diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 55a4737d3b..f5d0413d28 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -298,6 +298,7 @@ ##### [Set preferences](microsoft-defender-atp/linux-preferences.md) ##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/linux-pua.md) ##### [Schedule scans with Microsoft Defender ATP for Linux](microsoft-defender-atp/linux-schedule-scan-atp.md) +##### [Schedule an update of the Microsoft Defender for Endpoint (Linux)](microsoft-defender-atp/linux-update-MDE-Linux.md) #### [Troubleshoot]() ##### [Troubleshoot installation issues](microsoft-defender-atp/linux-support-install.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/update-MDE-linux-4634577.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/update-MDE-linux-4634577.jpg new file mode 100644 index 0000000000..b39cfc8f6d Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/update-MDE-linux-4634577.jpg differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-update-MDE-Linux.md b/windows/security/threat-protection/microsoft-defender-atp/linux-update-MDE-Linux.md new file mode 100644 index 0000000000..dde0bd8f3a --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-update-MDE-Linux.md @@ -0,0 +1,182 @@ +--- +title: How to schedule an update of the Microsoft Defender for Endpoint (Linux) +description: Learn how to schedule an update of the Microsoft Defender for Endpoint (Linux) to better protect your organization's assets. +keywords: microsoft, defender, atp, linux, scans, antivirus, microsoft defender for endpoint (linux) +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Schedule an update of the Microsoft Defender for Endpoint (Linux) + +To run an update on Microsoft Defender for Endpoint for Linux, see [Deploy updates for Microsoft Defender for Endpoint for Linux](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-updates). + +Linux (and Unix) have a tool called **crontab** (similar to Task Scheduler) to be able to run scheduled tasks. + +## Pre-requisite + +> [!NOTE] +> To get a list of all the time zones, run the following command: +> `timedatectl list-timezones`
+> Examples for timezones:
+> - `America/Los_Angeles` +> - `America/New_York` +> - `America/Chicago` +> - `America/Denver` + +## To set the Cron job +Use the following commands: + +**To backup crontab entries** + +`sudo crontab -l > /var/tmp/cron_backup_201118.dat` + +> [!NOTE] +> Where 201118 == YYMMDD + +> [!TIP] +> Do this before you edit or remove.
+ +To edit the crontab, and add a new job as a root user:
+`sudo crontab -e` + +> [!NOTE] +> The default editor is VIM. + +You might see: + +0****/etc/opt/microsoft/mdatp/logrorate.sh + +And + +02**sat /bin/mdatp scan quick>~/mdatp_cron_job.log + +See [Schedule scans with Microsoft Defender for Endpoint (Linux)](linux-schedule-scan-atp.md) + +Press “Insert” + +Add the following entries: + +CRON_TZ=America/Los_Angeles + +> #!RHEL and variants (CentOS and Oracle Linux) + +`06**sun[$(date +\%d) -le 15] sudo yum update mdatp>>~/mdatp_cron_job.log` + +> #!SLES and variants + +`06**sun[$(date +\%d) -le 15] sudo zypper update mdatp>>~/mdatp_cron_job.log` + +> #!Ubuntu and Debian systems + +`06**sun [$(date +\%d) -le 15] sudo apt-get install --only-upgrade mdatp>>~/mdatp_cron_job.log` + +> [!NOTE] +> In the examples above, we are setting it to 00 minutes, 6 a.m.(hour in 24 hour format), any day of the month, any month, on Sundays.[$(date +\%d) -le 15] == Won’t run unless it’s equal or less than the 15th day (3rd week). Meaning it will run every 3rd Sundays(7) of the month at 6:00 a.m. Pacific (UTC -8). + +Press “Esc” + +Type “:wq” w/o the double quotes. + +> [!NOTE] +> w == write, q == quit + +To view your cron jobs, type `sudo crontab -l` + +:::image type="content" source="images/update-MDE-linux-4634577.jpg" alt-text="update MDE linux"::: + +To inspect cron job runs: +`sudo grep mdatp /var/log/cron` + +To inspect the mdatp_cron_job.log +`sudo nano mdatp_cron_job.log` + +## For those who use Ansible, Chef, or Puppet + +Use the following commands: +### To set cron jobs in Ansible + +`cron – Manage cron.d and crontab entries` + +See [https://docs.ansible.com/ansible/latest/modules/cron_module.html](https://docs.ansible.com/ansible/latest/modules/cron_module.html) for more information. + +### To set crontabs in Chef +`cron resource` + +See [https://docs.chef.io/resources/cron/](https://docs.chef.io/resources/cron/) for more information. + +### To set cron jobs in Puppet +Resource Type: cron + +See [https://puppet.com/docs/puppet/5.5/types/cron.html](https://puppet.com/docs/puppet/5.5/types/cron.html) for more information. + +Automating with Puppet: Cron jobs and scheduled tasks + +See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/) for more information. + +## Additional information + +**To get help with crontab** + +`man crontab` + +**To get a list of crontab file of the current user** + +`crontab -l` + +**To get a list of crontab file of another user** + +`crontab -u username -l` + +**To backup crontab entries** + +`crontab -l > /var/tmp/cron_backup.dat` + +> [!TIP] +> Do this before you edit or remove.
+ +**To restore crontab entries** + +`crontab /var/tmp/cron_backup.dat` + +**To edit the crontab and add a new job as a root user** + +`sudo crontab -e` + +**To edit the crontab and add a new job** + +`crontab -e` + +**To edit other user’s crontab entries** + +`crontab -u username -e` + +**To remove all crontab entries** + +`crontab -r` + +**To remove other user’s crontab entries** + +`crontab -u username -r` + +**Explanation** + +
++—————- minute (values: 0 – 59) (special characters: , – * /)  

+| +————- hour (values: 0 – 23) (special characters: , – * /) 

+| | +———- day of month (values: 1 – 31) (special characters: , – * / L W C)  

+| | | +——- month (values: 1 – 12) (special characters: ,- * / )  

+| | | | +—- day of week (values: 0 – 6) (Sunday=0 or 7) (special characters: , – * / L W C) 

+| | | | |*****command to be executed
+
+ diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md index 691d1f29c5..354a099a61 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md @@ -1,6 +1,6 @@ --- title: Take response actions on a file in Microsoft Defender ATP -description: Take response actions on file related alerts by stopping and quarantining a file or blocking a file and checking activity details. +description: Take response actions on file-related alerts by stopping and quarantining a file or blocking a file and checking activity details. keywords: respond, stop and quarantine, block file, deep analysis search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -133,6 +133,9 @@ You can roll back and remove a file from quarantine if you’ve determined that > > Defender for Endpoint will restore all custom blocked files that were quarantined on this device in the last 30 days. +> [!Important] +> A file that was quarantined as a potential network threat might not be recoverable. If a user attempts to restore the file after quarantine, that file might not be accessible. This can be due to the system no longer having network credentials to access the file. Typically, this is a result of a temporary log on to a system or shared folder and the access tokens expired. + ## Add indicator to block or allow a file You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on devices in your organization. @@ -213,6 +216,7 @@ The Deep analysis summary includes a list of observed *behaviors*, some of which Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts. Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available within the **Deep analysis** tab, on the file's profile page. +
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4aAYy?rel=0] @@ -240,7 +244,8 @@ When the sample is collected, Defender for Endpoint runs the file in is a secure ![You can only submit PE files in the file details section](images/submit-file.png) ->**Note**  Only PE files are supported, including _.exe_ and _.dll_ files + > [!NOTE] + > Only PE files are supported, including _.exe_ and _.dll_ files. A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done.