Microsoft Defender ATP for Linux failed to update definitions with server connected through static proxy

Vu Nguyen 1 Reputation point
May 21, 2021, 7:01 AM

My organization is currently testing Microsoft Defender ATP for Linux on a Redhat 7.9 server through a static proxy. mdatp installed successfully and is onboarding. The problem I met was that it couldn't update the definitions: using both automatic update and manual update, it returned an "update_failed" result (screenshot: 98375-mdatp-health.png).

I have followed the proxy configuration: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-static-proxy-configuration?view=o365-worldwide
and troubleshoot: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-support-connectivity?view=o365-worldwide

and tested with the following command:
curl -x http://10.10.10.10:8080 -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
with http://10.10.10.10:8080 being my proxy; both returned OK results.
While the connectivity test returned this (screenshot: 98448-test.png).

With this I suspected there might be a server blocked by our firewall, so the RH server didn't connect to the definitions update server to get the update.
But when I checked the list of servers, the definitions update server https://cdn.x.cp.wd.microsoft.com did send an OK result, so I have no idea which server I should allow through our firewall (I can't allow all servers; I can only request 1-2 servers from my IT department).
Or is there an alternative way to get the definition update packages to install offline on my server?
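As an added example, not part of the original question and not Microsoft's own tooling, the following POSIX shell script repeats the curl check from the question through the static proxy for each endpoint and classifies each one as reachable or blocked, so that a single blocked host can be named in a firewall request. The proxy address and the two endpoints are the ones quoted in the question; the function names (probe_url, classify_line, count_blocked, run_probe) are names chosen here. A curl exit status of 0 with any HTTP status (even 4xx/5xx) means the proxy established the tunnel and the service answered, which is the useful distinction when deciding what the firewall is actually blocking.

```shell
#!/bin/sh
# Added example (not from the original post): probe Defender for Endpoint
# endpoints through a static proxy and report which ones never complete.
# PROXY and ENDPOINTS are the values quoted in the question; override PROXY
# in the environment to test another proxy.
PROXY="${PROXY:-http://10.10.10.10:8080}"

ENDPOINTS="https://x.cp.wd.microsoft.com/api/report
https://cdn.x.cp.wd.microsoft.com/ping"

# Probe one URL through the proxy; emit "<url> <http_code> <curl_exit>".
probe_url() {
    url="$1"
    code=$(curl -sS -o /dev/null -x "$PROXY" --connect-timeout 10 \
               -w '%{http_code}' "$url" 2>/dev/null)
    rc=$?
    printf '%s %s %s\n' "$url" "${code:-000}" "$rc"
}

# Classify one probe line. curl exit 0 with a real HTTP status means the
# proxy tunnelled the connection and the service answered; a non-zero exit
# or status 000 means the connection never completed (proxy/firewall block,
# DNS failure, or timeout).
classify_line() {
    set -- $1
    case "$3:$2" in
        0:000) printf 'BLOCKED %s (no HTTP status)\n' "$1" ;;
        0:*)   printf 'OK %s (HTTP %s)\n' "$1" "$2" ;;
        *)     printf 'BLOCKED %s (curl exit %s, HTTP %s)\n' "$1" "$3" "$2" ;;
    esac
}

# Count BLOCKED entries among probe lines read from stdin.
count_blocked() {
    n=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        case "$(classify_line "$line")" in
            BLOCKED*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Probe every endpoint live and print one classified line per URL.
run_probe() {
    printf '%s\n' "$ENDPOINTS" | while IFS= read -r u; do
        classify_line "$(probe_url "$u")"
    done
}

# Only contact the network when invoked as: sh probe.sh live
if [ "${1:-}" = "live" ]; then
    run_probe
fi
```

Run it as `sh probe.sh live` on the affected server; any line starting with BLOCKED names the host to hand to the firewall team. Adding further URLs to ENDPOINTS (from Microsoft's published endpoint list) extends the check without other changes.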


1 answer

  1. VipulSparsh-MSFT 16,281 Reputation points Microsoft Employee
    May 25, 2021, 8:01 AM

    @Vu Nguyen Thanks for reaching out.

    This might need a deeper investigation to understand which server got blocked. You can open a support case to understand this further.
    Or you can try getting a working and a non-working device, take a network trace on both, and see which servers match and which is getting blocked.

    Try to get a network trace with direct internet and verify which path it takes and which server it contacts; you would be able to narrow it down this way.

    -----------------------------------------------------------------------------------------------------------------

    If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" the answer that helped you, for the benefit of the community.
