Update linux-schedule-scan-atp.md

This commit is contained in:
Lovina Saldanha 2020-10-12 14:22:47 +05:30
parent cb04295981
commit da50b63b45


@ -26,14 +26,16 @@ Linux (and Unix) have the tool called **crontab** (similar to Task Scheduler) to
## Pre-requisite
> [!NOTE]
> To get a list of all the time zones, run the following command:
> timedatectl list-timezones
To get a list of all the time zones, run the following command:
timedatectl list-timezones
> Examples for timezones:
> America/Los_Angeles
> America/New_York
> America/Chicago
> America/Denver
America/Los_Angeles
America/New_York
America/Chicago
America/Denver
## To set the Cron job
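Review bot: the hunk shows two copies of the time-zone instructions, the `>`-prefixed callout lines and the bare lines `To get a list of all the time zones, run the following command:` / `timedatectl list-timezones` followed by the same four `America/...` names; whichever direction the change runs, only one copy should survive, and it belongs inside the `[!NOTE]` callout so the pre-requisite reads as one block. Put `timedatectl list-timezones` and the zone names in backticks (or the command in a fenced bash block, as the rest of the file does for commands) so the rendered page separates what the reader types from the explanation, and say explicitly that these are the spellings `CRON_TZ` expects in the crontab below.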
@ -42,12 +44,13 @@ Linux (and Unix) have the tool called **crontab** (similar to Task Scheduler) to
sudo crontab -l > /var/tmp/cron_backup_200919.dat
> [!NOTE]
> Where 200919 == YRMMDD
Where 200919 == YRMMDD
> TIP:
> Do this before you edit or remove.
> To edit the crontab and add a new job as a root user:
> sudo crontab -e
Do this before you edit or remove.
To edit the crontab and add a new job as a root user:
sudo crontab -e
> [!NOTE]
> The default editor is VIM
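Review bot: `sudo crontab -l > /var/tmp/cron_backup_200919.dat` writes root's crontab into `/var/tmp`, which is world-readable and world-writable; the redirection is done by the invoking user's shell, not by sudo, so the backup is created with that user's ownership and umask, any local user can read the scheduled commands, and another user could pre-create the file name. Suggest a root-owned location such as `/root/` or `/var/backups/` and a generated date, e.g. `sudo crontab -l | sudo tee /root/cron_backup_$(date +%y%m%d).dat >/dev/null`; the explanatory line `Where 200919 == YRMMDD` should read `YYMMDD`. `The default editor is VIM` is distribution-dependent: `crontab -e` honours `VISUAL`/`EDITOR`, and Debian and Ubuntu fall back to `sensible-editor` (nano where installed), so phrase it as "the editor selected by `EDITOR`" or tell readers to set it before running `sudo crontab -e`.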
@ -65,14 +68,14 @@ CRON_TZ=America/Los_Angeles
0 2 * * sat /bin/mdatp scan quick > ~/mdatp_cron_job.log
> [!NOTE]
> In this example, we are setting it to 00 minutes, 2 a.m. (hour in 24 hour format), any day of the month, any month, on Saturdays. Meaning it will run Saturdays at 2:00 a.m. Pacific (UTC 8)
In this example, we are setting it to 00 minutes, 2 a.m. (hour in 24 hour format), any day of the month, any month, on Saturdays. Meaning it will run Saturdays at 2:00 a.m. Pacific (UTC 8)
Press “Esc”
Type “:wq” w/o the double quotes.
> [!NOTE]
> w == write, q == quit
w == write, q == quit
To view your cron jobs, type sudo crontab -l
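Review bot: `Pacific (UTC 8)` in the explanation should be `UTC-8`, and because `CRON_TZ=America/Los_Angeles` follows daylight saving, the job fires at 02:00 local time, which is UTC-7 for most of the year; describe it as local time rather than a fixed offset. `CRON_TZ` is an extension honoured by cronie and other Vixie-derived crons but not by every implementation, so a sentence pointing readers at their distribution's crontab(5) would avoid silent UTC scheduling. The job line `0 2 * * sat /bin/mdatp scan quick > ~/mdatp_cron_job.log` truncates the log on every run; `>> ~/mdatp_cron_job.log 2>&1` keeps earlier results and captures errors for review, and readers should confirm the binary path with `command -v mdatp` since `/bin/mdatp` only resolves where `/bin` is merged into `/usr/bin`.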
@ -163,85 +166,3 @@ crontab -u username -r
* * * * * command to be executed
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
While you can start a threat scan at any time with Microsoft Defender ATP, your enterprise might benefit from scheduled or timed scans. For example, you can schedule a scan to run at the beginning of every workday or week.
## Schedule a scan with *launchd*
You can create a scanning schedule using the *launchd* daemon on a macOS device.
1. The following code shows the schema you need to use to schedule a scan. Open a text editor and use this example as a guide for your own scheduled scan file.
For more information on the *.plist* file format used here, see [About Information Property List Files](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/AboutInformationPropertyListFiles.html) at the official Apple developer website.
```XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.microsoft.wdav.schedquickscan</string>
<key>ProgramArguments</key>
<array>
<string>sh</string>
<string>-c</string>
<string>/usr/local/bin/mdatp --scan --quick</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>StartCalendarInterval</key>
<dict>
<key>Day</key>
<integer>3</integer>
<key>Hour</key>
<integer>2</integer>
<key>Minute</key>
<integer>0</integer>
<key>Weekday</key>
<integer>5</integer>
</dict>
<key>StartInterval</key>
<integer>604800</integer>
<key>WorkingDirectory</key>
<string>/usr/local/bin/</string>
</dict>
</plist>
```
2. Save the file as *com.microsoft.wdav.schedquickscan.plist*.
> [!TIP]
> To run a full scan instead of a quick scan, change line 12, `<string>/usr/local/bin/mdatp --scan --quick</string>`, to use the `--full` option instead of `--quick` (i.e. `<string>/usr/local/bin/mdatp --scan --full</string>`) and save the file as *com.microsoft.wdav.sched**full**scan.plist* instead of *com.microsoft.wdav.sched**quick**scan.plist*.
3. Open **Terminal**.
4. Enter the following commands to load your file:
```bash
launchctl load /Library/LaunchDaemons/<your file name.plist>
launchctl start <your file name>
```
5. Your scheduled scan will run at the date, time, and frequency you defined in your p-list. In the example, the scan runs at 2:00 AM every Friday.
Note that the `StartInterval` value is in seconds, indicating that scans should run every 604,800 seconds (one week), while the `Weekday` value of `StartCalendarInterval` uses an integer to indicate the fifth day of the week, or Friday.
> [!IMPORTANT]
> Agents executed with *launchd* will not run at the scheduled time while the device is asleep. They will instead run once the device resumes from sleep mode.
>
> If the device is turned off, the scan will run at the next scheduled scan time.
## Schedule a scan with Intune
You can also schedule scans with Microsoft Intune. The [runMDATPQuickScan.sh](https://github.com/microsoft/shell-intune-samples/tree/master/Misc/MDATP#runmdatpquickscansh) shell script available at [Scripts for Microsoft Defender Advanced Threat Protection](https://github.com/microsoft/shell-intune-samples/tree/master/Misc/MDATP) will persist when the device resumes from sleep mode.
See [Use shell scripts on macOS devices in Intune](https://docs.microsoft.com/mem/intune/apps/macos-shell-scripts) for more detailed instructions on how to use this script in your enterprise.
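Review bot: removing the macOS `launchd` and Intune section from the Linux page is correct, but confirm the same material exists on the macOS counterpart page before this lands, otherwise the plist and the Intune script link disappear from the doc set; the removed region also appears to take `[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]` with it, so check that the include is still present elsewhere in the file. If the plist is moved rather than deleted, fix it there: `StartCalendarInterval` sets both `Day` 3 and `Weekday` 5, which launchd requires to match together, so the job would fire only when the 3rd of a month falls on a Friday, not "every Friday" as step 5 says, while `StartInterval` 604800 adds a second, independent weekly trigger; step 2 should also say to save the file under `/Library/LaunchDaemons/`, and `launchctl start` takes the `Label` (`com.microsoft.wdav.schedquickscan`), not the file name.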