diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index ac15e0c03b..3eca661850 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -332,8 +332,12 @@ ###### [Ansible based deployment](microsoft-defender-atp/linux-install-with-ansible.md) ##### [Update](microsoft-defender-atp/linux-updates.md) ##### [Configure]() +###### [Configure and validate exclusions](microsoft-defender-atp/linux-exclusions.md) ###### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md) ###### [Set preferences](microsoft-defender-atp/linux-preferences.md) +##### [Troubleshoot]() +###### [Troubleshoot cloud connectivity issues](microsoft-defender-atp/linux-support-connectivity.md) +###### [Troubleshoot performance issues](microsoft-defender-atp/linux-support-perf.md) ##### [Resources](microsoft-defender-atp/linux-resources.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md new file mode 100644 index 0000000000..088b47a20c --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md 
@@ -0,0 +1,111 @@ +--- +title: Configure and validate exclusions for Microsoft Defender ATP for Linux +description: Provide and validate exclusions for Microsoft Defender ATP for Linux. Exclusions can be set for files, folders, and processes. +keywords: microsoft, defender, atp, linux, exclusions, scans, antivirus +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Configure and validate exclusions for Microsoft Defender ATP for Linux + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) + +This article provides information on how to define exclusions that apply to on-demand scans, and real-time protection and monitoring. + +> [!IMPORTANT] +> The exclusions described in this article don't apply to other Microsoft Defender ATP for Linux capabilities, including endpoint detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. + +You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender ATP for Linux scans. + +Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. They can also be useful for mitigating performance issues caused by Microsoft Defender ATP for Linux. + +> [!WARNING] +> Defining exclusions lowers the protection offered by Microsoft Defender ATP for Linux. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious. 
+ +## Supported exclusion types + +The follow table shows the exclusion types supported by Microsoft Defender ATP for Linux. + +Exclusion | Definition | Examples +---|---|--- +File extension | All files with the extension, anywhere on the machine | .test +File | A specific file identified by the full path | /var/log/test.log +Folder | All files under the specified folder | /var/log/ +Process | A specific process (specified either by the full path or file name) and all files opened by it | /bin/cat
cat + +## How to configure the list of exclusions + +### From the management console + +For more information on how to configure exclusions from Puppet, Ansible, or another management console, see [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md). + +### From the command line + +Run the following command to see the available switches for managing exclusions: + +```bash +$ mdatp --exclusion +``` + +Examples: + +- Add an exclusion for a file extension: + + ```bash + $ mdatp --exclusion --add-extension .txt + Configuration updated successfully + ``` + +- Add an exclusion for a file: + + ```bash + $ mdatp --exclusion --add-folder /var/log/dummy.log + Configuration updated successfully + ``` + +- Add an exclusion for a folder: + + ```bash + $ mdatp --exclusion --add-folder /var/log/ + Configuration updated successfully + ``` + +- Add an exclusion for a process: + + ```bash + $ mdatp --exclusion --add-process cat + Configuration updated successfully + ``` + +## Validate exclusions lists with the EICAR test file + +You can validate that your exclusion lists are working by using `curl` to download a test file. + +In the following Bash snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure that you run the command within that path. + +```bash +$ curl -o test.txt https://www.eicar.org/download/eicar.com.txt +``` + +If Microsoft Defender ATP for Linux reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html). + +If you do not have Internet access, you can create your own EICAR test file. 
Write the EICAR string to a new text file with the following Bash command: + +```bash +echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > test.txt +``` + +You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude. diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md index c2505dae33..0ac647a0b9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md @@ -18,7 +18,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Configuring Microsoft Defender ATP for static proxy discovery +# Configure Microsoft Defender ATP for Linux for static proxy discovery **Applies to:** diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md new file mode 100644 index 0000000000..d34c004a38 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md 
@@ -0,0 +1,91 @@ +--- +title: Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux +ms.reviewer: +description: Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux +keywords: microsoft, defender, atp, linux, cloud, connectivity, communication +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) + +## Run the connectivity test + +To test if Microsoft Defender ATP for Linux can communicate to the cloud with the current network settings, run a connectivity test from the command line: + +```bash +$ mdatp --connectivity-test +``` + +If the connectivity test fails, check if the machine has Internet access and if [any of the endpoints required by the product](microsoft-defender-atp-linux.md#network-connections) are blocked by a proxy or firewall. + +## Troubleshooting steps for environments without proxy or with transparent proxy + +To test that a connection is not blocked in an environment without a proxy or with a transparent proxy, run the following command in the terminal: + +```bash +curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping' +``` + +The output from this command should be similar to: + +``` +OK https://x.cp.wd.microsoft.com/api/report +OK https://cdn.x.cp.wd.microsoft.com/ping +``` + +## Troubleshooting steps for environments with static proxy + +> [!WARNING] +> PAC, WPAD, and authenticated proxies are not supported. 
Ensure that only a static proxy or transparent proxy is being used. +> +> Intercepting proxies are also not supported for security reasons. Configure your proxy server to directly pass through data from Microsoft Defender ATP for Linux to the relevant URLs without interception. Adding your proxy certificate to the global store will not allow for interception. + +If a static proxy is required, add a proxy parameter to the above command, where `proxy_address:port` correspond to the proxy address and port: + +```bash +$ curl -x http://proxy_address:port -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping' +``` + +Ensure that you use the same proxy address and port as configured in the `/lib/system/system/mdatp.service` file. Check your proxy configuration if there are errors from the above commands. + +To use a static proxy, the `mdatp.service` file must be modified. Ensure the leading `#` is removed to uncomment the following line from `/lib/systemd/system/mdatp.service`: + +```bash +#Environment="HTTPS_PROXY=http://address:port" +``` + +Also ensure that the correct static proxy address is filled in to replace `address:port`. + +If this file is correct, try running the following command in the terminal to reload Microsoft Defender ATP for Linux and propagate the setting: + +```bash +$ sudo systemctl daemon-reload; sudo systemctl restart mdatp +``` + +Upon success, attempt another connectivity test from the command line: + +```bash +$ mdatp --connectivity-test +``` + +If the problem persists, contact customer support. + +## Resources + +- For more information about how to configure the product to use a static proxy, see [Configure Microsoft Defender ATP for static proxy discovery](linux-static-proxy-configuration.md). \ No newline at end of file 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md new file mode 100644 index 0000000000..55da60a602 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md 
@@ -0,0 +1,82 @@ +--- +title: Troubleshoot performance issues for Microsoft Defender ATP for Linux +description: Troubleshoot performance issues in Microsoft Defender ATP for Linux. +keywords: microsoft, defender, atp, linux, performance +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Troubleshoot performance issues for Microsoft Defender ATP for Linux + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) + +This topic provides some general steps that can be used to narrow down performance issues related to Microsoft Defender ATP for Linux. + +Real-time protection (RTP) is a feature of Microsoft Defender ATP for Linux that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics. + +Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Microsoft Defender ATP for Linux. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Microsoft Defender ATP for Linux. + +The following steps can be used to troubleshoot and mitigate these issues: + +1. Disable real-time protection using one of the following methods and observe whether the performance improves. This approach helps narrow down whether Microsoft Defender ATP for Linux is contributing to the performance issues. 
+ + If your device is not managed by your organization, real-time protection can be disabled from the command line: + + ```bash + $ mdatp --config realTimeProtectionEnabled false + ``` + + If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md). + +2. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Microsoft Defender ATP for Linux. + + > [!NOTE] + > This feature is available in version 100.90.70 or newer. + + This feature is enabled by default on the `Dogfood` and `InsisderFast` channels. If you're using a different update channel, this feature can be enabled from the command line: + + ```bash + $ mdatp config real_time_protection_statistics_enabled on + ``` + + This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command: + + ```bash + $ mdatp health + ``` + + Verify that the `real_time_protection_enabled` entry is `true`. Otherwise, run the following command to enable it: + + ```bash + $ mdatp --config realTimeProtectionEnabled true + ``` + + To collect current statistics, run: + + ```bash + $ mdatp diagnostic real_time_protection_statistics # you can use ‘> stat.log’ to redirect to file + ``` + + The output of this command will show all processes and their associated scan activity. To improve the performance of Microsoft Defender ATP for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). + + > [!NOTE] + > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. 
Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. + +3. Use the `top` command-line tool and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers. + +4. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. + + See [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md) for details. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md index 4a410131e3..4ac890ab74 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md @@ -64,7 +64,7 @@ Select the type of exclusion that you wish to add and follow the prompts. You can validate that your exclusion lists are working by using `curl` to download a test file. -In the following Bash snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the *.testing extension*, replace *test.txt* with *test.testing*. If you are testing a path, ensure that you run the command within that path. +In the following Bash snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure that you run the command within that path. ```bash $ curl -o test.txt https://www.eicar.org/download/eicar.com.txt 
@@ -72,7 +72,7 @@ $ curl -o test.txt https://www.eicar.org/download/eicar.com.txt If Microsoft Defender ATP for Mac reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html). -If you do not have internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command: +If you do not have Internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command: ```bash echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > test.txt diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md index 2819fb191f..aa08dca96f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md 
@@ -117,25 +117,7 @@ Microsoft Defender ATP can discover a proxy server by using the following discov If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. For transparent proxies, no additional configuration is needed for Microsoft Defender ATP. For static proxy, follow the steps in [Manual Static Proxy Configuration](linux-static-proxy-configuration.md). -## Validating cloud connectivity - -To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/api/report](https://x.cp.wd.microsoft.com/api/report) and [https://cdn.x.cp.wd.microsoft.com/ping](https://cdn.x.cp.wd.microsoft.com/ping) in a browser. - -If you prefer the command line, you can also check the connection by running the following command in Terminal: - -```bash -$ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping' -``` - -The output from this command should be similar to the following: - -> `OK https://x.cp.wd.microsoft.com/api/report` -> `OK https://cdn.x.cp.wd.microsoft.com/ping` - -Once Microsoft Defender ATP is installed, connectivity can be validated by running the following command in Terminal: -```bash -$ mdatp --connectivity-test -``` +For troubleshooting steps, see the [Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux](linux-support-connectivity.md) page. ## How to update Microsoft Defender ATP for Linux
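Review bot: in the new linux-exclusions.md, the "Add an exclusion for a file" example under `### From the command line` uses the folder switch on a file path (`$ mdatp --exclusion --add-folder /var/log/dummy.log`), so it duplicates the folder example that follows instead of demonstrating a file exclusion; check the file switch listed by `mdatp --exclusion` and use that here. Also, `The follow table shows the exclusion types supported` should read `The following table`, and the `Process` row's second example (`cat`) has been split from `/bin/cat` onto its own line, so confirm the table renders with both values in the Examples cell.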
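Review bot: retitling linux-static-proxy-configuration.md to `# Configure Microsoft Defender ATP for Linux for static proxy discovery` leaves the link text in the new linux-support-connectivity.md Resources list (`see [Configure Microsoft Defender ATP for static proxy discovery](linux-static-proxy-configuration.md)`) out of sync; update that link text to match the new heading.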
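Review bot: the service path in linux-support-connectivity.md is inconsistent within the static-proxy section: the sentence `Ensure that you use the same proxy address and port as configured in the `/lib/system/system/mdatp.service` file` has a typo, while the next paragraph correctly uses `/lib/systemd/system/mdatp.service`; fix the first occurrence so readers editing the wrong path do not conclude the file is missing. The file also ends without a trailing newline (`\ No newline at end of file` after the Resources bullet); add one for consistency with the other new pages.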
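Review bot: step 2 of linux-support-perf.md mixes two CLI forms without explanation: `$ mdatp --config realTimeProtectionEnabled false` / `true` (dashed switch, camelCase key) next to `$ mdatp config real_time_protection_statistics_enabled on`, `$ mdatp health` and `$ mdatp diagnostic real_time_protection_statistics` (subcommand, snake_case key). Confirm both forms are valid for the 100.90.70+ builds the note references, or normalize to one so the steps can be followed verbatim. Also fix the typo `InsisderFast` (should be `InsiderFast`), replace the curly quotes in the bash comment `# you can use ‘> stat.log’ to redirect to file` with straight quotes so the line is safe to paste, and hyphenate `real time protection` in the closing note to match `real-time protection` used elsewhere in the page.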
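Review bot: removing the `## Validating cloud connectivity` section from microsoft-defender-atp-linux.md drops the browser-based check (`open [https://x.cp.wd.microsoft.com/api/report](...) and [https://cdn.x.cp.wd.microsoft.com/ping](...) in a browser`), while the replacement page linux-support-connectivity.md only carries the `curl` and `mdatp --connectivity-test` variants; either add the browser step to the new page or confirm the drop is intended. The new page also links back to `microsoft-defender-atp-linux.md#network-connections`, so verify that a `Network connections` heading exists in this file, since this hunk only shows the proxy paragraph above the removed section.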