From afccaeb049c32c8f83637283e62d838d38c8833b Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Wed, 10 Feb 2021 14:12:49 +0530 Subject: [PATCH 01/11] Update mac-support-perf.md Updated per task 4850091 --- .../mac-support-perf.md | 66 ++++++++++++++++++- 1 file changed, 65 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md index cbfb2f15f2..3592042383 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md 
@@ -53,8 +53,72 @@ The following steps can be used to troubleshoot and mitigate these issues: If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md). + If the performance problem persists while real-time protection is off, the origin of the problem could be the endpoint detection and response component. In this case, please contact customer support for further instructions and mitigation. + 2. Open Finder and navigate to **Applications** > **Utilities**. Open **Activity Monitor** and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers. -3. Configure Microsoft Defender for Endpoint for Mac with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. +3. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint for Mac. + > [!NOTE] + > This feature is available in version 100.90.70 or newer. + This feature is enabled by default on the **Dogfood** and **InsiderFast** channels. If you're using a different update channel, this feature can be enabled from the command line: + ```bash + mdatp config real-time-protection-statistics --value enabled + ``` + This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command: + ```bash + mdatp health --field real_time_protection_enabled + ``` + Verify that the **real_time_protection_enabled** entry is true. 
Otherwise, run the following command to enable it: + ```bash + mdatp config real-time-protection --value enabled + ``` + + ```output + Configuration property updated + ``` + To collect current statistics, run: + ```bash + mdatp config real-time-protection --value enabled + ``` + > [!NOTE] + > Using **--output json** (note the double dash) ensures that the output format is ready for parsing. + + The output of this command will show all processes and their associated scan activity. + +4. On your Mac system, download the sample Python parser high_cpu_parser.py using the command: + + The output of this command should be similar to the following: + + Next, type the following commands: + + ```bash + chmod +x high_cpu_parser.py + ``` + ```bash + cat real_time_protection.json | python high_cpu_parser.py > real_time_protection.log + ``` + The output of the above is a list of the top contributors to performance issues. The first column is the process identifier (PID), the second column is te process name, and the last column is the number of scanned files, sorted by impact. + + For example, the output of the command will be something like the below: + + ```output + ... > python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json | head -n 10 + 27432 None 76703 + 73467 actool 1249 + 73914 xcodebuild 1081 + 73873 bash 1050 + 27475 None 836 + 1 launchd 407 + 73468 ibtool 344 + 549 telemetryd_v1 325 + 4764 None 228 + 125 CrashPlanService 164 + + To improve the performance of Defender for Endpoint for Mac, locate the one with the highest number under the Total files scanned row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). + + > [!NOTE] + > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. 
Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. + +5. Configure Microsoft Defender for Endpoint for Mac with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. See [Configure and validate exclusions for Microsoft Defender for Endpoint for Mac](mac-exclusions.md) for details. From 23e532f06d1d6f104a734f2bd9359c8fc7fdbb4d Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Wed, 10 Feb 2021 14:28:08 +0530 Subject: [PATCH 02/11] Update mac-support-perf.md to fix suggestions --- .../microsoft-defender-atp/mac-support-perf.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md index 3592042383..ce7eac88f1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md @@ -80,6 +80,7 @@ The following steps can be used to troubleshoot and mitigate these issues: ```bash mdatp config real-time-protection --value enabled ``` + > [!NOTE] > Using **--output json** (note the double dash) ensures that the output format is ready for parsing. 
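Review bot: in PATCH 01/11, hunk @@ -53,8 +53,72 @@, the command given under "To collect current statistics, run:" is `mdatp config real-time-protection --value enabled`, which is the same command used two blocks earlier to enable real-time protection and prints nothing but "Configuration property updated"; the note about `--output json` directly beneath it and the later step that pipes `real_time_protection.json` into the parser only make sense if this block is a statistics command that redirects JSON to that file. Please replace it with the actual statistics command (the Linux counterpart of this page uses `mdatp diagnostic real-time-protection-statistics --output json > real_time_protection.json`; confirm the Mac CLI exposes the same subcommand before copying it). Further in the same hunk: step 4 announces "download the sample Python parser high_cpu_parser.py using the command:" and "The output of this command should be similar to the following:" but neither the command nor the output is present, so the step cannot be followed; the cross-reference "Configure and validate exclusions for Defender for Endpoint for Linux (linux-exclusions.md)" sends Mac readers to the Linux page while step 5 of the same hunk correctly links mac-exclusions.md; "te process name" should be "the process name"; "Total files scanned row" describes the third column of the output, not a row; and the sample output block opened with ```output has no closing fence, so the note and step 5 after it will render inside the code block. The sample invocation `python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json` is also missing the slash in `~/Downloads` and reads a different file name from the `real_time_protection.json` the step tells the reader to produce, and three PIDs are shown with process name `None` without saying what that means.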
@@ -91,12 +92,12 @@ The following steps can be used to troubleshoot and mitigate these issues: Next, type the following commands: - ```bash + ```bash chmod +x high_cpu_parser.py - ``` - ```bash + ``` + ```bash cat real_time_protection.json | python high_cpu_parser.py > real_time_protection.log - ``` + ``` The output of the above is a list of the top contributors to performance issues. The first column is the process identifier (PID), the second column is te process name, and the last column is the number of scanned files, sorted by impact. For example, the output of the command will be something like the below: @@ -113,7 +114,7 @@ The following steps can be used to troubleshoot and mitigate these issues: 549 telemetryd_v1 325 4764 None 228 125 CrashPlanService 164 - + ``` To improve the performance of Defender for Endpoint for Mac, locate the one with the highest number under the Total files scanned row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). > [!NOTE] From aa7d638cfe469ab9e5ca5c6419ba1a7e5d7522b2 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Mon, 15 Feb 2021 09:54:30 +0530 Subject: [PATCH 03/11] Update mac-support-perf.md To fix suggestions --- .../mac-support-perf.md | 33 ++++++++++--------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md index ce7eac88f1..9fdffcef44 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md 
@@ -61,25 +61,25 @@ The following steps can be used to troubleshoot and mitigate these issues: > [!NOTE] > This feature is available in version 100.90.70 or newer. This feature is enabled by default on the **Dogfood** and **InsiderFast** channels. If you're using a different update channel, this feature can be enabled from the command line: - ```bash + ``bash mdatp config real-time-protection-statistics --value enabled - ``` + `` This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command: - ```bash + ``bash mdatp health --field real_time_protection_enabled - ``` + `` Verify that the **real_time_protection_enabled** entry is true. Otherwise, run the following command to enable it: - ```bash + ``bash mdatp config real-time-protection --value enabled - ``` + `` - ```output + ``output Configuration property updated - ``` + `` To collect current statistics, run: - ```bash + ``bash mdatp config real-time-protection --value enabled - ``` + `` > [!NOTE] > Using **--output json** (note the double dash) ensures that the output format is ready for parsing. @@ -92,17 +92,17 @@ The following steps can be used to troubleshoot and mitigate these issues: Next, type the following commands: - ```bash + ``bash chmod +x high_cpu_parser.py - ``` - ```bash + `` + ``bash cat real_time_protection.json | python high_cpu_parser.py > real_time_protection.log - ``` + `` The output of the above is a list of the top contributors to performance issues. The first column is the process identifier (PID), the second column is te process name, and the last column is the number of scanned files, sorted by impact. For example, the output of the command will be something like the below: - ```output + ``output ... > python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json | head -n 10 27432 None 76703 73467 actool 1249 
@@ -114,7 +114,8 @@ The following steps can be used to troubleshoot and mitigate these issues: 549 telemetryd_v1 325 4764 None 228 125 CrashPlanService 164 - ``` + `` + To improve the performance of Defender for Endpoint for Mac, locate the one with the highest number under the Total files scanned row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). > [!NOTE] From cd5de240071cf4c17a14e37247efb3886bf0f259 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Mon, 15 Feb 2021 10:02:24 +0530 Subject: [PATCH 04/11] Update mac-support-perf.md to fix suggestions --- .../mac-support-perf.md | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md index 9fdffcef44..95e10d2e83 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md 
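Review bot: in PATCH 03/11, all three hunks (@@ -61,25 +61,25 @@, @@ -92,17 +92,17 @@ and @@ -114,7 +114,8 @@) replace the three-backtick fences (```bash, ```output, ```) with two backticks (``bash, ``output, ``), which Markdown does not treat as a fenced code block; the commands will render as inline code or plain text and the words `bash` and `output` will appear literally in the page. PATCH 04/11 reverts exactly this change, so the two commits cancel out; squash them (or drop both) before merging so the history does not carry a state in which every code block on the page is broken.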
@@ -61,25 +61,25 @@ The following steps can be used to troubleshoot and mitigate these issues: > [!NOTE] > This feature is available in version 100.90.70 or newer. This feature is enabled by default on the **Dogfood** and **InsiderFast** channels. If you're using a different update channel, this feature can be enabled from the command line: - ``bash + ```bash mdatp config real-time-protection-statistics --value enabled - `` + ``` This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command: - ``bash + ```bash mdatp health --field real_time_protection_enabled - `` + ``` Verify that the **real_time_protection_enabled** entry is true. Otherwise, run the following command to enable it: - ``bash + ```bash mdatp config real-time-protection --value enabled - `` + ``` - ``output + ```output Configuration property updated - `` + ``` To collect current statistics, run: - ``bash + ```bash mdatp config real-time-protection --value enabled - `` + ``` > [!NOTE] > Using **--output json** (note the double dash) ensures that the output format is ready for parsing. @@ -92,17 +92,17 @@ The following steps can be used to troubleshoot and mitigate these issues: Next, type the following commands: - ``bash + ```bash chmod +x high_cpu_parser.py - `` - ``bash + ``` + ```bash cat real_time_protection.json | python high_cpu_parser.py > real_time_protection.log - `` + ``` The output of the above is a list of the top contributors to performance issues. The first column is the process identifier (PID), the second column is te process name, and the last column is the number of scanned files, sorted by impact. For example, the output of the command will be something like the below: - ``output + ```output ... > python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json | head -n 10 27432 None 76703 73467 actool 1249 
@@ -114,7 +114,7 @@ The following steps can be used to troubleshoot and mitigate these issues: 549 telemetryd_v1 325 4764 None 228 125 CrashPlanService 164 - `` + ``` To improve the performance of Defender for Endpoint for Mac, locate the one with the highest number under the Total files scanned row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). From c9e3eeb1fba04e8b7a4b7c4191a642888b300cd6 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Thu, 18 Feb 2021 16:39:02 +0530 Subject: [PATCH 05/11] Update mac-support-perf.md to fix suggestions --- .../mac-support-perf.md | 64 +++++++++++-------- 1 file changed, 37 insertions(+), 27 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md index 95e10d2e83..19a133c523 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md 
@@ -57,52 +57,62 @@ The following steps can be used to troubleshoot and mitigate these issues: 2. Open Finder and navigate to **Applications** > **Utilities**. Open **Activity Monitor** and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers. -3. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint for Mac. +1. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint for Mac. + > [!NOTE] > This feature is available in version 100.90.70 or newer. This feature is enabled by default on the **Dogfood** and **InsiderFast** channels. If you're using a different update channel, this feature can be enabled from the command line: - ```bash - mdatp config real-time-protection-statistics --value enabled - ``` - This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command: - ```bash - mdatp health --field real_time_protection_enabled - ``` - Verify that the **real_time_protection_enabled** entry is true. Otherwise, run the following command to enable it: - ```bash - mdatp config real-time-protection --value enabled - ``` - ```output - Configuration property updated - ``` - To collect current statistics, run: - ```bash + ```bash + mdatp config real-time-protection-statistics --value enabled + ``` + + This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command: + + ```bash + mdatp health --field real_time_protection_enabled + ``` + +Verify that the **real_time_protection_enabled** entry is true. 
Otherwise, run the following command to enable it: + + ```bash mdatp config real-time-protection --value enabled - ``` + ``` + + ```output + Configuration property updated + ``` + + To collect current statistics, run: + + ```bash + mdatp config real-time-protection --value enabled + ``` > [!NOTE] > Using **--output json** (note the double dash) ensures that the output format is ready for parsing. - The output of this command will show all processes and their associated scan activity. + The output of this command will show all processes and their associated scan activity. -4. On your Mac system, download the sample Python parser high_cpu_parser.py using the command: +1. On your Mac system, download the sample Python parser high_cpu_parser.py using the command: The output of this command should be similar to the following: Next, type the following commands: - ```bash + ```bash chmod +x high_cpu_parser.py - ``` - ```bash + ``` + + ```bash cat real_time_protection.json | python high_cpu_parser.py > real_time_protection.log - ``` + ``` + The output of the above is a list of the top contributors to performance issues. The first column is the process identifier (PID), the second column is te process name, and the last column is the number of scanned files, sorted by impact. For example, the output of the command will be something like the below: - ```output + ```output ... > python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json | head -n 10 27432 None 76703 73467 actool 1249 
@@ -114,13 +124,13 @@ The following steps can be used to troubleshoot and mitigate these issues: 549 telemetryd_v1 325 4764 None 228 125 CrashPlanService 164 - ``` + ``` To improve the performance of Defender for Endpoint for Mac, locate the one with the highest number under the Total files scanned row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). > [!NOTE] > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. -5. Configure Microsoft Defender for Endpoint for Mac with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. +1. Configure Microsoft Defender for Endpoint for Mac with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. See [Configure and validate exclusions for Microsoft Defender for Endpoint for Mac](mac-exclusions.md) for details. From 8f53106d5286f3bc7cc105ffab22ff8ad783ff77 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Fri, 19 Feb 2021 13:21:41 +0530 Subject: [PATCH 06/11] Update mac-support-perf.md to fix review comments --- .../mac-support-perf.md | 23 +++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md index 6c5a6f3877..d8583066b7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md 
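Review bot: in PATCH 05/11, hunk @@ -57,52 +57,62 @@, the line `+Verify that the **real_time_protection_enabled** entry is true. Otherwise, run the following command to enable it:` is emitted at column 0 while every other line of step 3 is indented under the list item; that terminates the numbered list at this point, so the fenced blocks and the `--output json` note that follow no longer belong to the step, and the next `1.` item starts a fresh list. Indent it to match the surrounding lines. The same hunk switches items 3, 4 and 5 to `1.` while leaving the second item as `2.`; pick one convention (all `1.` or all explicit numbers) for the whole list. The "To collect current statistics, run:" block is still `mdatp config real-time-protection --value enabled`, identical to the enable command a few lines above it, so this hunk carries the wrong command forward; see the statistics command the `--output json` note implies and the `real_time_protection.json` file the next step consumes.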
@@ -100,9 +100,28 @@ Verify that the **real_time_protection_enabled** entry is true. Otherwise, run t 1. On your Mac system, download the sample Python parser high_cpu_parser.py using the command: - The output of this command should be similar to the following: +```bash +wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/ +linux/diagnostic/high_cpu_parser.py +``` - Next, type the following commands: +The output of this command should be similar to the following: + +```Output +--2020-11-14 11:27:27-- https://raw.githubusercontent.com/microsoft. +mdatp-xplat/master/linus/diagnostic/high_cpu_parser.py +Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151. +101.xxx.xxx +Connecting to raw.githubusercontent.com (raw.githubusercontent.com)| 151. +101.xxx.xxx| :443... connected. +HTTP request sent, awaiting response... 200 OK +Length: 1020 [text/plain] +Saving to: 'high_cpu_parser.py' +100%[===========================================>] 1,020 --.-K/s in +0s +``` + +Next, type the following commands: ```bash chmod +x high_cpu_parser.py From b83d11b566d8c6ae64812062c7357d44f09a7375 Mon Sep 17 00:00:00 2001 From: Peter Smith Date: Fri, 5 Mar 2021 10:46:36 -0800 Subject: [PATCH 07/11] Update vpn-connection-type.md Help fix some customer confusion -- the adapter is called "SSTP" even though it's also used for the plug-in protocols. We have a customer that doesn't want to use a particular VPN plug-in because of concerns that it's using or attempting to use the wrong protocol. --- windows/security/identity-protection/vpn/vpn-connection-type.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md index a0330b3425..de5aca388c 100644 --- a/windows/security/identity-protection/vpn/vpn-connection-type.md +++ b/windows/security/identity-protection/vpn/vpn-connection-type.md 
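Review bot: in PATCH 06/11, hunk @@ -100,9 +100,28 @@, the `wget -c` command is wrapped inside the fence so the URL ends at `.../master/` and `linux/diagnostic/high_cpu_parser.py` sits on its own line; copied as shown, wget fetches the directory URL and the shell then tries to execute the second line as a separate command, so the download fails. Keep the URL on one line. Two further points on this step: wget is not part of a default macOS install, so either say it must be installed first or use `curl -L -o high_cpu_parser.py <url>`, which is; and because the script is fetched from the moving `master` branch and then run against local data, consider pinning the URL to a specific commit and telling the reader to inspect the script (or compare its hash) before running it. The sample output also contains typos that will mislead anyone comparing it with their terminal: the echoed URL reads `microsoft.` and `linus/diagnostic` where the command has `microsoft/` and `linux/diagnostic`. Finally, the new fences and the "Next, type the following commands:" line are at column 0 inside list item 4, which breaks the list in the same way as the outdented `Verify` line in PATCH 05/11; indent them under the item.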
@@ -41,7 +41,7 @@ There are many options for VPN clients. In Windows 10, the built-in plug-in and - [SSTP](https://technet.microsoft.com/library/ff687819.aspx) - SSTP is supported for Windows desktop editions only. SSTP cannot be configured using mobile device management (MDM), but it is one of the protocols attempted in the **Automatic** option. + SSTP is supported for Windows desktop editions only. SSTP cannot be configured using mobile device management (MDM), but it is one of the protocols attempted in the **Automatic** option. Note: when a VPN plug-in is used, the adapter will be listed as an SSTP adapter even though the VPN protocol used is the plug-in's protocol. - Automatic From 06de20553e51da2ddeedc22020b8e4eb87bfaf37 Mon Sep 17 00:00:00 2001 From: mrmiller1972 <39915569+mrmiller1972@users.noreply.github.com> Date: Thu, 18 Mar 2021 13:19:17 -0400 Subject: [PATCH 08/11] Update windows-10-subscription-activation.md The abbreviation GVLK is not defined and may not be familiar to readers. Replaced GVLKs with "Generic Volume License Keys (GVLKs)" --- windows/deployment/windows-10-subscription-activation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 8ea91fd4cc..e974dc183f 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md 
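Review bot: in PATCH 07/11, hunk @@ -41,7 +41,7 @@, the new sentence is appended inline as `Note: when a VPN plug-in is used, the adapter will be listed as an SSTP adapter ...`; this docset renders notes as a separate `> [!NOTE]` callout (the other files in this series use that form), so move it to its own callout paragraph rather than a sentence tacked onto the SSTP description. It would also help the reader if the note said where the adapter name is displayed, since that is the place where the customer confusion described in the commit message arises.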
@@ -23,7 +23,7 @@ Starting with Windows 10, version 1703 Windows 10 Pro supports the Subscription With Windows 10, version 1903 the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education to the Enterprise grade edition for educational institutions—**Windows 10 Education**. -The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering GVLKs, and subsequently rebooting client devices. +The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices. ## Subscription Activation for Windows 10 Enterprise From baa7c5e33dceedc33749486d708f6224350be20d Mon Sep 17 00:00:00 2001 From: Kateyanne <67609554+Kateyanne@users.noreply.github.com> Date: Thu, 18 Mar 2021 13:17:09 -0700 Subject: [PATCH 09/11] Update windows/security/identity-protection/vpn/vpn-connection-type.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../security/identity-protection/vpn/vpn-connection-type.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md index de5aca388c..806f2df6c1 100644 --- a/windows/security/identity-protection/vpn/vpn-connection-type.md +++ b/windows/security/identity-protection/vpn/vpn-connection-type.md 
@@ -41,7 +41,10 @@ There are many options for VPN clients. In Windows 10, the built-in plug-in and - [SSTP](https://technet.microsoft.com/library/ff687819.aspx) - SSTP is supported for Windows desktop editions only. SSTP cannot be configured using mobile device management (MDM), but it is one of the protocols attempted in the **Automatic** option. Note: when a VPN plug-in is used, the adapter will be listed as an SSTP adapter even though the VPN protocol used is the plug-in's protocol. + SSTP is supported for Windows desktop editions only. SSTP cannot be configured using mobile device management (MDM), but it is one of the protocols attempted in the **Automatic** option. + + > [!NOTE] + > When a VPN plug-in is used, the adapter will be listed as an SSTP adapter, even though the VPN protocol used is the plug-in's protocol. - Automatic @@ -85,4 +88,3 @@ In Intune, you can also include custom XML for third-party plug-in profiles: - From 90a980f2abd29d593c75eed63bbf980024453ba7 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 18 Mar 2021 17:46:37 -0700 Subject: [PATCH 10/11] Added automatic image borders --- .../security/identity-protection/vpn/vpn-connection-type.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md index 806f2df6c1..89a4c83d9b 100644 --- a/windows/security/identity-protection/vpn/vpn-connection-type.md +++ b/windows/security/identity-protection/vpn/vpn-connection-type.md 
@@ -66,11 +66,13 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.m The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune: -![Available connection types](images/vpn-connection-intune.png) +> [!div class="mx-imgBorder"] +> ![Available connection types](images/vpn-connection-intune.png) In Intune, you can also include custom XML for third-party plug-in profiles: -![Custom XML](images/vpn-custom-xml-intune.png) +> [!div class="mx-imgBorder"] +> ![Custom XML](images/vpn-custom-xml-intune.png) ## Related topics From 239e828ef42789c2b3a3732010dceffa23b69b46 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Fri, 19 Mar 2021 18:33:53 +0530 Subject: [PATCH 11/11] Update mac-support-perf.md To fix PR suggestions --- .../mac-support-perf.md | 127 +++++++++--------- 1 file changed, 62 insertions(+), 65 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md index 152273333c..38addca0cd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md @@ -43,7 +43,7 @@ The following steps can be used to troubleshoot and mitigate these issues: 1. Disable real-time protection using one of the following methods and observe whether the performance improves. This approach helps narrow down whether Microsoft Defender for Endpoint for Mac is contributing to the performance issues. - If your device is not managed by your organization, real-time protection can be disabled using one of the following options: + If your device is not managed by your organization, real-time protection can be disabled using one of the following options: - From the user interface. Open Microsoft Defender for Endpoint for Mac and navigate to **Manage settings**. 
@@ -55,104 +55,101 @@ The following steps can be used to troubleshoot and mitigate these issues: mdatp config real-time-protection --value disabled ``` - If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md). + If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md). - If the performance problem persists while real-time protection is off, the origin of the problem could be the endpoint detection and response component. In this case, please contact customer support for further instructions and mitigation. + If the performance problem persists while real-time protection is off, the origin of the problem could be the endpoint detection and response component. In this case, please contact customer support for further instructions and mitigation. 2. Open Finder and navigate to **Applications** > **Utilities**. Open **Activity Monitor** and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers. 1. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint for Mac. - > [!NOTE] - > This feature is available in version 100.90.70 or newer. - This feature is enabled by default on the **Dogfood** and **InsiderFast** channels. If you're using a different update channel, this feature can be enabled from the command line: + > [!NOTE] + > This feature is available in version 100.90.70 or newer. + This feature is enabled by default on the **Dogfood** and **InsiderFast** channels. 
If you're using a different update channel, this feature can be enabled from the command line: - ```bash + ```bash mdatp config real-time-protection-statistics --value enabled - ``` + ``` - This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command: + This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command: - ```bash + ```bash mdatp health --field real_time_protection_enabled - ``` + ``` -Verify that the **real_time_protection_enabled** entry is true. Otherwise, run the following command to enable it: + Verify that the **real_time_protection_enabled** entry is true. Otherwise, run the following command to enable it: - ```bash + ```bash mdatp config real-time-protection --value enabled - ``` + ``` - ```output + ```output Configuration property updated - ``` + ``` - To collect current statistics, run: + To collect current statistics, run: - ```bash + ```bash mdatp config real-time-protection --value enabled - ``` + ``` - > [!NOTE] - > Using **--output json** (note the double dash) ensures that the output format is ready for parsing. + > [!NOTE] + > Using **--output json** (note the double dash) ensures that the output format is ready for parsing. - The output of this command will show all processes and their associated scan activity. + The output of this command will show all processes and their associated scan activity. 1. 
On your Mac system, download the sample Python parser high_cpu_parser.py using the command: -```bash -wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/ -linux/diagnostic/high_cpu_parser.py -``` + ```bash + wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py + ``` -The output of this command should be similar to the following: + The output of this command should be similar to the following: -```Output ---2020-11-14 11:27:27-- https://raw.githubusercontent.com/microsoft. -mdatp-xplat/master/linus/diagnostic/high_cpu_parser.py -Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151. -101.xxx.xxx -Connecting to raw.githubusercontent.com (raw.githubusercontent.com)| 151. -101.xxx.xxx| :443... connected. -HTTP request sent, awaiting response... 200 OK -Length: 1020 [text/plain] -Saving to: 'high_cpu_parser.py' -100%[===========================================>] 1,020 --.-K/s in -0s -``` + ```Output + --2020-11-14 11:27:27-- https://raw.githubusercontent.com/microsoft. + mdatp-xplat/master/linus/diagnostic/high_cpu_parser.py + Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.xxx.xxx + Connecting to raw.githubusercontent.com (raw.githubusercontent.com)| 151.101.xxx.xxx| :443... connected. + HTTP request sent, awaiting response... 200 OK + Length: 1020 [text/plain] + Saving to: 'high_cpu_parser.py' + 100%[===========================================>] 1,020 --.-K/s in + 0s + ``` -Next, type the following commands: +1. Next, type the following commands: - ```bash - chmod +x high_cpu_parser.py - ``` + ```bash + chmod +x high_cpu_parser.py + ``` - ```bash - cat real_time_protection.json | python high_cpu_parser.py > real_time_protection.log - ``` + ```bash + cat real_time_protection.json | python high_cpu_parser.py > real_time_protection.log + ``` - The output of the above is a list of the top contributors to performance issues. 
The first column is the process identifier (PID), the second column is te process name, and the last column is the number of scanned files, sorted by impact. + The output of the above is a list of the top contributors to performance issues. The first column is the process identifier (PID), the second column is te process name, and the last column is the number of scanned files, sorted by impact. - For example, the output of the command will be something like the below: + For example, the output of the command will be something like the below: - ```output - ... > python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json | head -n 10 - 27432 None 76703 - 73467 actool 1249 - 73914 xcodebuild 1081 - 73873 bash 1050 - 27475 None 836 - 1 launchd 407 - 73468 ibtool 344 - 549 telemetryd_v1 325 - 4764 None 228 - 125 CrashPlanService 164 - ``` + ```output + ... > python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json | head -n 10 + 27432 None 76703 + 73467 actool 1249 + 73914 xcodebuild 1081 + 73873 bash 1050 + 27475 None 836 + 1 launchd 407 + 73468 ibtool 344 + 549 telemetryd_v1 325 + 4764 None 228 + 125 CrashPlanService 164 + ``` - To improve the performance of Defender for Endpoint for Mac, locate the one with the highest number under the Total files scanned row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). + To improve the performance of Defender for Endpoint for Mac, locate the one with the highest number under the Total files scanned row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). - > [!NOTE] - > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. 
Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. + > [!NOTE] + > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. 1. Configure Microsoft Defender for Endpoint for Mac with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection.
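Review bot: in PATCH 11/11, hunk @@ -55,104 +55,101 @@, the re-indented "To collect current statistics, run:" block is still `mdatp config real-time-protection --value enabled`, identical to the enable command a few lines above it; the `--output json` note underneath and the `cat real_time_protection.json | python high_cpu_parser.py > real_time_protection.log` step both presuppose a statistics command that writes JSON to `real_time_protection.json`, so this is the commit in which to fix it (the Linux page uses `mdatp diagnostic real-time-protection-statistics --output json > real_time_protection.json`; verify the Mac CLI matches before adopting it). Other defects survive the reformat unchanged: the exclusions link still targets linux-exclusions.md ("...for Defender for Endpoint for Linux") although the final step of the same article links mac-exclusions.md; "te process name" should be "the process name"; "Total files scanned row" is the third column of the output, not a row; the sample invocation `<~Downloads/output.json` is missing the `/` in `~/Downloads` and uses a different file name from `real_time_protection.json`; the wget output still echoes `microsoft.` and `linus/diagnostic`; and three PIDs are shown with process name `None` without explanation. Since the parser is invoked as `python`, which depending on the macOS version resolves to Python 2 or is absent, state the interpreter the script needs (for example `python3 high_cpu_parser.py < real_time_protection.json`, which also avoids the unnecessary `cat`). The indentation fixes themselves (the `Verify` line and the wget block now sit under their list items, and the URL is back on one line) are correct and resolve the list breakage introduced in PATCH 05/11 and PATCH 06/11.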