Add documentation on exclusions and perf

windows/security/threat-protection/TOC.md

@@ -317,12 +317,11 @@
 ##### [Manual deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md)
 #### [Update Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-updates.md)
 #### [Configure Microsoft Defender ATP for Mac]()
+##### [Configure and validate exclusions](windows-defender-antivirus/microsoft-defender-atp-mac-exclusions.md)
 ##### [Set preferences for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md)
 ##### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus/microsoft-defender-atp-mac-pua.md)
 #### [Troubleshoot Microsoft Defender ATP for Mac]()
-##### [Troubleshoot kernel extension approval](windows-defender-antivirus/microsoft-defender-atp-mac-support-kext.md)
 ##### [Troubleshoot performance issues](windows-defender-antivirus/microsoft-defender-atp-mac-support-perf.md)
-##### [Troubleshoot cloud connectivity](windows-defender-antivirus/microsoft-defender-atp-mac-support-cloud.md)
 #### [Privacy for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md)
 #### [Resources for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-resources.md)
 

windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-exclusions.md

@@ -0,0 +1,80 @@
+---
+title: Configure and validate exclusions for Microsoft Defender ATP for Mac
+ms.reviewer:
+description: Describes how to provide and validate exclusions for Microsoft Defender ATP for Mac. Exclusions can be set for files, folders, and processes.
+keywords: microsoft, defender, atp, mac, exclusions, scans, antivirus
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: conceptual
+---
+
+# Configure and validate exclusions for Microsoft Defender ATP for Mac
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
+
+This article provides information for how to define exclusions that apply to on-demand scans, and real-time protection and monitoring.
+
+>[!IMPORTANT]
+>The exclusions described in this article don't apply to other Microsoft Defender ATP for Mac capabilities, including endpoint detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections.
+
+You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender ATP for Mac scans.
+
+Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. They can also be useful for mitigating performance issues caused by Microsoft Defender ATP for Mac.
+
+>[!WARNING]
+>Defining exclusions lowers the protection offered by Microsoft Defender ATP for Mac. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
+
+## Supported exclusion types
+
+The follow table shows the exclusion types supported by Microsoft Defender ATP for Mac.
+
+Exclusion | Definition | Examples
+---|---|---
+File extension | All files with the extension, anywhere on the machine | .test
+File | A specific file in the specified folder | /var/log/test.log
+Folder | All files under the specified folder | /var/log/
+Process | A specific process (specified either by the full path or file name) and all files opened by it | /bin/cat<br/>cat
+
+## How to configure the list of exclusions
+
+### From the management console
+
+See [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md) for more details on how to configure exclusions from JAMF, Intune, or another management console.
+
+### From the user interface
+
+Open the Microsoft Defender ATP application and navigate to **Manage settings** > **Add or Remove Exclusion...**, as shown in the following screenshot. Select the type of exclusion that you wish to add and follow the prompts.
+
+![Manage exclusions screenshot](images/MDATP_37_Exclusions.png)
+
+## Validate exclusions lists with the EICAR test file
+
+You can validate that your exclusion lists are working by using `curl` to download a test file.
+
+In the following Bash snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the .testing extension, replace *test.txt* with *test.testing*. If you are testing a path, ensure you run the command within that path.
+
+```bash
+$ curl -o test.txt http://www.eicar.org/download/eicar.com.txt
+```
+
+If Microsoft Defender ATP for Mac reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR testfile website](http://www.eicar.org/86-0-Intended-use.html).
+
+If you do not have Internet access, you can create your own EICAR test file by writing the EICAR string to a new text file with the following Bash command:
+
+```bash
+echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > test.txt
+```
+
+You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude.

windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-support-perf.md

@@ -24,8 +24,32 @@ ms.topic: conceptual
 
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
 
+This topic provides some general steps that can be used to narrow down performance issues related to Microsoft Defender ATP for Mac.
+
 Real-time protection (RTP) is a feature of Microsoft Defender ATP for Mac that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics.
 
-Depending on the applications that you are running and the characteristics of your device, you may experience suboptimal performance when running Microsoft Defender ATP for Mac.
+Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Microsoft Defender ATP for Mac. In particular, applications or system processes that access a large number of resources over a short timespan can lead to performance issues in Microsoft Defender ATP for Mac.
 
+The following steps can be used to troubleshoot and mitigate these issues:
 
+1. Disable real-time protection using one of the following methods and observe whether the performance improves. This helps narrow down whether Microsoft Defender ATP for Mac is contributing to the performance issues.
+
+    If your device is not managed by your organization, real-time protection can be disabled using one of the following options:
+
+    - From the user interface. Open Microsoft Defender ATP for Mac and navigate to **Manage settings**.
+
+    ![Manage real-time protection screenshot](images/MDATP_36_RTP.png)
+
+    - From the Terminal using the following command. Note that, for security purposes, this operation requires elevation.
+
+    ```bash
+    $ mdatp --config realTimeProtectionEnabled false
+    ```
+
+    If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md).
+
+2. Open Finder and navigate to **Applications** > **Utilities**. Open **Activity Monitor** and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers.
+
+3. Configure Microsoft Defender ATP for Mac with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection.
+
+    See [Configure and validate exclusions for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-exclusions.md) for details.