Run the client analyzer on macOS and Linux

Applies to:

Running the analyzer using a terminal or SSH scenario

Open a terminal or SSH into the relevant machine and run the following commands:


wget --quiet -O


echo '815F3E83EB1E6C33D712F101618018E1E38211D4E2807C3A9EF3CC0B0F95225C' | sha256sum -c


unzip -q -d XMDEClientAnalyzer

Change to the tool's directory

cd XMDEClientAnalyzer

Install the components

Run as a non-root user to install required pip and lxml components.


Collect the diagnostics

To collect the actual diagnostic package and generate the result archive file, run again as root.

sudo ./ -d
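An added example, not part of the original page or Microsoft's tooling: a fail-closed form of the checksum step above that takes the archive path explicitly, accepts the upper-case digest as published, and falls back to `shasum -a 256` where `sha256sum` is not installed. The helper names `sha256_of` and `verify_sha256` and the `ARCHIVE.zip` placeholder are assumptions.

```shell
#!/bin/sh
# Added example: fail-closed SHA-256 check before unpacking a download.
# sha256_of and verify_sha256 are hypothetical helper names.

# Print the lowercase hex SHA-256 of a file (read via stdin so odd
# file names cannot be mistaken for options or escaped in the output).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 < "$1" | awk '{print $1}'
    else
        return 3
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 on unusable input
# (missing file, malformed digest, no hashing tool).
verify_sha256() {
    file=$1
    # Published digests are often upper case; the tools print lower case.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    case $expected in
        ''|*[!0-9a-f]*) echo "malformed digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed digest" >&2; return 2; }
    actual=$(sha256_of "$file") || { echo "no SHA-256 tool" >&2; return 2; }
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    printf 'MISMATCH: %s\n  expected %s\n  actual   %s\n' \
        "$file" "$expected" "$actual" >&2
    return 1
}

# Usage, with ARCHIVE.zip as a placeholder for the downloaded file:
#   verify_sha256 ARCHIVE.zip '<published hash>' &&
#       unzip -q ARCHIVE.zip -d XMDEClientAnalyzer
if [ "$#" -eq 2 ]; then
    verify_sha256 "$1" "$2"
fi
```

Chaining the unpack step with `&&` means a mismatched or malformed digest stops the procedure before anything from the archive is extracted or run.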


  • For Linux, the analyzer requires 'lxml' to produce the result output. If not installed, the analyzer will try to fetch it from the official repository for Python packages below:

  • In addition, the tool currently requires Python version 3 or later to be installed.

  • If you are running on a machine that cannot use Python 3 or fetch the lxml component, then you can download a binary based version of the analyzer that does not have any of the requirements: XMDE Client Analyzer Binary.
    Note that the binary is currently unsigned. To allow the package to run on macOS, you will need to use the syntax: "spctl --add /Path/To/".

  • If your device is behind a proxy, then you can simply pass the proxy server as an environment variable to the script. For example: https_proxy= ./


The  command line example

Additional syntax help:

-h # Help
# Show help message

performance # Performance
# Collects extensive tracing for analysis of a performance issue that can be reproduced on demand. Use --length=<seconds> to specify the duration of the benchmark.

-o # Output
# Specify the destination path for the result file

-nz # No-Zip
# If set, a directory will be created instead of a resulting archive file

-f # Force
# Overwrite if output already exists in destination path

Result package contents on macOS and Linux

  • report.html

    Description: The main HTML output file, containing the findings and guidance that the analyzer script can produce when run on the machine.


    Description: Same diagnostic output that gets generated when running mdatp diagnostic create on either macOS



  • mde.xml

    Description: XML output that is generated while the analyzer runs and is used to build the HTML report file.

  • Processes_information.txt

    Description: Contains the details of the running Microsoft Defender for Endpoint related processes on the system.

  • Log.txt

    Description: Contains the same log messages written on screen during the data collection.

  • Health.txt

    Description: The same basic health output that is shown when running the mdatp health command.

  • Events.xml

    Description: Additional XML file used by the analyzer when building the HTML report.

  • Audited_info.txt

    Description: Details on the audited service and related components for Linux OS.

  • perf_benchmark.tar.gz

    Description: The performance test reports. You will see this only if you are using the performance parameter.