deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 14:27:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #2131 from MicrosoftDocs/amrutk-working

Browse Source 
Amrutk working
This commit is contained in:
Thomas Raya 2020-02-24 16:17:34 -06:00 committed by GitHub
commit d0a3d89596
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 1438 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
windows/security/threat-protection/TOC.md
View File

@ -341,6 +341,19 @@
#### [Privacy](microsoft-defender-atp/mac-privacy.md)
#### [Resources](microsoft-defender-atp/mac-resources.md)
### [Microsoft Defender Advanced Threat Protection for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md)
#### [Deploy]()
##### [Manual deployment](microsoft-defender-atp/linux-install-manually.md)
##### [Puppet based deployment](microsoft-defender-atp/linux-install-with-puppet.md)
##### [Ansible based deployment](microsoft-defender-atp/linux-install-with-ansible.md)
#### [Update](microsoft-defender-atp/linux-updates.md)
#### [Configure]()
##### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md)
##### [Set preferences](microsoft-defender-atp/linux-preferences.md)
#### [Resources](microsoft-defender-atp/linux-resources.md)
### [Configure Secure score dashboard security controls](microsoft-defender-atp/secure-score-dashboard.md)
### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)
### [Management and API support]()

BIN
windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-linux-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 261 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-linux.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 270 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-win-intune.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 93 KiB

255
windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md Normal file
View File

@ -0,0 +1,255 @@
---
title: Deploy Microsoft Defender ATP for Linux manually
ms.reviewer:
description: Describes how to deploy Microsoft Defender ATP for Linux manually from the command line.
keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Deploy Microsoft Defender ATP for Linux manually
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
This topic describes how to deploy Microsoft Defender ATP for Linux manually. A successful deployment requires the completion of all of the following tasks:
- [Configure the Linux software repository](#configure-the-linux-software-repository)
- [Application installation](#application-installation)
- [Download the onboarding package](#download-the-onboarding-package)
- [Client configuration](#client-configuration)
## Prerequisites and system requirements
Before you get started, see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
## Configure the Linux software repository
Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insider-fast* or *prod*. Each of these channels corresponds to a Linux software repository. Instructions for configuring your device to use one of these repositories are provided below.
The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insider-fast* can try out new features before devices in *prod*.
In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use the *insider-fast* channel.
### RHEL and variants (CentOS and Oracle EL)
- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config/`.
In the below commands, replace *[distro]* and *[version]* with the information you've identified:
> [!NOTE]
> In case of Oracle EL and CentOS 8, replace *[distro]* with “rhel”.
```bash
$ sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
```
For example, if you are running CentOS 7 and wish to deploy MDATP for Linux from the *insider-fast* channel:
```bash
$ sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/7/insiders-fast.repo
```
- Install the Microsoft GPG public key:
```bash
$ curl https://packages.microsoft.com/keys/microsoft.asc > microsoft.asc
$ sudo rpm --import microsoft.asc
```
- Download and make usable all the metadata for the currently enabled yum repositories:
```bash
$ yum makecache
```
### SLES and variants
- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config/`.
In the following commands, replace *[distro]* and *[version]* with the information you've identified:
```bash
$ sudo zypper addrepo -c -f -n microsoft-[channel] https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
```
For example, if you are running SLES 12 and wish to deploy MDATP for Linux from the *insider-fast* channel:
```bash
$ sudo zypper addrepo -c -f -n microsoft-insiders-fast https://packages.microsoft.com/config/sles/12/insiders-fast.repo
```
- Install the Microsoft GPG public key:
```bash
$ curl https://packages.microsoft.com/keys/microsoft.asc > microsoft.asc
$ rpm --import microsoft.asc
```
### Ubuntu and Debian systems
- Install `curl` if it is not already installed:
```bash
$ sudo apt-get install curl
```
- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config`.
In the below command, replace *[distro]* and *[version]* with the information you've identified:
```bash
$ curl -o microsoft.list https://packages.microsoft.com/config/[distro]/[version]/[channel].list
```
For example, if you are running Ubuntu 18.04 and wish to deploy MDATP for Linux from the *insider-fast* channel:
```bash
$ curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/insiders-fast.list
```
- Install the repository configuration:
```bash
$ sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-[channel].list
```
- Install the gpg package if not already installed:
```bash
$ sudo apt-get install gpg
```
- Install the Microsoft GPG public key:
```bash
$ curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
$ sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/
```
- Install the https driver if it's not already present:
```bash
$ sudo apt-get install apt-transport-https
```
- Update the repository metadata:
```bash
$ sudo apt-get update
```
## Application installation
- RHEL and variants (CentOS and Oracle EL):
```bash
sudo yum install mdatp
```
- SLES and variants:
```bash
sudo zypper install mdatp
```
- Ubuntu and Debian system:
```bash
sudo apt-get install mdatp
```
## Download the onboarding package
Download the onboarding package from Microsoft Defender Security Center:
1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**.
2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Local Script (for up to 10 machines)** as the deployment method.
3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip.
![Microsoft Defender Security Center screenshot](images/atp-portal-onboarding-linux.png)
4. From a command prompt, verify that you have the file.
Extract the contents of the archive:
```bash
$ ls -l
total 8
-rw-r--r-- 1 test staff 5752 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
$ unzip WindowsDefenderATPOnboardingPackage.zip
Archive: WindowsDefenderATPOnboardingPackage.zip
inflating: WindowsDefenderATPOnboarding.py
```
## Client configuration
1. Copy WindowsDefenderATPOnboarding.py to the target machine.
Initially the client machine is not associated with an organization. Note that the *orgId* attribute is blank:
```bash
$ mdatp --health orgId
```
2. Run WindowsDefenderATPOnboarding.py, and note that, in order to run this command, you must have `python` installed on the device:
```bash
$ python WindowsDefenderATPOnboarding.py
```
3. Verify that the machine is now associated with your organization and reports a valid organization identifier:
```bash
$ mdatp --health orgId
[your organization identifier]
```
4. A few minutes after you complete the installation, you can see the status by running the following command. A return value of `1` denotes that the product is functioning as expected:
```bash
$ mdatp --health healthy
1
```
5. Run a detection test to verify that the machine is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded machine:
- Ensure that real-time protection is enabled (denoted by a result of `1` from running the following command):
```bash
$ mdatp --health realTimeProtectionEnabled
1
```
- Open a Terminal window. Copy and execute the following command:
``` bash
$ curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt
```
- The file should have been quarantined by Microsoft Defender ATP for Linux. Use the following command to list all the detected threats:
```bash
$ mdatp --threat --list --pretty
```
## Log installation issues
See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
## Uninstallation
See [Uninstall](linux-resources.md#uninstall) for details on how to remove Microsoft Defender ATP for Linux from client devices.

261
windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md Normal file
View File

@ -0,0 +1,261 @@
---
title: Deploy Microsoft Defender ATP for Linux with Ansible
ms.reviewer:
description: Describes how to deploy Microsoft Defender ATP for Linux using Ansible.
keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Deploy Microsoft Defender ATP for Linux with Ansible
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
This topic describes how to deploy Microsoft Defender ATP for Linux using Ansible. A successful deployment requires the completion of all of the following tasks:
- [Download the onboarding package](#download-the-onboarding-package)
- [Create Ansible YAML files](#create-ansible-yaml-files)
- [Deployment](#deployment)
- [References](#references)
## Prerequisites and system requirements
Before you get started, please see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
- Ansible needs to be installed on at least on one computer (we will call it the master).
- Passwordless SSH must be configured for the root user between the master and all clients.
- The following software must be installed on all clients:
- Python-apt
- Curl
- Unzip
- All host must be listed in the following format in the `/etc/ansible/hosts` file:
```bash
[servers]
host1 ansible_ssh_host=10.171.134.39
host2 ansible_ssh_host=51.143.50.51
```
- Ping test:
```bash
$ ansible -m ping all
```
## Download the onboarding package
Download the onboarding package from Microsoft Defender Security Center:
1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**.
2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Your preferred Linux configuration management tool** as the deployment method.
3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip.
![Microsoft Defender Security Center screenshot](images/atp-portal-onboarding-linux-2.png)
4. From a command prompt, verify that you have the file. Extract the contents of the archive:
```bash
$ ls -l
total 8
-rw-r--r-- 1 test staff 4984 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
$ unzip WindowsDefenderATPOnboardingPackage.zip
Archive: WindowsDefenderATPOnboardingPackage.zip
inflating: mdatp_onboard.json
```
## Create Ansible YAML files
Create subtask or role files that contribute to an actual task. Create the following files under the `/etc/ansible/roles` directory.
- Copy the onboarding package to all client machines:
```bash
$ cat /etc/ansible/roles/copy_onboarding_pkg.yml
- name: Copy the zip file
copy:
src: /root/WindowsDefenderATPOnboardingPackage.zip
dest: /root/WindowsDefenderATPOnboardingPackage.zip
owner: root
group: root
mode: '0644'
```
- Create a `setup.sh` script that operates on the onboarding file:
```bash
$ cat /root/setup.sh
#!/bin/bash
# Unzip the archive and create the onboarding file
mkdir -p /etc/opt/microsoft/mdatp/
unzip WindowsDefenderATPOnboardingPackage.zip
cp mdatp_onboard.json /etc/opt/microsoft/mdatp/mdatp_onboard.json
# get the GPG key
curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/
```
- Create the onboarding file:
```bash
$ cat setup_blob.yml
- name: Copy the setup script file
copy:
src: /root/setup.sh
dest: /root/setup.sh
owner: root
group: root
mode: '0744'
- name: Run a script to create the onboarding file
script: /root/setup.sh
```
- Add the Microsoft Defender ATP repository and key.
Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insider-fast* or *prod*. Each of these channels corresponds to a Linux software repository.
The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insider-fast* can try out new features before devices in *prod*.
In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use the *insider-fast* channel.
Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`.
In the following commands, replace *[distro]* and *[version]* with the information you've identified.
> [!NOTE]
> In case of Oracle EL and CentOS 8, replace *[distro]* with “rhel”.
- For apt-based distributions use the following YAML file:
```bash
$ cat add_apt_repo.yml
- name: Add Microsoft repository for MDATP
apt_repository:
repo: deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/[distro]/[version]/prod [channel] main
update_cache: yes
state: present
filename: microsoft-[channel].list
- name: Add Microsoft APT key
apt_key:
keyserver: https://packages.microsoft.com/
id: BC528686B50D79E339D3721CEB3E94ADBE1229C
```
- For yum-based distributions use the following YAML file:
```bash
$ cat add_yum_repo.yml
- name: Add Microsoft repository for MDATP
yum_repository:
name: packages-microsoft-com-prod-[channel]
description: Microsoft Defender ATP
file: microsoft-[channel]
baseurl: https://packages.microsoft.com/[distro]/[version]/[channel]/
gpgcheck: yes
enabled: Yes
```
- Create the actual install/uninstall YAML files under `/etc/ansible/playbooks`.
- For apt-based distributions use the following YAML file:
```bash
$ cat install_mdatp.yml
- hosts: servers
tasks:
- include: ../roles/download_copy_blob.yml
- include: ../roles/setup_blob.yml
- include: ../roles/add_apt_repo.yml
- apt:
name: mdatp
state: latest
update_cache: yes
```
```bash
$ cat uninstall_mdatp.yml
- hosts: servers
tasks:
- apt:
name: mdatp
state: absent
```
- For yum-based distributions use the following YAML file:
```bash
$ cat install_mdatp_yum.yml
- hosts: servers
tasks:
- include: ../roles/download_copy_blob.yml
- include: ../roles/setup_blob.yml
- include: ../roles/add_yum_repo.yml
- yum:
name: mdatp
state: latest
enablerepo: packages-microsoft-com-prod-[channel]
```
```bash
$ cat uninstall_mdatp_yum.yml
- hosts: servers
tasks:
- yum:
name: mdatp
state: absent
```
## Deployment
Now run the tasks files under `/etc/ansible/playbooks/`.
- Installation:
```bash
$ ansible-playbook /etc/ansible/playbooks/install_mdatp.yml -i /etc/ansible/hosts
```
- Validation/configuration:
```bash
$ ansible -m shell -a 'mdatp --connectivity-test' all
$ ansible -m shell -a 'mdatp --health' all
```
- Uninstallation:
```bash
$ ansible-playbook /etc/ansible/playbooks/uninstall_mdatp.yml -i /etc/ansible/hosts
```
## Log installation issues
See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
## References
- [Add or remove YUM repositories](https://docs.ansible.com/ansible/2.3/yum_repository_module.html)
- [Manage packages with the yum package manager](https://docs.ansible.com/ansible/latest/modules/yum_module.html)
- [Add and remove APT repositories](https://docs.ansible.com/ansible/latest/modules/apt_repository_module.html)
- [Manage apt-packages](https://docs.ansible.com/ansible/latest/modules/apt_module.html)

189
windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md Normal file
View File

@ -0,0 +1,189 @@
---
title: Deploy Microsoft Defender ATP for Linux with Puppet
ms.reviewer:
description: Describes how to deploy Microsoft Defender ATP for Linux using Puppet.
keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Deploy Microsoft Defender ATP for Linux with Puppet
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
This topic describes how to deploy Microsoft Defender ATP for Linux using Puppet. A successful deployment requires the completion of all of the following tasks:
- [Download the onboarding package](#download-the-onboarding-package)
- [Create Puppet manifest](#create-a-puppet-manifest)
- [Deployment](#deployment)
- [Check onboarding status](#check-onboarding-status)
## Prerequisites and system requirements
Before you get started, please see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
In addition, for Puppet deployment, you need to be familiar with Puppet administration tasks, have Puppet configured, and know how to deploy packages. Puppet has many ways to complete the same task. These instructions assume availability of supported Puppet modules, such as *apt* to help deploy the package. Your organization might use a different workflow. Please refer to the [Puppet documentation](https://puppet.com/docs) for details.
## Download the onboarding package
Download the onboarding package from Microsoft Defender Security Center:
1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**.
2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Your preferred Linux configuration management tool** as the deployment method.
3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip.
![Microsoft Defender Security Center screenshot](images/atp-portal-onboarding-linux-2.png)
4. From a command prompt, verify that you have the file. Extract the contents of the archive:
```bash
$ ls -l
total 8
-rw-r--r-- 1 test staff 4984 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
$ unzip WindowsDefenderATPOnboardingPackage.zip
Archive: WindowsDefenderATPOnboardingPackage.zip
inflating: mdatp_onboard.json
```
## Create a Puppet manifest
You need to create a Puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by a Puppet server. This example makes use of the *apt* module available from puppetlabs, and assumes that the apt module has been installed on your Puppet server.
Create the folders *install_mdatp/files* and *install_mdatp/manifests* under the modules folder of your Puppet installation. This is typically located in */etc/puppetlabs/code/environments/production/modules* on your Puppet server. Copy the mdatp_onboard.json file created above to the *install_mdatp/files* folder. Create an *init.pp* file that contains the deployment instructions:
```bash
$ pwd
/etc/puppetlabs/code/environments/production/modules
$ tree install_mdatp
install_mdatp
├── files
│   └── mdatp_onboard.json
└── manifests
└── init.pp
```
### Contents of `install_mdatp/manifests/init.pp`
Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insider-fast* or *prod*. Each of these channels corresponds to a Linux software repository.
The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insider-fast* can try out new features before devices in *prod*.
In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use the *insider-fast* channel.
Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`.
In the below commands, replace *[distro]* and *[version]* with the information you've identified:
> [!NOTE]
> In case of Oracle EL and CentOS 8, replace *[distro]* with “rhel”.
```puppet
class install_mdatp {
if ($osfamily == 'Debian') {
apt::source { 'microsoftpackages' :
location => 'https://packages.microsoft.com/[distro]/[version]/prod', # change the version and distro based on your OS
release => '[channel]',
repos => 'main',
key => {
'id' => 'BC528686B50D79E339D3721CEB3E94ADBE1229CF',
'server' => 'https://packages.microsoft.com/keys/microsoft.asc',
},
}
}
else {
yumrepo { 'microsoftpackages' :
baseurl => 'https://packages.microsoft.com/[distro]/[version]/[channel]', # change the version and distro based on your OS
enabled => 1,
gpgcheck => 1,
gpgkey => 'https://packages.microsoft.com/keys/microsoft.asc'
}
}
package { 'mdatp':
ensure => 'installed',
}
file { ['/etc', '/etc/opt', '/etc/opt/microsoft', '/etc/opt/microsoft/mdatp']:
ensure => directory,
}
file { '/etc/opt/microsoft/mdatp/mdatp_onboard.json':
mode => "0644",
source => 'puppet:///modules/install_mdatp/mdatp_onboard.json',
}
}
```
## Deployment
Include the above manifest in your site.pp file:
```bash
$ cat /etc/puppetlabs/code/environments/production/manifests/site.pp
node "default" {
include install_mdatp
}
```
Enrolled agent devices periodically poll the Puppet Server, and install new configuration profiles and policies as soon as they are detected.
## Monitor Puppet deployment
On the agent machine, you can also check the onboarding status by running:
```bash
$ mdatp --health
...
licensed : true
orgId : "[your organization identifier]"
...
```
- **licensed**: This confirms that the device is tied to your organization.
- **orgId**: This is your Microsoft Defender ATP organization identifier.
## Check onboarding status
You can check that devices have been correctly onboarded by creating a script. For example, the following script checks enrolled devices for onboarding status:
```bash
$ mdatp --health healthy
```
The above command prints `1` if the product is onboarded and functioning as expected.
If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem:
- 1 if the device is not yet onboarded.
- 3 if the connection to the daemon cannot be established.
## Log installation issues
See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
## Uninstallation
Create a module *remove_mdatp* similar to *install_mdatp* with the following contents in *init.pp* file:
```bash
class remove_mdatp {
package { 'mdatp':
ensure => 'purged',
}
}
```

356
windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md Normal file
View File

@ -0,0 +1,356 @@
---
title: Set preferences for Microsoft Defender ATP for Linux
ms.reviewer:
description: Describes how to configure Microsoft Defender ATP for Linux in enterprises.
keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Set preferences for Microsoft Defender ATP for Linux
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
>[!IMPORTANT]
>This topic contains instructions for how to set preferences for Microsoft Defender ATP for Linux in enterprise environments. If you are interested in configuring the product on a device from the command-line, see [Resources](linux-resources.md#configure-from-the-command-line).
In enterprise environments, Microsoft Defender ATP for Linux can be managed through a configuration profile. This profile is deployed from the management tool of your choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise are not able to change preferences that are set through this configuration profile.
This topic describes the structure of this profile (including a recommended profile that you can use to get started) and instructions on how to deploy the profile.
## Configuration profile structure
The configuration profile is a .json file that consists of entries identified by a key (which denotes the name of the preference), followed by a value, which depends on the nature of the preference. Values can be simple, such as a numerical value, or complex, such as a nested list of preferences.
Typically, you would use a configuration management tool to push a file with the name ```mdatp_maanged.json``` at the location ```/etc/opt/microsoft/mdatp/managed/```.
The top level of the configuration profile includes product-wide preferences and entries for subareas of the product, which are explained in more detail in the next sections.
### Antivirus engine preferences
The *antivirusEngine* section of the configuration profile is used to manage the preferences of the antivirus component of the product.
|||
|:---|:---|
| **Key** | antivirusEngine |
| **Data type** | Dictionary (nested preference) |
| **Comments** | See the following sections for a description of the dictionary contents. |
#### Enable / disable real-time protection
Detemines whether real-time protection (scan files as they are accessed) is enabled or not.
|||
|:---|:---|
| **Key** | enableRealTimeProtection |
| **Data type** | Boolean |
| **Possible values** | true (default) <br/> false |
#### Enable / disable passive mode
Detemines whether the antivirus engine runs in passive mode or not. In passive mode:
- Real-time protection is turned off.
- On-demand scanning is turned on.
- Automatic threat remediation is turned off.
- Security intelligence updates are turned on.
- Status menu icon is hidden.
|||
|:---|:---|
| **Key** | passiveMode |
| **Data type** | Boolean |
| **Possible values** | false (default) <br/> true |
| **Comments** | Available in Microsoft Defender ATP version 100.67.60 or higher. |
#### Exclusion merge policy
Specifies the merge policy for exclusions. It can be a combination of administrator-defined and user-defined exclusions (`merge`) or only administrator-defined exclusions (`admin_only`). This setting can be used to restrict local users from defining their own exclusions.
|||
|:---|:---|
| **Key** | exclusionsMergePolicy |
| **Data type** | String |
| **Possible values** | merge (default) <br/> admin_only |
| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
#### Scan exclusions
Entities that have been excluded from the scan. Exclusions can be specified by full paths, extensions, or file names.
|||
|:---|:---|
| **Key** | exclusions |
| **Data type** | Dictionary (nested preference) |
| **Comments** | See the following sections for a description of the dictionary contents. |
**Type of exclusion**
Specifies the type of content excluded from the scan.
|||
|:---|:---|
| **Key** | $type |
| **Data type** | String |
| **Possible values** | excludedPath <br/> excludedFileExtension <br/> excludedFileName |
**Path to excluded content**
Used to exclude content from the scan by full file path.
|||
|:---|:---|
| **Key** | path |
| **Data type** | String |
| **Possible values** | valid paths |
| **Comments** | Applicable only if *$type* is *excludedPath* |
**Path type (file / directory)**
Indicates if the *path* property refers to a file or directory.
|||
|:---|:---|
| **Key** | isDirectory |
| **Data type** | Boolean |
| **Possible values** | false (default) <br/> true |
| **Comments** | Applicable only if *$type* is *excludedPath* |
**File extension excluded from the scan**
Used to exclude content from the scan by file extension.
|||
|:---|:---|
| **Key** | extension |
| **Data type** | String |
| **Possible values** | valid file extensions |
| **Comments** | Applicable only if *$type* is *excludedFileExtension* |
**Process excluded from the scan**
Specifies a process for which all file activity is excluded from scanning. The process can be specified either by its name (e.g. `cat`) or full path (e.g. `/bin/cat`).
|||
|:---|:---|
| **Key** | name |
| **Data type** | String |
| **Possible values** | any string |
| **Comments** | Applicable only if *$type* is *excludedFileName* |
#### Allowed threats
List of threats (identified by their name) that are not blocked by the product and are instead allowed to run.
|||
|:---|:---|
| **Key** | allowedThreats |
| **Data type** | Array of strings |
#### Disallowed threat actions
Restricts the actions that the local user of a device can take when threats are detected. The actions included in this list are not displayed in the user interface.
|||
|:---|:---|
| **Key** | disallowedThreatActions |
| **Data type** | Array of strings |
| **Possible values** | allow (restricts users from allowing threats) <br/> restore (restricts users from restoring threats from the quarantine) |
| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
#### Threat type settings
The *threatTypeSettings* preference in the antivirus engine is used to control how certain threat types are handled by the product.
|||
|:---|:---|
| **Key** | threatTypeSettings |
| **Data type** | Dictionary (nested preference) |
| **Comments** | See the following sections for a description of the dictionary contents. |
**Threat type**
Type of threat for which the behavior is configured.
|||
|:---|:---|
| **Key** | key |
| **Data type** | String |
| **Possible values** | potentially_unwanted_application <br/> archive_bomb |
**Action to take**
Action to take when coming across a threat of the type specified in the preceding section. Can be:
- **Audit**: The device is not protected against this type of threat, but an entry about the threat is logged.
- **Block**: The device is protected against this type of threat and you are notified in the user interface and the security console.
- **Off**: The device is not protected against this type of threat and nothing is logged.
|||
|:---|:---|
| **Key** | value |
| **Data type** | String |
| **Possible values** | audit (default) <br/> block <br/> off |
#### Threat type settings merge policy
Specifies the merge policy for threat type settings. This can be a combination of administrator-defined and user-defined settings (`merge`) or only administrator-defined settings (`admin_only`). This setting can be used to restrict local users from defining their own settings for different threat types.
|||
|:---|:---|
| **Key** | threatTypeSettingsMergePolicy |
| **Data type** | String |
| **Possible values** | merge (default) <br/> admin_only |
| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
### Cloud-delivered protection preferences
The *cloudService* entry in the configuration profile is used to configure the cloud-driven protection feature of the product.
|||
|:---|:---|
| **Key** | cloudService |
| **Data type** | Dictionary (nested preference) |
| **Comments** | See the following sections for a description of the dictionary contents. |
#### Enable / disable cloud delivered protection
Determines whether cloud-delivered protection is enabled on the device or not. To improve the security of your services, we recommend keeping this feature turned on.
|||
|:---|:---|
| **Key** | enabled |
| **Data type** | Boolean |
| **Possible values** | true (default) <br/> false |
#### Diagnostic collection level
Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. This setting determines the level of diagnostics sent by the product to Microsoft.
|||
|:---|:---|
| **Key** | diagnosticLevel |
| **Data type** | String |
| **Possible values** | optional (default) <br/> required |
#### Enable / disable automatic sample submissions
Determines whether suspicious samples (that are likely to contain threats) are sent to Microsoft. You are prompted if the submitted file is likely to contain personal information.
|||
|:---|:---|
| **Key** | automaticSampleSubmission |
| **Data type** | Boolean |
| **Possible values** | true (default) <br/> false |
## Recommended configuration profile
To get started, we recommend the following configuration profile for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides.
The following configuration profile will:
- Enable real-time protection (RTP).
- Specify how the following threat types are handled:
- **Potentially unwanted applications (PUA)** are blocked.
- **Archive bombs** (file with a high compression rate) are audited to the product logs.
- Enable cloud-delivered protection.
- Enable automatic sample submission.
### Sample profile
```JSON
{
"antivirusEngine":{
"enableRealTimeProtection":true,
"threatTypeSettings":[
{
"key":"potentially_unwanted_application",
"value":"block"
},
{
"key":"archive_bomb",
"value":"audit"
}
]
},
"cloudService":{
"automaticSampleSubmission":true,
"enabled":true
}
}
```
## Full configuration profile example
The following configuration profile contains entries for all settings described in this document and can be used for more advanced scenarios where you want more control over the product.
### Full profile
```JSON
{
"antivirusEngine":{
"enableRealTimeProtection":true,
"passiveMode":false,
"exclusionsMergePolicy":"merge",
"exclusions":[
{
"$type":"excludedPath",
"isDirectory":false,
"path":"/var/log/system.log"
},
{
"$type":"excludedPath",
"isDirectory":true,
"path":"/home"
},
{
"$type":"excludedFileExtension",
"extension":"pdf"
},
{
"$type":"excludedFileName",
"name":"cat"
}
],
"allowedThreats":[
"EICAR-Test-File (not a virus)"
],
"disallowedThreatActions":[
"allow",
"restore"
],
"threatTypeSettingsMergePolicy":"merge",
"threatTypeSettings":[
{
"key":"potentially_unwanted_application",
"value":"block"
},
{
"key":"archive_bomb",
"value":"audit"
}
]
},
"cloudService":{
"enabled":true,
"diagnosticLevel":"optional",
"automaticSampleSubmission":true
}
}
```
## Configuration profile deployment
Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. Microsoft Defender ATP for Linux reads the managed configuration from the */etc/opt/microsoft/mdatp/managed/mdatp_managed.json* file.

116
windows/security/threat-protection/microsoft-defender-atp/linux-resources.md Normal file
View File

@ -0,0 +1,116 @@
---
title: Microsoft Defender ATP for Linux resources
ms.reviewer:
description: Describes resources for Microsoft Defender ATP for Linux, including how to uninstall it, how to collect diagnostic logs, CLI commands, and known issues with the product.
keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Resources
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
## Collect diagnostic information
If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default.
1. Increase logging level:
```bash
$ mdatp --log-level verbose
Creating connection to daemon
Connection established
Operation succeeded
```
2. Reproduce the problem.
3. Run `sudo mdatp --diagnostic --create` to backup Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive. This command will also print out the file path to the backup after the operation succeeds:
```bash
$ sudo mdatp --diagnostic --create
Creating connection to daemon
Connection established
```
4. Restore logging level:
```bash
$ mdatp --log-level info
Creating connection to daemon
Connection established
Operation succeeded
```
## Log installation issues
If an error occurs during installation, the installer will only report a general failure.
The detailed log will be saved to `/var/log/microsoft/mdatp_install.log`. If you experience issues during installation, send us this file so we can help diagnose the cause.
## Uninstall
There are several ways to uninstall Microsoft Defender ATP for Linux. If you are using a configuration tool such as Puppet, please follow the package uninstallation instructions for the configuration tool.
### Manual uninstallation
- ```sudo yum remove mdatp``` for RHEL and variants(CentOS and Oracle EL).
- ```sudo zypper remove mdatp``` for SLES and variants.
- ```sudo apt-get purge mdatp``` for Ubuntu and Debian systems.
## Configure from the command line
Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line:
|Group |Scenario |Command |
|-------------|-------------------------------------------|-----------------------------------------------------------------------|
|Configuration|Turn on/off real-time protection |`mdatp --config realTimeProtectionEnabled [true/false]` |
|Configuration|Turn on/off cloud protection |`mdatp --config cloudEnabled [true/false]` |
|Configuration|Turn on/off product diagnostics |`mdatp --config cloudDiagnosticEnabled [true/false]` |
|Configuration|Turn on/off automatic sample submission |`mdatp --config cloudAutomaticSampleSubmission [true/false]` |
|Configuration|Turn on PUA protection |`mdatp --threat --type-handling potentially_unwanted_application block`|
|Configuration|Turn off PUA protection |`mdatp --threat --type-handling potentially_unwanted_application off` |
|Configuration|Turn on audit mode for PUA protection |`mdatp --threat --type-handling potentially_unwanted_application audit`|
|Diagnostics |Change the log level |`mdatp --log-level [error/warning/info/verbose]` |
|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` |
|Health |Check the product's health |`mdatp --health` |
|Protection |Scan a path |`mdatp --scan --path [path]` |
|Protection |Do a quick scan |`mdatp --scan --quick` |
|Protection |Do a full scan |`mdatp --scan --full` |
|Protection |Cancel an ongoing on-demand scan |`mdatp --scan --cancel` |
|Protection |Request a security intelligence update |`mdatp --definition-update` |
## Microsoft Defender ATP portal information
In the Microsoft Defender ATP portal, you'll see two categories of information:
- Antivirus alerts, including:
- Severity
- Scan type
- Device information (hostname, machine identifier, tenant identifier, app version, and OS type)
- File information (name, path, size, and hash)
- Threat information (name, type, and state)
- Device information, including:
- Machine identifier
- Tenant identifier
- App version
- Hostname
- OS type
- OS version
- Computer model
- Processor architecture
- Whether the device is a virtual machine

77
windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md Normal file
View File

@ -0,0 +1,77 @@
---
title: Microsoft Defender ATP for Linux static proxy discovery
ms.reviewer:
description: Describes how to configure Microsoft Defender ATP for static proxy discovery.
keywords: microsoft, defender, atp, linux, installation, proxy
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Configuring Microsoft Defender ATP for static proxy discovery
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
Microsoft Defender ATP can discover a proxy server using the ```HTTPS_PROXY``` environment variable. This setting must be configured **both** at installation time and after the product has been installed.
## Installation time configuration
During installation, the ```HTTPS_PROXY``` environment variable must be passed to the package manager. The package manager can read this variable in any of the following ways:
- The ```HTTPS_PROXY``` variable is defined in ```/etc/environment``` with the following line:
```bash
HTTPS_PROXY=”http://proxy.server:port/”
```
- The `HTTPS_PROXY` variable is defined in the package manager global configuration. For example, in Ubuntu 18.04, you can add the following line to `/etc/apt/apt.conf.d/proxy.conf`:
```bash
Acquire::https::Proxy "http://proxy.server:port/";
```
> [!CAUTION]
> Note that above two methods could define the proxy to use for other applications on your system. Use this method with caution, or only if this is meant to be a generally global configuration.
- The `HTTPS_PROXY` variable is prepended to the installation or uninstallation commands. For example, with the APT package manager, prepend the variable as follows when installing Microsoft Defender ATP:
```bash
$ HTTPS_PROXY=”http://proxy.server:port/" apt install mdatp
```
> [!NOTE]
> Do not add sudo between the environment variable definition and apt, otherwise the variable will not be propagated.
The `HTTPS_PROXY` environment variable may similarly be defined during uninstallation.
Note that installation and uninstallation will not necessarily fail if a proxy is required but not configured. However, telemetry will not be submitted, and the operation could take significantly longer due to network timeouts.
## Post installation configuration
After installation, the `HTTPS_PROXY` environment variable must be defined in the Microsoft Defender ATP service file. To do this, open `/lib/systemd/system/mdatp.service` in a text editor while running as the root user. You can then propagate the variable to the service in one of two ways:
- Uncomment the line `#Environment=HTTPS_PROXY="http://address:port”` and specify your static proxy address.
- Add a line `EnvironmentFile=/path/to/env/file`. This path can point to `/etc/environment` or a custom file, either of which needs to add the following line:
```bash
HTTPS_PROXY=”http://proxy.server:port/”
```
After modifying the `mdatp.service` file, save and close it. Restart the service so the changes can be applied. In Ubuntu, this involves two commands:
```bash
$ systemctl daemon-reload; systemctl restart mdatp
```

47
windows/security/threat-protection/microsoft-defender-atp/linux-updates.md Normal file
View File

@ -0,0 +1,47 @@
---
title: Deploy updates for Microsoft Defender ATP for Linux
ms.reviewer:
description: Describes how to deploy updates for Microsoft Defender ATP for Linux in enterprise environments.
keywords: microsoft, defender, atp, linux, updates, deploy
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Deploy updates for Microsoft Defender ATP for Linux
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
Microsoft regularly publishes software updates to improve performance, security, and to deliver new features.
To update Microsoft Defender ATP for Linux manually, execute one of the following commands:
## RHEL and variants (CentOS and Oracle EL)
```bash
sudo yum update mdatp
```
## SLES and variants
```bash
sudo zypper update mdatp
```
## Ubuntu and Debian systems
```bash
sudo apt-get install --only-upgrade mdatp
```

124
windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md Normal file
View File

@ -0,0 +1,124 @@
---
title: Microsoft Defender ATP for Linux
ms.reviewer:
description: Describes how to install and use Microsoft Defender ATP for Linux.
keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Microsoft Defender ATP for Linux
This topic describes how to install, configure, update, and use Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux.
> [!CAUTION]
> Running other third-party endpoint protection products alongside Microsoft Defender ATP for Linux is likely to cause performance problems and unpredictable system errors.
## How to install Microsoft Defender ATP for Linux
### Prerequisites
- Access to the Microsoft Defender Security Center portal
- Beginner-level experience in Linux and BASH scripting
- Administrative privileges on the device (in case of manual deployment)
### Known issues
- Logged on users do not appear in the ATP portal.
- In SUSE distributions, if the installation of *libatomic1* fails, you should validate that your OS is registered:
```bash
$ sudoSUSEConnect --status-text
```
### Installation instructions
There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Linux.
In general you need to take the following steps:
- Ensure that you have a Microsoft Defender ATP subscription, and that you have access to the Microsoft Defender ATP portal.
- Deploy Microsoft Defender ATP for Linux using one of the following deployment methods:
- The command-line tool:
- [Manual deployment](linux-install-manually.md)
- Third-party management tools:
- [Deploy using Puppet configuration management tool](linux-install-with-puppet.md)
- [Deploy using Ansbile configuration management tool](linux-install-with-ansible.md)
### System requirements
- Supported Linux server distributions and versions:
- Red Hat Enterprise Linux 7 or higher
- CentOS 7 or higher
- Ubuntu 16.04 LTS or higher LTS
- Debian 9 or higher
- SUSE Linux Enterprise Server 12 or higher
- Oracle Enterprise Linux 7
- Minimum kernel version 2.6.38
- The `fanotify` kernel option must be enabled
- Disk space: 650 MB
After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
### Network connections
The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there are, you may need to create an *allow* rule specifically for them.
| Service location | DNS record |
| ---------------------------------------- | ----------------------- |
| Common URLs for all locations | x.cp.wd.microsoft.com <br/> cdn.x.cp.wd.microsoft.com <br/> eu-cdn.x.cp.wd.microsoft.com <br/> wu-cdn.x.cp.wd.microsoft.com <br/> *.blob.core.windows.net <br/> officecdn-microsoft-com.akamaized.net <br/> crl.microsoft.com <br/> events.data.microsoft.com |
| European Union | europe.x.cp.wd.microsoft.com <br/> eu-v20.events.data.microsoft.com |
| United Kingdom | unitedkingdom.x.cp.wd.microsoft.com <br/> uk-v20.events.data.microsoft.com |
| United States | unitedstates.x.cp.wd.microsoft.com <br/> us-v20.events.data.microsoft.com |
Microsoft Defender ATP can discover a proxy server by using the following discovery methods:
- Transparent proxy
- Manual static proxy configuration
If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. For transparent proxies, no additional configuration is needed for Microsoft Defender ATP. For static proxy, follow the steps in [Manual Static Proxy Configuration](linux-static-proxy-configuration.md).
## Validating cloud connectivity
To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/api/report](https://x.cp.wd.microsoft.com/api/report) and [https://cdn.x.cp.wd.microsoft.com/ping](https://cdn.x.cp.wd.microsoft.com/ping) in a browser.
If you prefer the command line, you can also check the connection by running the following command in Terminal:
```bash
$ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
```
The output from this command should be similar to the following:
> `OK https://x.cp.wd.microsoft.com/api/report`
> `OK https://cdn.x.cp.wd.microsoft.com/ping`
Once Microsoft Defender ATP is installed, connectivity can be validated by running the following command in Terminal:
```bash
$ mdatp --connectivity-test
```
## How to update Microsoft Defender ATP for Linux
Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender ATP for Linux, refer to [Deploy updates for Microsoft Defender ATP for Linux](linux-updates.md).
## How to configure Microsoft Defender ATP for Linux
Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md).
## Resources
- For more information about logging, uninstalling, or other topics, see the [Resources](linux-resources.md) page.