ea3e6a80e7184 Mon Sep 17 00:00:00 2001 
From: MatiG Date: Mon, 4 Jan 2021 19:31:35 +0200 Subject: [PATCH 04/11] fix linter warnings --- .../linux-support-perf.md | 48 ++++++++++--------- 1 file changed, 26 insertions(+), 22 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index e6585fc97f..627b4a24e7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md @@ -23,7 +23,6 @@ ms.topic: conceptual [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) @@ -43,19 +42,20 @@ The following steps can be used to troubleshoot and mitigate these issues: ```bash mdatp config real-time-protection --value disabled ``` + ```Output Configuration property updated ``` If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Defender for Endpoint for Linux](linux-preferences.md). -2. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint for Linux. +2. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint for Linux. > [!NOTE] > This feature is available in version 100.90.70 or newer. This feature is enabled by default on the `Dogfood` and `InsiderFast` channels. If you're using a different update channel, this feature can be enabled from the command line: - + ```bash mdatp config real-time-protection-statistics --value enabled ``` 
@@ -71,6 +71,7 @@ The following steps can be used to troubleshoot and mitigate these issues: ```bash mdatp config real-time-protection --value enabled ``` + ```Output Configuration property updated ``` @@ -80,16 +81,18 @@ The following steps can be used to troubleshoot and mitigate these issues: ```bash mdatp diagnostic real-time-protection-statistics --output json > real_time_protection.json ``` + > [!NOTE] > Using ```--output json``` (note the double dash) ensures that the output format is ready for parsing. - The output of this command will show all processes and their associated scan activity. + The output of this command will show all processes and their associated scan activity. -3. On your Linux system, download the sample Python parser **high_cpu_parser.py** using the command: +3. On your Linux system, download the sample Python parser **high_cpu_parser.py** using the command: ```bash wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py ``` + The output of this command should be similar to the following: ```Output 
@@ -102,39 +105,40 @@ The following steps can be used to troubleshoot and mitigate these issues: 100%[===========================================>] 1,020 --.-K/s in 0s ``` + 4. Next, type the following commands: + ```bash chmod +x high_cpu_parser.py ``` + ```bash cat real_time_protection.json | python high_cpu_parser.py > real_time_protection.log ``` The output of the above is a list of the top contributors to performance issues. The first column is the process identifier (PID), the second column is te process name, and the last column is the number of scanned files, sorted by impact. - + For example, the output of the command will be something like the below: ```Output ... > python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json | head -n 10 - 27432 None 76703 - 73467 actool     1249 - 73914 xcodebuild 1081 - 73873 bash 1050 - 27475 None 836 - 1    launchd    407 - 73468 ibtool     344 - 549  telemetryd_v1   325 - 4764 None 228 - 125  CrashPlanService 164 + 27432 None 76703 + 73467 actool     1249 + 73914 xcodebuild 1081 + 73873 bash 1050 + 27475 None 836 + 1    launchd    407 + 73468 ibtool     344 + 549  telemetryd_v1   325 + 4764 None 228 + 125  CrashPlanService 164 ``` -   - To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). - + + To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). + >[!NOTE] > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. 
Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. 5. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. - For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). - - + For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). From 6229099d43ef75159b6d5166e680094ca362a122 Mon Sep 17 00:00:00 2001 From: MatiG Date: Mon, 4 Jan 2021 19:43:03 +0200 Subject: [PATCH 05/11] update perf docs --- .../microsoft-defender-atp/linux-support-perf.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 627b4a24e7..6e3ff940d3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md 
@@ -33,6 +33,8 @@ Real-time protection (RTP) is a feature of Defender for Endpoint for Linux that Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Defender for Endpoint for Linux. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Defender for Endpoint for Linux. +Before starting, **please make sure that other security products are not currenly running on the device**. Multilpe security products may conflict and impact the host performance. + The following steps can be used to troubleshoot and mitigate these issues: 1. Disable real-time protection using one of the following methods and observe whether the performance improves. This approach helps narrow down whether Defender for Endpoint for Linux is contributing to the performance issues. @@ -49,6 +51,8 @@ The following steps can be used to troubleshoot and mitigate these issues: If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Defender for Endpoint for Linux](linux-preferences.md). + If the performance problem persists while real-time protection is off, the origin of the problem could the EDR component. In this case please contact customer support for further instructions and mitigation. + 2. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint for Linux. > [!NOTE] From 89ac2af4ffd5d3ac81dfc1b5e4b4f0d06ff65095 Mon Sep 17 00:00:00 2001 
From: MatiG Date: Mon, 4 Jan 2021 20:07:30 +0200 Subject: [PATCH 06/11] add support for missing events --- windows/security/threat-protection/TOC.md | 1 + .../linux-support-events.md | 94 +++++++++++++++++++ 2 files changed, 95 insertions(+) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 47925e97e7..59c4787025 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -302,6 +302,7 @@ ##### [Troubleshoot installation issues](microsoft-defender-atp/linux-support-install.md) ##### [Troubleshoot cloud connectivity issues](microsoft-defender-atp/linux-support-connectivity.md) ##### [Troubleshoot performance issues](microsoft-defender-atp/linux-support-perf.md) +##### [Troubleshoot performance issues](microsoft-defender-atp/linux-support-events.md) #### [Privacy](microsoft-defender-atp/linux-privacy.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md new file mode 100644 index 0000000000..f541d9d0d0 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md 
@@ -0,0 +1,94 @@ +--- +title: Troubleshoot missing events or alerts issues for Microsoft Defender ATP for Linux +description: Troubleshoot missing events or alerts issues in Microsoft Defender ATP for Linux. +keywords: microsoft, defender, atp, linux, events +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +mms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint +ms.topic: conceptual +--- + +# Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint for Linux + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** + +- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) + +This article provides some general steps to mitigate missing events or alerts in the [security center](https://securitycenter.windows.com/) portal. + +Once MDE had been installed properly on a device, a device page will be generated in the portal and _File_, _Process_, _Network_ and other events should appear in the timeline and advanced hunting pages. +In case events are not appearing or some types of events are missing, that could indicate some problem. + +## Missing network and login events + +MDE utilized `audit` framework from linux to track network and login activity. + +1. Make sure audit framework is working. 
+ + ```bash + service auditd status + ``` + + expected output: + + ```output + ● auditd.service - Security Auditing Service + Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) + Active: active (running) since Mon 2020-12-21 10:48:02 IST; 2 weeks 0 days ago + Docs: man:auditd(8) + https://github.com/linux-audit/audit-documentation + Process: 16689 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE) + Process: 16665 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS) + Main PID: 16666 (auditd) + Tasks: 25 + CGroup: /system.slice/auditd.service + ├─16666 /sbin/auditd + ├─16668 /sbin/audispd + ├─16670 /usr/sbin/sedispatch + └─16671 /opt/microsoft/mdatp/sbin/mdatp_audisp_plugin -d + ``` + +2. If auditd is stopped, please start it. + + ```bash + service auditd start + ``` + +**On SLES15** systems, SYSCALL auditing in `auditd` is disabled by default and can explain missing events. + +1. To validate that SYSCALL auditing is not disabeld, list the current audit rules: + + ```bash + sudo auditctl -l + ``` + + if the following line is present, please remove it or edit it to enable MDE to track specific SYSCALLs. + + ```output + -a task, never + ``` + + audit rules are located at `/etc/audit/rules.d/audit.rules`. + +## Missing file events + +File events are collected with `fanotify` framework. In case some or all file events are missing please make sure fanotify is enabled on the device and that the file system is [supported](microsoft-defender-atp-linux#system-requirements). + +List the filesystems on the machine with: + +```bash +df -Th +``` From 34914b978bc750593e5e0a5ab1ccdf68a8672594 Mon Sep 17 00:00:00 2001 From: MatiG Date: Mon, 4 Jan 2021 20:12:04 +0200 Subject: [PATCH 07/11] fix title --- windows/security/threat-protection/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 59c4787025..25a5417d95 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -302,7 +302,7 @@ ##### [Troubleshoot installation issues](microsoft-defender-atp/linux-support-install.md) ##### [Troubleshoot cloud connectivity issues](microsoft-defender-atp/linux-support-connectivity.md) ##### [Troubleshoot performance issues](microsoft-defender-atp/linux-support-perf.md) -##### [Troubleshoot performance issues](microsoft-defender-atp/linux-support-events.md) +##### [Troubleshoot missing events issues](microsoft-defender-atp/linux-support-events.md) #### [Privacy](microsoft-defender-atp/linux-privacy.md) From 6a3ab419c597adbc1bd1df06f52d12cb055a1930 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 4 Jan 2021 10:41:37 -0800 Subject: [PATCH 08/11] Update linux-support-events.md --- .../microsoft-defender-atp/linux-support-events.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md index f541d9d0d0..0d035c7cf7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md 
@@ -29,12 +29,12 @@ ms.topic: conceptual This article provides some general steps to mitigate missing events or alerts in the [security center](https://securitycenter.windows.com/) portal. -Once MDE had been installed properly on a device, a device page will be generated in the portal and _File_, _Process_, _Network_ and other events should appear in the timeline and advanced hunting pages. +Once Microsoft Defender for Endpoint has been installed properly on a device, a device page will be generated in the portal and _File_, _Process_, _Network_ and other events should appear in the timeline and advanced hunting pages. In case events are not appearing or some types of events are missing, that could indicate some problem. ## Missing network and login events -MDE utilized `audit` framework from linux to track network and login activity. +Microsoft Defender for Endpoint utilized `audit` framework from linux to track network and login activity. 1. Make sure audit framework is working. @@ -75,7 +75,7 @@ MDE utilized `audit` framework from linux to track network and login activity. sudo auditctl -l ``` - if the following line is present, please remove it or edit it to enable MDE to track specific SYSCALLs. + if the following line is present, please remove it or edit it to enable Microsoft Defender for Endpoint to track specific SYSCALLs. ```output -a task, never From 7b08a9c1a6217a54e0bb988c474bd5f995653c2e Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 4 Jan 2021 10:42:38 -0800 Subject: [PATCH 09/11] Update linux-support-perf.md --- .../microsoft-defender-atp/linux-support-perf.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 6e3ff940d3..ab5e272c34 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md @@ -51,7 +51,7 @@ The following steps can be used to troubleshoot and mitigate these issues: If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Defender for Endpoint for Linux](linux-preferences.md). - If the performance problem persists while real-time protection is off, the origin of the problem could the EDR component. In this case please contact customer support for further instructions and mitigation. + If the performance problem persists while real-time protection is off, the origin of the problem could be the endpoint detection and response component. In this case please contact customer support for further instructions and mitigation. 2. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint for Linux. From afae7f15ddac1bb06551620e897c1cc19ce1d1bf Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 4 Jan 2021 10:49:09 -0800 Subject: [PATCH 10/11] fix link --- .../microsoft-defender-atp/linux-support-events.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md index 0d035c7cf7..af7e797106 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md 
@@ -85,7 +85,7 @@ Microsoft Defender for Endpoint utilized `audit` framework from linux to track n ## Missing file events -File events are collected with `fanotify` framework. In case some or all file events are missing please make sure fanotify is enabled on the device and that the file system is [supported](microsoft-defender-atp-linux#system-requirements). +File events are collected with `fanotify` framework. In case some or all file events are missing please make sure fanotify is enabled on the device and that the file system is [supported](microsoft-defender-atp-linux.md#system-requirements). List the filesystems on the machine with: From 4667c3bd23d80cd3ce5d077848ee3f69e9630d49 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 4 Jan 2021 10:55:44 -0800 Subject: [PATCH 11/11] Update linux-support-connectivity.md --- .../microsoft-defender-atp/linux-support-connectivity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md index 6c3ebda4cd..9e0a8a30c6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md 
@@ -57,7 +57,7 @@ Testing connection with https://v20.events.data.microsoft.com/ping ... [OK] If the connectivity test fails, check if the device has Internet access and if [any of the endpoints required by the product](microsoft-defender-atp-linux.md#network-connections) are blocked by a proxy or firewall. -Failures with curl error 35 or 60, indicate certificate pinning rejection. Please check if the connection is under SSL or HTTPS inspection. If so, please whitelist MDE from such inspection. +Failures with curl error 35 or 60, indicate certificate pinning rejection. Please check if the connection is under SSL or HTTPS inspection. If so, add Microsoft Defender for Endpoint to the allow list. ## Troubleshooting steps for environments without proxy or with transparent proxy
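Review bot: in patch 01, hunk `@@ -69,47 +71,59 @@` of linux-support-install.md, step 3 has lost its destination placeholder: the command reads `sudo cp /opt/microsoft/mdatp/conf/mdatp.service ` with no target, and the explanation reads "where `````` is ```/lib/systemd/system```", so the reader cannot tell what to substitute. Restore an explicit placeholder such as `<systemd_path>` in both the command and the sentence, and use single backticks for the inline paths (`/lib/systemd/system`, `/usr/lib/systemd/system`) rather than triple ones. In the same hunk, "Rhel" should be "RHEL" to match the other distribution names.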
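Review bot: in patch 02, hunk `@@ -48,6 +48,20 @@` of linux-support-install.md, the lead sentence "Please mind that the package you are installing is matching the host distribution and version." is ungrammatical; suggest "Make sure that the package you are installing matches the host distribution and version." and, in the last line, "had been chosen" should be "has been chosen". The table would also be more useful with the command a reader runs to identify the host (for example `cat /etc/os-release`), and with a pointer that the unsuffixed names `mdatp.Linux.x86_64.rpm` and `mdatp.Linux.x86_64.deb` are the RHEL/CentOS/Oracle 7.x and Debian/Ubuntu packages respectively, since a name without a version suffix is easy to mistake for a universal build.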
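Review bot: in patch 03, hunk `@@ -37,8 +36,29 @@` of linux-support-connectivity.md, the added sentence "Failures with curl error 35 or 60, indicate certificate pinning rejection." has a comma splice and states the cause more firmly than the error codes support: curl 35 is a TLS handshake failure and curl 60 is a peer-certificate verification failure, both of which are what an SSL/HTTPS inspection proxy that re-signs server certificates produces when the client pins the expected certificate. Suggest "Failures with curl error 35 or 60 indicate that the TLS connection was rejected, typically because an SSL or HTTPS inspection proxy is re-signing the certificate." The remediation should be scoped to the product endpoints already listed in the expected output and on the linked network-connections page rather than reading as "whitelist MDE" in general; exempting only those hostnames from inspection keeps inspection in place for everything else. Also capitalise "Expected output:" to match the heading style used elsewhere in the file.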
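Review bot: in patch 04, hunk `@@ -80,16 +81,18 @@` of linux-support-perf.md, the reader is told to fetch `high_cpu_parser.py` from the `master` branch of a public repository and execute it in the next step without any review or integrity check. Since `master` is a moving target, the doc should either reference a specific commit or release of microsoft/mdatp-xplat or tell the reader to inspect the script before running it; publishing a checksum next to the download command would let readers verify what they fetched. Separately, "te process name" in the same region of the file is a typo for "the process name".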
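Review bot: in patch 04, hunk `@@ -102,39 +105,40 @@` of linux-support-perf.md, the sample output does not match the procedure it illustrates: the command shown is `python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json | head -n 10`, not the `cat real_time_protection.json | python high_cpu_parser.py > real_time_protection.log` given in step 4, and the process names (`launchd`, `xcodebuild`, `actool`, `CrashPlanService`) are from a macOS host, which will confuse readers of a Linux article. Replace it with a capture from a Linux device produced by the documented command. The instruction to "locate the one with the highest number under the `Total files scanned` row" refers to a column heading that the sample does not show; say "the third column (number of scanned files)" instead. Step 4 could also drop the useless `cat` and use `python high_cpu_parser.py < real_time_protection.json > real_time_protection.log`, and should state which Python version the parser needs, since a bare `python` command is absent on several of the supported distributions.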
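Review bot: in patch 05, hunk `@@ -33,6 +33,8 @@` of linux-support-perf.md, the added bold sentence contains two typos: "currenly" should be "currently" and "Multilpe" should be "Multiple". It would also help to say what "conflict" means here, namely that two on-access scanners each intercept the same file operations so every access is scanned twice, since that is the mechanism the rest of the article's real-time protection steps are diagnosing.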
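Review bot: in patch 06, hunk `@@ -302,6 +302,7 @@` of TOC.md, the new entry reuses the title of the line above it ("Troubleshoot performance issues") for linux-support-events.md, so the table of contents shows two identical entries pointing at different pages; patch 07 corrects this, and the fix-up should be squashed into this patch so that no intermediate commit ships a broken TOC.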
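Review bot: in patch 06, hunk `@@ -0,0 +1,94 @@` of the new linux-support-events.md, several points need attention before merge. The front matter key `mms.collection:` looks like a typo for `ms.collection:`, given that every other key uses the `ms.` prefix. The "expected output" for `service auditd status` contains `Process: 16689 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)`, a rule-loading failure, inside what is presented as healthy output; either replace it with a clean capture or explain the line, otherwise readers will learn to ignore a real failure. The SLES15 rule is shown as `-a task, never` with a stray space; the rule as written in audit.rules is `-a task,never`, and since `auditctl -l` only shows the running rule set, the doc should say that the rule must be removed from `/etc/audit/rules.d/audit.rules` and reloaded (for example with the `augenrules --load` that appears in the status output) so the change survives a restart, and should warn that enabling syscall auditing carries a measurable performance cost. Prose fixes: "Once MDE had been installed" should be "has been installed", "MDE utilized `audit` framework from linux" should be "uses the Linux `audit` framework", and "disabeld" should be "disabled". The link `[supported](microsoft-defender-atp-linux#system-requirements)` is missing `.md` (patch 10 corrects it; squash). Finally, the "Missing file events" section tells the reader to make sure fanotify is enabled but gives no way to check; pointing at the kernel config option (`CONFIG_FANOTIFY` in `/boot/config-$(uname -r)`) would make the step actionable.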
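Review bot: in patch 08, hunk `@@ -29,12 +29,12 @@` of linux-support-events.md, the rename from "MDE" to "Microsoft Defender for Endpoint" leaves the surrounding grammar untouched: "Microsoft Defender for Endpoint utilized `audit` framework from linux" still needs to read "Microsoft Defender for Endpoint uses the Linux `audit` framework", and "had been installed" in the first changed line should be "has been installed".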
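Review bot: in patch 11, hunk `@@ -57,7 +57,7 @@` of linux-support-connectivity.md, replacing "whitelist MDE" with "add Microsoft Defender for Endpoint to the allow list" leaves it unclear which list is meant, and the sentence still carries the comma splice in "Failures with curl error 35 or 60, indicate". Suggest "If so, exclude the Microsoft Defender for Endpoint endpoints listed above from SSL or HTTPS inspection." so the reader knows the exemption belongs on the inspection appliance and is limited to the product's own hostnames.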