Merge branch 'master' into tvm-updates

Beth Levin 2020-08-12 11:02:47 -07:00
commit d04571e089
27 changed files with 372 additions and 160 deletions

@ -51,7 +51,7 @@ Supported operation is Get.
<a href="" id="detections-threatid-severity"></a>**Detections/*ThreatId*/Severity**
Threat severity ID.
The data type is a integer.
The data type is integer.
The following list shows the supported values:
@ -66,7 +66,7 @@ Supported operation is Get.
<a href="" id="detections-threatid-category"></a>**Detections/*ThreatId*/Category**
Threat category ID.
The data type is a integer.
The data type is integer.
The following table describes the supported values:
@ -128,7 +128,7 @@ Supported operation is Get.
<a href="" id="detections-threatid-currentstatus"></a>**Detections/*ThreatId*/CurrentStatus**
Information about the current status of the threat.
The data type is a integer.
The data type is integer.
The following list shows the supported values:
@ -149,7 +149,7 @@ Supported operation is Get.
<a href="" id="detections-threatid-executionstatus"></a>**Detections/*ThreatId*/ExecutionStatus**
Information about the execution status of the threat.
The data type is a integer.
The data type is integer.
Supported operation is Get.
@ -170,7 +170,7 @@ Supported operation is Get.
<a href="" id="detections-threatid-numberofdetections"></a>**Detections/*ThreatId*/NumberOfDetections**
Number of times this threat has been detected on a particular client.
The data type is a integer.
The data type is integer.
Supported operation is Get.
@ -182,7 +182,7 @@ Supported operation is Get.
<a href="" id="health-productstatus"></a>**Health/ProductStatus**
Added in Windows 10, version 1809. Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list.
Data type is integer. Supported operation is Get.
The data type is integer. Supported operation is Get.
Supported product status values:
- No status = 0
@ -233,7 +233,7 @@ Example:
<a href="" id="health-computerstate"></a>**Health/ComputerState**
Provide the current state of the device.
The data type is a integer.
The data type is integer.
The following list shows the supported values:
@ -394,7 +394,7 @@ When enabled or disabled exists on the client and admin moves the setting to not
Enables or disables file hash computation feature.
When this feature is enabled Windows defender will compute hashes for files it scans.
The data type is a integer.
The data type is integer.
Supported operations are Add, Delete, Get, Replace.
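Review bot: the unchanged context line "When this feature is enabled Windows defender will compute hashes for files it scans." needs a comma after "enabled" and the product name used elsewhere in this file ("Microsoft Defender Antivirus", as in the SupportLogLocation description below); since this commit already normalizes the wording of this node, fix it in the same pass.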
@ -403,7 +403,7 @@ Valid values are:
- 0 (default) Disable.
<a href="" id="configuration-supportloglocation"></a>**Configuration/SupportLogLocation**
The support log location setting allows the administrator to specify where the Microsoft Defender Antivirus diagnostic data collection tool (MpCmdRun.exe) will save the resulting log files. This setting is configured with an MDM solution, such as Intune, and is available for Windows 10 Enterprise.
The support log location setting allows the administrator to specify where the Microsoft Defender Antivirus diagnostic data collection tool (**MpCmdRun.exe**) will save the resulting log files. This setting is configured with an MDM solution, such as Intune, and is available for Windows 10 Enterprise.
Data type is string.
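Review bot: "Data type is string." on the last line of this hunk still uses the short form that this commit replaces everywhere else with "The data type is integer."; change it to "The data type is string." so the new SupportLogLocation node reads like its siblings.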

@ -1,6 +1,6 @@
---
title: Defender DDF file
description: See how the the OMA DM device description framework (DDF) for the **Defender** configuration service provider is used.
description: See how the OMA DM device description framework (DDF) for the **Defender** configuration service provider is used.
ms.assetid: 39B9E6CF-4857-4199-B3C3-EC740A439F65
ms.reviewer:
manager: dansimp
@ -10,7 +10,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
ms.date: 10/21/2019
ms.date: 08/11/2020
---
# Defender DDF file
@ -45,7 +45,7 @@ The XML below is the current version for this CSP.
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.2/MDM/Defender</MIME>
<MIME>com.microsoft/1.3/MDM/Defender</MIME>
</DFType>
</DFProperties>
<Node>
@ -734,6 +734,29 @@ The XML below is the current version for this CSP.
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SupportLogLocation</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Scan</NodeName>
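Review bot: the new SupportLogLocation node declares Get/Replace/Add/Delete access, a `chr` format and Dynamic scope, but neither this DDF fragment nor the CSP description earlier in the commit says which Windows release introduced the setting; the Health/ProductStatus node in the CSP topic opens with "Added in Windows 10, version 1809", so the SupportLogLocation description should carry an equivalent "Added in ..." sentence, and the MIME version bump from 1.2 to 1.3 in the previous hunk should be mentioned next to it so readers can tell which DDF version first ships the node.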

@ -7,7 +7,6 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
@ -23,13 +22,11 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
**Use Microsoft Intune to configure scanning options**
## Use Microsoft Intune to configure scanning options
See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details.
<a id="ref1"></a>
## Use Microsoft Endpoint Configuration Manager to configure scanning options:
## Use Microsoft Endpoint Configuration Manager to configure scanning options
See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
@ -70,6 +67,8 @@ See [Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell
For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx).
<a id="ref1"></a>
## Email scanning limitations
Email scanning enables scanning of email files used by Outlook and other mail clients during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated:
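Review bot: the `<a id="ref1"></a>` anchor removed from above the Configuration Manager heading in the previous hunk is re-added here above "Email scanning limitations", so any existing inbound link to `#ref1` on this page now lands on a different section; check the docs set for links ending in `#ref1` that target this page and confirm they mean the email scanning section, otherwise keep the original anchor where it was and give this section a new id.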

@ -7,7 +7,6 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
@ -20,7 +19,8 @@ manager: dansimp
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Windows Server 2016
- Windows Server 2019
Microsoft Defender Antivirus is available on Windows Server 2016 and Windows Server 2019. In some instances, Microsoft Defender Antivirus is referred to as Endpoint Protection; however, the protection engine is the same.

@ -7,11 +7,10 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 09/03/2018
ms.date: 08/12/2020
ms.reviewer:
manager: dansimp
ms.custom: nextgen
@ -62,7 +61,8 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht
5. Expand the tree to **Windows components > Microsoft Defender Antivirus > MpEngine**.
6. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
- **Default Microsoft Defender Antivirus blocking level** provides strong detection without increasing the risk of detecting legitimate files.
- **Default blocking level** provides strong detection without increasing the risk of detecting legitimate files.
- **Moderate blocking level** provides moderate only for high confidence detections
- **High blocking level** applies a strong level of detection while optimizing client performance (greater chance of false positives).
- **High + blocking level** applies additional protection measures (may impact client performance and increase risk of false positives).
- **Zero tolerance blocking level** blocks all unknown executables.
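Review bot: the context line "**Moderate blocking level** provides moderate only for high confidence detections" is an incomplete sentence and the only item in the list without a terminating period; since this hunk already rewrites the neighbouring "Default blocking level" item, fix the Moderate item in the same change so the five levels read as parallel descriptions.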

@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 06/02/2020
ms.date: 08/12/2020
ms.reviewer:
manager: dansimp
ms.custom: asr
@ -45,9 +45,9 @@ Depending on your organization's settings, employees can copy and paste images (
To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device.
### Why arent employees able to see their Extensions in the Application Guard Edge session?
### Are extensions supported in the Application Guard?
Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this.
Extension installs in the container are supported from Microsoft Edge version 81. For more details, see [Extension support inside the container](https://docs.microsoft.com/deployedge/microsoft-edge-security-windows-defender-application-guard#extension-support-inside-the-container).
### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)?
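Review bot: the new heading "Are extensions supported in the Application Guard?" reads oddly with the article; the rest of the page, including the next heading in this hunk, says "Application Guard" or "Microsoft Defender Application Guard" without "the", so use "Are extensions supported in Application Guard?".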
@ -119,8 +119,8 @@ For guidance on how to create a firewall rule by using group policy, see:
- [Open Group Policy management console for Microsoft Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security)
First rule (DHCP Server):
1. Program path: %SystemRoot%\System32\svchost.exe
2. Local Service: Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))
1. Program path: `%SystemRoot%\System32\svchost.exe`
2. Local Service: Sid: `S-1-5-80-2009329905-444645132-2728249442-922493431-93864177` (Internet Connection Service (SharedAccess))
3. Protocol UDP
4. Port 67
@ -148,14 +148,14 @@ This is a two step process.
Step 1:
Enable Internet Connection sharing by changing the Group Policy setting “Prohibit use of Internet Connection Sharing on your DNS domain network” which is part of the MS Security baseline from Enabled to Disabled.
Enable Internet Connection sharing by changing the Group Policy setting **Prohibit use of Internet Connection Sharing on your DNS domain network.** This setting is part of the Microsoft security baseline. Change it from Enabled to Disabled.
Step 2:
1. Disable IpNat.sys from ICS load
System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1
2. Configure ICS (SharedAccess) to enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3
3. Disabling IPNAT (Optional)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4
4. Reboot.
1. Disable IpNat.sys from ICS load:
`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`.
2. Configure ICS (SharedAccess) to enabled:
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3`.
3. Disable IPNAT (Optional):
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`.
4. Restart the device.
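Review bot: Step 2 item 1 gives the key as `System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat` without the `HKEY_LOCAL_MACHINE\` hive prefix, while items 2 and 3 spell the full path out; all three are edits under the same `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services` subtree, so write item 1 the same way so that a reader pasting the path into reg.exe or PowerShell gets a complete key.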

@ -101,6 +101,75 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa
> If you don't set a value, the default value is to enable sample collection.
## Other recommended configuration settings
### Update endpoint protection configuration
After configuring the onboarding script, continue editing the same group policy to add endpoint protection configurations. Perform group policy edits from a system running Windows 10 or Server 2019 to ensure you have all of the required Microsoft Defender Antivirus capabilities. You may need to close and reopen the group policy object to register the Defender ATP configuration settings.
All policies are located under `Computer Configuration\Policies\Administrative Templates`.
**Policy location:** \Windows Components\Windows Defender ATP
Policy | Setting
:---|:---
Enable\Disable Sample collection| Enabled - "Enable sample collection on machines" checked
**Policy location:** \Windows Components\Windows Defender Antivirus
Policy | Setting
:---|:---
Configure detection for potentially unwanted applications | Enabled, Block
**Policy location:** \Windows Components\Windows Defender Antivirus\MAPS
Policy | Setting
:---|:---
Join Microsoft MAPS | Enabled, Advanced MAPS
Send file samples when further analysis is required | Enabled, Send safe samples
**Policy location:** \Windows Components\Windows Defender Antivirus\Real-time Protection
Policy | Setting
:---|:---
Turn off real-time protection|Disabled
Turn on behavior monitoring|Enabled
Scan all downloaded files and attachments|Enabled
Monitor file and program activity on your computer|Enabled
**Policy location:** \Windows Components\Windows Defender Antivirus\Scan
These settings configure periodic scans of the endpoint. We recommend performing a weekly quick scan, performance permitting.
Policy | Setting
:---|:---
Check for the latest virus and spyware security intelligence before running a scheduled scan |Enabled
**Policy location:** \Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction
Get the current list of attack surface reduction GUIDs from [Customize attack surface reduction rules](customize-attack-surface-reduction.md)
1. Open the **Configure Attack Surface Reduction** policy.
2. Select **Enabled**.
3. Select the **Show…** button.
4. Add each GUID in the **Value Name** field with a Value of 2.
This will set each up for audit only.
![Image of attack surface reduction configuration](images/asr-guid.png)
Policy | Setting
:---|:---
Configure Controlled folder access| Enabled, Audit Mode
## Offboard devices using Group Policy
For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
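Review bot: the Scan section says "We recommend performing a weekly quick scan, performance permitting", but the table under it lists only the check-for-security-intelligence-before-scan policy and not the scan type or schedule settings that would actually configure that weekly quick scan; either add those rows or reword the sentence. Minor: "Perform group policy edits from a system running Windows 10 or Server 2019" should say "Windows Server 2019", and the sentence "Get the current list of attack surface reduction GUIDs from [...]" is missing its period.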

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/06/2018
---
# Onboard Windows 10 devices using Mobile Device Management tools
@ -51,6 +50,8 @@ For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedTh
>[!TIP]
> After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md).
## Offboard and monitor devices using Mobile Device Management tools
For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.

@ -28,17 +28,24 @@ ms.date: 02/07/2020
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink)
<span id="sccm1606"/>
## Supported client operating systems
## Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager current branch
Based on the version of Configuration Manager you're running, the following client operating systems can be onboarded:
Configuration Manager current branch has integrated support to configure and manage Microsoft Defender ATP on managed devices. For more information, see [Microsoft Defender Advanced Threat Protection in Microsoft Endpoint Configuration Manager current branch](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection).
#### Configuration Manager version 1910 and prior
<span id="sccm1602"/>
- Clients computers running Windows 10, version 1607 and later
## Onboard Windows 10 devices using earlier versions of System Center Configuration Manager
#### Configuration Manager version 2002 and later
You can use existing Configuration Manager functionality to create a policy to configure your devices. This action is supported in System Center 2012 R2 Configuration Manager.
Starting in Configuration Manager version 2002, you can onboard the following operating systems:
- Windows 8.1
- Windows 10, version 1607 or later
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2016, version 1803 or later
- Windows Server 2019
### Onboard devices using System Center Configuration Manager
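Review bot: "Clients computers running Windows 10, version 1607 and later" should be "Client computers", and "Windows Server 2016, version 1803 or later" is not a product name; the server-onboarding page touched later in this commit calls it "Windows Server (SAC) version 1803", so use that wording here so the two lists agree. The two new `####` headings also sit directly under an `##` heading, skipping the `###` level that "Onboard devices using System Center Configuration Manager" uses right below.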
@ -50,7 +57,7 @@ You can use existing Configuration Manager functionality to create a policy to c
c. In the **Deployment method** field, select **System Center Configuration Manager 2012/2012 R2/1511/1602**.
d. Click **Download package**, and save the .zip file.
d. Select **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
@ -75,7 +82,11 @@ For more information, see [Configure Detection Methods in System Center 2012 R2
For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.
You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on a device.
>[!NOTE]
>These configuration settings are typically done through Configuration Manager.
You can set a compliance rule for configuration item in Configuration Manager to change the sample share setting on a device.
This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted devices to make sure theyre complaint.
The configuration is set through the following registry key entry:
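Review bot: the context line "to make sure theyre complaint" carries two errors from the original: "theyre" has lost its apostrophe (the same drop affects "doesnt" in the next hunk) and "complaint" should be "compliant"; fix both while this paragraph is being edited.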
@ -93,13 +104,49 @@ Possible values are:
The default value in case the registry key doesnt exist is 1.
For more information about System Center Configuration Manager Compliance see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg682139\(v=technet.10\)).
For more information about System Center Configuration Manager Compliance, see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg682139\(v=technet.10\)).
## Other recommended configuration settings
After onboarding devices to the service, it's important to take advantage of the included threat protection capabilities by enabling them with the following recommended configuration settings.
### Device collection configuration
If you're using Endpoint Configuration Manager, version 2002 or later, you can choose to broaden the deployment to include servers or down-level clients.
### Next generation protection configuration
The following configuration settings are recommended:
**Scan** <br>
- Scan removable storage devices such as USB drives: Yes
**Real-time Protection** <br>
- Enable Behavioral Monitoring: Yes
- Enable protection against Potentially Unwanted Applications at download and prior to installation: Yes
**Cloud Protection Service**
- Cloud Protection Service membership type: Advanced membership
**Attack surface reduction**
Configure all available rules to Audit.
>[!NOTE]
> Blocking these activities may interrupt legitimate business processes. The best approach is setting everything to audit, identifying which ones are safe to turn on, and then enabling those settings on endpoints which do not have false positive detections.
**Network protection** <br>
Prior to enabling network protection in audit or block mode, ensure that you've installed the antimalware platform update, which can be obtained from the [support page](https://support.microsoft.com/en-us/help/4560203/windows-defender-anti-malware-platform-binaries-are-missing).
**Controlled folder access**<br>
Enable the feature in audit mode for at least 30 days. After this period, review detections and create a list of applications that are allowed to write to protected directories.
For more information, see [Evaluate controlled folder access](evaluate-controlled-folder-access.md).
## Offboard devices using Configuration Manager
For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package, you will be notified of the packages expiry date and it will also be included in the package name.
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.
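Review bot: the new "Next generation protection configuration" section puts a trailing `<br>` after **Scan**, **Real-time Protection**, **Network protection** and **Controlled folder access** but not after **Cloud Protection Service** or **Attack surface reduction**; pick one form (a blank line after each bold label renders the same and needs no HTML). In the offboarding paragraph "the packages expiry date" needs an apostrophe ("package's"), "doesnt" in the context line near the top of the hunk needs one too, and the network protection support link hardcodes the `/en-us/` locale segment that the other docs links on this page omit.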
@ -118,7 +165,7 @@ If you use Microsoft Endpoint Configuration Manager current branch, see [Create
c. In the **Deployment method** field, select **System Center Configuration Manager 2012/2012 R2/1511/1602**.
d. Click **Download package**, and save the .zip file.
d. Select **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
@ -144,13 +191,13 @@ If you're using System Center 2012 R2 Configuration Manager, monitoring consists
1. In the Configuration Manager console, click **Monitoring** at the bottom of the navigation pane.
2. Click **Overview** and then **Deployments**.
2. Select **Overview** and then **Deployments**.
3. Click on the deployment with the package name.
3. Select on the deployment with the package name.
4. Review the status indicators under **Completion Statistics** and **Content Status**.
If there are failed deployments (devices with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the devices. For more information see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md).
If there are failed deployments (devices with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the devices. For more information, see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md).
![Configuration Manager showing successful deployment with no errors](images/sccm-deployment.png)
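Review bot: "Select on the deployment with the package name" is a mechanical Click-to-Select replacement that left a dangling "on"; it should read "Select the deployment with the package name". The rewritten sentence "For more information, see, [Troubleshoot ...]" also picked up a stray comma after "see".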

@ -140,8 +140,8 @@ You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windo
- [Local script](configure-endpoints-script.md)
- [Group Policy](configure-endpoints-gp.md)
- [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md#onboard-windows-10-devices-using-microsoft-endpoint-configuration-manager-current-branch)
- [System Center Configuration Manager 2012 / 2012 R2 1511 / 1602](configure-endpoints-sccm.md#onboard-windows-10-devices-using-earlier-versions-of-system-center-configuration-manager)
- [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
- [System Center Configuration Manager 2012 / 2012 R2 1511 / 1602](configure-endpoints-sccm.md#onboard-devices-using-system-center-configuration-manager)
- [VDI onboarding scripts for non-persistent devices](configure-endpoints-vdi.md)
> [!NOTE]
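Review bot: the first link now points at `configure-endpoints-sccm.md` with no fragment, so readers land at the top of that page rather than on a Configuration Manager current branch section; that matches the earlier hunk that appears to drop the "Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager current branch" heading, but the link text still promises that section, so either change the text or point it at the new "Supported client operating systems" heading. The second fragment, `#onboard-devices-using-system-center-configuration-manager`, does match the surviving `### Onboard devices using System Center Configuration Manager` heading.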

@ -33,6 +33,10 @@ Custom detection rules built from [Advanced hunting](advanced-hunting-overview.m
In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results.
>[!IMPORTANT]
>To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity.
#### Required columns in the query results
To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
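Review bot: the context line "When using an new query, run the query to identify errors" should read "a new query"; since this hunk adds the IMPORTANT note directly beneath it, fix the typo in the same change.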

@ -64,7 +64,7 @@ For more information on how to configure exclusions from Puppet, Ansible, or ano
Run the following command to see the available switches for managing exclusions:
```bash
$ mdatp exclusion
mdatp exclusion
```
Examples:
@ -72,28 +72,36 @@ Examples:
- Add an exclusion for a file extension:
```bash
$ mdatp exclusion extension add --name .txt
mdatp exclusion extension add --name .txt
```
```Output
Extension exclusion configured successfully
```
- Add an exclusion for a file:
```bash
$ mdatp exclusion file add --path /var/log/dummy.log
mdatp exclusion file add --path /var/log/dummy.log
```
```Output
File exclusion configured successfully
```
- Add an exclusion for a folder:
```bash
$ mdatp exclusion folder add --path /var/log/
mdatp exclusion folder add --path /var/log/
```
```Output
Folder exclusion configured successfully
```
- Add an exclusion for a process:
```bash
$ mdatp exclusion process add --name cat
mdatp exclusion process add --name cat
```
```Output
Process exclusion configured successfully
```
@ -104,7 +112,7 @@ You can validate that your exclusion lists are working by using `curl` to downlo
In the following Bash snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure that you run the command within that path.
```bash
$ curl -o test.txt https://www.eicar.org/download/eicar.com.txt
curl -o test.txt https://www.eicar.org/download/eicar.com.txt
```
If Microsoft Defender ATP for Linux reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
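Review bot: the validation text treats "no malware report and the downloaded file exists" as proof that the exclusion works, but as written a failed download would also pass that test, because curl saves an HTTP error response body to `test.txt` just the same; suggest `curl --fail -o test.txt https://www.eicar.org/download/eicar.com.txt` so a non-success response leaves no file, and keep the last sentence's advice to compare the file contents with the EICAR string as the deciding check.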

@ -71,7 +71,7 @@ In order to preview new features and provide early feedback, it is recommended t
sudo rpm --import http://packages.microsoft.com/keys/microsoft.asc
```
- Install `yum-utils` if it is not already installed:
- Install `yum-utils` if it isn't installed yet:
```bash
sudo yum install yum-utils
@ -107,13 +107,13 @@ In order to preview new features and provide early feedback, it is recommended t
### Ubuntu and Debian systems
- Install `curl` if it is not already installed:
- Install `curl` if it isn't installed yet:
```bash
sudo apt-get install curl
```
- Install `libplist-utils` if it is not already installed:
- Install `libplist-utils` if it isn't installed yet:
```bash
sudo apt-get install libplist-utils
@ -177,14 +177,17 @@ In order to preview new features and provide early feedback, it is recommended t
```bash
# list all repositories
$ yum repolist
yum repolist
```
```Output
...
packages-microsoft-com-prod packages-microsoft-com-prod 316
packages-microsoft-com-prod-insiders-fast packages-microsoft-com-prod-ins 2
...
```
```bash
# install the package from the production repository
$ sudo yum --enablerepo=packages-microsoft-com-prod install mdatp
sudo yum --enablerepo=packages-microsoft-com-prod install mdatp
```
- SLES and variants:
@ -196,16 +199,18 @@ In order to preview new features and provide early feedback, it is recommended t
If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.
```bash
# list all repositories
$ zypper repos
zypper repos
```
```Output
...
# | Alias | Name | ...
XX | packages-microsoft-com-insiders-fast | microsoft-insiders-fast | ...
XX | packages-microsoft-com-prod | microsoft-prod | ...
...
# install the package from the production repository
$ sudo zypper install packages-microsoft-com-prod:mdatp
```
```bash
sudo zypper install packages-microsoft-com-prod:mdatp
```
- Ubuntu and Debian system:
@ -217,13 +222,14 @@ In order to preview new features and provide early feedback, it is recommended t
If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.
```bash
# list all repositories
$ cat /etc/apt/sources.list.d/*
cat /etc/apt/sources.list.d/*
```
```Output
deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/ubuntu/18.04/prod insiders-fast main
deb [arch=amd64] https://packages.microsoft.com/ubuntu/18.04/prod bionic main
# install the package from the production repository
$ sudo apt -t bionic install mdatp
```
```bash
sudo apt -t bionic install mdatp
```
## Download the onboarding package
@ -243,17 +249,19 @@ Download the onboarding package from Microsoft Defender Security Center:
ls -l
```
`total 8`
`-rw-r--r-- 1 test staff 5752 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip`
```Output
total 8
-rw-r--r-- 1 test staff 5752 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
```
```bash
unzip WindowsDefenderATPOnboardingPackage.zip
```
```Output
Archive: WindowsDefenderATPOnboardingPackage.zip
inflating: MicrosoftDefenderATPOnboardingLinuxServer.py
```
`Archive: WindowsDefenderATPOnboardingPackage.zip`
`inflating: WindowsDefenderATPOnboarding.py`
## Client configuration
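Review bot: the new output block shows the extracted script as `MicrosoftDefenderATPOnboardingLinuxServer.py` where the old text said `WindowsDefenderATPOnboarding.py`; make sure the "Client configuration" section that follows, and the Ansible deployment page touched later in this commit, invoke the script by the new name, otherwise the instructions no longer match the package contents.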

@ -24,7 +24,7 @@ ms.topic: conceptual
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
This topic describes how to deploy Microsoft Defender ATP for Linux using Ansible. A successful deployment requires the completion of all of the following tasks:
This article describes how to deploy Microsoft Defender ATP for Linux using Ansible. A successful deployment requires the completion of all of the following tasks:
- [Download the onboarding package](#download-the-onboarding-package)
- [Create Ansible YAML files](#create-ansible-yaml-files)
@ -33,12 +33,12 @@ This topic describes how to deploy Microsoft Defender ATP for Linux using Ansibl
## Prerequisites and system requirements
Before you get started, please see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
Before you get started, see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
In addition, for Ansible deployment, you need to be familiar with Ansible administration tasks, have Ansible configured, and know how to deploy playbooks and tasks. Ansible has many ways to complete the same task. These instructions assume availability of supported Ansible modules, such as *apt* and *unarchive* to help deploy the package. Your organization might use a different workflow. Please refer to the [Ansible documentation](https://docs.ansible.com/) for details.
In addition, for Ansible deployment, you need to be familiar with Ansible administration tasks, have Ansible configured, and know how to deploy playbooks and tasks. Ansible has many ways to complete the same task. These instructions assume availability of supported Ansible modules, such as *apt* and *unarchive* to help deploy the package. Your organization might use a different workflow. Refer to the [Ansible documentation](https://docs.ansible.com/) for details.
- Ansible needs to be installed on at least on one computer (we will call it the master).
- SSH must be configured for an administrator account between the master and all clients, and it is recommended be configured with public key authentication.
- Ansible needs to be installed on at least one computer (we will call it the primary computer).
- SSH must be configured for an administrator account between the primary computer and all clients, and it is recommended be configured with public key authentication.
- The following software must be installed on all clients:
- curl
- python-apt
@ -54,7 +54,7 @@ In addition, for Ansible deployment, you need to be familiar with Ansible admini
- Ping test:
```bash
$ ansible -m ping all
ansible -m ping all
```
## Download the onboarding package
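Review bot: "it is recommended be configured with public key authentication" is ungrammatical in both the old and the new wording of the SSH bullet; suggest "and it is recommended that it be configured with public key authentication". Since this hunk renames "master" to "primary computer", also check the rest of the page for remaining uses of "master" so the terminology is consistent.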
@ -70,10 +70,16 @@ Download the onboarding package from Microsoft Defender Security Center:
4. From a command prompt, verify that you have the file. Extract the contents of the archive:
```bash
$ ls -l
ls -l
```
```Output
total 8
-rw-r--r-- 1 test staff 4984 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
$ unzip WindowsDefenderATPOnboardingPackage.zip
```
```bash
unzip WindowsDefenderATPOnboardingPackage.zip
```
```Output
Archive: WindowsDefenderATPOnboardingPackage.zip
inflating: mdatp_onboard.json
```
@ -158,7 +164,9 @@ Create a subtask or role files that contribute to an playbook or task.
- For apt-based distributions use the following YAML file:
```bash
$ cat install_mdatp.yml
cat install_mdatp.yml
```
```Output
- hosts: servers
tasks:
- include: ../roles/onboarding_setup.yml
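Review bot: the contents of install_mdatp.yml are fenced as ```Output rather than ```yaml, and the same applies to uninstall_mdatp.yml, install_mdatp_yum.yml and uninstall_mdatp_yum.yml in the following hunks. These are files the reader is meant to create, not command output, so a yaml fence gives syntax highlighting and signals that intent; the leading `cat install_mdatp.yml` command could then be dropped and the file shown directly.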
@ -170,7 +178,9 @@ Create a subtask or role files that contribute to an playbook or task.
```
```bash
$ cat uninstall_mdatp.yml
cat uninstall_mdatp.yml
```
```Output
- hosts: servers
tasks:
- apt:
@ -181,7 +191,9 @@ Create a subtask or role files that contribute to an playbook or task.
- For yum-based distributions use the following YAML file:
```bash
$ cat install_mdatp_yum.yml
cat install_mdatp_yum.yml
```
```Output
- hosts: servers
tasks:
- include: ../roles/onboarding_setup.yml
@ -193,7 +205,9 @@ Create a subtask or role files that contribute to an playbook or task.
```
```bash
$ cat uninstall_mdatp_yum.yml
cat uninstall_mdatp_yum.yml
```
```Output
- hosts: servers
tasks:
- yum:
@ -208,7 +222,7 @@ Now run the tasks files under `/etc/ansible/playbooks/` or relevant directory.
- Installation:
```bash
$ ansible-playbook /etc/ansible/playbooks/install_mdatp.yml -i /etc/ansible/hosts
ansible-playbook /etc/ansible/playbooks/install_mdatp.yml -i /etc/ansible/hosts
```
> [!IMPORTANT]
@ -217,14 +231,16 @@ Now run the tasks files under `/etc/ansible/playbooks/` or relevant directory.
- Validation/configuration:
```bash
$ ansible -m shell -a 'mdatp connectivity test' all
$ ansible -m shell -a 'mdatp health' all
ansible -m shell -a 'mdatp connectivity test' all
```
```bash
ansible -m shell -a 'mdatp health' all
```
- Uninstallation:
```bash
$ ansible-playbook /etc/ansible/playbooks/uninstall_mdatp.yml -i /etc/ansible/hosts
ansible-playbook /etc/ansible/playbooks/uninstall_mdatp.yml -i /etc/ansible/hosts
```
## Log installation issues
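Review bot: the two validation commands use `-m shell` for `mdatp connectivity test` and `mdatp health`, but neither uses pipes, redirects or other shell features; `-m command` runs the binary without a shell and is what ansible-lint expects in that case. Not introduced by this hunk, but worth fixing while the block is being split into two fences.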

@ -24,7 +24,7 @@ ms.topic: conceptual
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
This topic describes how to deploy Microsoft Defender ATP for Linux using Puppet. A successful deployment requires the completion of all of the following tasks:
This article describes how to deploy Microsoft Defender ATP for Linux using Puppet. A successful deployment requires the completion of all of the following tasks:
- [Download the onboarding package](#download-the-onboarding-package)
- [Create Puppet manifest](#create-a-puppet-manifest)
@ -35,7 +35,7 @@ This topic describes how to deploy Microsoft Defender ATP for Linux using Puppet
For a description of prerequisites and system requirements for the current software version, see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md).
In addition, for Puppet deployment, you need to be familiar with Puppet administration tasks, have Puppet configured, and know how to deploy packages. Puppet has many ways to complete the same task. These instructions assume availability of supported Puppet modules, such as *apt* to help deploy the package. Your organization might use a different workflow. Please refer to the [Puppet documentation](https://puppet.com/docs) for details.
In addition, for Puppet deployment, you need to be familiar with Puppet administration tasks, have Puppet configured, and know how to deploy packages. Puppet has many ways to complete the same task. These instructions assume availability of supported Puppet modules, such as *apt* to help deploy the package. Your organization might use a different workflow. Refer to the [Puppet documentation](https://puppet.com/docs) for details.
## Download the onboarding package
@ -47,13 +47,20 @@ Download the onboarding package from Microsoft Defender Security Center:
![Microsoft Defender Security Center screenshot](images/atp-portal-onboarding-linux-2.png)
4. From a command prompt, verify that you have the file. Extract the contents of the archive:
4. From a command prompt, verify that you have the file.
```bash
$ ls -l
ls -l
```
```Output
total 8
-rw-r--r-- 1 test staff 4984 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
$ unzip WindowsDefenderATPOnboardingPackage.zip
```
5. Extract the contents of the archive.
```bash
unzip WindowsDefenderATPOnboardingPackage.zip
```
```Output
Archive: WindowsDefenderATPOnboardingPackage.zip
inflating: mdatp_onboard.json
```
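Review bot: splitting step 4 into separate "verify that you have the file" and "extract the contents" steps introduces a new step 5; check that any later step in this numbered list, and any cross-reference to step numbers on this page, was renumbered to match.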
@ -62,13 +69,19 @@ Download the onboarding package from Microsoft Defender Security Center:
You need to create a Puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by a Puppet server. This example makes use of the *apt* and *yumrepo* modules available from puppetlabs, and assumes that the modules have been installed on your Puppet server.
Create the folders *install_mdatp/files* and *install_mdatp/manifests* under the modules folder of your Puppet installation. This is typically located in */etc/puppetlabs/code/environments/production/modules* on your Puppet server. Copy the mdatp_onboard.json file created above to the *install_mdatp/files* folder. Create an *init.pp* file that contains the deployment instructions:
Create the folders *install_mdatp/files* and *install_mdatp/manifests* under the modules folder of your Puppet installation. This folder is typically located in */etc/puppetlabs/code/environments/production/modules* on your Puppet server. Copy the mdatp_onboard.json file created above to the *install_mdatp/files* folder. Create an *init.pp* file that contains the deployment instructions:
```bash
$ pwd
pwd
```
```Output
/etc/puppetlabs/code/environments/production/modules
```
$ tree install_mdatp
```bash
tree install_mdatp
```
```Output
install_mdatp
├── files
│   └── mdatp_onboard.json
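Review bot: mdatp_onboard.json carries the tenant onboarding data, and this hunk has it copied into install_mdatp/files, from where every node applying the module can fetch it. If init.pp (outside this hunk) does not already set a restrictive `mode` and `owner` on the file resource that places mdatp_onboard.json on the client, add that, and mention in the text that the module files should not be exposed more widely than the nodes being onboarded.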
@ -161,20 +174,24 @@ $version = undef
Include the above manifest in your site.pp file:
```bash
$ cat /etc/puppetlabs/code/environments/production/manifests/site.pp
cat /etc/puppetlabs/code/environments/production/manifests/site.pp
```
```Output
node "default" {
include install_mdatp
}
```
Enrolled agent devices periodically poll the Puppet Server, and install new configuration profiles and policies as soon as they are detected.
Enrolled agent devices periodically poll the Puppet Server and install new configuration profiles and policies as soon as they are detected.
## Monitor Puppet deployment
On the agent device, you can also check the onboarding status by running:
```bash
$ mdatp health
mdatp health
```
```Output
...
licensed : true
org_id : "[your organization identifier]"
@ -200,7 +217,7 @@ The above command prints `1` if the product is onboarded and functioning as expe
If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem:
- 1 if the device is not yet onboarded.
- 1 if the device isn't onboarded yet.
- 3 if the connection to the daemon cannot be established.
## Log installation issues

@ -29,7 +29,7 @@ ms.topic: conceptual
In enterprise environments, Microsoft Defender ATP for Linux can be managed through a configuration profile. This profile is deployed from the management tool of your choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise are not able to change preferences that are set through this configuration profile.
This topic describes the structure of this profile (including a recommended profile that you can use to get started) and instructions on how to deploy the profile.
This article describes the structure of this profile (including a recommended profile that you can use to get started) and instructions on how to deploy the profile.
## Configuration profile structure
@ -141,7 +141,7 @@ Used to exclude content from the scan by file extension.
**Process excluded from the scan**
Specifies a process for which all file activity is excluded from scanning. The process can be specified either by its name (e.g. `cat`) or full path (e.g. `/bin/cat`).
Specifies a process for which all file activity is excluded from scanning. The process can be specified either by its name (for example, `cat`) or full path (for example, `/bin/cat`).
|||
|:---|:---|
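Review bot: the process exclusion text says a process can be given by name (for example `cat`) or by full path, but not what the difference means for security; add the caveat that a name-only exclusion matches any executable with that basename, so an attacker can name a binary `cat` to have its file activity skipped, and recommend full-path exclusions where possible.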
@ -373,7 +373,7 @@ The following configuration profile contains entries for all settings described
The configuration profile must be a valid JSON-formatted file. There are a number of tools that can be used to verify this. For example, if you have `python` installed on your device:
```bash
$ python -m json.tool mdatp_managed.json
python -m json.tool mdatp_managed.json
```
If the JSON is well-formed, the above command outputs it back to the Terminal and returns an exit code of `0`. Otherwise, an error that describes the issue is displayed and the command returns an exit code of `1`.

@ -53,13 +53,13 @@ You can configure how PUA files are handled from the command line or from the ma
In Terminal, execute the following command to configure PUA protection:
```bash
$ mdatp threat policy set --type potentially_unwanted_application --action [off|audit|block]
mdatp threat policy set --type potentially_unwanted_application --action [off|audit|block]
```
### Use the management console to configure PUA protection:
In your enterprise, you can configure PUA protection from a management console, such as Puppet or Ansible, similarly to how other product settings are configured. For more information, see the [Threat type settings](linux-preferences.md#threat-type-settings) section of the [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md) topic.
In your enterprise, you can configure PUA protection from a management console, such as Puppet or Ansible, similarly to how other product settings are configured. For more information, see the [Threat type settings](linux-preferences.md#threat-type-settings) section of the [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md) article.
## Related topics
## Related articles
- [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md)

@ -26,28 +26,35 @@ ms.topic: conceptual
## Collect diagnostic information
If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default.
If you can reproduce a problem, first increase the logging level, run the system for some time, and then restore the logging level to the default.
1. Increase logging level:
```bash
$ mdatp log level set --level verbose
mdatp log level set --level verbose
```
```Output
Log level configured successfully
```
2. Reproduce the problem.
3. Run `sudo mdatp diagnostic create` to back up Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive. This command will also print out the file path to the backup after the operation succeeds:
3. Run the following command to back up Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive.
```bash
$ sudo mdatp diagnostic create
sudo mdatp diagnostic create
```
This command will also print out the file path to the backup after the operation succeeds:
```Output
Diagnostic file created: <path to file>
```
4. Restore logging level:
```bash
$ mdatp log level set --level info
mdatp log level set --level info
```
```Output
Log level configured successfully
```
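Review bot: step 4 restores the log level to `info` unconditionally, which assumes `info` was the level before step 1; either say so or tell the reader to record the current level before raising it. Also, the archive produced in step 3 contains logs collected at verbose level, so advise treating the .zip as sensitive and sending it only through the support channel.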
@ -59,7 +66,7 @@ The detailed log will be saved to `/var/log/microsoft/mdatp_install.log`. If you
## Uninstall
There are several ways to uninstall Microsoft Defender ATP for Linux. If you are using a configuration tool such as Puppet, please follow the package uninstallation instructions for the configuration tool.
There are several ways to uninstall Microsoft Defender ATP for Linux. If you are using a configuration tool such as Puppet, follow the package uninstallation instructions for the configuration tool.
### Manual uninstallation
@ -73,7 +80,7 @@ Important tasks, such as controlling product settings and triggering on-demand s
### Global options
By default, the command-line tool outputs the result in human-readable format. In addition to this, the tool also supports outputting the result as JSON, which is useful for automation scenarios. To change the output to JSON, pass `--output json` to any of the below commands.
By default, the command-line tool outputs the result in human-readable format. In addition, the tool also supports outputting the result as JSON, which is useful for automation scenarios. To change the output to JSON, pass `--output json` to any of the below commands.
### Supported commands
@ -138,5 +145,5 @@ In the Microsoft Defender ATP portal, you'll see two categories of information:
- In SUSE distributions, if the installation of *libatomic1* fails, you should validate that your OS is registered:
```bash
$ sudoSUSEConnect --status-text
sudoSUSEConnect --status-text
```
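Review bot: `sudoSUSEConnect --status-text` is missing the space between `sudo` and `SUSEConnect` in both the old and the new line, so the command as written fails with "command not found"; it should read `sudo SUSEConnect --status-text`.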

@ -48,7 +48,7 @@ During installation, the ```HTTPS_PROXY``` environment variable must be passed t
- The `HTTPS_PROXY` variable is prepended to the installation or uninstallation commands. For example, with the APT package manager, prepend the variable as follows when installing Microsoft Defender ATP:
```bash
$ HTTPS_PROXY="http://proxy.server:port/" apt install mdatp
HTTPS_PROXY="http://proxy.server:port/" apt install mdatp
```
> [!NOTE]
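Review bot: `HTTPS_PROXY="http://proxy.server:port/" apt install mdatp` is shown without sudo, while the install instructions elsewhere on this page use `sudo apt ... install mdatp`. A reader who puts sudo in front of the assignment (`HTTPS_PROXY=... sudo apt install mdatp`) gets the variable stripped by sudo's default env_reset, and the proxy is silently not used. Show `sudo HTTPS_PROXY="http://proxy.server:port/" apt install mdatp` (an assignment after sudo is passed through when the sudoers policy permits it) or `sudo -E`, and say why in the note that follows.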
@ -56,7 +56,7 @@ During installation, the ```HTTPS_PROXY``` environment variable must be passed t
The `HTTPS_PROXY` environment variable may similarly be defined during uninstallation.
Note that installation and uninstallation will not necessarily fail if a proxy is required but not configured. However, telemetry will not be submitted, and the operation could take significantly longer due to network timeouts.
Note that installation and uninstallation will not necessarily fail if a proxy is required but not configured. However, telemetry will not be submitted, and the operation could take much longer due to network timeouts.
## Post installation configuration
@ -73,5 +73,5 @@ After installation, the `HTTPS_PROXY` environment variable must be defined in th
After modifying the `mdatp.service` file, save and close it. Restart the service so the changes can be applied. In Ubuntu, this involves two commands:
```bash
$ systemctl daemon-reload; systemctl restart mdatp
systemctl daemon-reload; systemctl restart mdatp
```
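Review bot: `systemctl daemon-reload; systemctl restart mdatp` is shown here without sudo, whereas the same pair of commands on the connectivity troubleshooting page is `sudo systemctl daemon-reload; sudo systemctl restart mdatp`; as a non-root user the restart fails or prompts for authentication, so add sudo here for consistency.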

@ -29,7 +29,7 @@ ms.topic: conceptual
To test if Microsoft Defender ATP for Linux can communicate to the cloud with the current network settings, run a connectivity test from the command line:
```bash
$ mdatp connectivity test
mdatp connectivity test
```
If the connectivity test fails, check if the device has Internet access and if [any of the endpoints required by the product](microsoft-defender-atp-linux.md#network-connections) are blocked by a proxy or firewall.
@ -44,7 +44,7 @@ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https:
The output from this command should be similar to:
```bash
```Output
OK https://x.cp.wd.microsoft.com/api/report
OK https://cdn.x.cp.wd.microsoft.com/ping
```
@ -59,7 +59,7 @@ OK https://cdn.x.cp.wd.microsoft.com/ping
If a static proxy is required, add a proxy parameter to the above command, where `proxy_address:port` correspond to the proxy address and port:
```bash
$ curl -x http://proxy_address:port -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
curl -x http://proxy_address:port -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
```
Ensure that you use the same proxy address and port as configured in the `/lib/system/system/mdatp.service` file. Check your proxy configuration if there are errors from the above commands.
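Review bot: the path `/lib/system/system/mdatp.service` in the sentence after the curl command is wrong; the unit lives at `/lib/systemd/system/mdatp.service`, as the `systemctl status mdatp` output later on this page shows (`Loaded: loaded (/lib/systemd/system/mdatp.service; ...)`).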
@ -78,13 +78,13 @@ Also ensure that the correct static proxy address is filled in to replace `addre
If this file is correct, try running the following command in the terminal to reload Microsoft Defender ATP for Linux and propagate the setting:
```bash
$ sudo systemctl daemon-reload; sudo systemctl restart mdatp
sudo systemctl daemon-reload; sudo systemctl restart mdatp
```
Upon success, attempt another connectivity test from the command line:
```bash
$ mdatp connectivity test
mdatp connectivity test
```
If the problem persists, contact customer support.

@ -26,12 +26,15 @@ ms.topic: conceptual
## Verify if installation succeeded
An error in installation may or may not result in a meaningful error message by the package manager. To verify if the installation succeeded, one can obtain and check the installation logs using:
An error in installation may or may not result in a meaningful error message by the package manager. To verify if the installation succeeded, obtain and check the installation logs using:
```bash
$ sudo journalctl | grep 'microsoft-mdatp' > installation.log
$ grep 'postinstall end' installation.log
sudo journalctl | grep 'microsoft-mdatp' > installation.log
```
```bash
grep 'postinstall end' installation.log
```
```Output
microsoft-mdatp-installer[102243]: postinstall end [2020-03-26 07:04:43OURCE +0000] 102216
```
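Review bot: the sample output `postinstall end [2020-03-26 07:04:43OURCE +0000] 102216` looks corrupted, with "OURCE" spliced into the timestamp; it should be a plain `[2020-03-26 07:04:43 +0000]`-style timestamp. Also, `sudo journalctl | grep 'microsoft-mdatp'` dumps the whole journal into installation.log; if the installer logs under the `microsoft-mdatp-installer` identifier shown in the output, `sudo journalctl -t microsoft-mdatp-installer` (or adding `--since` to the grep pipeline) keeps the file to the relevant lines.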
@ -44,8 +47,9 @@ Also check the [Client configuration](linux-install-manually.md#client-configura
Check if the mdatp service is running:
```bash
$ systemctl status mdatp
systemctl status mdatp
```
```Output
● mdatp.service - Microsoft Defender ATP
Loaded: loaded (/lib/systemd/system/mdatp.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2020-03-26 10:37:30 IST; 23h ago
@ -61,41 +65,43 @@ Check if the mdatp service is running:
1. Check if "mdatp" user exists:
```bash
$ id "mdatp"
id "mdatp"
```
If theres no output, run
```bash
$ sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp
sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp
```
2. Try enabling and restarting the service using:
```bash
$ sudo systemctl enable mdatp
$ sudo systemctl restart mdatp
sudo systemctl enable mdatp
```
3. If mdatp.service isn't found upon running the previous command, run
```bash
$ sudo cp /opt/microsoft/mdatp/conf/mdatp.service <systemd_path>
where <systemd_path> is
/lib/systemd/system for Ubuntu and Debian distributions
/usr/lib/systemd/system for Rhel, CentOS, Oracle and SLES
sudo systemctl restart mdatp
```
and then rerun step 2.
3. If mdatp.service isn't found upon running the previous command, run:
```bash
sudo cp /opt/microsoft/mdatp/conf/mdatp.service <systemd_path>
```
where ```<systemd_path>``` is
```/lib/systemd/system``` for Ubuntu and Debian distributions and
```/usr/lib/systemd/system``` for Rhel, CentOS, Oracle and SLES.
Then rerun step 2.
4. If the above steps dont work, check if SELinux is installed and in enforcing mode. If so, try setting it to permissive (preferably) or disabled mode. It can be done by setting the parameter `SELINUX` to "permissive" or "disabled" in `/etc/selinux/config` file, followed by reboot. Check the man-page of selinux for more details.
Now try restarting the mdatp service using step 2. Revert the configuration change immediately though for security reasons after trying it and reboot.
5. Ensure that the daemon has executable permission.
```bash
$ ls -l /opt/microsoft/mdatp/sbin/wdavdaemon
ls -l /opt/microsoft/mdatp/sbin/wdavdaemon
```
```Output
-rwxr-xr-x 2 root root 15502160 Mar 3 04:47 /opt/microsoft/mdatp/sbin/wdavdaemon
```
If the daemon doesn't have executable permissions, make it executable using:
```bash
$ sudo chmod 0755 /opt/microsoft/mdatp/sbin/wdavdaemon
sudo chmod 0755 /opt/microsoft/mdatp/sbin/wdavdaemon
```
and retry running step 2.
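Review bot: step 4 tells the reader to switch SELinux to permissive or disabled in /etc/selinux/config and reboot, which is heavier and riskier than a diagnostic step needs to be. Suggest `sudo setenforce 0` (temporary, no reboot, reverts on the next boot) and checking `ausearch -m avc -ts recent` to confirm that SELinux is actually denying mdatp before changing anything, and drop the "disabled" option entirely given the instruction to revert immediately. Minor: "If theres no output" should be "If there's no output".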
@ -105,7 +111,7 @@ Now try restarting the mdatp service using step 2. Revert the configuration chan
1. Check the file system type using:
```bash
$ findmnt -T <path_of_EICAR_file>
findmnt -T <path_of_EICAR_file>
```
Currently supported file systems for on-access activity are listed [here](microsoft-defender-atp-linux.md#system-requirements). Any files outside these file systems won't be scanned.
@ -113,13 +119,15 @@ Now try restarting the mdatp service using step 2. Revert the configuration chan
1. If running the command-line tool `mdatp` gives an error `command not found`, run the following command:
```bash
$ sudo ln -sf /opt/microsoft/mdatp/sbin/wdavdaemonclient /usr/bin/mdatp
sudo ln -sf /opt/microsoft/mdatp/sbin/wdavdaemonclient /usr/bin/mdatp
```
and try again.
If none of the above steps help, collect the diagnostic logs:
```bash
$ sudo mdatp diagnostic create
sudo mdatp diagnostic create
```
```Output
Diagnostic file created: <path to file>
```
Path to a zip file that contains the logs will be displayed as an output. Reach out to our customer support with these logs.

@ -23,7 +23,7 @@ ms.topic: conceptual
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
This topic provides some general steps that can be used to narrow down performance issues related to Microsoft Defender ATP for Linux.
This article provides some general steps that can be used to narrow down performance issues related to Microsoft Defender ATP for Linux.
Real-time protection (RTP) is a feature of Microsoft Defender ATP for Linux that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics.
@ -36,7 +36,9 @@ The following steps can be used to troubleshoot and mitigate these issues:
If your device is not managed by your organization, real-time protection can be disabled from the command line:
```bash
$ mdatp config real-time-protection --value disabled
mdatp config real-time-protection --value disabled
```
```Output
Configuration property updated
```
@ -50,26 +52,28 @@ The following steps can be used to troubleshoot and mitigate these issues:
This feature is enabled by default on the `Dogfood` and `InsisderFast` channels. If you're using a different update channel, this feature can be enabled from the command line:
```bash
$ mdatp config real-time-protection-statistics --value enabled
mdatp config real-time-protection-statistics --value enabled
```
This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command:
```bash
$ mdatp health --field real_time_protection_enabled
mdatp health --field real_time_protection_enabled
```
Verify that the `real_time_protection_enabled` entry is `true`. Otherwise, run the following command to enable it:
```bash
$ mdatp config real-time-protection --value enabled
mdatp config real-time-protection --value enabled
```
```Output
Configuration property updated
```
To collect current statistics, run:
```bash
$ mdatp diagnostic real_time_protection_statistics # you can use > stat.log to redirect to file
mdatp diagnostic real_time_protection_statistics # you can use > stat.log to redirect to file
```
The output of this command will show all processes and their associated scan activity. To improve the performance of Microsoft Defender ATP for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md).
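Review bot: `InsisderFast` in "enabled by default on the `Dogfood` and `InsisderFast` channels" is misspelled; the apt repository on this page is named `insiders-fast`, so the channel name is presumably `InsidersFast`. Also, `mdatp config real-time-protection-statistics --value enabled` is the only config command in this hunk shown without its `Configuration property updated` output block, so the blocks are inconsistent.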

@ -129,7 +129,7 @@ To enable autocompletion in `zsh`:
echo "autoload -Uz compinit && compinit" >> ~/.zshrc
```
- Run the following command to enable autocompletion for Microsoft Defender ATP for Mac and restart the Terminal session:
- Run the following commands to enable autocompletion for Microsoft Defender ATP for Mac and restart the Terminal session:
```zsh
sudo mkdir -p /usr/local/share/zsh/site-functions

@ -103,8 +103,9 @@ The hardware requirements for Microsoft Defender ATP on devices are the same for
### Other supported operating systems
- macOS
- Android
- Linux (currently, Microsoft Defender ATP is only available in the Public Preview Edition for Linux)
- macOS
> [!NOTE]
> You'll need to know the exact Linux distributions and versions of Android and macOS that are compatible with Microsoft Defender ATP for the integration to work.