From 80a4d5bfe4edf99e72c39aa3b01f06e9e6375a7d Mon Sep 17 00:00:00 2001 From: schmurky Date: Wed, 21 Oct 2020 17:33:29 +0800 Subject: [PATCH 01/13] Replace for json --- .../microsoft-defender-atp/linux-support-perf.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 8390f37105..44a7b84113 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md @@ -32,7 +32,7 @@ This article provides some general steps that can be used to narrow down perform Real-time protection (RTP) is a feature of Microsoft Defender ATP for Linux that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics. -Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Microsoft Defender ATP for Linux. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Microsoft Defender ATP for Linux. +Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Microsoft Defender ATP for Linux. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues. The following steps can be used to troubleshoot and mitigate these issues: 
@@ -54,7 +54,7 @@ The following steps can be used to troubleshoot and mitigate these issues: > [!NOTE] > This feature is available in version 100.90.70 or newer. - This feature is enabled by default on the `Dogfood` and `InsisderFast` channels. If you're using a different update channel, this feature can be enabled from the command line: + This feature is enabled by default on the `Dogfood` and `InsiderFast` channels. If you're using a different update channel, this feature can be enabled from the command line: ```bash mdatp config real-time-protection-statistics --value enabled @@ -78,8 +78,10 @@ The following steps can be used to troubleshoot and mitigate these issues: To collect current statistics, run: ```bash - mdatp diagnostic real_time_protection_statistics # you can use ‘> stat.log’ to redirect to file + mdatp diagnostic real-time-protection-statistics --output json > real_time_protection_logs ``` + > [!NOTE] + > Adding ```--output json``` (note the double dash) ensures that the output format is ready for parsing. The output of this command will show all processes and their associated scan activity. To improve the performance of Microsoft Defender ATP for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). 
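Review bot: in the `@@ -78,8 +78,10 @@` hunk the new command redirects JSON into a file named `real_time_protection_logs` with no extension, while the sentence that follows still tells the reader to look under the `Total files scanned` row, which describes the human-readable table the old `real_time_protection_statistics` invocation printed, not the JSON document this command now writes. Either name the file `real_time_protection.json` and say which JSON field carries the per-process scan count, or keep the table form for the manual step and add `--output json` only where the output is going to be parsed. The new note also wraps the flag as ```--output json``` in triple backticks; this file uses single backticks for inline code (`Dogfood`, `Total files scanned`), so write it as `--output json` for consistent rendering.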
@@ -88,6 +90,7 @@ The following steps can be used to troubleshoot and mitigate these issues: 3. Use the `top` command-line tool and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers. -4. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. +4. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues +5. Re-enable real-time protection. - For more details, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). + For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). From 397c7a4c475b6cd473c33ad90e6f64837ff699b2 Mon Sep 17 00:00:00 2001 From: schmurky Date: Wed, 21 Oct 2020 17:37:59 +0800 Subject: [PATCH 02/13] Replace add with use --- .../microsoft-defender-atp/linux-support-perf.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 44a7b84113..d9b56bf731 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md 
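Review bot: in the `@@ -88,6 +90,7 @@` hunk of PATCH 01 the new line `+4. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues` drops the sentence's closing period, and the `For more information, see [Configure and validate exclusions ...]` paragraph that documents exclusions is now indented under step 5 (`Re-enable real-time protection.`) instead of under step 4, which it belongs to. End step 4 with a period and move the link paragraph up under it.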
@@ -81,7 +81,7 @@ The following steps can be used to troubleshoot and mitigate these issues: mdatp diagnostic real-time-protection-statistics --output json > real_time_protection_logs ``` > [!NOTE] - > Adding ```--output json``` (note the double dash) ensures that the output format is ready for parsing. + > Using ```--output json``` (note the double dash) ensures that the output format is ready for parsing. The output of this command will show all processes and their associated scan activity. To improve the performance of Microsoft Defender ATP for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). From cc82b538cccd6c73a28ff5bb36f550a411628a51 Mon Sep 17 00:00:00 2001 From: schmurky Date: Thu, 22 Oct 2020 17:34:09 +0800 Subject: [PATCH 03/13] More details --- .../linux-support-perf.md | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index d9b56bf731..2e16c94605 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md 
@@ -83,14 +83,23 @@ The following steps can be used to troubleshoot and mitigate these issues: > [!NOTE] > Using ```--output json``` (note the double dash) ensures that the output format is ready for parsing. - The output of this command will show all processes and their associated scan activity. To improve the performance of Microsoft Defender ATP for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). + The output of this command will show all processes and their associated scan activity. +3. You can then run a script to parse the output. + + To do this, in your Windows system, create a folder in ```C:\temp\High_CPU_util_parser_for_Linux```. + + Save the output file ```real_time_protection_logs``` from your Linux system to the created folder. + + You can then use this sample Powershell script to parse the```real_time_protection_logs```. Save this script as ```MDATP_Linux_High_CPU_parser.ps1``` in ```C:\temp\High_CPU_util_parser_for_Linux```. + + Run the Powershell script as admin. The script launches a Microsoft Excel file. The Excel file shows the list of processes with the most activity arranged in descending order. From here you can analyze which processes to exclude. + > [!NOTE] > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. -3. Use the `top` command-line tool and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers. +4. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues. 
For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). -4. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues 5. Re-enable real-time protection. - For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). + From f2ff564c5c96e7f01321988d4fb0c3971e62e4ee Mon Sep 17 00:00:00 2001 From: schmurky Date: Thu, 22 Oct 2020 17:36:07 +0800 Subject: [PATCH 04/13] PowerShell caps --- .../microsoft-defender-atp/linux-support-perf.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 2e16c94605..f52e335011 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md 
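Review bot: the `@@ -83,14 +83,23 @@` hunk of PATCH 03 tells the reader to "use this sample PowerShell script" and save it as `MDATP_Linux_High_CPU_parser.ps1`, but no script body or link appears anywhere in the change, so the new step 3 cannot be followed as written; paste the script in a fenced block or link to where it is published. On the same step, "Run the PowerShell script as admin" asks for elevation that parsing a text file and opening a workbook does not need; drop the admin requirement or state why it is required. The hunk also deletes `3. Use the top command-line tool and analyze which applications are using the resources on your system`, which was the only diagnostic that works on builds older than 100.90.70 (the statistics feature is gated on that version in the earlier hunk), and it replaces the concrete "highest number under `Total files scanned`" guidance with "analyze which processes to exclude", so the reader is no longer told which entry to pick. Minor: `the```real_time_protection_logs```` is missing a space before the code span, and the in-memory statistics note now sits between steps 3 and 4 instead of next to the statistics command it qualifies.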
@@ -91,9 +91,9 @@ The following steps can be used to troubleshoot and mitigate these issues: Save the output file ```real_time_protection_logs``` from your Linux system to the created folder. - You can then use this sample Powershell script to parse the```real_time_protection_logs```. Save this script as ```MDATP_Linux_High_CPU_parser.ps1``` in ```C:\temp\High_CPU_util_parser_for_Linux```. + You can then use this sample PowerShell script to parse the```real_time_protection_logs```. Save this script as ```MDATP_Linux_High_CPU_parser.ps1``` in ```C:\temp\High_CPU_util_parser_for_Linux```. - Run the Powershell script as admin. The script launches a Microsoft Excel file. The Excel file shows the list of processes with the most activity arranged in descending order. From here you can analyze which processes to exclude. + Run the PowerShell script as admin. The script launches a Microsoft Excel file. The Excel file shows the list of processes with the most activity arranged in descending order. From here you can analyze which processes to exclude. > [!NOTE] > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. From 2015a7ce2829bbc4b29f754f7d34411494ddc263 Mon Sep 17 00:00:00 2001 From: schmurky Date: Tue, 24 Nov 2020 15:28:16 +0800 Subject: [PATCH 05/13] New updates --- .../linux-support-perf.md | 42 +++++++++++++------ 1 file changed, 29 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index d0a4e97401..86995376ac 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md 
@@ -78,32 +78,48 @@ The following steps can be used to troubleshoot and mitigate these issues: To collect current statistics, run: ```bash - mdatp diagnostic real-time-protection-statistics --output json > real_time_protection_logs + mdatp diagnostic real-time-protection-statistics --output json > real_time_protection.json ``` > [!NOTE] > Using ```--output json``` (note the double dash) ensures that the output format is ready for parsing. The output of this command will show all processes and their associated scan activity. -3. You can then run a script to parse the output. - - To do this, in your Windows system, create a folder in ```C:\temp\High_CPU_util_parser_for_Linux```. +3. On your Linux system, download the sample Python parser **high_cpu_parser.py**. + ```bash + wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py + ``` + The output of this command should be something similar to: - Save the output file ```real_time_protection_logs``` from your Linux system to the created folder. + ```Output + --2020-11-14 11:27:27-- https://raw.githubusercontent.com/microsoft.mdatp-xplat/master/linus/diagnostic/high_cpu_parser.py + Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.196.133 + Connecting to raw.githubusercontent.com (raw.githubusercontent.com)| 151.101.196.133| :443... connected. + HTTP request sent, awaiting response... 200 OK + Length: 1020 [text/plain] + Saving to: 'high_cpu_parser.py' - You can then use this sample PowerShell script to parse the```real_time_protection_logs```. Save this script as ```MDATP_Linux_High_CPU_parser.ps1``` in ```C:\temp\High_CPU_util_parser_for_Linux```. - The output of this command will show all processes and their associated scan activity. To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. 
For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). + 100%[===========================================>] 1,020 --.-K/s in 0s + ``` +4. Next, type the following commands: + ```bash + chmod +x high_cpu_parser.py + ``` + ```bash + cat real_time_protection.json | python high_cpu_parser.py > real_time_protection.log + ``` - Run the PowerShell script as admin. The script launches a Microsoft Excel file. The Excel file shows the list of processes with the most activity arranged in descending order. From here you can analyze which processes to exclude. + The output of the above command displays all the processes and their associated scan activity. + + To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). + + > [!NOTE] > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. -4. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues. For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). +5. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. -5. Re-enable real-time protection. + For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). - -4. 
Configure Defender for Endpoint for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. - For more details, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). From 8d26222842313aa52ee93cccace65e370ac416f3 Mon Sep 17 00:00:00 2001 From: schmurky Date: Tue, 24 Nov 2020 15:30:46 +0800 Subject: [PATCH 06/13] added link to parser --- .../microsoft-defender-atp/linux-support-perf.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 86995376ac..808117dc1e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md @@ -85,7 +85,7 @@ The following steps can be used to troubleshoot and mitigate these issues: The output of this command will show all processes and their associated scan activity. -3. On your Linux system, download the sample Python parser **high_cpu_parser.py**. +3. On your Linux system, download the sample Python parser [**high_cpu_parser.py**](https://github.com/microsoft/mdatp-xplat/blob/master/linux/diagnostic/high_cpu_parser.py). ```bash wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py ``` From d99b6ae0b04b5d9d45c0262d567917403fc5b6e9 Mon Sep 17 00:00:00 2001 From: schmurky Date: Tue, 24 Nov 2020 15:35:05 +0800 Subject: [PATCH 07/13] add link --- .../microsoft-defender-atp/linux-support-perf.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 808117dc1e..da1c943252 100644 
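Review bot: in the `@@ -78,32 +78,48 @@` hunk of PATCH 05 the reader is told to `wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py` and execute it, which fetches whatever is on `master` at that moment with no integrity check; for a script that will run on a production host, pin the raw URL to a commit SHA or publish a checksum so the reader runs a reviewed revision. The `-c` flag is also wrong for this purpose: it tells wget to continue onto an existing `high_cpu_parser.py`, so a stale or partial copy already on disk is appended to or left in place rather than replaced. Step 4's `chmod +x high_cpu_parser.py` is unnecessary because the script is invoked through `python`, `cat real_time_protection.json | python high_cpu_parser.py` reads more simply as `python high_cpu_parser.py < real_time_protection.json`, and since the page does not say which Python the parser needs and `python` still resolves to 2.7 on several distributions in support, name `python3` explicitly if that is what it requires. The sample output does not match the command: it shows `microsoft.mdatp-xplat` and `linus/diagnostic` where the command has `microsoft/mdatp-xplat` and `linux/diagnostic`, and it prints a real resolver address. Finally, the added `+5. Configure Microsoft Defender ATP for Linux ...` line uses the old product name while the surrounding context already says `Defender for Endpoint for Linux`; use one name throughout.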
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md @@ -85,7 +85,7 @@ The following steps can be used to troubleshoot and mitigate these issues: The output of this command will show all processes and their associated scan activity. -3. On your Linux system, download the sample Python parser [**high_cpu_parser.py**](https://github.com/microsoft/mdatp-xplat/blob/master/linux/diagnostic/high_cpu_parser.py). +3. On your Linux system, download the sample Python parser **high_cpu_parser.py**. You can also download it from this link: [**high_cpu_parser.py**](https://github.com/microsoft/mdatp-xplat/blob/master/linux/diagnostic/high_cpu_parser.py). ```bash wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py ``` From 00d43db17b9cb9e18d07cb202469d4b22423d064 Mon Sep 17 00:00:00 2001 From: schmurky Date: Tue, 24 Nov 2020 15:36:03 +0800 Subject: [PATCH 08/13] removed link --- .../microsoft-defender-atp/linux-support-perf.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index da1c943252..17e0183fc5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md 
@@ -85,7 +85,8 @@ The following steps can be used to troubleshoot and mitigate these issues: The output of this command will show all processes and their associated scan activity. -3. On your Linux system, download the sample Python parser **high_cpu_parser.py**. You can also download it from this link: [**high_cpu_parser.py**](https://github.com/microsoft/mdatp-xplat/blob/master/linux/diagnostic/high_cpu_parser.py). +3. On your Linux system, download the sample Python parser **high_cpu_parser.py** using the following command: + ```bash wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py ``` From 88dfd49ccae54e3fe2e2fd28204e3abfda98555d Mon Sep 17 00:00:00 2001 From: schmurky Date: Tue, 24 Nov 2020 15:37:46 +0800 Subject: [PATCH 09/13] removed pii --- .../microsoft-defender-atp/linux-support-perf.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 17e0183fc5..b8eacdcd6e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md 
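Review bot: PATCH 06 (`added link to parser`), PATCH 07 (`add link`) and PATCH 08 (`removed link`) edit the same step 3 sentence three times and net out to `download the sample Python parser **high_cpu_parser.py** using the following command:` with no link at all. Squash them into one commit so the history records a single decision, and keep the `[**high_cpu_parser.py**](https://github.com/microsoft/mdatp-xplat/blob/master/linux/diagnostic/high_cpu_parser.py)` link from PATCH 06: it is the only pointer to the script's source that a reader can inspect before running it, and the wget URL alone does not give them that.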
@@ -94,8 +94,8 @@ The following steps can be used to troubleshoot and mitigate these issues: ```Output --2020-11-14 11:27:27-- https://raw.githubusercontent.com/microsoft.mdatp-xplat/master/linus/diagnostic/high_cpu_parser.py - Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.196.133 - Connecting to raw.githubusercontent.com (raw.githubusercontent.com)| 151.101.196.133| :443... connected. + Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.xxx.xxx + Connecting to raw.githubusercontent.com (raw.githubusercontent.com)| 151.101.xxx.xxx| :443... connected. HTTP request sent, awaiting response... 200 OK Length: 1020 [text/plain] Saving to: 'high_cpu_parser.py' From 1432a9f501442e76608446f05e082c66aff6c028 Mon Sep 17 00:00:00 2001 From: schmurky Date: Tue, 24 Nov 2020 15:56:25 +0800 Subject: [PATCH 10/13] minor edits --- .../microsoft-defender-atp/linux-support-perf.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index b8eacdcd6e..9f58beceba 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md 
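Review bot: masking the resolver address as `151.101.xxx.xxx` in the `@@ -94,8 +94,8 @@` hunk is right, but the unchanged context line directly above it still reads `https://raw.githubusercontent.com/microsoft.mdatp-xplat/master/linus/diagnostic/high_cpu_parser.py`, which is not the URL the `wget` command in step 3 fetches (`microsoft/mdatp-xplat/master/linux/...`). A reader comparing their terminal to the sample will see a mismatch; fix the sample URL in this commit, which already edits the same block, or replace the hand-typed transcript with real output from the documented command.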
@@ -85,12 +85,12 @@ The following steps can be used to troubleshoot and mitigate these issues: The output of this command will show all processes and their associated scan activity. -3. On your Linux system, download the sample Python parser **high_cpu_parser.py** using the following command: +3. On your Linux system, download the sample Python parser **high_cpu_parser.py** using the command: ```bash wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py ``` - The output of this command should be something similar to: + The output of this command should be similar to the following: ```Output --2020-11-14 11:27:27-- https://raw.githubusercontent.com/microsoft.mdatp-xplat/master/linus/diagnostic/high_cpu_parser.py From 9bff12a18bed12a9274e378d8111ef966888bbd1 Mon Sep 17 00:00:00 2001 From: schmurky Date: Fri, 27 Nov 2020 15:31:10 +0800 Subject: [PATCH 11/13] Update with sample --- .../linux-support-perf.md | 26 ++++++++++++++++--- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 9f58beceba..c2520ac1b7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md 
@@ -113,11 +113,29 @@ The following steps can be used to troubleshoot and mitigate these issues: The output of the above command displays all the processes and their associated scan activity. To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). - - - > [!NOTE] - > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. + The output is list of the top contributors to the performance issues. The 1st column is the process identifier (PID), the 2nd column is te process name, and the last column is the number of scanned files, sorted by impact. + + For example, the output of the command will be something like the below: + + ```Output + mavel@mavel-mac:/Users/mavel > python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json | head -n 10 + 27432 None 76703 + 73467 actool     1249 + 73914 xcodebuild 1081 + 73873 bash 1050 + 27475 None 836 + 1    launchd    407 + 73468 ibtool     344 + 549  telemetryd_v1   325 + 4764 None 228 + 125  CrashPlanService 164 + ``` +  + + +>[!NOTE] +> The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. 5. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. 
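Review bot: the sample output added in the `@@ -113,11 +113,29 @@` hunk is a macOS capture (`mavel@mavel-mac:/Users/mavel`, `actool`, `xcodebuild`, `launchd`, `ibtool`) in an article about Linux, it reads `output.json` while step 2 wrote `real_time_protection.json`, and the redirect `<~Downloads/output.json` is missing the `/` after `~`; replace it with output taken on a Linux host with the exact command from step 4 so process names and file names match what the reader will see, and do not ship a personal username in the prompt. The new description also needs fixes: `The output is list of` is missing `a`, `te process name` should be `the process name`, and `None` appears as the process name for PIDs 27432, 27475 and 4764 with no explanation of how to treat such entries. The columns are padded with non-breaking spaces (for example `73467 actool     1249` and the whitespace-only line after the closing fence); use ordinary spaces so the block copies cleanly. Lastly the `>[!NOTE]` block has been moved out of the numbered list, so it will render as a top-level callout between steps 4 and 5 rather than as part of step 4.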
From a86bdcca8dda061766281db5f04efe271a66dc6b Mon Sep 17 00:00:00 2001 From: schmurky Date: Tue, 1 Dec 2020 19:58:59 +0800 Subject: [PATCH 12/13] remove alias --- .../microsoft-defender-atp/linux-support-perf.md | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index c2520ac1b7..2281e692f9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md 
@@ -110,16 +110,12 @@ The following steps can be used to troubleshoot and mitigate these issues: cat real_time_protection.json | python high_cpu_parser.py > real_time_protection.log ``` - The output of the above command displays all the processes and their associated scan activity. - - To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). - - The output is list of the top contributors to the performance issues. The 1st column is the process identifier (PID), the 2nd column is te process name, and the last column is the number of scanned files, sorted by impact. + The output of the above is a list of the top contributors to performance issues. The first column is the process identifier (PID), the second column is te process name, and the last column is the number of scanned files, sorted by impact. For example, the output of the command will be something like the below: ```Output - mavel@mavel-mac:/Users/mavel > python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json | head -n 10 + ... > python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json | head -n 10 27432 None 76703 73467 actool     1249 73914 xcodebuild 1081 
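Review bot: the `@@ -110,16 +110,12 @@` hunk rewrites the column description but keeps the typo `te process name`, and its example command line still redirects from `<~Downloads/output.json` (missing `/` after `~`, and a different file name from the `real_time_protection.json` produced in step 2). Replacing the prompt with `... >` removes the alias, but the rest of the transcript is still macOS output with Xcode process names; if a Linux capture is not available, say the sample was taken on another platform so readers do not expect `launchd` or `xcodebuild` on their hosts.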
@@ -131,11 +127,11 @@ The following steps can be used to troubleshoot and mitigate these issues: 4764 None 228 125  CrashPlanService 164 ``` -  - +   + To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). ->[!NOTE] -> The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. + >[!NOTE] + > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. 5. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. From e15a00e7e5a328e635cc204396a9373abfbc0d93 Mon Sep 17 00:00:00 2001 From: schmurky Date: Tue, 1 Dec 2020 20:02:54 +0800 Subject: [PATCH 13/13] removed indent --- .../microsoft-defender-atp/linux-support-perf.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 2281e692f9..e6585fc97f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md 
@@ -128,7 +128,7 @@ The following steps can be used to troubleshoot and mitigate these issues: 125  CrashPlanService 164 ```   - To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). + To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). >[!NOTE] > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted.
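Review bot: the `@@ -128,7 +128,7 @@` hunk only changes the indentation of the `To improve the performance of Defender for Endpoint for Linux ...` sentence, but that sentence still tells the reader to locate "the one with the highest number under the `Total files scanned` row", and the parser output described two paragraphs earlier is three unlabeled columns (PID, process name, number of scanned files) sorted by impact, so there is no such row. Reword it to match the real output, for example "take the top rows of the parser output, which have the highest scanned-file counts, and add exclusions for those processes", and delete the whitespace-only line of non-breaking spaces between the closing fence and this paragraph, which the PATCH 12 hunk at `@@ -131,11 +127,11 @@` left in place.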