From cb04295981d407c3871a7c0bc621fd85a5e50a93 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Mon, 12 Oct 2020 14:03:39 +0530 Subject: [PATCH 01/38] New_4490409 Created new topic "Schedule scans with Microsoft Defender ATP for Linux" --- images/linux-mdatp.png | Bin 0 -> 5634 bytes .../linux-schedule-scan-atp.md | 247 ++++++++++++++++++ 2 files changed, 247 insertions(+) create mode 100644 images/linux-mdatp.png create mode 100644 windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md diff --git a/images/linux-mdatp.png b/images/linux-mdatp.png new file mode 100644 index 0000000000000000000000000000000000000000..f8c9c07b16906f1465cf3b97f50b71ab49b3f10f GIT binary patch literal 5634 zcmV+d7X9goP)4_KtMo6D;h>!XGcdzOG`^k zOiWEpO;Au!Qc_Y=Q&Ut_R8>_~R#sM5S65hASXo(FT3T9NU0q&YUSD5dU`H%sVP0cl zUt?lmV`F1vV_;-sVPs@vWn^MyWn*S#V`^$@Yinz4D*$Y4Yi(_8Zf$LDZfCf> zsHv%`sj8}~s;R1~s;jH3tgNi9t*x%EuCcMPvT!c5uc@=Mv$V0QwX?0YwY9gjuDG_a zxwWynwz9gov%9&pytuTyyu7`;w!XTyzP+EnySKl;zrnq^!NI}8!otPR-^S11#?ar! z(BR69Ps+im%gM*g%gN2KbIr}n&d$!y&dt!!(9zJ((b3V;($dq@)6~?|)z#J4*VozE z+1uOO-QC?QUjxqgHpeUs%xPU|Dwm@VT8WkMH z1sv|n;!?0$6QYEo($unvF(!sB4flQD_kES)|6}g+&1khckeq!#B)KICXQ7TQ&XThP)Wc;Zv!q&&+aEYaE$3Yv*O^t}F>qNeS0#JZjH>l!6g891ZE)|2 z&(%koDV0t=I@oGeW3(u59XMZz?N4=fvE9K-*xhEbMQmxUTlDP0-^OXr zQ41P_l(qL(+MQLRm=^W4A77xkCGmdV3?pn{cLTb}R6h2V{Z}D0Ww$L&I^NS|pS^A8 z@Y-t$9&Twxtwc@*d?{S()>zNn4Py+l7yCl12se1W#(pc=+>&@dZxw9@rE>x;J$raR z{*q4XWNt6%*xz7ACmkI9&H1H6_GVS2SC>wHePX3EgO+X)=}hkpD&u61a97nfbG zl5I>X)Pab-Y}K_R0?IGOu)aJ!AQ+dAhCCCFTb8Z2HpNU+?L?e$+Oj zPB8AhbnBT1Ge=N5`1F@6m6bidOUXH1IsXU+)ql8)-C(QSmKGgEk+A2q#-vW+gAc?Pd> zD!0Dy;8DC`Uts4vzVX^(hIqTGCN_aT#8GvQ=}nf9Vvr>H5^Dr~2zt zI?B_qbcpw{rE?rh=kNitFO!*0>FljkO7I;EFDff%FX3gL+A^e5T8pB!k|rHm4_lx= zyg2Txsx3o0RTdG3>j~)?Wnfg7E$yLtR?pVl!Y%M}I%+RwEe|wt2=6yUe`IevT|r*vvv6@_(I%H8g@LW3-3#TJj-F4pj$sx7a=>V^B0E!?&=I_>P0{m~)K zUO>~l+KZySn%@I!Zg9_{49^_bD_Xs5ko7M82YbIQ%5c2~+Y$D3?^E4Rp3B{lolfcG zLcFcP<@{8Ka!^0Je?ez0?MCC=x+_cKzte0)|l{zU>U zhr0*sdCu>`(!sj0q_dJE2R|nQwHSaYXkQiZpZDzS)na(i`^n5&BffOvkDET5H5}~P2m*I4bebm@3`WyIYO ztxa+yC~XUdK-%%oGB?j_4rn`_pY zUW5c{A*AEwmBk8-j~nKnmG|NPQtMMXyY#sLWqVxh>Zubsa<4WnFN69^txxH+2vM3hrGr_61D|x% z3RystxGiCh4_I5q^K*Ve-rK8K!>P1OMf9`Iz!+1Q253U*y2P$6K zS?hSDQ%Bx$q5e|qEgil-z1-?wI^y6jG*w72ARUA5b$Y4tB{uz2z{pZM*gt(CtnteI zNQXzo?Qx<0Qi~By#-DFV-Wq(dc&-h2rhpO2e4$xsMq%mTZ}$$}t9pTG;o`Qq1ke_8 zF$?g@0qM|sE~N~Q8zP8PbEWg~_Uk3dOUPTBFXq`L__9_->NHlDnu;c?7COUh(!B+v z7l;-vTw7HAb>(6f;+36oEl!#*yA8rQ#6PDN|EeQMUP9j5d@;{1VPziHTQF16WYt1v zm?64XCx~rYc&3n5{mBR3KwjAy7tXJ25Y8d~Iki5d6U#_!m|48vBFAH4uULNN?WxGG zoayzqu<4VILM>_&^x+J9b#(G8PxV!2I&Hf1D`!&aq!wQ-8RH%`p)yLPGl|N{D4`fD zn~6%WEWezmHc{Ha61mg9(%`KL`f?(#I)mjo9>hw0ueif426$Xg6h64^N(g_pghL|DQ7Ki=G2%ilGA^f z&)zzq89RE70pwS9vLzcvNa&^b7aaWm-H$%?eEarPdgIeC=y}WPm8E&8()st_o6$hY zYWw>tZC-S}d3|!ei?h|ju9y6M5DYh|#~1^M69Fl2^|qD6c+!z}{?P3YDg$hDJkt3U zwtxNg!()_Atr1T;Ry}VEyI%6Q&@kMj9%GDtq*J4bQ;w)~p8NBMBKGT`DV+(mYqg!nMF~vvgHiVmrA!rE}eh=@q<`8m@l>vQk+NFVRZ*7Lr%tH zC`U3}56Vj{>M8yi%HiBA&#|^eJD}0&;20vmvZAQN^H4V|p9ijgcJ}3a$?_MMT_j_i zdxF(l))&XL?1{_EB)M4U0^1t7bpH1H4`6P1&3Wdb(qusKVs;p1#29I8Fv4bLKqE7< z4tuysDvf$h4regWF~Bt&xtY~tf`Kt;wm05Pqp0N#OV1lPw{nAXBTPCfwcz~q=t2hn zd4XOfb{n&#O#DgO%9|6*zD#zAvf_1m{I2NtC6a#bG`aMwW@LY3kj`Iz_m&I$AwDB_^2X7~qL8LV^CyGFt>`LhNP2Q`RvXa z6hk^KnoJIoj>x`jNoQZ=TvoQRzctTRdEum&LzT{-K5^Hf`+O$`7}gn3Y`_$W%aF== ztTV!pbb!prpmel)J*AT`<{_@Rr*xb#lyvmW$e?s^+m~cxN{8iPcBF&HxHyl;u%vTw zUNYA5y7T7Gbh~H9ES*2R{6(L0pDIU^92{a9y?+^uFd!XSuZMK>dOf9stoP;Ud6NUu zamP^7!KYBBw}qsm$m$rhrZcFC^APYRB8|~%HSf%qN^cwKXd6m8Dt~#7D zh5Z_gu$d#7GQzT+Uph`bk95pD#{kzHkd9}JfOP0+;>4XaFy}5ww^CqKF@ zdX5*-Z2i2P8K-ofeBSF?qvvuJX>3ryPLAYa7pm7%nTL4`)t@09hdGAw979_MF)hY; z+8u*3)>fuv)k5V+E?(Cjt`J^r$Z^RQUH)bluSD%LS-#XI%iqo_5yq9hhw#>{$i93U znPsHjdG)oQv|XZQCl;@aM>@a8_9S}s7`R+T8k-cbog*2p*NP6T76!Qt=5TgNXgFUp zKuib6Xz+Z@Q~1S`3w68WnYH!Nvr6&K99Uhl8;6@zkUB*Xwq#gzmW{Z;@v4o3|TC0rqqaZ ze*UA^PPmsU(uO8Cer!Y58gN7UeaeCCg~xJA$Tf&o0@9r{N%guMX9BhKsrDD z&U?}Wky;Yz{P>&iN)JS8Nu=|`Z@d#^lZVeM`}tk+7@ihEi%IhK%?J-`9+rQm_aUp2 z=M1a<%43?*Ssh>Y(98?x>-AGTr1QP6y&YhaW4sKy?<4Lfeof9SE?*2Y!o`tGr(%)D z)O+XPmn-(6!;#}od+(t(jTgf+di=ot!XBoc6GjjYA2WcB=rPx!vsdseGhyj``>SsQ ze#7EfBZe7J33AB#Kt8_MWrVu`=s9}nxc))W9E?E}%~yxuNN-I3r+UZv~{ovqp?XI(BAcA7AV;!v7!Xxc))XAvqRJUwBMfi`v)hp9{t# z9V^zHSUUI-K9EgDTDCV~@!4cM3$jD}YL!`Li^X;_ySl-h4#9{C+DG|5HX|Y(mq^wbW-B_x_AZmX%Na!}>t*Iy6+=pz z`EVDAF$w9YdX%STo-*lt|LgAn*<_UuSzG4C;*g;%$QJQyR;Fk~M~nvKQWo{_WhMzD zY3+~^N>7PScc#fYtb9|YxX2ggJP9&=t`H5s)Mz)&!7x@;WlyzR&9QWK4 z(PJldn)$GE@za;?1*JoJxj^fklv`3dG!3Q0CPSZ^xE!*cgV^ME-J6M)8ChQA?DwXt zdg`?%jEd+2j4&I+MsRem;4IB<3-+$^Z3ECz%Vhp1?FFM2Pzp=JLU^w`j9kWJh#5UZ zIS(owmq>;XE?(InlIO20>c>m&;5(GSS;@T$|1-O>(>x7HhmY|Q+~O(480pe+*ktF8 zA*de?S+Ku0zw1cH%#3WL;Wo+?*K8nHU4RkxNyj0Qk?CJT>G0DULC<#*wAcqfaB`WP z3&PygG2|;w4MZddq@(r{!a13AGVX#WwsdSZ*?D6K>W4!X?5~jp8Iq2f8QCu##Wg$9 zfyaQPV-d;7^lt>xA^5WI2d&x-N-jgvfr#W-(jkQN*rnsJ$<7LyuT8KOjOF9;jY=~n}=|DHEvUr9aTp=?y5Ry(&!%zE?4wB^Z7^UNUIXANm zt7vFE4%uLTb?JC`<*;;2uDPdl6p?Jq$RUy$`#Y#~1d;46lNa!#d8NP#S)Tr$(lMxK zM>SY}LnwtfgM`5ioKweqn ziyJ)qvX2oiNJiKmL#LTRuN?o>KSm3cb6Jex^3Na-9KwSOSI?Lc<}?<{`sm)U!oPHllcKo_Lvs0EEd%4EcvgJ2_I ztW&e36Bo<`;v9?an}6#AgjNE+C}J9Vtt5{%ix{%{g^OSSt@Lb9pmehC`^HBk9Yst- z(y`cIT{`*oR63)T4##gfja#<(U3D9Pauur [!NOTE] +> To get a list of all the time zones, run the following command: +> timedatectl list-timezones + +> Examples for timezones: +> America/Los_Angeles +> America/New_York +> America/Chicago +> America/Denver + +## To set the Cron job + +**To backup crontab entries:** + +sudo crontab -l > /var/tmp/cron_backup_200919.dat + +> [!NOTE] +> Where 200919 == YRMMDD + +> TIP: +> Do this before you edit or remove. +> To edit the crontab and add a new job as a root user: +> sudo crontab -e + +> [!NOTE] +> The default editor is VIM + +You might see: + +0 * * * * /etc/opt/microsoft/mdatp/logrorate.sh + +Press “Insert” + +Add the following entries: + +CRON_TZ=America/Los_Angeles + +0 2 * * sat /bin/mdatp scan quick > ~/mdatp_cron_job.log + +> [!NOTE] +> In this example, we are setting it to 00 minutes, 2 a.m. (hour in 24 hour format), any day of the month, any month, on Saturdays. Meaning it will run Saturdays at 2:00 a.m. Pacific (UTC –8) + +Press “Esc” + +Type “:wq” w/o the double quotes. + +> [!NOTE] +> w == write, q == quit + +To view your cron jobs, type sudo crontab -l + +:::image type="content" source="../../../../images/linux-mdatp.png" alt-text="linux mdatp"::: + +**How to inspect cron job runs:** + +sudo grep mdatp /var/log/cron + +**How to inspect the mdatp_cron_job.log** +sudo nano mdatp_cron_job.log + +## For those of you that are using Ansible, Chef, or Puppet] +### How to set cron jobs in Ansible: + +cron – Manage cron.d and crontab entries + +See [https://docs.ansible.com/ansible/latest/modules/cron_module.html](https://docs.ansible.com/ansible/latest/modules/cron_module.html) + +### How to set crontabs in Chef: +cron resource + +See [https://docs.chef.io/resources/cron/](https://docs.chef.io/resources/cron/) + +### How to set cron jobs in Puppet: +Resource Type: cron + +See [https://puppet.com/docs/puppet/5.5/types/cron.html](https://puppet.com/docs/puppet/5.5/types/cron.html) + +Automating with Puppet: Cron jobs and scheduled tasks + +See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/) + +## Additional information: + +**To get help with crontab** +man crontab + +**To get a list of crontab file of the current user:** + +crontab -l + +**To get a list of crontab file of another user:** + +crontab -u username -l + +**To backup crontab entries:** + +crontab -l > /var/tmp/cron_backup.dat +> [!TIP] +> Do this before you edit or remove. + +**To restore crontab entries:** + +crontab /var/tmp/cron_backup.dat + +**To edit the crontab and add a new job as a root user:** + +Sudo crontab -e + +**To edit the crontab and add a new job:** + +crontab -e + +**To edit other user’s crontab entries:** + +crontab -u username -e + +**To remove all crontab entries:** + +crontab -r + +**To remove other user’s crontab entries:** + +crontab -u username -r + +**Explanation**: + ++—————- minute (values: 0 – 59) (special characters: , – * /) + +| +————- hour (values: 0 – 23) (special characters: , – * /) + +| | +———- day of month (values: 1 – 31) (special characters: , – * / L W C) + +| | | +——- month (values: 1 – 12) (special characters: ,- * / ) +| | | | +—- day of week (values: 0 – 6) (Sunday=0 or 7) (special characters: , – * / L W C) +| | | | | +* * * * * command to be executed + + + + + + + + + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +While you can start a threat scan at any time with Microsoft Defender ATP, your enterprise might benefit from scheduled or timed scans. For example, you can schedule a scan to run at the beginning of every workday or week. + +## Schedule a scan with *launchd* + +You can create a scanning schedule using the *launchd* daemon on a macOS device. + +1. The following code shows the schema you need to use to schedule a scan. Open a text editor and use this example as a guide for your own scheduled scan file. + + For more information on the *.plist* file format used here, see [About Information Property List Files](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/AboutInformationPropertyListFiles.html) at the official Apple developer website. + + ```XML + + + + + Label + com.microsoft.wdav.schedquickscan + ProgramArguments + + sh + -c + /usr/local/bin/mdatp --scan --quick + + RunAtLoad + + StartCalendarInterval + + Day + 3 + Hour + 2 + Minute + 0 + Weekday + 5 + + StartInterval + 604800 + WorkingDirectory + /usr/local/bin/ + + + ``` + +2. Save the file as *com.microsoft.wdav.schedquickscan.plist*. + + > [!TIP] + > To run a full scan instead of a quick scan, change line 12, `/usr/local/bin/mdatp --scan --quick`, to use the `--full` option instead of `--quick` (i.e. `/usr/local/bin/mdatp --scan --full`) and save the file as *com.microsoft.wdav.sched**full**scan.plist* instead of *com.microsoft.wdav.sched**quick**scan.plist*. + +3. Open **Terminal**. +4. Enter the following commands to load your file: + + ```bash + launchctl load /Library/LaunchDaemons/ + launchctl start + ``` + +5. Your scheduled scan will run at the date, time, and frequency you defined in your p-list. In the example, the scan runs at 2:00 AM every Friday. + + Note that the `StartInterval` value is in seconds, indicating that scans should run every 604,800 seconds (one week), while the `Weekday` value of `StartCalendarInterval` uses an integer to indicate the fifth day of the week, or Friday. + + > [!IMPORTANT] + > Agents executed with *launchd* will not run at the scheduled time while the device is asleep. They will instead run once the device resumes from sleep mode. + > + > If the device is turned off, the scan will run at the next scheduled scan time. + +## Schedule a scan with Intune + +You can also schedule scans with Microsoft Intune. The [runMDATPQuickScan.sh](https://github.com/microsoft/shell-intune-samples/tree/master/Misc/MDATP#runmdatpquickscansh) shell script available at [Scripts for Microsoft Defender Advanced Threat Protection](https://github.com/microsoft/shell-intune-samples/tree/master/Misc/MDATP) will persist when the device resumes from sleep mode. + +See [Use shell scripts on macOS devices in Intune](https://docs.microsoft.com/mem/intune/apps/macos-shell-scripts) for more detailed instructions on how to use this script in your enterprise. From da50b63b45e3cfe776aa45fccfe215ca77d1c256 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Mon, 12 Oct 2020 14:22:47 +0530 Subject: [PATCH 02/38] Update linux-schedule-scan-atp.md --- .../linux-schedule-scan-atp.md | 109 +++--------------- 1 file changed, 15 insertions(+), 94 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md index 8515254bac..0d706608ba 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -26,14 +26,16 @@ Linux (and Unix) have the tool called **crontab** (similar to Task Scheduler) to ## Pre-requisite > [!NOTE] -> To get a list of all the time zones, run the following command: -> timedatectl list-timezones + +To get a list of all the time zones, run the following command: + +timedatectl list-timezones > Examples for timezones: -> America/Los_Angeles -> America/New_York -> America/Chicago -> America/Denver +America/Los_Angeles +America/New_York +America/Chicago +America/Denver ## To set the Cron job @@ -42,12 +44,13 @@ Linux (and Unix) have the tool called **crontab** (similar to Task Scheduler) to sudo crontab -l > /var/tmp/cron_backup_200919.dat > [!NOTE] -> Where 200919 == YRMMDD + +Where 200919 == YRMMDD > TIP: -> Do this before you edit or remove. -> To edit the crontab and add a new job as a root user: -> sudo crontab -e +Do this before you edit or remove. +To edit the crontab and add a new job as a root user: +sudo crontab -e > [!NOTE] > The default editor is VIM @@ -65,14 +68,14 @@ CRON_TZ=America/Los_Angeles 0 2 * * sat /bin/mdatp scan quick > ~/mdatp_cron_job.log > [!NOTE] -> In this example, we are setting it to 00 minutes, 2 a.m. (hour in 24 hour format), any day of the month, any month, on Saturdays. Meaning it will run Saturdays at 2:00 a.m. Pacific (UTC –8) +In this example, we are setting it to 00 minutes, 2 a.m. (hour in 24 hour format), any day of the month, any month, on Saturdays. Meaning it will run Saturdays at 2:00 a.m. Pacific (UTC –8) Press “Esc” Type “:wq” w/o the double quotes. > [!NOTE] -> w == write, q == quit + w == write, q == quit To view your cron jobs, type sudo crontab -l @@ -163,85 +166,3 @@ crontab -u username -r * * * * * command to be executed - - - - - - - -[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - - -While you can start a threat scan at any time with Microsoft Defender ATP, your enterprise might benefit from scheduled or timed scans. For example, you can schedule a scan to run at the beginning of every workday or week. - -## Schedule a scan with *launchd* - -You can create a scanning schedule using the *launchd* daemon on a macOS device. - -1. The following code shows the schema you need to use to schedule a scan. Open a text editor and use this example as a guide for your own scheduled scan file. - - For more information on the *.plist* file format used here, see [About Information Property List Files](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/AboutInformationPropertyListFiles.html) at the official Apple developer website. - - ```XML - - - - - Label - com.microsoft.wdav.schedquickscan - ProgramArguments - - sh - -c - /usr/local/bin/mdatp --scan --quick - - RunAtLoad - - StartCalendarInterval - - Day - 3 - Hour - 2 - Minute - 0 - Weekday - 5 - - StartInterval - 604800 - WorkingDirectory - /usr/local/bin/ - - - ``` - -2. Save the file as *com.microsoft.wdav.schedquickscan.plist*. - - > [!TIP] - > To run a full scan instead of a quick scan, change line 12, `/usr/local/bin/mdatp --scan --quick`, to use the `--full` option instead of `--quick` (i.e. `/usr/local/bin/mdatp --scan --full`) and save the file as *com.microsoft.wdav.sched**full**scan.plist* instead of *com.microsoft.wdav.sched**quick**scan.plist*. - -3. Open **Terminal**. -4. Enter the following commands to load your file: - - ```bash - launchctl load /Library/LaunchDaemons/ - launchctl start - ``` - -5. Your scheduled scan will run at the date, time, and frequency you defined in your p-list. In the example, the scan runs at 2:00 AM every Friday. - - Note that the `StartInterval` value is in seconds, indicating that scans should run every 604,800 seconds (one week), while the `Weekday` value of `StartCalendarInterval` uses an integer to indicate the fifth day of the week, or Friday. - - > [!IMPORTANT] - > Agents executed with *launchd* will not run at the scheduled time while the device is asleep. They will instead run once the device resumes from sleep mode. - > - > If the device is turned off, the scan will run at the next scheduled scan time. - -## Schedule a scan with Intune - -You can also schedule scans with Microsoft Intune. The [runMDATPQuickScan.sh](https://github.com/microsoft/shell-intune-samples/tree/master/Misc/MDATP#runmdatpquickscansh) shell script available at [Scripts for Microsoft Defender Advanced Threat Protection](https://github.com/microsoft/shell-intune-samples/tree/master/Misc/MDATP) will persist when the device resumes from sleep mode. - -See [Use shell scripts on macOS devices in Intune](https://docs.microsoft.com/mem/intune/apps/macos-shell-scripts) for more detailed instructions on how to use this script in your enterprise. From 32e1b1490b117de100bbed41d6478cb7e035c398 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Mon, 12 Oct 2020 15:12:25 +0530 Subject: [PATCH 03/38] Update linux-schedule-scan-atp.md minor corrections during self review --- .../linux-schedule-scan-atp.md | 62 +++++++++---------- 1 file changed, 30 insertions(+), 32 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md index 0d706608ba..aee27d7e1f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -27,33 +27,31 @@ Linux (and Unix) have the tool called **crontab** (similar to Task Scheduler) to > [!NOTE] -To get a list of all the time zones, run the following command: - -timedatectl list-timezones +> To get a list of all the time zones, run the following command: +`timedatectl list-timezones` > Examples for timezones: -America/Los_Angeles -America/New_York -America/Chicago -America/Denver +> - `America/Los_Angeles` +> - `America/New_York` +>- `America/Chicago` +>- `America/Denver` ## To set the Cron job **To backup crontab entries:** -sudo crontab -l > /var/tmp/cron_backup_200919.dat +`sudo crontab -l > /var/tmp/cron_backup_200919.dat` > [!NOTE] - -Where 200919 == YRMMDD +> Where 200919 == YRMMDD > TIP: Do this before you edit or remove. -To edit the crontab and add a new job as a root user: -sudo crontab -e +To edit the crontab, and add a new job as a root user: +`sudo crontab -e` > [!NOTE] -> The default editor is VIM +> The default editor is VIM. You might see: @@ -72,7 +70,7 @@ In this example, we are setting it to 00 minutes, 2 a.m. (hour in 24 hour format Press “Esc” -Type “:wq” w/o the double quotes. +Type “:wq” without the double quotes. > [!NOTE] w == write, q == quit @@ -83,22 +81,22 @@ To view your cron jobs, type sudo crontab -l **How to inspect cron job runs:** -sudo grep mdatp /var/log/cron +`sudo grep mdatp /var/log/cron` **How to inspect the mdatp_cron_job.log** -sudo nano mdatp_cron_job.log +`sudo nano mdatp_cron_job.log` -## For those of you that are using Ansible, Chef, or Puppet] +## For those who use Ansible, Chef, or Puppet] ### How to set cron jobs in Ansible: -cron – Manage cron.d and crontab entries +`cron – Manage cron.d and crontab entries` -See [https://docs.ansible.com/ansible/latest/modules/cron_module.html](https://docs.ansible.com/ansible/latest/modules/cron_module.html) +See [https://docs.ansible.com/ansible/latest/modules/cron_module.html](https://docs.ansible.com/ansible/latest/modules/cron_module.html) for more information. ### How to set crontabs in Chef: -cron resource +`cron resource` -See [https://docs.chef.io/resources/cron/](https://docs.chef.io/resources/cron/) +See [https://docs.chef.io/resources/cron/](https://docs.chef.io/resources/cron/) for more information. ### How to set cron jobs in Puppet: Resource Type: cron @@ -107,50 +105,50 @@ See [https://puppet.com/docs/puppet/5.5/types/cron.html](https://puppet.com/docs Automating with Puppet: Cron jobs and scheduled tasks -See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/) +See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/) for more information. ## Additional information: **To get help with crontab** -man crontab +`man crontab` **To get a list of crontab file of the current user:** -crontab -l +`crontab -l` **To get a list of crontab file of another user:** -crontab -u username -l +`crontab -u username -l` **To backup crontab entries:** -crontab -l > /var/tmp/cron_backup.dat +`crontab -l > /var/tmp/cron_backup.dat` > [!TIP] > Do this before you edit or remove. **To restore crontab entries:** -crontab /var/tmp/cron_backup.dat +`crontab /var/tmp/cron_backup.dat` **To edit the crontab and add a new job as a root user:** -Sudo crontab -e +`Sudo crontab -e` **To edit the crontab and add a new job:** -crontab -e +`crontab -e` **To edit other user’s crontab entries:** -crontab -u username -e +`crontab -u username -e` **To remove all crontab entries:** -crontab -r +`crontab -r` **To remove other user’s crontab entries:** -crontab -u username -r +`crontab -u username -r` **Explanation**: From 970adb587ffd9881b9a735f74d6b7e9bdbe370ab Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Mon, 12 Oct 2020 15:27:59 +0530 Subject: [PATCH 04/38] Add files via upload Added new file --- .../threat-protection/images/linux-mdatp.png | Bin 0 -> 5634 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/security/threat-protection/images/linux-mdatp.png diff --git a/windows/security/threat-protection/images/linux-mdatp.png b/windows/security/threat-protection/images/linux-mdatp.png new file mode 100644 index 0000000000000000000000000000000000000000..f8c9c07b16906f1465cf3b97f50b71ab49b3f10f GIT binary patch literal 5634 zcmV+d7X9goP)4_KtMo6D;h>!XGcdzOG`^k zOiWEpO;Au!Qc_Y=Q&Ut_R8>_~R#sM5S65hASXo(FT3T9NU0q&YUSD5dU`H%sVP0cl zUt?lmV`F1vV_;-sVPs@vWn^MyWn*S#V`^$@Yinz4D*$Y4Yi(_8Zf$LDZfCf> zsHv%`sj8}~s;R1~s;jH3tgNi9t*x%EuCcMPvT!c5uc@=Mv$V0QwX?0YwY9gjuDG_a zxwWynwz9gov%9&pytuTyyu7`;w!XTyzP+EnySKl;zrnq^!NI}8!otPR-^S11#?ar! z(BR69Ps+im%gM*g%gN2KbIr}n&d$!y&dt!!(9zJ((b3V;($dq@)6~?|)z#J4*VozE z+1uOO-QC?QUjxqgHpeUs%xPU|Dwm@VT8WkMH z1sv|n;!?0$6QYEo($unvF(!sB4flQD_kES)|6}g+&1khckeq!#B)KICXQ7TQ&XThP)Wc;Zv!q&&+aEYaE$3Yv*O^t}F>qNeS0#JZjH>l!6g891ZE)|2 z&(%koDV0t=I@oGeW3(u59XMZz?N4=fvE9K-*xhEbMQmxUTlDP0-^OXr zQ41P_l(qL(+MQLRm=^W4A77xkCGmdV3?pn{cLTb}R6h2V{Z}D0Ww$L&I^NS|pS^A8 z@Y-t$9&Twxtwc@*d?{S()>zNn4Py+l7yCl12se1W#(pc=+>&@dZxw9@rE>x;J$raR z{*q4XWNt6%*xz7ACmkI9&H1H6_GVS2SC>wHePX3EgO+X)=}hkpD&u61a97nfbG zl5I>X)Pab-Y}K_R0?IGOu)aJ!AQ+dAhCCCFTb8Z2HpNU+?L?e$+Oj zPB8AhbnBT1Ge=N5`1F@6m6bidOUXH1IsXU+)ql8)-C(QSmKGgEk+A2q#-vW+gAc?Pd> zD!0Dy;8DC`Uts4vzVX^(hIqTGCN_aT#8GvQ=}nf9Vvr>H5^Dr~2zt zI?B_qbcpw{rE?rh=kNitFO!*0>FljkO7I;EFDff%FX3gL+A^e5T8pB!k|rHm4_lx= zyg2Txsx3o0RTdG3>j~)?Wnfg7E$yLtR?pVl!Y%M}I%+RwEe|wt2=6yUe`IevT|r*vvv6@_(I%H8g@LW3-3#TJj-F4pj$sx7a=>V^B0E!?&=I_>P0{m~)K zUO>~l+KZySn%@I!Zg9_{49^_bD_Xs5ko7M82YbIQ%5c2~+Y$D3?^E4Rp3B{lolfcG zLcFcP<@{8Ka!^0Je?ez0?MCC=x+_cKzte0)|l{zU>U zhr0*sdCu>`(!sj0q_dJE2R|nQwHSaYXkQiZpZDzS)na(i`^n5&BffOvkDET5H5}~P2m*I4bebm@3`WyIYO ztxa+yC~XUdK-%%oGB?j_4rn`_pY zUW5c{A*AEwmBk8-j~nKnmG|NPQtMMXyY#sLWqVxh>Zubsa<4WnFN69^txxH+2vM3hrGr_61D|x% z3RystxGiCh4_I5q^K*Ve-rK8K!>P1OMf9`Iz!+1Q253U*y2P$6K zS?hSDQ%Bx$q5e|qEgil-z1-?wI^y6jG*w72ARUA5b$Y4tB{uz2z{pZM*gt(CtnteI zNQXzo?Qx<0Qi~By#-DFV-Wq(dc&-h2rhpO2e4$xsMq%mTZ}$$}t9pTG;o`Qq1ke_8 zF$?g@0qM|sE~N~Q8zP8PbEWg~_Uk3dOUPTBFXq`L__9_->NHlDnu;c?7COUh(!B+v z7l;-vTw7HAb>(6f;+36oEl!#*yA8rQ#6PDN|EeQMUP9j5d@;{1VPziHTQF16WYt1v zm?64XCx~rYc&3n5{mBR3KwjAy7tXJ25Y8d~Iki5d6U#_!m|48vBFAH4uULNN?WxGG zoayzqu<4VILM>_&^x+J9b#(G8PxV!2I&Hf1D`!&aq!wQ-8RH%`p)yLPGl|N{D4`fD zn~6%WEWezmHc{Ha61mg9(%`KL`f?(#I)mjo9>hw0ueif426$Xg6h64^N(g_pghL|DQ7Ki=G2%ilGA^f z&)zzq89RE70pwS9vLzcvNa&^b7aaWm-H$%?eEarPdgIeC=y}WPm8E&8()st_o6$hY zYWw>tZC-S}d3|!ei?h|ju9y6M5DYh|#~1^M69Fl2^|qD6c+!z}{?P3YDg$hDJkt3U zwtxNg!()_Atr1T;Ry}VEyI%6Q&@kMj9%GDtq*J4bQ;w)~p8NBMBKGT`DV+(mYqg!nMF~vvgHiVmrA!rE}eh=@q<`8m@l>vQk+NFVRZ*7Lr%tH zC`U3}56Vj{>M8yi%HiBA&#|^eJD}0&;20vmvZAQN^H4V|p9ijgcJ}3a$?_MMT_j_i zdxF(l))&XL?1{_EB)M4U0^1t7bpH1H4`6P1&3Wdb(qusKVs;p1#29I8Fv4bLKqE7< z4tuysDvf$h4regWF~Bt&xtY~tf`Kt;wm05Pqp0N#OV1lPw{nAXBTPCfwcz~q=t2hn zd4XOfb{n&#O#DgO%9|6*zD#zAvf_1m{I2NtC6a#bG`aMwW@LY3kj`Iz_m&I$AwDB_^2X7~qL8LV^CyGFt>`LhNP2Q`RvXa z6hk^KnoJIoj>x`jNoQZ=TvoQRzctTRdEum&LzT{-K5^Hf`+O$`7}gn3Y`_$W%aF== ztTV!pbb!prpmel)J*AT`<{_@Rr*xb#lyvmW$e?s^+m~cxN{8iPcBF&HxHyl;u%vTw zUNYA5y7T7Gbh~H9ES*2R{6(L0pDIU^92{a9y?+^uFd!XSuZMK>dOf9stoP;Ud6NUu zamP^7!KYBBw}qsm$m$rhrZcFC^APYRB8|~%HSf%qN^cwKXd6m8Dt~#7D zh5Z_gu$d#7GQzT+Uph`bk95pD#{kzHkd9}JfOP0+;>4XaFy}5ww^CqKF@ zdX5*-Z2i2P8K-ofeBSF?qvvuJX>3ryPLAYa7pm7%nTL4`)t@09hdGAw979_MF)hY; z+8u*3)>fuv)k5V+E?(Cjt`J^r$Z^RQUH)bluSD%LS-#XI%iqo_5yq9hhw#>{$i93U znPsHjdG)oQv|XZQCl;@aM>@a8_9S}s7`R+T8k-cbog*2p*NP6T76!Qt=5TgNXgFUp zKuib6Xz+Z@Q~1S`3w68WnYH!Nvr6&K99Uhl8;6@zkUB*Xwq#gzmW{Z;@v4o3|TC0rqqaZ ze*UA^PPmsU(uO8Cer!Y58gN7UeaeCCg~xJA$Tf&o0@9r{N%guMX9BhKsrDD z&U?}Wky;Yz{P>&iN)JS8Nu=|`Z@d#^lZVeM`}tk+7@ihEi%IhK%?J-`9+rQm_aUp2 z=M1a<%43?*Ssh>Y(98?x>-AGTr1QP6y&YhaW4sKy?<4Lfeof9SE?*2Y!o`tGr(%)D z)O+XPmn-(6!;#}od+(t(jTgf+di=ot!XBoc6GjjYA2WcB=rPx!vsdseGhyj``>SsQ ze#7EfBZe7J33AB#Kt8_MWrVu`=s9}nxc))W9E?E}%~yxuNN-I3r+UZv~{ovqp?XI(BAcA7AV;!v7!Xxc))XAvqRJUwBMfi`v)hp9{t# z9V^zHSUUI-K9EgDTDCV~@!4cM3$jD}YL!`Li^X;_ySl-h4#9{C+DG|5HX|Y(mq^wbW-B_x_AZmX%Na!}>t*Iy6+=pz z`EVDAF$w9YdX%STo-*lt|LgAn*<_UuSzG4C;*g;%$QJQyR;Fk~M~nvKQWo{_WhMzD zY3+~^N>7PScc#fYtb9|YxX2ggJP9&=t`H5s)Mz)&!7x@;WlyzR&9QWK4 z(PJldn)$GE@za;?1*JoJxj^fklv`3dG!3Q0CPSZ^xE!*cgV^ME-J6M)8ChQA?DwXt zdg`?%jEd+2j4&I+MsRem;4IB<3-+$^Z3ECz%Vhp1?FFM2Pzp=JLU^w`j9kWJh#5UZ zIS(owmq>;XE?(InlIO20>c>m&;5(GSS;@T$|1-O>(>x7HhmY|Q+~O(480pe+*ktF8 zA*de?S+Ku0zw1cH%#3WL;Wo+?*K8nHU4RkxNyj0Qk?CJT>G0DULC<#*wAcqfaB`WP z3&PygG2|;w4MZddq@(r{!a13AGVX#WwsdSZ*?D6K>W4!X?5~jp8Iq2f8QCu##Wg$9 zfyaQPV-d;7^lt>xA^5WI2d&x-N-jgvfr#W-(jkQN*rnsJ$<7LyuT8KOjOF9;jY=~n}=|DHEvUr9aTp=?y5Ry(&!%zE?4wB^Z7^UNUIXANm zt7vFE4%uLTb?JC`<*;;2uDPdl6p?Jq$RUy$`#Y#~1d;46lNa!#d8NP#S)Tr$(lMxK zM>SY}LnwtfgM`5ioKweqn ziyJ)qvX2oiNJiKmL#LTRuN?o>KSm3cb6Jex^3Na-9KwSOSI?Lc<}?<{`sm)U!oPHllcKo_Lvs0EEd%4EcvgJ2_I ztW&e36Bo<`;v9?an}6#AgjNE+C}J9Vtt5{%ix{%{g^OSSt@Lb9pmehC`^HBk9Yst- z(y`cIT{`*oR63)T4##gfja#<(U3D9Pauur Date: Mon, 12 Oct 2020 17:25:02 +0530 Subject: [PATCH 05/38] Linux_MDATP_4490409 Minor edits --- .../threat-protection/images}/linux-mdatp.png | Bin .../linux-schedule-scan-atp.md | 34 ++++++++++-------- 2 files changed, 20 insertions(+), 14 deletions(-) rename {images => windows/security/threat-protection/images}/linux-mdatp.png (100%) diff --git a/images/linux-mdatp.png b/windows/security/threat-protection/images/linux-mdatp.png similarity index 100% rename from images/linux-mdatp.png rename to windows/security/threat-protection/images/linux-mdatp.png diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md index aee27d7e1f..347e58511a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -19,16 +19,16 @@ ms.topic: conceptual # Schedule scans with Microsoft Defender ATP for Linux -For the command line to be able to run a scan on MDATP for Linux, see [Supported Commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-resources#supported-commands). +To run a scan on MDATP for Linux, see [Supported Commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-resources#supported-commands). -Linux (and Unix) have the tool called **crontab** (similar to Task Scheduler) to be able to run scheduled tasks. +Linux (and Unix) have a tool called **crontab** (similar to Task Scheduler) to be able to run scheduled tasks. ## Pre-requisite > [!NOTE] -> To get a list of all the time zones, run the following command: -`timedatectl list-timezones` +> To get a list of all the time zones, run the following command: +> `timedatectl list-timezones` > Examples for timezones: > - `America/Los_Angeles` @@ -37,6 +37,7 @@ Linux (and Unix) have the tool called **crontab** (similar to Task Scheduler) to >- `America/Denver` ## To set the Cron job +Use the following commands: **To backup crontab entries:** @@ -66,7 +67,7 @@ CRON_TZ=America/Los_Angeles 0 2 * * sat /bin/mdatp scan quick > ~/mdatp_cron_job.log > [!NOTE] -In this example, we are setting it to 00 minutes, 2 a.m. (hour in 24 hour format), any day of the month, any month, on Saturdays. Meaning it will run Saturdays at 2:00 a.m. Pacific (UTC –8) +In this example, we have set it to 00 minutes, 2 a.m. (hour in 24 hour format), any day of the month, any month, on Saturdays. Meaning it will run Saturdays at 2:00 a.m. Pacific (UTC –8). Press “Esc” @@ -75,33 +76,36 @@ Type “:wq” without the double quotes. > [!NOTE] w == write, q == quit -To view your cron jobs, type sudo crontab -l +To view your cron jobs, type `sudo crontab -l` -:::image type="content" source="../../../../images/linux-mdatp.png" alt-text="linux mdatp"::: +:::image type="content" source="..\images\linux-mdatp.png" alt-text="linux mdatp"::: -**How to inspect cron job runs:** +**To inspect cron job runs:** `sudo grep mdatp /var/log/cron` -**How to inspect the mdatp_cron_job.log** +**To inspect the mdatp_cron_job.log** + `sudo nano mdatp_cron_job.log` ## For those who use Ansible, Chef, or Puppet] -### How to set cron jobs in Ansible: + +Use the following commands: +### To set cron jobs in Ansible: `cron – Manage cron.d and crontab entries` See [https://docs.ansible.com/ansible/latest/modules/cron_module.html](https://docs.ansible.com/ansible/latest/modules/cron_module.html) for more information. -### How to set crontabs in Chef: +### To set crontabs in Chef: `cron resource` See [https://docs.chef.io/resources/cron/](https://docs.chef.io/resources/cron/) for more information. -### How to set cron jobs in Puppet: +### To set cron jobs in Puppet: Resource Type: cron -See [https://puppet.com/docs/puppet/5.5/types/cron.html](https://puppet.com/docs/puppet/5.5/types/cron.html) +See [https://puppet.com/docs/puppet/5.5/types/cron.html](https://puppet.com/docs/puppet/5.5/types/cron.html) for more information. Automating with Puppet: Cron jobs and scheduled tasks @@ -110,6 +114,7 @@ See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](h ## Additional information: **To get help with crontab** + `man crontab` **To get a list of crontab file of the current user:** @@ -161,6 +166,7 @@ See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](h | | | +——- month (values: 1 – 12) (special characters: ,- * / ) | | | | +—- day of week (values: 0 – 6) (Sunday=0 or 7) (special characters: , – * / L W C) | | | | | -* * * * * command to be executed + +*****command to be executed From a86c74982cd7697a858c64c1c468dfc8f1e9a854 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Mon, 12 Oct 2020 17:56:30 +0530 Subject: [PATCH 06/38] linux-mdatp-1.png New file --- .../threat-protection/images/linux-mdatp-1.png | Bin 0 -> 5634 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/security/threat-protection/images/linux-mdatp-1.png diff --git a/windows/security/threat-protection/images/linux-mdatp-1.png b/windows/security/threat-protection/images/linux-mdatp-1.png new file mode 100644 index 0000000000000000000000000000000000000000..f8c9c07b16906f1465cf3b97f50b71ab49b3f10f GIT binary patch literal 5634 zcmV+d7X9goP)4_KtMo6D;h>!XGcdzOG`^k zOiWEpO;Au!Qc_Y=Q&Ut_R8>_~R#sM5S65hASXo(FT3T9NU0q&YUSD5dU`H%sVP0cl zUt?lmV`F1vV_;-sVPs@vWn^MyWn*S#V`^$@Yinz4D*$Y4Yi(_8Zf$LDZfCf> zsHv%`sj8}~s;R1~s;jH3tgNi9t*x%EuCcMPvT!c5uc@=Mv$V0QwX?0YwY9gjuDG_a zxwWynwz9gov%9&pytuTyyu7`;w!XTyzP+EnySKl;zrnq^!NI}8!otPR-^S11#?ar! z(BR69Ps+im%gM*g%gN2KbIr}n&d$!y&dt!!(9zJ((b3V;($dq@)6~?|)z#J4*VozE z+1uOO-QC?QUjxqgHpeUs%xPU|Dwm@VT8WkMH z1sv|n;!?0$6QYEo($unvF(!sB4flQD_kES)|6}g+&1khckeq!#B)KICXQ7TQ&XThP)Wc;Zv!q&&+aEYaE$3Yv*O^t}F>qNeS0#JZjH>l!6g891ZE)|2 z&(%koDV0t=I@oGeW3(u59XMZz?N4=fvE9K-*xhEbMQmxUTlDP0-^OXr zQ41P_l(qL(+MQLRm=^W4A77xkCGmdV3?pn{cLTb}R6h2V{Z}D0Ww$L&I^NS|pS^A8 z@Y-t$9&Twxtwc@*d?{S()>zNn4Py+l7yCl12se1W#(pc=+>&@dZxw9@rE>x;J$raR z{*q4XWNt6%*xz7ACmkI9&H1H6_GVS2SC>wHePX3EgO+X)=}hkpD&u61a97nfbG zl5I>X)Pab-Y}K_R0?IGOu)aJ!AQ+dAhCCCFTb8Z2HpNU+?L?e$+Oj zPB8AhbnBT1Ge=N5`1F@6m6bidOUXH1IsXU+)ql8)-C(QSmKGgEk+A2q#-vW+gAc?Pd> zD!0Dy;8DC`Uts4vzVX^(hIqTGCN_aT#8GvQ=}nf9Vvr>H5^Dr~2zt zI?B_qbcpw{rE?rh=kNitFO!*0>FljkO7I;EFDff%FX3gL+A^e5T8pB!k|rHm4_lx= zyg2Txsx3o0RTdG3>j~)?Wnfg7E$yLtR?pVl!Y%M}I%+RwEe|wt2=6yUe`IevT|r*vvv6@_(I%H8g@LW3-3#TJj-F4pj$sx7a=>V^B0E!?&=I_>P0{m~)K zUO>~l+KZySn%@I!Zg9_{49^_bD_Xs5ko7M82YbIQ%5c2~+Y$D3?^E4Rp3B{lolfcG zLcFcP<@{8Ka!^0Je?ez0?MCC=x+_cKzte0)|l{zU>U zhr0*sdCu>`(!sj0q_dJE2R|nQwHSaYXkQiZpZDzS)na(i`^n5&BffOvkDET5H5}~P2m*I4bebm@3`WyIYO ztxa+yC~XUdK-%%oGB?j_4rn`_pY zUW5c{A*AEwmBk8-j~nKnmG|NPQtMMXyY#sLWqVxh>Zubsa<4WnFN69^txxH+2vM3hrGr_61D|x% z3RystxGiCh4_I5q^K*Ve-rK8K!>P1OMf9`Iz!+1Q253U*y2P$6K zS?hSDQ%Bx$q5e|qEgil-z1-?wI^y6jG*w72ARUA5b$Y4tB{uz2z{pZM*gt(CtnteI zNQXzo?Qx<0Qi~By#-DFV-Wq(dc&-h2rhpO2e4$xsMq%mTZ}$$}t9pTG;o`Qq1ke_8 zF$?g@0qM|sE~N~Q8zP8PbEWg~_Uk3dOUPTBFXq`L__9_->NHlDnu;c?7COUh(!B+v z7l;-vTw7HAb>(6f;+36oEl!#*yA8rQ#6PDN|EeQMUP9j5d@;{1VPziHTQF16WYt1v zm?64XCx~rYc&3n5{mBR3KwjAy7tXJ25Y8d~Iki5d6U#_!m|48vBFAH4uULNN?WxGG zoayzqu<4VILM>_&^x+J9b#(G8PxV!2I&Hf1D`!&aq!wQ-8RH%`p)yLPGl|N{D4`fD zn~6%WEWezmHc{Ha61mg9(%`KL`f?(#I)mjo9>hw0ueif426$Xg6h64^N(g_pghL|DQ7Ki=G2%ilGA^f z&)zzq89RE70pwS9vLzcvNa&^b7aaWm-H$%?eEarPdgIeC=y}WPm8E&8()st_o6$hY zYWw>tZC-S}d3|!ei?h|ju9y6M5DYh|#~1^M69Fl2^|qD6c+!z}{?P3YDg$hDJkt3U zwtxNg!()_Atr1T;Ry}VEyI%6Q&@kMj9%GDtq*J4bQ;w)~p8NBMBKGT`DV+(mYqg!nMF~vvgHiVmrA!rE}eh=@q<`8m@l>vQk+NFVRZ*7Lr%tH zC`U3}56Vj{>M8yi%HiBA&#|^eJD}0&;20vmvZAQN^H4V|p9ijgcJ}3a$?_MMT_j_i zdxF(l))&XL?1{_EB)M4U0^1t7bpH1H4`6P1&3Wdb(qusKVs;p1#29I8Fv4bLKqE7< z4tuysDvf$h4regWF~Bt&xtY~tf`Kt;wm05Pqp0N#OV1lPw{nAXBTPCfwcz~q=t2hn zd4XOfb{n&#O#DgO%9|6*zD#zAvf_1m{I2NtC6a#bG`aMwW@LY3kj`Iz_m&I$AwDB_^2X7~qL8LV^CyGFt>`LhNP2Q`RvXa z6hk^KnoJIoj>x`jNoQZ=TvoQRzctTRdEum&LzT{-K5^Hf`+O$`7}gn3Y`_$W%aF== ztTV!pbb!prpmel)J*AT`<{_@Rr*xb#lyvmW$e?s^+m~cxN{8iPcBF&HxHyl;u%vTw zUNYA5y7T7Gbh~H9ES*2R{6(L0pDIU^92{a9y?+^uFd!XSuZMK>dOf9stoP;Ud6NUu zamP^7!KYBBw}qsm$m$rhrZcFC^APYRB8|~%HSf%qN^cwKXd6m8Dt~#7D zh5Z_gu$d#7GQzT+Uph`bk95pD#{kzHkd9}JfOP0+;>4XaFy}5ww^CqKF@ zdX5*-Z2i2P8K-ofeBSF?qvvuJX>3ryPLAYa7pm7%nTL4`)t@09hdGAw979_MF)hY; z+8u*3)>fuv)k5V+E?(Cjt`J^r$Z^RQUH)bluSD%LS-#XI%iqo_5yq9hhw#>{$i93U znPsHjdG)oQv|XZQCl;@aM>@a8_9S}s7`R+T8k-cbog*2p*NP6T76!Qt=5TgNXgFUp zKuib6Xz+Z@Q~1S`3w68WnYH!Nvr6&K99Uhl8;6@zkUB*Xwq#gzmW{Z;@v4o3|TC0rqqaZ ze*UA^PPmsU(uO8Cer!Y58gN7UeaeCCg~xJA$Tf&o0@9r{N%guMX9BhKsrDD z&U?}Wky;Yz{P>&iN)JS8Nu=|`Z@d#^lZVeM`}tk+7@ihEi%IhK%?J-`9+rQm_aUp2 z=M1a<%43?*Ssh>Y(98?x>-AGTr1QP6y&YhaW4sKy?<4Lfeof9SE?*2Y!o`tGr(%)D z)O+XPmn-(6!;#}od+(t(jTgf+di=ot!XBoc6GjjYA2WcB=rPx!vsdseGhyj``>SsQ ze#7EfBZe7J33AB#Kt8_MWrVu`=s9}nxc))W9E?E}%~yxuNN-I3r+UZv~{ovqp?XI(BAcA7AV;!v7!Xxc))XAvqRJUwBMfi`v)hp9{t# z9V^zHSUUI-K9EgDTDCV~@!4cM3$jD}YL!`Li^X;_ySl-h4#9{C+DG|5HX|Y(mq^wbW-B_x_AZmX%Na!}>t*Iy6+=pz z`EVDAF$w9YdX%STo-*lt|LgAn*<_UuSzG4C;*g;%$QJQyR;Fk~M~nvKQWo{_WhMzD zY3+~^N>7PScc#fYtb9|YxX2ggJP9&=t`H5s)Mz)&!7x@;WlyzR&9QWK4 z(PJldn)$GE@za;?1*JoJxj^fklv`3dG!3Q0CPSZ^xE!*cgV^ME-J6M)8ChQA?DwXt zdg`?%jEd+2j4&I+MsRem;4IB<3-+$^Z3ECz%Vhp1?FFM2Pzp=JLU^w`j9kWJh#5UZ zIS(owmq>;XE?(InlIO20>c>m&;5(GSS;@T$|1-O>(>x7HhmY|Q+~O(480pe+*ktF8 zA*de?S+Ku0zw1cH%#3WL;Wo+?*K8nHU4RkxNyj0Qk?CJT>G0DULC<#*wAcqfaB`WP z3&PygG2|;w4MZddq@(r{!a13AGVX#WwsdSZ*?D6K>W4!X?5~jp8Iq2f8QCu##Wg$9 zfyaQPV-d;7^lt>xA^5WI2d&x-N-jgvfr#W-(jkQN*rnsJ$<7LyuT8KOjOF9;jY=~n}=|DHEvUr9aTp=?y5Ry(&!%zE?4wB^Z7^UNUIXANm zt7vFE4%uLTb?JC`<*;;2uDPdl6p?Jq$RUy$`#Y#~1d;46lNa!#d8NP#S)Tr$(lMxK zM>SY}LnwtfgM`5ioKweqn ziyJ)qvX2oiNJiKmL#LTRuN?o>KSm3cb6Jex^3Na-9KwSOSI?Lc<}?<{`sm)U!oPHllcKo_Lvs0EEd%4EcvgJ2_I ztW&e36Bo<`;v9?an}6#AgjNE+C}J9Vtt5{%ix{%{g^OSSt@Lb9pmehC`^HBk9Yst- z(y`cIT{`*oR63)T4##gfja#<(U3D9Pauur Date: Mon, 12 Oct 2020 20:54:38 +0530 Subject: [PATCH 07/38] 4490409 minor image tag changes --- .../microsoft-defender-atp/linux-schedule-scan-atp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md index 347e58511a..6862347fd7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -78,7 +78,7 @@ Type “:wq” without the double quotes. To view your cron jobs, type `sudo crontab -l` -:::image type="content" source="..\images\linux-mdatp.png" alt-text="linux mdatp"::: +:::image type="content" source="..\images\linux-mdatp-1.png" alt-text="linux mdatp"::: **To inspect cron job runs:** From 2c781644824327ee8ca4f743cda8455830c6a314 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Tue, 13 Oct 2020 19:55:32 +0530 Subject: [PATCH 08/38] Update linux-schedule-scan-atp.md --- .../microsoft-defender-atp/linux-schedule-scan-atp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md index 6862347fd7..4881a157db 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -88,7 +88,7 @@ To view your cron jobs, type `sudo crontab -l` `sudo nano mdatp_cron_job.log` -## For those who use Ansible, Chef, or Puppet] +## For those who use Ansible, Chef, or Puppet Use the following commands: ### To set cron jobs in Ansible: From cd76be762770237fe42059bdd96cd438e5eac045 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Tue, 13 Oct 2020 20:57:59 +0530 Subject: [PATCH 09/38] Update linux-schedule-scan-atp.md --- .../microsoft-defender-atp/linux-schedule-scan-atp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md index 4881a157db..491a44df0e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -21,7 +21,7 @@ ms.topic: conceptual To run a scan on MDATP for Linux, see [Supported Commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-resources#supported-commands). -Linux (and Unix) have a tool called **crontab** (similar to Task Scheduler) to be able to run scheduled tasks. +Linux (and Unix) have a tool called **crontab**(similar to Task Scheduler) to be able to run scheduled tasks. ## Pre-requisite From ac4ce3a6408ffcf5ac0c6d172c226ad27f2d887f Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Tue, 13 Oct 2020 21:00:28 +0530 Subject: [PATCH 10/38] Update linux-schedule-scan-atp.md --- .../microsoft-defender-atp/linux-schedule-scan-atp.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md index 4881a157db..09fcee81f1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -26,10 +26,8 @@ Linux (and Unix) have a tool called **crontab** (similar to Task Scheduler) to b ## Pre-requisite > [!NOTE] - > To get a list of all the time zones, run the following command: > `timedatectl list-timezones` - > Examples for timezones: > - `America/Los_Angeles` > - `America/New_York` @@ -67,14 +65,14 @@ CRON_TZ=America/Los_Angeles 0 2 * * sat /bin/mdatp scan quick > ~/mdatp_cron_job.log > [!NOTE] -In this example, we have set it to 00 minutes, 2 a.m. (hour in 24 hour format), any day of the month, any month, on Saturdays. Meaning it will run Saturdays at 2:00 a.m. Pacific (UTC –8). +>In this example, we have set it to 00 minutes, 2 a.m. (hour in 24 hour format), any day of the month, any month, on Saturdays. Meaning it will run Saturdays at 2:00 a.m. Pacific (UTC –8). Press “Esc” Type “:wq” without the double quotes. > [!NOTE] - w == write, q == quit +> w == write, q == quit To view your cron jobs, type `sudo crontab -l` From 47429eb530bedc9d4ecc942939d5ca9246d6c445 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Tue, 13 Oct 2020 21:46:01 +0530 Subject: [PATCH 11/38] Update linux-schedule-scan-atp.md --- .../microsoft-defender-atp/linux-schedule-scan-atp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md index 737bba28fe..2daf8f2576 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -21,7 +21,7 @@ ms.topic: conceptual To run a scan on MDATP for Linux, see [Supported Commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-resources#supported-commands). -Linux (and Unix) have a tool called **crontab**(similar to Task Scheduler) to be able to run scheduled tasks. +Linux(and Unix) have a tool called **crontab**(similar to Task Scheduler) to be able to run scheduled tasks. ## Pre-requisite From b5c866a3520e0cb37d2df908b76b535a659ca054 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Thu, 15 Oct 2020 14:32:58 +0530 Subject: [PATCH 12/38] Update linux-schedule-scan-atp.md Updated per comments from Yong Rhee --- .../linux-schedule-scan-atp.md | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md index 2daf8f2576..b04e20d3a6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -155,16 +155,11 @@ See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](h **Explanation**: -+—————- minute (values: 0 – 59) (special characters: , – * /) - -| +————- hour (values: 0 – 23) (special characters: , – * /) - -| | +———- day of month (values: 1 – 31) (special characters: , – * / L W C) - -| | | +——- month (values: 1 – 12) (special characters: ,- * / ) -| | | | +—- day of week (values: 0 – 6) (Sunday=0 or 7) (special characters: , – * / L W C) -| | | | | - -*****command to be executed ++—————- minute (values: 0 – 59) (special characters: , – * /)
+| +————- hour (values: 0 – 23) (special characters: , – * /)
+| | +———- day of month (values: 1 – 31) (special characters: , – * / L W C)
+| | | +——- month (values: 1 – 12) (special characters: ,- * / )
+| | | | +—- day of week (values: 0 – 6) (Sunday=0 or 7) (special characters: , – * / L W C)
+| | | | |*****command to be executed From 104c43ff75a1f4af29a932f8e2b49618176c5ca9 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Thu, 15 Oct 2020 14:42:18 +0530 Subject: [PATCH 13/38] update-toc-per-4490409 Updated the new topic link in the TOC - "Schedule scans with Microsoft Defender ATP for Linux" --- windows/security/threat-protection/TOC.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index f69cdfadb5..7325a5cf3e 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -284,6 +284,7 @@ ##### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md) ##### [Set preferences](microsoft-defender-atp/linux-preferences.md) ##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/linux-pua.md) +##### [Schedule scans with Microsoft Defender ATP for Linux](microsoft-defender-atp/linux-schedule-scan-atp.md) #### [Troubleshoot]() ##### [Troubleshoot installation issues](microsoft-defender-atp/linux-support-install.md) From 4eebe0f6f82af97bfc6e9a94c9184cbaa34e3d0a Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Thu, 15 Oct 2020 14:54:54 +0530 Subject: [PATCH 14/38] Update linux-schedule-scan-atp.md minor edit --- .../microsoft-defender-atp/linux-schedule-scan-atp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md index b04e20d3a6..22187f7d02 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -21,7 +21,7 @@ ms.topic: conceptual To run a scan on MDATP for Linux, see [Supported Commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-resources#supported-commands). -Linux(and Unix) have a tool called **crontab**(similar to Task Scheduler) to be able to run scheduled tasks. +Linux (and Unix) have a tool called **crontab** (similar to Task Scheduler) to be able to run scheduled tasks. ## Pre-requisite From 272b272988926a83aac025515b09846e6b1e452e Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 15 Oct 2020 11:08:06 -0700 Subject: [PATCH 15/38] Update linux-schedule-scan-atp.md using correct brand names from MDATP to Microsoft Defender for Endpoint (Linux) --- .../microsoft-defender-atp/linux-schedule-scan-atp.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md index 22187f7d02..d5c088430a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -1,7 +1,7 @@ --- -title: How to schedule scans with MDATP for Linux -description: Learn how to schedule an automatic scanning time for Microsoft Defender ATP in Linux to better protect your organization's assets. -keywords: microsoft, defender, atp, linux, scans, antivirus +title: How to schedule scans with Microsoft Defender for Endpoint (Linux) +description: Learn how to schedule an automatic scanning time for Microsoft Defender for Endpoint (Linux) to better protect your organization's assets. +keywords: microsoft, defender, atp, linux, scans, antivirus, microsoft defender for endpoint (linux) search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -17,9 +17,9 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Schedule scans with Microsoft Defender ATP for Linux +# Schedule scans with Microsoft Defender for Endpoint (Linux) -To run a scan on MDATP for Linux, see [Supported Commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-resources#supported-commands). +To run a scan for Linux, see [Supported Commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-resources#supported-commands). Linux (and Unix) have a tool called **crontab** (similar to Task Scheduler) to be able to run scheduled tasks. From 59eb12e1ebca06511ad3e3ff02e09363171e3921 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Fri, 16 Oct 2020 22:49:48 +0530 Subject: [PATCH 16/38] Update linux-schedule-scan-atp.md --- .../linux-schedule-scan-atp.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md index d5c088430a..ff23ec7922 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -31,8 +31,8 @@ Linux (and Unix) have a tool called **crontab** (similar to Task Scheduler) to b > Examples for timezones: > - `America/Los_Angeles` > - `America/New_York` ->- `America/Chicago` ->- `America/Denver` +> - `America/Chicago` +> - `America/Denver` ## To set the Cron job Use the following commands: @@ -44,9 +44,10 @@ Use the following commands: > [!NOTE] > Where 200919 == YRMMDD -> TIP: -Do this before you edit or remove. -To edit the crontab, and add a new job as a root user: +> [!TIP] +> Do this before you edit or remove.
+ +To edit the crontab, and add a new job as a root user:
`sudo crontab -e` > [!NOTE] @@ -109,7 +110,7 @@ Automating with Puppet: Cron jobs and scheduled tasks See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/) for more information. -## Additional information: +## Additional information **To get help with crontab** @@ -126,8 +127,9 @@ See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](h **To backup crontab entries:** `crontab -l > /var/tmp/cron_backup.dat` + > [!TIP] -> Do this before you edit or remove. +> Do this before you edit or remove.
**To restore crontab entries:** From c2b1ce54a71a141ca0ab9b953dce06198784fbed Mon Sep 17 00:00:00 2001 From: Lovina Saldanha <69782111+Lovina-Saldanha@users.noreply.github.com> Date: Fri, 16 Oct 2020 23:08:33 +0530 Subject: [PATCH 17/38] Update linux-schedule-scan-atp.md --- .../linux-schedule-scan-atp.md | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md index ff23ec7922..18d93d4b7d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -37,7 +37,7 @@ Linux (and Unix) have a tool called **crontab** (similar to Task Scheduler) to b ## To set the Cron job Use the following commands: -**To backup crontab entries:** +**To backup crontab entries** `sudo crontab -l > /var/tmp/cron_backup_200919.dat` @@ -79,7 +79,7 @@ To view your cron jobs, type `sudo crontab -l` :::image type="content" source="..\images\linux-mdatp-1.png" alt-text="linux mdatp"::: -**To inspect cron job runs:** +**To inspect cron job runs** `sudo grep mdatp /var/log/cron` @@ -90,18 +90,18 @@ To view your cron jobs, type `sudo crontab -l` ## For those who use Ansible, Chef, or Puppet Use the following commands: -### To set cron jobs in Ansible: +### To set cron jobs in Ansible `cron – Manage cron.d and crontab entries` See [https://docs.ansible.com/ansible/latest/modules/cron_module.html](https://docs.ansible.com/ansible/latest/modules/cron_module.html) for more information. -### To set crontabs in Chef: +### To set crontabs in Chef `cron resource` See [https://docs.chef.io/resources/cron/](https://docs.chef.io/resources/cron/) for more information. -### To set cron jobs in Puppet: +### To set cron jobs in Puppet Resource Type: cron See [https://puppet.com/docs/puppet/5.5/types/cron.html](https://puppet.com/docs/puppet/5.5/types/cron.html) for more information. @@ -116,46 +116,46 @@ See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](h `man crontab` -**To get a list of crontab file of the current user:** +**To get a list of crontab file of the current user** `crontab -l` -**To get a list of crontab file of another user:** +**To get a list of crontab file of another user** `crontab -u username -l` -**To backup crontab entries:** +**To backup crontab entries** `crontab -l > /var/tmp/cron_backup.dat` > [!TIP] > Do this before you edit or remove.
-**To restore crontab entries:** +**To restore crontab entries** `crontab /var/tmp/cron_backup.dat` -**To edit the crontab and add a new job as a root user:** +**To edit the crontab and add a new job as a root user** `Sudo crontab -e` -**To edit the crontab and add a new job:** +**To edit the crontab and add a new job** `crontab -e` -**To edit other user’s crontab entries:** +**To edit other user’s crontab entries** `crontab -u username -e` -**To remove all crontab entries:** +**To remove all crontab entries** `crontab -r` -**To remove other user’s crontab entries:** +**To remove other user’s crontab entries** `crontab -u username -r` -**Explanation**: +**Explanation** +—————- minute (values: 0 – 59) (special characters: , – * /)
| +————- hour (values: 0 – 23) (special characters: , – * /)
From b7f5d38e67c4fce459f4c94795fe7491df8cbf80 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Tue, 20 Oct 2020 23:38:41 +0530 Subject: [PATCH 18/38] Update linux-schedule-scan-atp.md minor correction in note --- .../microsoft-defender-atp/linux-schedule-scan-atp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md index 18d93d4b7d..3bd8a7cde1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -27,7 +27,7 @@ Linux (and Unix) have a tool called **crontab** (similar to Task Scheduler) to b > [!NOTE] > To get a list of all the time zones, run the following command: -> `timedatectl list-timezones` +> `timedatectl list-timezones`
> Examples for timezones: > - `America/Los_Angeles` > - `America/New_York` From bdd52aab30e1ff2822a438468344637389a6c5fb Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 15:01:32 -0800 Subject: [PATCH 19/38] Update configure-microsoft-defender-antivirus-features.md --- .../configure-microsoft-defender-antivirus-features.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md index a3d582510d..383dce56d6 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 11/18/2020 ms.reviewer: manager: dansimp --- From 5f8681b6f29617b0270343fe18e2773d0bf65d93 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 15:05:50 -0800 Subject: [PATCH 20/38] Update configure-microsoft-defender-antivirus-features.md --- ...e-microsoft-defender-antivirus-features.md | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md index 383dce56d6..91b4bdb5bd 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md @@ -37,15 +37,17 @@ The following broad categories of features can be configured: - Cloud-delivered protection - Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection -- How end-users interact with the client on individual endpoints +- How end users interact with the client on individual endpoints -The topics in this section describe how to perform key tasks when configuring Microsoft Defender Antivirus. Each topic includes instructions for the applicable configuration tool (or tools). +The following articles describe how to perform key tasks when configuring Microsoft Defender Antivirus. Each topic includes instructions for the applicable configuration tool (or tools). -You can also review the [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md) topic for an overview of each tool and links to further help. -## In this section -Topic | Description -:---|:--- -[Utilize Microsoft cloud-provided Microsoft Defender Antivirus protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection -[Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time antivirus protection -[Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)|Configure how end-users interact with Microsoft Defender Antivirus, what notifications they see, and whether they can override settings +|Article |Description | +|---------|---------| +|[Utilize Microsoft cloud-provided Microsoft Defender Antivirus protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) | Use cloud-delivered protection for advanced, fast, robust antivirus detection. | +|[Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md) |Enable behavior-based, heuristic, and real-time antivirus protection. | +|[Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md) | Configure how end users in your organization interact with Microsoft Defender Antivirus, what notifications they see, and whether they can override settings. | + +> [!TIP] +> You can also review the [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md) topic for an overview of each tool and links to further help. + From f4f111298f872493993a18d5a55a6b9fb44da77a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 15:07:09 -0800 Subject: [PATCH 21/38] Update configure-microsoft-defender-antivirus-features.md --- .../configure-microsoft-defender-antivirus-features.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md index 91b4bdb5bd..fd9d16d4b6 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md @@ -39,8 +39,7 @@ The following broad categories of features can be configured: - Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection - How end users interact with the client on individual endpoints -The following articles describe how to perform key tasks when configuring Microsoft Defender Antivirus. Each topic includes instructions for the applicable configuration tool (or tools). - +The following articles describe how to perform key tasks when configuring Microsoft Defender Antivirus. Each article includes instructions for the applicable configuration tool (or tools). |Article |Description | |---------|---------| From c99aaeaef18a6d9a1fafc0926d4f4337d1a7dfea Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 15:10:46 -0800 Subject: [PATCH 22/38] Update configure-network-connections-microsoft-defender-antivirus.md --- ...etwork-connections-microsoft-defender-antivirus.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md index 8ee17ca054..1be93dc8a6 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 07/08/2020 +ms.date: 11/18/2020 ms.reviewer: manager: dansimp --- @@ -62,7 +62,7 @@ The table below lists the services and their associated URLs. Make sure that the | Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net`
`ussus1westprod.blob.core.windows.net`
`usseu1northprod.blob.core.windows.net`
`usseu1westprod.blob.core.windows.net`
`ussuk1southprod.blob.core.windows.net`
`ussuk1westprod.blob.core.windows.net`
`ussas1eastprod.blob.core.windows.net`
`ussas1southeastprod.blob.core.windows.net`
`ussau1eastprod.blob.core.windows.net`
`ussau1southeastprod.blob.core.windows.net` | | Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `http://www.microsoft.com/pkiops/crl/`
`http://www.microsoft.com/pkiops/certs`
`http://crl.microsoft.com/pki/crl/products`
`http://www.microsoft.com/pki/certs` | | Symbol Store|Used by Microsoft Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` | -| Universal Telemetry Client| Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
`settings-win.data.microsoft.com`| +| Universal Telemetry Client| Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses telemetry for product quality monitoring purposes | The update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
`settings-win.data.microsoft.com`| ## Validate connections between your network and the cloud @@ -85,8 +85,7 @@ For more information, see [Manage Microsoft Defender Antivirus with the mpcmdrun You can download a sample file that Microsoft Defender Antivirus will detect and block if you are properly connected to the cloud. -Download the file by visiting the following link: -- https://aka.ms/ioavtest +Download the file by visiting [https://aka.ms/ioavtest](https://aka.ms/ioavtest). >[!NOTE] >This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud. @@ -105,11 +104,11 @@ You will also see a detection under **Quarantined threats** in the **Scan histor 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label: +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label: ![Screenshot of the Scan history label in the Windows Security app](images/defender/wdav-history-wdsc.png) -3. Under the **Quarantined threats** section, click the **See full history** label to see the detected fake malware. +3. Under the **Quarantined threats** section, select **See full history** to see the detected fake malware. > [!NOTE] > Versions of Windows 10 before version 1703 have a different user interface. See [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md). From a6e114417672f424ef360524007248e97541b7d4 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 15:27:06 -0800 Subject: [PATCH 23/38] Update configure-process-opened-file-exclusions-microsoft-defender-antivirus.md --- ...exclusions-microsoft-defender-antivirus.md | 54 ++++++++----------- 1 file changed, 21 insertions(+), 33 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md index 95de8ec073..8b00cfd083 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md @@ -26,15 +26,16 @@ manager: dansimp You can exclude files that have been opened by specific processes from Microsoft Defender Antivirus scans. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists. -This topic describes how to configure exclusion lists for the following: +This article describes how to configure exclusion lists. - +## Examples of exclusions + +|Exclusion | Example | +|---|---| +|Any file on the machine that is opened by any process with a specific file name | Specifying `test.exe` would exclude files opened by:
`c:\sample\test.exe`
`d:\internal\files\test.exe` | +|Any file on the machine that is opened by any process under a specific folder | Specifying `c:\test\sample\*` would exclude files opened by:
`c:\test\sample\test.exe`
`c:\test\sample\test2.exe`
`c:\test\sample\utility.exe` | +|Any file on the machine that is opened by a specific process in a specific folder | Specifying `c:\test\process.exe` would exclude files only opened by `c:\test\process.exe` | -Exclusion | Example ----|--- -Any file on the machine that is opened by any process with a specific file name | Specifying "test.exe" would exclude files opened by:
  • c:\sample\test.exe
  • d:\internal\files\test.exe
-Any file on the machine that is opened by any process under a specific folder | Specifying "c:\test\sample\\*" would exclude files opened by:
  • c:\test\sample\test.exe
  • c:\test\sample\test2.exe
  • c:\test\sample\utility.exe
-Any file on the machine that is opened by a specific process in a specific folder | Specifying "c:\test\process.exe" would exclude files only opened by c:\test\process.exe When you add a process to the process exclusion list, Microsoft Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md). @@ -46,14 +47,12 @@ You can add, remove, and review the lists for exclusions in [Group Policy](#gp), You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists. -By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. +By default, local changes made to the lists (by users with administrator privileges; changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-microsoft-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings. ## Configure the list of exclusions for files opened by specified processes - - ### Use Microsoft Intune to exclude files that have been opened by specified processes from scans See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details. @@ -80,8 +79,6 @@ See [How to create and deploy antimalware policies: Exclusion settings](https:// ![The Group Policy setting for specifying process exclusions](images/defender/wdav-process-exclusions.png) - - ### Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender). @@ -94,11 +91,11 @@ The format for the cmdlets is: The following are allowed as the \: -Configuration action | PowerShell cmdlet ----|--- -Create or overwrite the list | `Set-MpPreference` -Add to the list | `Add-MpPreference` -Remove items from the list | `Remove-MpPreference` +|Configuration action | PowerShell cmdlet | +|---|---| +|Create or overwrite the list | `Set-MpPreference` | +|Add to the list | `Add-MpPreference` | +|Remove items from the list | `Remove-MpPreference` | >[!IMPORTANT] >If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. @@ -109,7 +106,7 @@ For example, the following code snippet would cause Microsoft Defender AV scans Add-MpPreference -ExclusionProcess "c:\internal\test.exe" ``` -See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-Microsoft Defender Antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. +For more information on how to use PowerShell with Microsoft Defender Antivirus, see [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-Microsoft Defender Antivirus.md) and [Microsoft Defender Antivirus cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps&preserve=true). ### Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans @@ -121,33 +118,24 @@ ExclusionProcess The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`. -See the following for more information and allowed parameters: - -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) - - +For more information and allowed parameters, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx). ### Use the Windows Security app to exclude files that have been opened by specified processes from scans See [Add exclusions in the Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions) for instructions. - - ## Use wildcards in the process exclusion list The use of wildcards in the process exclusion list is different from their use in other exclusion lists. -In particular, you cannot use the question mark ? wildcard, and the asterisk \* wildcard can only be used at the end of a complete path. You can still use environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the process exclusion list. +In particular, you cannot use the question mark (`?`) wildcard, and the asterisk (`*`) wildcard can only be used at the end of a complete path. You can still use environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the process exclusion list. The following table describes how the wildcards can be used in the process exclusion list: -Wildcard | Use | Example use | Example matches ----|---|---|--- -\* (asterisk) | Replaces any number of characters |
  • C:\MyData\\*
|
  • Any file opened by C:\MyData\file.exe
-? (question mark) | Not available | \- | \- -Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |
  • %ALLUSERSPROFILE%\CustomLogFiles\file.exe
|
  • Any file opened by C:\ProgramData\CustomLogFiles\file.exe
- - +|Wildcard | Example use | Example matches | +|:---|:---|:---| +|`*` (asterisk)

Replaces any number of characters | `C:\MyData\*` | Any file opened by `C:\MyData\file.exe` | +|Environment variables

The defined variable is populated as a path when the exclusion is evaluated | `%ALLUSERSPROFILE%\CustomLogFiles\file.exe` | Any file opened by `C:\ProgramData\CustomLogFiles\file.exe` | ## Review the list of exclusions From ebb7a832fc41c69474297942f5d4254dafceea38 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 15:28:33 -0800 Subject: [PATCH 24/38] Update deployment-vdi-microsoft-defender-antivirus.md --- .../deployment-vdi-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md index 8139e27e9a..d799ae7d2e 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md @@ -10,7 +10,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 01/31/2020 +ms.date: 11/18/2020 ms.reviewer: manager: dansimp --- From 07b2b44a207c34ac121cf02039e697685b05a083 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 15:29:36 -0800 Subject: [PATCH 25/38] Update deployment-vdi-microsoft-defender-antivirus.md --- .../deployment-vdi-microsoft-defender-antivirus.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md index d799ae7d2e..81e984fa4a 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md @@ -28,7 +28,7 @@ In addition to standard on-premises or hardware configurations, you can also use See [Windows Virtual Desktop Documentation](https://docs.microsoft.com/azure/virtual-desktop) for more details on Microsoft Remote Desktop Services and VDI support. -For Azure-based virtual machines, you can also review the [Install Endpoint Protection in Azure Defender](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection) topic. +For Azure-based virtual machines, see [Install Endpoint Protection in Azure Defender](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection). With the ability to easily deploy updates to VMs running in VDIs, we've shortened this guide to focus on how you can get updates on your machines quickly and easily. You no longer need to create and seal golden images on a periodic basis, as updates are expanded into their component bits on the host server and then downloaded directly to the VM when it's turned on. @@ -49,7 +49,7 @@ You can also download the whitepaper [Microsoft Defender Antivirus on Virtual De ## Set up a dedicated VDI file share -In Windows 10, version 1903, we introduced the shared security intelligence feature. This offloads the unpackaging of downloaded security intelligence updates onto a host machine — thus saving previous CPU, disk, and memory resources on individual machines. You can set this feature with a Group Policy, or PowerShell. +In Windows 10, version 1903, we introduced the shared security intelligence feature, which offloads the unpackaging of downloaded security intelligence updates onto a host machine—thus saving previous CPU, disk, and memory resources on individual machines. You can set this feature with a Group Policy, or PowerShell. ### Use Group Policy to enable the shared security intelligence feature: From 97e4d4c368a1b39c197fd002f5f73f093b5e4950 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 15:32:16 -0800 Subject: [PATCH 26/38] Update deployment-vdi-microsoft-defender-antivirus.md --- .../deployment-vdi-microsoft-defender-antivirus.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md index 81e984fa4a..e135754b51 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md @@ -63,7 +63,7 @@ In Windows 10, version 1903, we introduced the shared security intelligence feat 5. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. A field automatically appears. -6. Enter `\\\wdav-update` (for what this will be, see [Download and unpackage](#download-and-unpackage-the-latest-updates)). +6. Enter `\\\wdav-update` (for help with this value, see [Download and unpackage](#download-and-unpackage-the-latest-updates)). 7. Click **OK**. @@ -81,7 +81,7 @@ See the [Download and unpackage](#download-and-unpackage-the-latest-updates) sec ## Download and unpackage the latest updates -Now you can get started on downloading and installing new updates. We’ve created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if you’re familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those). +Now you can get started on downloading and installing new updates. We’ve created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if you’re familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those scripts). ```PowerShell $vdmpathbase = 'c:\wdav-update\{00000000-0000-0000-0000-' @@ -98,7 +98,7 @@ cmd /c "cd $vdmpath & c: & mpam-fe.exe /x" ``` You can set a scheduled task to run once a day so that whenever the package is downloaded and unpacked then the VMs will receive the new update. -We suggest starting with once a day — but you should experiment with increasing or decreasing the frequency to understand the impact. +We suggest starting with once a day—but you should experiment with increasing or decreasing the frequency to understand the impact. Security intelligence packages are typically published once every three to four hours. Setting a frequency shorter than four hours isn’t advised because it will increase the network overhead on your management machine for no benefit. @@ -106,13 +106,13 @@ Security intelligence packages are typically published once every three to four 1. On the management machine, open the Start menu and type **Task Scheduler**. Open it and select **Create task…** on the side panel. -2. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Click **New…** Select **Daily** and click **OK**. +2. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Select **New…** > **Daily**, and select **OK**. -3. Go to the **Actions** tab. Click **New…** Enter **PowerShell** in the **Program/Script** field. Enter `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1` in the **Add arguments** field. Click **OK**. +3. Go to the **Actions** tab. Select **New…** Enter **PowerShell** in the **Program/Script** field. Enter `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1` in the **Add arguments** field. Select **OK**. 4. You can choose to configure additional settings if you wish. -5. Click **OK** to save the scheduled task. +5. Select **OK** to save the scheduled task. You can initiate the update manually by right-clicking on the task and clicking **Run**. From 1f325f118d6783836b7e625ad53d9a5ac66bfe13 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 15:32:49 -0800 Subject: [PATCH 27/38] Update deployment-vdi-microsoft-defender-antivirus.md --- .../deployment-vdi-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md index e135754b51..76394d2a43 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md @@ -118,7 +118,7 @@ You can initiate the update manually by right-clicking on the task and clicking ### Download and unpackage manually -If you would prefer to do everything manually, this what you would need to do to replicate the script’s behavior: +If you would prefer to do everything manually, here's what to do to replicate the script’s behavior: 1. Create a new folder on the system root called `wdav_update` to store intelligence updates, for example, create the folder `c:\wdav_update`. From 7f685696729678e465c85c3f3c1151083d4730b6 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 18 Nov 2020 15:33:09 -0800 Subject: [PATCH 28/38] update intune step 2 --- .../microsoft-defender-atp/onboarding-endpoint-manager.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md index 0027824386..1c87de1aa1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md @@ -104,12 +104,13 @@ needs.
In the following section, you'll create a number of configuration policies. First is a configuration policy to select which groups of users or devices will -be onboarded to Defender for Endpoint. +be onboarded to Defender for Endpoint: + +- [Endpoint detection and response](#endpoint-detection-and-response) Then you will continue by creating several -different types of endpoint security policies. +different types of endpoint security policies: -- [Endpoint detection and response](#endpoint-detection-and-response) - [Next-generation protection](#next-generation-protection) - [Attack surface reduction](#attack-surface-reduction--attack-surface-reduction-rules) From bab2ae97aa1932804ac19bbbbb522b643460192e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 15:52:54 -0800 Subject: [PATCH 29/38] Update deployment-vdi-microsoft-defender-antivirus.md --- ...oyment-vdi-microsoft-defender-antivirus.md | 39 ++++++++++++------- 1 file changed, 26 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md index 76394d2a43..53d4a57daf 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md @@ -11,7 +11,7 @@ author: denisebmsft ms.author: deniseb ms.custom: nextgen ms.date: 11/18/2020 -ms.reviewer: +ms.reviewer: jesquive manager: dansimp --- @@ -122,7 +122,9 @@ If you would prefer to do everything manually, here's what to do to replicate th 1. Create a new folder on the system root called `wdav_update` to store intelligence updates, for example, create the folder `c:\wdav_update`. -2. Create a subfolder under *wdav_update* with a GUID name, such as `{00000000-0000-0000-0000-000000000000}`; for example `c:\wdav_update\{00000000-0000-0000-0000-000000000000}`. +2. Create a subfolder under *wdav_update* with a GUID name, such as `{00000000-0000-0000-0000-000000000000}` + +Here's an example: `c:\wdav_update\{00000000-0000-0000-0000-000000000000}` > [!NOTE] > In the script we set it so the last 12 digits of the GUID are the year, month, day, and time when the file was downloaded so that a new folder is created each time. You can change this so that the file is downloaded to the same folder each time. @@ -138,32 +140,43 @@ If you would prefer to do everything manually, here's what to do to replicate th Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-microsoft-defender-antivirus.md). -The start time of the scan itself is still based on the scheduled scan policy — ScheduleDay, ScheduleTime, ScheduleQuickScanTime. Randomization will cause Microsoft Defender AV to start a scan on each machine within a 4 hour window from the time set for the scheduled scan. +The start time of the scan itself is still based on the scheduled scan policy (**ScheduleDay**, **ScheduleTime**, and **ScheduleQuickScanTime**). Randomization will cause Microsoft Defender Antivirus to start a scan on each machine within a 4-hour window from the time set for the scheduled scan. See [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) for other configuration options available for scheduled scans. ## Use quick scans -You can specify the type of scan that should be performed during a scheduled scan. -Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active. +You can specify the type of scan that should be performed during a scheduled scan. Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active. The following procedure describes how to set up quick scans using Group Policy. -1. Expand the tree to **Windows components > Windows Defender > Scan**. +1. In your Group Policy Editor, go to **Administrative templates** > **Windows components** > **Microsoft Defender Antivirus** > **Scan**. -2. Double-click **Specify the scan type to use for a scheduled scan** and set the option to **Enabled** and **Quick scan**. +2. Select **Specify the scan type to use for a scheduled scan** and then edit the policy setting. -3. Click **OK**. +3. Set the policy to **Enabled**, and then under **Options**, select **Quick scan**. + +4. Select **OK**. + +5. Deploy your Group Policy object as you usually do. ## Prevent notifications -Sometimes, Microsoft Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the Microsoft Defender Antivirus user interface. +Sometimes, Microsoft Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can lock down the Microsoft Defender Antivirus user interface. The following procedure describes how to suppress notifications with Group Policy. -1. Expand the tree to **Windows components > Windows Defender > Client Interface**. +1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Client Interface**. -2. Double-click **Suppress all notifications** and set the option to **Enabled**. +2. Select **Suppress all notifications** and then edit the policy settings. -3. Click **OK**. +3. Set the policy to **Enabled**, and then select **OK**. -This prevents notifications from Microsoft Defender AV appearing in the action center on Windows 10 when scans or remediation is performed. +4. Deploy your Group Policy object as you usually do. + +Suppressing notifications prevents notifications from Microsoft Defender Antivirus from showing up in the Action Center on Windows 10 when scans are done or remediation actions are taken. However, your security operations team will see the results of the scan in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). + +> [!TIP] +> To open the Action Center on Windows 10, take one of the following steps: +> - On the right end of the taskbar, select the Action Center icon. +> - Press the Windows logo key button + A. +> - On a touchscreen device, swipe in from the right edge of the screen. ## Disable scans after an update From 74736769a503f0d018b6cd48203c09a5b680f204 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 15:53:57 -0800 Subject: [PATCH 30/38] Update deployment-vdi-microsoft-defender-antivirus.md --- .../deployment-vdi-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md index 53d4a57daf..4233121080 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md @@ -185,7 +185,7 @@ This setting will prevent a scan from occurring after receiving an update. You c > [!IMPORTANT] > Running scans after an update will help ensure your VMs are protected with the latest Security intelligence updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image. -1. Expand the tree to **Windows components > Windows Defender > Signature Updates**. +1. Expand the tree to **Windows components** > **Windows Defender** > **Signature Updates**. 2. Double-click **Turn on scan after signature update** and set the option to **Disabled**. From 0b93827584f1975210e8f1f608c5342fe162cc30 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 16:07:09 -0800 Subject: [PATCH 31/38] Update configure-process-opened-file-exclusions-microsoft-defender-antivirus.md --- ...ess-opened-file-exclusions-microsoft-defender-antivirus.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md index 8b00cfd083..c9663557f9 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md @@ -43,9 +43,9 @@ The exclusions only apply to [always-on real-time protection and monitoring](con Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Security app **will not show** in the Group Policy lists. -You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists. +You can add, remove, and review the lists for exclusions in Group Policy, Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app, and you can use wildcards to further customize the lists. -You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists. +You can also use PowerShell cmdlets and WMI to configure the exclusion lists, including reviewing your lists. By default, local changes made to the lists (by users with administrator privileges; changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. From d189183c96745e9b124274024cda72f175b9ae37 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 16:08:36 -0800 Subject: [PATCH 32/38] Update deployment-vdi-microsoft-defender-antivirus.md --- .../deployment-vdi-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md index 4233121080..4bad0e3733 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md @@ -180,7 +180,7 @@ Suppressing notifications prevents notifications from Microsoft Defender Antivir ## Disable scans after an update -This setting will prevent a scan from occurring after receiving an update. You can apply this when creating the base image if you have also run a quick scan. This prevents the newly updated VM from performing a scan again (as you've already scanned it when you created the base image). +Disabling a scan after an update will prevent a scan from occurring after receiving an update. You can apply this setting when creating the base image if you have also run a quick scan. This way, you can prevent the newly updated VM from performing a scan again (as you've already scanned it when you created the base image). > [!IMPORTANT] > Running scans after an update will help ensure your VMs are protected with the latest Security intelligence updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image. From 4660b238059867db435d359bac4cd0ddea310288 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 16:30:47 -0800 Subject: [PATCH 33/38] fixes --- ...exclusions-microsoft-defender-antivirus.md | 2 +- ...oyment-vdi-microsoft-defender-antivirus.md | 24 ++++++++++++------- 2 files changed, 17 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md index c9663557f9..81cb5deeec 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md @@ -73,7 +73,7 @@ See [How to create and deploy antimalware policies: Exclusion settings](https:// 1. Set the option to **Enabled**. 2. Under the **Options** section, click **Show...**. - 3. Enter each process on its own line under the **Value name** column. See the [example table](#examples) for the different types of process exclusions. Enter **0** in the **Value** column for all processes. + 3. Enter each process on its own line under the **Value name** column. See the example table for the different types of process exclusions. Enter **0** in the **Value** column for all processes. 5. Click **OK**. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md index 4bad0e3733..bbb87abdc3 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md @@ -185,23 +185,31 @@ Disabling a scan after an update will prevent a scan from occurring after receiv > [!IMPORTANT] > Running scans after an update will help ensure your VMs are protected with the latest Security intelligence updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image. -1. Expand the tree to **Windows components** > **Windows Defender** > **Signature Updates**. +1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**. -2. Double-click **Turn on scan after signature update** and set the option to **Disabled**. +2. Select **Turn on scan after security intelligence update** and then edit the policy setting. -3. Click **OK**. +3. Set the policy to **Disabled**. -This prevents a scan from running immediately after an update. +4. Select **OK**. + +5. Deploy your Group Policy object as you usually do. + +This policy prevents a scan from running immediately after an update. ## Scan VMs that have been offline -1. Expand the tree to **Windows components > Windows Defender > Scan**. +1. In your Group Policy Editor, go to to **Windows components** > **Microsoft Defender Antivirus** > **Scan**. -2. Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. +2. Select **Turn on catch-up quick scan** and then edit the policy setting. -3. Click **OK**. +3. Set the policy to **Enabled**. -This forces a scan if the VM has missed two or more consecutive scheduled scans. +4. Select **OK**. + +5. Deploy your Group Policy Object as you usually do. + +This policy forces a scan if the VM has missed two or more consecutive scheduled scans. ## Enable headless UI mode From 807b8fc534933e132b84925cbb0c10491e990f18 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 17:00:36 -0800 Subject: [PATCH 34/38] Update deployment-vdi-microsoft-defender-antivirus.md --- ...eployment-vdi-microsoft-defender-antivirus.md | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md index bbb87abdc3..a7990f4bca 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md @@ -213,20 +213,26 @@ This policy forces a scan if the VM has missed two or more consecutive scheduled ## Enable headless UI mode -1. Double-click **Enable headless UI mode** and set the option to **Enabled**. +1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Client Interface**. -2. Click **OK**. +2. Select **Enable headless UI mode** and edit the policy. -This hides the entire Microsoft Defender AV user interface from users. +3. Set the policy to **Enabled**. + +4. Click **OK**. + +5. Deploy your Group Policy Object as you usually do. + +This policy hides the entire Microsoft Defender Antivirus user interface from end users in your organization. ## Exclusions Exclusions can be added, removed, or customized to suit your needs. -For more details, see [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-exclusions-microsoft-defender-antivirus.md). +For more information, see [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-exclusions-microsoft-defender-antivirus.md). ## Additional resources -- [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( https://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s) +- [Tech Community Blog: Configuring Microsoft Defender Antivirus for non-persistent VDI machines](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/configuring-microsoft-defender-antivirus-for-non-persistent-vdi/ba-p/1489633) - [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS) - [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4) From a446f2ccf637ae28b1d6863aa577a0eb441a2c72 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 18 Nov 2020 17:01:52 -0800 Subject: [PATCH 35/38] Update configure-process-opened-file-exclusions-microsoft-defender-antivirus.md --- ...ocess-opened-file-exclusions-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md index 81cb5deeec..725634e323 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md @@ -106,7 +106,7 @@ For example, the following code snippet would cause Microsoft Defender AV scans Add-MpPreference -ExclusionProcess "c:\internal\test.exe" ``` -For more information on how to use PowerShell with Microsoft Defender Antivirus, see [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-Microsoft Defender Antivirus.md) and [Microsoft Defender Antivirus cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps&preserve=true). +For more information on how to use PowerShell with Microsoft Defender Antivirus, see Manage antivirus with PowerShell cmdlets and [Microsoft Defender Antivirus cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps&preserve=true). ### Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans From e11250a1fc13d616ebd6bceb320329264791f5ba Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Wed, 18 Nov 2020 18:13:05 -0800 Subject: [PATCH 36/38] Fix typo in system extension instrucitons --- .../microsoft-defender-atp/mac-sysext-policies.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md index 9b20ff2260..73bb94faf9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md @@ -150,13 +150,13 @@ As part of the Endpoint Detection and Response capabilities, Microsoft Defender 4. After the certificate is created and installed to your device, run the following command from the Terminal to sign the file: ```bash - $ security cms -S -N "" -i /com.apple.webcontent-filter.mobileconfig -o /com.microsoft.network-extension.signed.mobileconfig + $ security cms -S -N "" -i /com.microsoft.network-extension.mobileconfig -o /com.microsoft.network-extension.signed.mobileconfig ``` For example, if the certificate name is **SigningCertificate** and the signed file is going to be stored in Documents: ```bash - $ security cms -S -N "SigningCertificate" -i ~/Documents/com.apple.webcontent-filter.mobileconfig -o ~/Documents/com.microsoft.network-extension.signed.mobileconfig + $ security cms -S -N "SigningCertificate" -i ~/Documents/com.microsoft.network-extension.mobileconfig -o ~/Documents/com.microsoft.network-extension.signed.mobileconfig ``` 5. From the JAMF portal, navigate to **Configuration Profiles** and click the **Upload** button. Select `com.microsoft.network-extension.signed.mobileconfig` when prompted for the file. From 8765322a40d7750701fd888530837ad94f177265 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Thu, 19 Nov 2020 15:14:07 +0530 Subject: [PATCH 37/38] Update TOC.md To fix build error --- windows/security/threat-protection/TOC.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 29bbd110d3..2e9b5977ec 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -8,7 +8,6 @@ ### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md) ### [Overview of Microsoft Defender Security Center](microsoft-defender-atp/use.md) ### [Portal overview](microsoft-defender-atp/portal-overview.md) -### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/commercial-gov.md) ### [Microsoft Defender ATP for non-Windows platforms](microsoft-defender-atp/non-windows.md) ## [Evaluate capabilities](microsoft-defender-atp/evaluation-lab.md) From 28c6d8b6ffabca4d3f5990e54c94e8984f78d249 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Thu, 19 Nov 2020 15:15:33 +0530 Subject: [PATCH 38/38] Update linux-schedule-scan-atp.md minor spelling error --- .../microsoft-defender-atp/linux-schedule-scan-atp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md index 3bd8a7cde1..fe7f0dbd32 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md @@ -137,7 +137,7 @@ See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](h **To edit the crontab and add a new job as a root user** -`Sudo crontab -e` +`sudo crontab -e` **To edit the crontab and add a new job**