Merge pull request #1202 from MicrosoftDocs/user/tudobril/allowed-threats

Add info on how to configure allowed threats; clean up bash snippets
2025-06-18 11:53:37 +00:00 · 2019-09-26 08:41:28 -07:00
parent 45088b8846 8d64a9f6af
commit 5f1b165443
6 changed files with 43 additions and 31 deletions
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md
@ -48,11 +48,11 @@ Download the installation and onboarding packages from Windows Defender Security
    Extract the contents of the .zip files:
    ```bash
-    ls -l
+    $ ls -l
    total 721152
    -rw-r--r--  1 test  staff       6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip
    -rw-r--r--  1 test  staff  354531845 Mar 13 08:57 wdav.pkg
-    mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip
+    $ unzip WindowsDefenderATPOnboardingPackage.zip
    Archive:  WindowsDefenderATPOnboardingPackage.zip
    inflating: WindowsDefenderATPOnboarding.py
    ```
@ -92,7 +92,7 @@ If you did not enable Microsoft's driver during installation, then the applicati
 You can also run ```mdatp --health```. It reports if Real-Time Protection is enabled but not available:
 ```bash
-mdatp --health
+$ mdatp --health
 ...
 realTimeProtectionAvailable             : false
 realTimeProtectionEnabled               : true
@ -112,7 +112,7 @@ In this case, you need to perform the following steps to enable Real-Time Protec
 1. In Terminal, attempt to install the driver. (The operation will fail)
    ```bash
-    sudo kextutil /Library/Extensions/wdavkext.kext
+    $ sudo kextutil /Library/Extensions/wdavkext.kext
    Kext rejected due to system policy: <OSKext 0x7fc34d528390 [0x7fffa74aa8e0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
    Kext rejected due to system policy: <OSKext 0x7fc34d528390 [0x7fffa74aa8e0]> { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" }
    Diagnostics for /Library/Extensions/wdavkext.kext:
@ -125,13 +125,13 @@ In this case, you need to perform the following steps to enable Real-Time Protec
 4. In Terminal, install the driver again. This time the operation will succeed:
 ```bash
-sudo kextutil /Library/Extensions/wdavkext.kext
+$ sudo kextutil /Library/Extensions/wdavkext.kext
 ```
 The banner should disappear from the Defender application, and ```mdatp --health``` should now report that Real-Time Protection is both enabled and available:
 ```bash
-mdatp --health
+$ mdatp --health
 ...
 realTimeProtectionAvailable             : true
 realTimeProtectionEnabled               : true
@ -145,20 +145,20 @@ realTimeProtectionEnabled               : true
    The client machine is not associated with orgId. Note that the *orgId* attribute is blank.
    ```bash
-    mdatp --health orgId
+    $ mdatp --health orgId
    ```
 2. Run the Python script to install the configuration file:
    ```bash
-    /usr/bin/python WindowsDefenderATPOnboarding.py
+    $ /usr/bin/python WindowsDefenderATPOnboarding.py
    Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password)
    ```
 3. Verify that the machine is now associated with your organization and reports a valid *orgId*:
    ```bash
-    mdatp --health orgId
+    $ mdatp --health orgId
    E6875323-A6C0-4C60-87AD-114BBE7439B8
    ```
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md
@ -50,28 +50,29 @@ Download the installation and onboarding packages from Microsoft Defender Securi
    Extract the contents of the .zip files:
    ```bash
-    mavel-macmini:Downloads test$ ls -l
+    $ ls -l
    total 721688
    -rw-r--r--  1 test  staff     269280 Mar 15 11:25 IntuneAppUtil
    -rw-r--r--  1 test  staff      11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip
    -rw-r--r--  1 test  staff  354531845 Mar 13 08:57 wdav.pkg
-    mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip
+    $ unzip WindowsDefenderATPOnboardingPackage.zip
    Archive:  WindowsDefenderATPOnboardingPackage.zip
    warning:  WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
      inflating: intune/kext.xml
      inflating: intune/WindowsDefenderATPOnboarding.xml
      inflating: jamf/WindowsDefenderATPOnboarding.plist
    mavel-macmini:Downloads test$
    ```
 7. Make IntuneAppUtil an executable:
-    ```mavel-macmini:Downloads test$ chmod +x IntuneAppUtil```
+    ```bash
    $ chmod +x IntuneAppUtil
    ```
 8. Create the wdav.pkg.intunemac package from wdav.pkg:
    ```bash
-    mavel-macmini:Downloads test$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0"
+    $ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0"
    Microsoft Intune Application Utility for Mac OS X
    Version: 1.0.0.0
    Copyright 2018 Microsoft Corporation
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md
@ -51,17 +51,16 @@ Download the installation and onboarding packages from Windows Defender Security
 5. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so:
    ```bash
-    mavel-macmini:Downloads test$ ls -l
+    $ ls -l
    total 721160
    -rw-r--r--  1 test  staff      11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip
    -rw-r--r--  1 test  staff  354531845 Mar 13 08:57 wdav.pkg
-    mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip
+    $ unzip WindowsDefenderATPOnboardingPackage.zip
    Archive:  WindowsDefenderATPOnboardingPackage.zip
    warning:  WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
    inflating: intune/kext.xml
     inflating: intune/WindowsDefenderATPOnboarding.xml
     inflating: jamf/WindowsDefenderATPOnboarding.plist
    mavel-macmini:Downloads test$
    ```
 ## Create JAMF policies
@ -166,7 +165,7 @@ Once the policy is applied, you'll see the Microsoft Defender ATP icon in the ma
 You can monitor policy installation on a device by following the JAMF log file:
 ```bash
-    mavel-mojave:~ testuser$ tail -f /var/log/jamf.log
+    $ tail -f /var/log/jamf.log
    Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found.
    Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"...
    Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV
@ -179,7 +178,7 @@ You can monitor policy installation on a device by following the JAMF log file:
 You can also check the onboarding status:
 ```bash
-mavel-mojave:~ testuser$ mdatp --health
+$ mdatp --health
 ...
 licensed                                : true
 orgId                                   : "4751b7d4-ea75-4e8f-a1f5-6d640c65bc45"
@ -195,7 +194,7 @@ orgId                                   : "4751b7d4-ea75-4e8f-a1f5-6d640c65bc45"
 You can check that devices have been correctly onboarded by creating a script. For example, the following script checks enrolled devices for onboarding status:
 ```bash
-mdatp --health healthy
+$ mdatp --health healthy
 ```
 The above command prints "1" if the product is onboarded and functioning as expected.
@ -219,6 +218,8 @@ Create a script in **Settings > Computer Management > Scripts**.
 This script removes Microsoft Defender ATP from the /Applications directory:
 ```bash
   #!/bin/bash
   echo "Is WDAV installed?"
   ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md
@ -66,7 +66,7 @@ Whether real-time protection (scan files as they are accessed) is enabled or not
 Whether the antivirus engine runs in passive mode or not. In passive mode:
 - Real-time protection is turned off
- On demand scanning is turned on
+- On-demand scanning is turned on
 - Automatic threat remediation is turned off
 - Security intelligence updates are turned on
 - Status menu icon is hidden
@ -149,6 +149,16 @@ Used to exclude content from the scan by file name.
 | **Possible values** | any string |
 | **Comments** | Applicable only if *$type* is *excludedFileName* |
 #### Allowed threats
 List of threats (identified by their name) that are not blocked by the product and are instead allowed to run.
 |||
 |:---|:---|
 | **Domain** | com.microsoft.wdav |
 | **Key** | allowedThreats |
 | **Data type** | Array of strings |
 #### Threat type settings
 The *threatTypeSettings* preference in the antivirus engine is used to control how certain threat types are handled by the product.
@ -243,7 +253,7 @@ The *userInterface* section of the configuration profile is used to manage the p
 #### Show / hide status menu icon
-Whether the status menu icon (shown in the top right corner of the screen) is hidden or not.
+Whether the status menu icon (shown in the top-right corner of the screen) is hidden or not.
 |||
 |:---|:---|
@ -425,7 +435,7 @@ The following configuration profile contains entries for all settings described
        </array>
        <key>allowedThreats</key>
        <array>
-            <string>eicar</string>
+            <string>EICAR-Test-File (not a virus)</string>
        </array>
        <key>threatTypeSettings</key>
        <array>
@ -540,7 +550,7 @@ The following configuration profile contains entries for all settings described
                    </array>
                    <key>allowedThreats</key>
                    <array>
-                        <string>eicar</string>
+                        <string>EICAR-Test-File (not a virus)</string>
                    </array>
                    <key>threatTypeSettings</key>
                    <array>
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md
@ -31,7 +31,7 @@ If you can reproduce a problem, please increase the logging level, run the syste
 1. Increase logging level:
   ```bash
-   mdatp --log-level verbose
+   $ mdatp --log-level verbose
   Creating connection to daemon
   Connection established
   Operation succeeded
@ -39,10 +39,10 @@ If you can reproduce a problem, please increase the logging level, run the syste
 2. Reproduce the problem
-3. Run `mdatp --diagnostic --create` to backup Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive. This command will also print out the file path to the backup after the operation succeeds.
+3. Run `sudo mdatp --diagnostic --create` to backup Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive. This command will also print out the file path to the backup after the operation succeeds.
   ```bash
-   mdatp --diagnostic --create
+   $ sudo mdatp --diagnostic --create
   Creating connection to daemon
   Connection established
   ```
@ -50,7 +50,7 @@ If you can reproduce a problem, please increase the logging level, run the syste
 4. Restore logging level:
   ```bash
-   mdatp --log-level info
+   $ mdatp --log-level info
   Creating connection to daemon
   Connection established
   Operation succeeded
@ -82,13 +82,13 @@ Important tasks, such as controlling product settings and triggering on-demand s
 |-------------|-------------------------------------------|-----------------------------------------------------------------------|
 |Configuration|Turn on/off real-time protection           |`mdatp --config realTimeProtectionEnabled [true/false]`                |
 |Configuration|Turn on/off cloud protection               |`mdatp --config cloudEnabled [true/false]`                             |
-|Configuration|Turn on/off product diagnostics            |`mdatp --config diagnostic [true/false]`                               |
+|Configuration|Turn on/off product diagnostics            |`mdatp --config cloudDiagnosticEnabled [true/false]`                               |
 |Configuration|Turn on/off automatic sample submission    |`mdatp --config cloudAutomaticSampleSubmission [true/false]`           |
 |Configuration|Turn on PUA protection                     |`mdatp --threat --type-handling potentially_unwanted_application block`|
 |Configuration|Turn off PUA protection                    |`mdatp --threat --type-handling potentially_unwanted_application off`  |
 |Configuration|Turn on audit mode for PUA protection      |`mdatp --threat --type-handling potentially_unwanted_application audit`|
 |Diagnostics  |Change the log level                       |`mdatp --log-level [error/warning/info/verbose]`                       |
-|Diagnostics  |Generate diagnostic logs                   |`mdatp --diagnostic`                                                   |
+|Diagnostics  |Generate diagnostic logs                   |`mdatp --diagnostic --create`                                                   |
 |Health       |Check the product's health                 |`mdatp --health`                                                       |
 |Protection   |Scan a path                                |`mdatp --scan --path [path]`                                           |
 |Protection   |Do a quick scan                            |`mdatp --scan --quick`                                                 |
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md
@ -69,7 +69,7 @@ To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/ap
 If you prefer the command line, you can also check the connection by running the following command in Terminal:
 ```bash
-curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
+$ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
 ```
 The output from this command should be similar to the following: