Merge pull request #1202 from MicrosoftDocs/user/tudobril/allowed-threats

Add info on how to configure allowed threats; clean up bash snippets
This commit is contained in:
Clay Detels
2019-09-26 08:41:28 -07:00
committed by GitHub
6 changed files with 43 additions and 31 deletions

View File

@ -48,11 +48,11 @@ Download the installation and onboarding packages from Windows Defender Security
Extract the contents of the .zip files:
```bash
ls -l
$ ls -l
total 721152
-rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip
-rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip
$ unzip WindowsDefenderATPOnboardingPackage.zip
Archive: WindowsDefenderATPOnboardingPackage.zip
inflating: WindowsDefenderATPOnboarding.py
```
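Review bot: the `$` prompt now applied at `$ ls -l` and `$ unzip WindowsDefenderATPOnboardingPackage.zip` is consistent, but the block is fenced as `bash` while it mixes commands with their output (`total 721152`, the `-rw-r--r--` listing, `inflating: ...`); readers who copy the block will paste prompts and output into their shell. Consider fencing such transcripts as `console` (or `text`) and reserving `bash` for blocks that contain only commands.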
@ -92,7 +92,7 @@ If you did not enable Microsoft's driver during installation, then the applicati
You can also run ```mdatp --health```. It reports if Real-Time Protection is enabled but not available:
```bash
mdatp --health
$ mdatp --health
...
realTimeProtectionAvailable : false
realTimeProtectionEnabled : true
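Review bot: the context line "You can also run ... It reports if Real-Time Protection is enabled but not available" wraps `mdatp --health` in triple backticks inline, which some Markdown engines render as a fence rather than inline code; single backticks match the rest of the page. The same pattern recurs in the "banner should disappear" sentence in the next hunk.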
@ -112,7 +112,7 @@ In this case, you need to perform the following steps to enable Real-Time Protec
1. In Terminal, attempt to install the driver. (The operation will fail)
```bash
sudo kextutil /Library/Extensions/wdavkext.kext
$ sudo kextutil /Library/Extensions/wdavkext.kext
Kext rejected due to system policy: <OSKext 0x7fc34d528390 [0x7fffa74aa8e0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
Kext rejected due to system policy: <OSKext 0x7fc34d528390 [0x7fffa74aa8e0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
Diagnostics for /Library/Extensions/wdavkext.kext:
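Review bot: the two identical `Kext rejected due to system policy` lines at the top of the output look like a paste duplicate; if `kextutil` really prints the rejection twice, keep both, otherwise drop one so readers do not expect two rejections before the `Diagnostics for ...` section.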
@ -125,13 +125,13 @@ In this case, you need to perform the following steps to enable Real-Time Protec
4. In Terminal, install the driver again. This time the operation will succeed:
```bash
sudo kextutil /Library/Extensions/wdavkext.kext
$ sudo kextutil /Library/Extensions/wdavkext.kext
```
The banner should disappear from the Defender application, and ```mdatp --health``` should now report that Real-Time Protection is both enabled and available:
```bash
mdatp --health
$ mdatp --health
...
realTimeProtectionAvailable : true
realTimeProtectionEnabled : true
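Review bot: the step-4 block shows `$ sudo kextutil /Library/Extensions/wdavkext.kext` with no output, so a reader cannot tell what a successful run looks like; consider stating whether the command is silent on success, since the `mdatp --health` check that follows is the actual verification. The "banner should disappear" sentence also wraps `mdatp --health` in triple backticks where single backticks are the inline convention.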
@ -145,20 +145,20 @@ realTimeProtectionEnabled : true
The client machine is not associated with orgId. Note that the *orgId* attribute is blank.
```bash
mdatp --health orgId
$ mdatp --health orgId
```
2. Run the Python script to install the configuration file:
```bash
/usr/bin/python WindowsDefenderATPOnboarding.py
$ /usr/bin/python WindowsDefenderATPOnboarding.py
Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password)
```
3. Verify that the machine is now associated with your organization and reports a valid *orgId*:
```bash
mdatp --health orgId
$ mdatp --health orgId
E6875323-A6C0-4C60-87AD-114BBE7439B8
```
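Review bot: the first block (`$ mdatp --health orgId`) shows no output while the prose says the *orgId* attribute is blank; showing the empty line (or whatever the command prints when the machine is not associated) would make the before/after contrast with the later `E6875323-...` output explicit, and it keeps the command-plus-output convention used in the other blocks.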

View File

@ -50,28 +50,29 @@ Download the installation and onboarding packages from Microsoft Defender Securi
Extract the contents of the .zip files:
```bash
mavel-macmini:Downloads test$ ls -l
$ ls -l
total 721688
-rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil
-rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip
-rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip
$ unzip WindowsDefenderATPOnboardingPackage.zip
Archive: WindowsDefenderATPOnboardingPackage.zip
warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
inflating: intune/kext.xml
inflating: intune/WindowsDefenderATPOnboarding.xml
inflating: jamf/WindowsDefenderATPOnboarding.plist
mavel-macmini:Downloads test$
```
7. Make IntuneAppUtil an executable:
```mavel-macmini:Downloads test$ chmod +x IntuneAppUtil```
```bash
$ chmod +x IntuneAppUtil
```
8. Create the wdav.pkg.intunemac package from wdav.pkg:
```bash
mavel-macmini:Downloads test$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0"
$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0"
Microsoft Intune Application Utility for Mac OS X
Version: 1.0.0.0
Copyright 2018 Microsoft Corporation
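Review bot: the prompts on the command lines were changed to `$`, but the bare `mavel-macmini:Downloads test$` prompt left at the end of the unzip output (the line before the closing fence) still carries the old host and user name; drop it for consistency with the rest of the block. Turning the inline triple-backtick `chmod +x IntuneAppUtil` into a proper fenced block is a good fix.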

View File

@ -51,17 +51,16 @@ Download the installation and onboarding packages from Windows Defender Security
5. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so:
```bash
mavel-macmini:Downloads test$ ls -l
$ ls -l
total 721160
-rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip
-rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip
$ unzip WindowsDefenderATPOnboardingPackage.zip
Archive: WindowsDefenderATPOnboardingPackage.zip
warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
inflating: intune/kext.xml
inflating: intune/WindowsDefenderATPOnboarding.xml
inflating: jamf/WindowsDefenderATPOnboarding.plist
mavel-macmini:Downloads test$
```
## Create JAMF policies
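Review bot: same leftover as in the Intune file: the trailing `mavel-macmini:Downloads test$` line before the closing fence still uses the old prompt style and should be removed along with the others in this block.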
@ -166,7 +165,7 @@ Once the policy is applied, you'll see the Microsoft Defender ATP icon in the ma
You can monitor policy installation on a device by following the JAMF log file:
```bash
mavel-mojave:~ testuser$ tail -f /var/log/jamf.log
$ tail -f /var/log/jamf.log
Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found.
Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"...
Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV
@ -179,7 +178,7 @@ You can monitor policy installation on a device by following the JAMF log file:
You can also check the onboarding status:
```bash
mavel-mojave:~ testuser$ mdatp --health
$ mdatp --health
...
licensed : true
orgId : "4751b7d4-ea75-4e8f-a1f5-6d640c65bc45"
@ -195,7 +194,7 @@ orgId : "4751b7d4-ea75-4e8f-a1f5-6d640c65bc45"
You can check that devices have been correctly onboarded by creating a script. For example, the following script checks enrolled devices for onboarding status:
```bash
mdatp --health healthy
$ mdatp --health healthy
```
The above command prints "1" if the product is onboarded and functioning as expected.
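Review bot: the prose says "by creating a script" and "the following script", but the block contains a single interactive command, and the `1` it is said to print is not shown; either show the `1` under `$ mdatp --health healthy` (matching the command-plus-output convention used elsewhere) or reword to "the following command".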
@ -219,6 +218,8 @@ Create a script in **Settings > Computer Management > Scripts**.
This script removes Microsoft Defender ATP from the /Applications directory:
```bash
#!/bin/bash
echo "Is WDAV installed?"
ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null
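Review bot: in the visible start of the removal script, `echo "Is WDAV installed?"` followed by `ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null` never answers the question it prints: when the app is absent the `ls` error is silently suppressed and the script carries on. An explicit test such as `if [ -d '/Applications/Microsoft Defender ATP.app' ]; then ... else echo "not installed"; exit 0; fi` would make the outcome unambiguous in the JAMF log.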

View File

@ -66,7 +66,7 @@ Whether real-time protection (scan files as they are accessed) is enabled or not
Whether the antivirus engine runs in passive mode or not. In passive mode:
- Real-time protection is turned off
- On demand scanning is turned on
- On-demand scanning is turned on
- Automatic threat remediation is turned off
- Security intelligence updates are turned on
- Status menu icon is hidden
@ -149,6 +149,16 @@ Used to exclude content from the scan by file name.
| **Possible values** | any string |
| **Comments** | Applicable only if *$type* is *excludedFileName* |
#### Allowed threats
List of threats (identified by their name) that are not blocked by the product and are instead allowed to run.
|||
|:---|:---|
| **Domain** | com.microsoft.wdav |
| **Key** | allowedThreats |
| **Data type** | Array of strings |
#### Threat type settings
The *threatTypeSettings* preference in the antivirus engine is used to control how certain threat types are handled by the product.
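Review bot: the new "Allowed threats" section lacks the **Possible values** and **Comments** rows that the neighbouring settings carry (see `| **Possible values** | any string |` and `| **Comments** | ... |` just above). Because an allowed threat is neither blocked nor remediated, the comments row should state that entries must match the threat name exactly as the product reports it, and that the list is intended for known-benign cases such as the EICAR test file used in the sample profiles, not as a general exclusion mechanism.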
@ -243,7 +253,7 @@ The *userInterface* section of the configuration profile is used to manage the p
#### Show / hide status menu icon
Whether the status menu icon (shown in the top right corner of the screen) is hidden or not.
Whether the status menu icon (shown in the top-right corner of the screen) is hidden or not.
|||
|:---|:---|
@ -425,7 +435,7 @@ The following configuration profile contains entries for all settings described
</array>
<key>allowedThreats</key>
<array>
<string>eicar</string>
<string>EICAR-Test-File (not a virus)</string>
</array>
<key>threatTypeSettings</key>
<array>
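Review bot: replacing `eicar` with `EICAR-Test-File (not a virus)` implies that `allowedThreats` entries must match the product's full threat display name, but the "Allowed threats" section added in this same change only says "identified by their name"; add that requirement there so readers do not reuse the short form this hunk removes. The same string is updated in the second sample profile below, which keeps the two samples consistent.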
@ -540,7 +550,7 @@ The following configuration profile contains entries for all settings described
</array>
<key>allowedThreats</key>
<array>
<string>eicar</string>
<string>EICAR-Test-File (not a virus)</string>
</array>
<key>threatTypeSettings</key>
<array>

View File

@ -31,7 +31,7 @@ If you can reproduce a problem, please increase the logging level, run the syste
1. Increase logging level:
```bash
mdatp --log-level verbose
$ mdatp --log-level verbose
Creating connection to daemon
Connection established
Operation succeeded
@ -39,10 +39,10 @@ If you can reproduce a problem, please increase the logging level, run the syste
2. Reproduce the problem
3. Run `mdatp --diagnostic --create` to backup Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive. This command will also print out the file path to the backup after the operation succeeds.
3. Run `sudo mdatp --diagnostic --create` to backup Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive. This command will also print out the file path to the backup after the operation succeeds.
```bash
mdatp --diagnostic --create
$ sudo mdatp --diagnostic --create
Creating connection to daemon
Connection established
```
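Review bot: adding `sudo` to both the prose and the `$ sudo mdatp --diagnostic --create` line is the right fix, but the changed sentence still reads "to backup ... logs" and "inside of a .zip archive"; "back up" (verb) and "in a .zip archive" read better. The block also ends at `Connection established` without the file path the sentence says is printed; consider showing that final line with a placeholder path so readers know what to look for.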
@ -50,7 +50,7 @@ If you can reproduce a problem, please increase the logging level, run the syste
4. Restore logging level:
```bash
mdatp --log-level info
$ mdatp --log-level info
Creating connection to daemon
Connection established
Operation succeeded
@ -82,13 +82,13 @@ Important tasks, such as controlling product settings and triggering on-demand s
|-------------|-------------------------------------------|-----------------------------------------------------------------------|
|Configuration|Turn on/off real-time protection |`mdatp --config realTimeProtectionEnabled [true/false]` |
|Configuration|Turn on/off cloud protection |`mdatp --config cloudEnabled [true/false]` |
|Configuration|Turn on/off product diagnostics |`mdatp --config diagnostic [true/false]` |
|Configuration|Turn on/off product diagnostics |`mdatp --config cloudDiagnosticEnabled [true/false]` |
|Configuration|Turn on/off automatic sample submission |`mdatp --config cloudAutomaticSampleSubmission [true/false]` |
|Configuration|Turn on PUA protection |`mdatp --threat --type-handling potentially_unwanted_application block`|
|Configuration|Turn off PUA protection |`mdatp --threat --type-handling potentially_unwanted_application off` |
|Configuration|Turn on audit mode for PUA protection |`mdatp --threat --type-handling potentially_unwanted_application audit`|
|Diagnostics |Change the log level |`mdatp --log-level [error/warning/info/verbose]` |
|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic` |
|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` |
|Health |Check the product's health |`mdatp --health` |
|Protection |Scan a path |`mdatp --scan --path [path]` |
|Protection |Do a quick scan |`mdatp --scan --quick` |
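Review bot: the diagnostics row now references `cloudDiagnosticEnabled` instead of `diagnostic`, but nothing in this change updates the configuration-profile reference with that key name; please confirm the key matches the preferences document so the CLI table and the profile reference agree. Changing the "Generate diagnostic logs" row to `mdatp --diagnostic --create` matches the troubleshooting steps, which is good.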

View File

@ -69,7 +69,7 @@ To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/ap
If you prefer the command line, you can also check the connection by running the following command in Terminal:
```bash
curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
$ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
```
The output from this command should be similar to the following:
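Review bot: with `-w ' %{url_effective}\n'` alone, curl prints each response body followed by the effective URL, so a transparent proxy that answers with an HTML block page still looks like success; suggest `curl -s -o /dev/null -w '%{http_code} %{url_effective}\n' ...` so the status code is visible, and mention that a non-zero curl exit status is the reliable signal that the connection was blocked.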