Merge pull request #2429 from MicrosoftDocs/user/tudobril/linux-cloud

Troubleshooting steps for connectivity & perf for Linux
Tina Burden 2020-04-01 10:40:04 -07:00 committed by GitHub
commit 62772b0f16
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 292 additions and 22 deletions

View File

@ -332,8 +332,12 @@
###### [Ansible based deployment](microsoft-defender-atp/linux-install-with-ansible.md)
##### [Update](microsoft-defender-atp/linux-updates.md)
##### [Configure]()
###### [Configure and validate exclusions](microsoft-defender-atp/linux-exclusions.md)
###### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md)
###### [Set preferences](microsoft-defender-atp/linux-preferences.md)
##### [Troubleshoot]()
###### [Troubleshoot cloud connectivity issues](microsoft-defender-atp/linux-support-connectivity.md)
###### [Troubleshoot performance issues](microsoft-defender-atp/linux-support-perf.md)
##### [Resources](microsoft-defender-atp/linux-resources.md)
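Review bot: The new `##### [Troubleshoot]()` parent node has an empty link target; that matches the existing `##### [Configure]()` node in the same hunk, so it is consistent with this TOC's convention, but confirm that both children, `linux-support-connectivity.md` and `linux-support-perf.md`, are added in this PR (their titles match the two new files further down) so neither entry 404s. The "Static proxy configuration" entry keeps its short label while that page's H1 is renamed in this PR; acceptable for a TOC, just noting it.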

View File

@ -0,0 +1,111 @@
---
title: Configure and validate exclusions for Microsoft Defender ATP for Linux
description: Provide and validate exclusions for Microsoft Defender ATP for Linux. Exclusions can be set for files, folders, and processes.
keywords: microsoft, defender, atp, linux, exclusions, scans, antivirus
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Configure and validate exclusions for Microsoft Defender ATP for Linux
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
This article provides information on how to define exclusions that apply to on-demand scans, and real-time protection and monitoring.
> [!IMPORTANT]
> The exclusions described in this article don't apply to other Microsoft Defender ATP for Linux capabilities, including endpoint detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections.
You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender ATP for Linux scans.
Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. They can also be useful for mitigating performance issues caused by Microsoft Defender ATP for Linux.
> [!WARNING]
> Defining exclusions lowers the protection offered by Microsoft Defender ATP for Linux. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
## Supported exclusion types
The follow table shows the exclusion types supported by Microsoft Defender ATP for Linux.
Exclusion | Definition | Examples
---|---|---
File extension | All files with the extension, anywhere on the machine | .test
File | A specific file identified by the full path | /var/log/test.log
Folder | All files under the specified folder | /var/log/
Process | A specific process (specified either by the full path or file name) and all files opened by it | /bin/cat<br/>cat
## How to configure the list of exclusions
### From the management console
For more information on how to configure exclusions from Puppet, Ansible, or another management console, see [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md).
### From the command line
Run the following command to see the available switches for managing exclusions:
```bash
$ mdatp --exclusion
```
Examples:
- Add an exclusion for a file extension:
```bash
$ mdatp --exclusion --add-extension .txt
Configuration updated successfully
```
- Add an exclusion for a file:
```bash
$ mdatp --exclusion --add-folder /var/log/dummy.log
Configuration updated successfully
```
- Add an exclusion for a folder:
```bash
$ mdatp --exclusion --add-folder /var/log/
Configuration updated successfully
```
- Add an exclusion for a process:
```bash
$ mdatp --exclusion --add-process cat
Configuration updated successfully
```
## Validate exclusions lists with the EICAR test file
You can validate that your exclusion lists are working by using `curl` to download a test file.
In the following Bash snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure that you run the command within that path.
```bash
$ curl -o test.txt https://www.eicar.org/download/eicar.com.txt
```
If Microsoft Defender ATP for Linux reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
If you do not have Internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command:
```bash
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > test.txt
```
You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude.
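Review bot: The "Add an exclusion for a file" example, `$ mdatp --exclusion --add-folder /var/log/dummy.log`, uses the folder switch; the table above distinguishes File (a specific file by full path) from Folder exclusions, and the next example already shows `--add-folder /var/log/`, so this one should use the file-specific switch instead (check the switch list printed by `mdatp --exclusion` for its exact name before changing it). Also "The follow table shows" should read "The following table shows".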

View File

@ -18,7 +18,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Configuring Microsoft Defender ATP for static proxy discovery
# Configure Microsoft Defender ATP for Linux for static proxy discovery
**Applies to:**
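Review bot: The H1 becomes "Configure Microsoft Defender ATP for Linux for static proxy discovery", but two pages in this same PR link to it with other wording: the Resources section of the new linux-support-connectivity.md says "Configure Microsoft Defender ATP for static proxy discovery" (no "for Linux") and microsoft-defender-atp-linux.md says "Manual Static Proxy Configuration". Align the link text with the new heading, and check that the `title:` front-matter value (outside this hunk) was updated to match as well.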

View File

@ -0,0 +1,91 @@
---
title: Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux
ms.reviewer:
description: Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux
keywords: microsoft, defender, atp, linux, cloud, connectivity, communication
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
## Run the connectivity test
To test if Microsoft Defender ATP for Linux can communicate to the cloud with the current network settings, run a connectivity test from the command line:
```bash
$ mdatp --connectivity-test
```
If the connectivity test fails, check if the machine has Internet access and if [any of the endpoints required by the product](microsoft-defender-atp-linux.md#network-connections) are blocked by a proxy or firewall.
## Troubleshooting steps for environments without proxy or with transparent proxy
To test that a connection is not blocked in an environment without a proxy or with a transparent proxy, run the following command in the terminal:
```bash
curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
```
The output from this command should be similar to:
```
OK https://x.cp.wd.microsoft.com/api/report
OK https://cdn.x.cp.wd.microsoft.com/ping
```
## Troubleshooting steps for environments with static proxy
> [!WARNING]
> PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being used.
>
> Intercepting proxies are also not supported for security reasons. Configure your proxy server to directly pass through data from Microsoft Defender ATP for Linux to the relevant URLs without interception. Adding your proxy certificate to the global store will not allow for interception.
If a static proxy is required, add a proxy parameter to the above command, where `proxy_address:port` correspond to the proxy address and port:
```bash
$ curl -x http://proxy_address:port -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
```
Ensure that you use the same proxy address and port as configured in the `/lib/system/system/mdatp.service` file. Check your proxy configuration if there are errors from the above commands.
To use a static proxy, the `mdatp.service` file must be modified. Ensure the leading `#` is removed to uncomment the following line from `/lib/systemd/system/mdatp.service`:
```bash
#Environment="HTTPS_PROXY=http://address:port"
```
Also ensure that the correct static proxy address is filled in to replace `address:port`.
If this file is correct, try running the following command in the terminal to reload Microsoft Defender ATP for Linux and propagate the setting:
```bash
$ sudo systemctl daemon-reload; sudo systemctl restart mdatp
```
Upon success, attempt another connectivity test from the command line:
```bash
$ mdatp --connectivity-test
```
If the problem persists, contact customer support.
## Resources
- For more information about how to configure the product to use a static proxy, see [Configure Microsoft Defender ATP for static proxy discovery](linux-static-proxy-configuration.md).
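Review bot: The path in "Ensure that you use the same proxy address and port as configured in the `/lib/system/system/mdatp.service` file" is wrong; the next paragraph and the `systemctl daemon-reload` step use `/lib/systemd/system/mdatp.service`, so change the first occurrence to the systemd path. Minor: `curl -w ' %{url_effective}\n' ...` is the only command on the page without the `$ ` prompt prefix, and `ms.reviewer:` is left empty in the front matter while the other two new pages omit the key entirely.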

View File

@ -0,0 +1,82 @@
---
title: Troubleshoot performance issues for Microsoft Defender ATP for Linux
description: Troubleshoot performance issues in Microsoft Defender ATP for Linux.
keywords: microsoft, defender, atp, linux, performance
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Troubleshoot performance issues for Microsoft Defender ATP for Linux
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
This topic provides some general steps that can be used to narrow down performance issues related to Microsoft Defender ATP for Linux.
Real-time protection (RTP) is a feature of Microsoft Defender ATP for Linux that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics.
Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Microsoft Defender ATP for Linux. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Microsoft Defender ATP for Linux.
The following steps can be used to troubleshoot and mitigate these issues:
1. Disable real-time protection using one of the following methods and observe whether the performance improves. This approach helps narrow down whether Microsoft Defender ATP for Linux is contributing to the performance issues.
If your device is not managed by your organization, real-time protection can be disabled from the command line:
```bash
$ mdatp --config realTimeProtectionEnabled false
```
If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md).
2. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Microsoft Defender ATP for Linux.
> [!NOTE]
> This feature is available in version 100.90.70 or newer.
This feature is enabled by default on the `Dogfood` and `InsisderFast` channels. If you're using a different update channel, this feature can be enabled from the command line:
```bash
$ mdatp config real_time_protection_statistics_enabled on
```
This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command:
```bash
$ mdatp health
```
Verify that the `real_time_protection_enabled` entry is `true`. Otherwise, run the following command to enable it:
```bash
$ mdatp --config realTimeProtectionEnabled true
```
To collect current statistics, run:
```bash
$ mdatp diagnostic real_time_protection_statistics # you can use > stat.log to redirect to file
```
The output of this command will show all processes and their associated scan activity. To improve the performance of Microsoft Defender ATP for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md).
> [!NOTE]
> The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted.
3. Use the `top` command-line tool and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers.
4. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection.
See [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md) for details.
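Review bot: The page mixes two CLI syntaxes: `$ mdatp --config realTimeProtectionEnabled false` (and `... true`) uses `--config` with a camelCase key, while `$ mdatp config real_time_protection_statistics_enabled on`, `$ mdatp health` and `$ mdatp diagnostic real_time_protection_statistics` use the subcommand form with snake_case keys. The note ties the statistics feature to version 100.90.70 or newer, so confirm which syntax that version accepts and use one form consistently, or state which form applies to which version. Also "InsisderFast" should be "InsiderFast", and the trailing "# you can use > stat.log to redirect to file" comment would read better as a sentence after the code block.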

View File

@ -64,7 +64,7 @@ Select the type of exclusion that you wish to add and follow the prompts.
You can validate that your exclusion lists are working by using `curl` to download a test file.
In the following Bash snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the *.testing extension*, replace *test.txt* with *test.testing*. If you are testing a path, ensure that you run the command within that path.
In the following Bash snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure that you run the command within that path.
```bash
$ curl -o test.txt https://www.eicar.org/download/eicar.com.txt
@ -72,7 +72,7 @@ $ curl -o test.txt https://www.eicar.org/download/eicar.com.txt
If Microsoft Defender ATP for Mac reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
If you do not have internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command:
If you do not have Internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command:
```bash
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > test.txt
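Review bot: Cosmetic change only (file names switched from italics to code formatting, "internet" capitalized), and it keeps this Mac page's EICAR validation text word-for-word identical to the corresponding paragraphs in the new linux-exclusions.md; since that text is now duplicated across two pages, consider an include fragment so later edits don't drift.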

View File

@ -117,25 +117,7 @@ Microsoft Defender ATP can discover a proxy server by using the following discov
If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. For transparent proxies, no additional configuration is needed for Microsoft Defender ATP. For static proxy, follow the steps in [Manual Static Proxy Configuration](linux-static-proxy-configuration.md).
## Validating cloud connectivity
To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/api/report](https://x.cp.wd.microsoft.com/api/report) and [https://cdn.x.cp.wd.microsoft.com/ping](https://cdn.x.cp.wd.microsoft.com/ping) in a browser.
If you prefer the command line, you can also check the connection by running the following command in Terminal:
```bash
$ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
```
The output from this command should be similar to the following:
> `OK https://x.cp.wd.microsoft.com/api/report`
> `OK https://cdn.x.cp.wd.microsoft.com/ping`
Once Microsoft Defender ATP is installed, connectivity can be validated by running the following command in Terminal:
```bash
$ mdatp --connectivity-test
```
For troubleshooting steps, see the [Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux](linux-support-connectivity.md) page.
## How to update Microsoft Defender ATP for Linux
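Review bot: The browser-based check removed here (open `https://x.cp.wd.microsoft.com/api/report` and `https://cdn.x.cp.wd.microsoft.com/ping` in a browser) has no counterpart in the new linux-support-connectivity.md page, which offers only the curl command and `mdatp --connectivity-test`; either keep a one-line mention of the browser method here or add it to the new page so the option isn't lost. Also, the context line's link text "Manual Static Proxy Configuration" no longer matches the renamed H1 "Configure Microsoft Defender ATP for Linux for static proxy discovery" from this same PR.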