deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 02:13:43 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #1483 from MicrosoftDocs/user/tudobril/troubleshoot

Browse Source 
Add troubleshooting for perf and documentation on managing exclusions
This commit is contained in:
Clay Detels
2019-11-01 13:16:09 -07:00
committed by GitHub
parent 5b8b4f5ce4 664e7ca418
commit 5d268f5ef7
8 changed files with 237 additions and 60 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
windows/security/threat-protection/TOC.md
View File

@ -320,8 +320,12 @@
##### [Manual deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md)
#### [Update Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-updates.md)
#### [Configure Microsoft Defender ATP for Mac]()
##### [Configure and validate exclusions](windows-defender-antivirus/microsoft-defender-atp-mac-exclusions.md)
##### [Set preferences for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md)
##### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus/microsoft-defender-atp-mac-pua.md)
#### [Troubleshoot Microsoft Defender ATP for Mac]()
##### [Troubleshoot performance issues](windows-defender-antivirus/microsoft-defender-atp-mac-support-perf.md)
##### [Troubleshoot kernel extension issues](windows-defender-antivirus/microsoft-defender-atp-mac-support-kext.md)
#### [Privacy for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md)
#### [Resources for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-resources.md)

BIN
windows/security/threat-protection/windows-defender-antivirus/images/mdatp-36-rtp.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 39 KiB

BIN
windows/security/threat-protection/windows-defender-antivirus/images/mdatp-37-exclusions.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 204 KiB

82
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-exclusions.md Normal file
View File

@ -0,0 +1,82 @@
---
title: Configure and validate exclusions for Microsoft Defender ATP for Mac
ms.reviewer:
description: Describes how to provide and validate exclusions for Microsoft Defender ATP for Mac. Exclusions can be set for files, folders, and processes.
keywords: microsoft, defender, atp, mac, exclusions, scans, antivirus
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Configure and validate exclusions for Microsoft Defender ATP for Mac
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
This article provides information on how to define exclusions that apply to on-demand scans, and real-time protection and monitoring.
>[!IMPORTANT]
>The exclusions described in this article don't apply to other Microsoft Defender ATP for Mac capabilities, including endpoint detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections.
You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender ATP for Mac scans.
Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. They can also be useful for mitigating performance issues caused by Microsoft Defender ATP for Mac.
>[!WARNING]
>Defining exclusions lowers the protection offered by Microsoft Defender ATP for Mac. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
## Supported exclusion types
The follow table shows the exclusion types supported by Microsoft Defender ATP for Mac.
Exclusion | Definition | Examples
---|---|---
File extension | All files with the extension, anywhere on the machine | .test
File | A specific file identified by the full path | /var/log/test.log
Folder | All files under the specified folder | /var/log/
Process | A specific process (specified either by the full path or file name) and all files opened by it | /bin/cat<br/>cat
## How to configure the list of exclusions
### From the management console
For more information on how to configure exclusions from JAMF, Intune, or another management console, see [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md).
### From the user interface
Open the Microsoft Defender ATP application and navigate to **Manage settings** > **Add or Remove Exclusion...**, as shown in the following screenshot:
![Manage exclusions screenshot](images/mdatp-37-Exclusions.png)
Select the type of exclusion that you wish to add and follow the prompts.
## Validate exclusions lists with the EICAR test file
You can validate that your exclusion lists are working by using `curl` to download a test file.
In the following Bash snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the *.testing extension*, replace *test.txt* with *test.testing*. If you are testing a path, ensure that you run the command within that path.
```bash
$ curl -o test.txt http://www.eicar.org/download/eicar.com.txt
```
If Microsoft Defender ATP for Mac reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
If you do not have internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command:
```bash
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > test.txt
```
You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude.

61
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md
View File

@ -80,66 +80,11 @@ To complete this process, you must have admin privileges on the machine.
The installation proceeds.
> [!NOTE]
> If you don't select **Allow**, the installation will proceed after 5 minutes. Defender ATP will be loaded, but real-time protection will be disabled.
> [!CAUTION]
> If you don't select **Allow**, the installation will proceed after 5 minutes. Defender ATP will be loaded, but some features, such as real-time protection, will be disabled. See [Troubleshoot kernel extension issues](microsoft-defender-atp-mac-support-kext.md) for information on how to resolve this.
> [!NOTE]
> macOS may request to reboot the machine upon the first installation of Microsoft Defender. Real-Time Protection will not be available until the machine is rebooted.
### Fixing disabled Real-Time Protection
If you did not enable Microsoft's driver during installation, then the application displays a banner prompting you to enable it:
![RTP disabled screenshot](images/MDATP_32_Main_App_Fix.png)
You can also run ```mdatp --health```. It reports if Real-Time Protection is enabled but not available:
```bash
$ mdatp --health
...
realTimeProtectionAvailable : false
realTimeProtectionEnabled : true
...
```
> [!NOTE]
> You have a 30 minute window to enable Real-Time Protection from the warning banner, immediately following installation.
The warning banner contains a **Fix** button, which allows you to quickly enable Real-Time Protection, without having to open a command prompt. Select the **Fix** button. It prompts the **Security & Privacy** system window, where you have to **Allow** system software from developers "Microsoft Corporation".
If you don't see a prompt, it means that 30 or more minutes have already passed, and Real-Time Protection has still not been enabled:
![Security and privacy window after prompt expired screenshot](images/MDATP_33_SecurityPrivacySettings_NoPrompt.png)
In this case, you need to perform the following steps to enable Real-Time Protection instead.
1. In Terminal, attempt to install the driver. (The operation will fail)
```bash
$ sudo kextutil /Library/Extensions/wdavkext.kext
Kext rejected due to system policy: <OSKext 0x7fc34d528390 [0x7fffa74aa8e0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
Kext rejected due to system policy: <OSKext 0x7fc34d528390 [0x7fffa74aa8e0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
Diagnostics for /Library/Extensions/wdavkext.kext:
```
2. Open **System Preferences...** > **Security & Privacy** from the menu. (Close it first, if it's opened.)
3. **Allow** system software from developers "Microsoft Corporation"
4. In Terminal, install the driver again. This time the operation will succeed:
```bash
$ sudo kextutil /Library/Extensions/wdavkext.kext
```
The banner should disappear from the Defender application, and ```mdatp --health``` should now report that Real-Time Protection is both enabled and available:
```bash
$ mdatp --health
...
realTimeProtectionAvailable : true
realTimeProtectionEnabled : true
...
```
> macOS may request to reboot the machine upon the first installation of Microsoft Defender. Real-time protection will not be available until the machine is rebooted.
## Client configuration

91
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-support-kext.md Normal file
View File

@ -0,0 +1,91 @@
---
title: Troubleshoot kernel extension issues in Microsoft Defender ATP for Mac
ms.reviewer:
description: Describes how to troubleshoot kernel extension-related issues in Microsoft Defender ATP for Mac.
keywords: microsoft, defender, atp, mac, kernel, extension
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Troubleshoot kernel extension issues
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
This topic provides information on how to troubleshoot issues with the kernel extension that is installed as part of Microsoft Defender ATP for Mac.
Starting with macOS High Sierra (10.13), macOS requires all kernel extensions to be explicitly approved before they are allowed to run on the device.
If you did not approve the kernel extension during the deployment / installation of Microsoft Defender ATP for Mac, then the application displays a banner prompting you to enable it:
![RTP disabled screenshot](images/MDATP_32_Main_App_Fix.png)
You can also run ```mdatp --health```. It reports if real-time protection is enabled but not available. This is an indication that the kernel extension is not approved to run on your device.
```bash
$ mdatp --health
...
realTimeProtectionAvailable : false
realTimeProtectionEnabled : true
...
```
The following sections provide guidance on how to address this issue, depending on the method that you used to deploy Microsoft Defender ATP for Mac.
## Managed deployment
See the instructions corresponding to the management tool that you used to deploy the product:
- [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md#configuration-profile)
- [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune.md#create-system-configuration-profiles)
## Manual deployment
If less than 30 minutes have passed since the product was installed, navigate to **System Preferences** > **Security & Privacy**, where you have to **Allow** system software from developers "Microsoft Corporation".
If you don't see this prompt, it means that 30 or more minutes have passed, and the kernel extension still not been approved to run on your device:
![Security and privacy window after prompt expired screenshot](images/MDATP_33_SecurityPrivacySettings_NoPrompt.png)
In this case, you need to perform the following steps to trigger the approval flow again.
1. In Terminal, attempt to install the driver. The following operation will fail, because the kernel extension was not approved to run on the device, however it will trigger the approval flow again.
```bash
$ sudo kextutil /Library/Extensions/wdavkext.kext
Kext rejected due to system policy: <OSKext 0x7fc34d528390 [0x7fffa74aa8e0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
Kext rejected due to system policy: <OSKext 0x7fc34d528390 [0x7fffa74aa8e0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
Diagnostics for /Library/Extensions/wdavkext.kext:
```
2. Open **System Preferences** > **Security & Privacy** from the menu. (Close it first, if it's opened.)
3. **Allow** system software from developers "Microsoft Corporation"
4. In Terminal, install the driver again. This time the operation will succeed:
```bash
$ sudo kextutil /Library/Extensions/wdavkext.kext
```
The banner should disappear from the Defender application, and ```mdatp --health``` should now report that real-time protection is both enabled and available:
```bash
$ mdatp --health
...
realTimeProtectionAvailable : true
realTimeProtectionEnabled : true
...
```

55
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-support-perf.md Normal file
View File

@ -0,0 +1,55 @@
---
title: Troubleshoot performance issues
ms.reviewer:
description: Describes how to troubleshoot performance issues in Microsoft Defender ATP for Mac.
keywords: microsoft, defender, atp, mac, performance
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Troubleshoot performance issues
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
This topic provides some general steps that can be used to narrow down performance issues related to Microsoft Defender ATP for Mac.
Real-time protection (RTP) is a feature of Microsoft Defender ATP for Mac that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics.
Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Microsoft Defender ATP for Mac. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Microsoft Defender ATP for Mac.
The following steps can be used to troubleshoot and mitigate these issues:
1. Disable real-time protection using one of the following methods and observe whether the performance improves. This approach helps narrow down whether Microsoft Defender ATP for Mac is contributing to the performance issues.
If your device is not managed by your organization, real-time protection can be disabled using one of the following options:
- From the user interface. Open Microsoft Defender ATP for Mac and navigate to **Manage settings**.
![Manage real-time protection screenshot](images/mdatp-36-RTP.png)
- From the Terminal. For security purposes, this operation requires elevation.
```bash
$ mdatp --config realTimeProtectionEnabled false
```
If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md).
2. Open Finder and navigate to **Applications** > **Utilities**. Open **Activity Monitor** and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers.
3. Configure Microsoft Defender ATP for Mac with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection.
See [Configure and validate exclusions for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-exclusions.md) for details.

4
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md
View File

@ -1,6 +1,6 @@
---
title: Microsoft Defender ATP for Mac
ms.reviewer:
ms.reviewer:
description: Describes how to install and use Microsoft Defender ATP for Mac.
keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
search.product: eADQiWindows 10XVcnh
@ -14,7 +14,7 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.collection: M365-security-compliance
ms.topic: conceptual
---