Run the client analyzer on macOS and Linux

Applies to:

Running the analyzer through GUI scenario

  1. Download the XMDE Client Analyzer tool to the macOS or Linux machine you need to investigate.


    The current SHA256 hash of '' that is downloaded from the above link is: 'AD8D9D90F9C953E206E57971E9BA399471CA6E61F7034099A686E7DD6757D7C6'

  2. Extract the contents of on the machine.

  3. Open a terminal session, change directory to the extracted location and run:

    ./ -d


    On Linux, if the script does not have permissions to execute, then you'll need to first run:

    chmod a+x

Running the analyzer using a terminal or SSH scenario

Open a terminal or SSH into the relevant machine and run the following commands:

  1. wget --quiet -O

  2. unzip -q

  3. cd XMDEClientAnalyzer

  4. chmod +x

  5. Run as a non-root user to install the required pip and lxml components: ./

  6. To collect the actual diagnostic package and generate the result archive file, run again as root: ./ -d


  • For Linux, the analyzer requires 'lxml' to produce the result output. If it is not installed, the analyzer tries to fetch it from the official repository for Python packages below:

  • In addition, the tool currently requires Python version 3 or later to be installed.

  • If you are running on a machine that cannot use Python 3 or fetch the lxml component, then you can download a binary-based version of the analyzer that does not have any of these requirements: XMDE Client Analyzer Binary.
    Note that the binary is currently unsigned. To allow the package to run on macOS, you will need to use the syntax: "spctl --add /Path/To/".

  • The current SHA256 hash of '' that is downloaded from the above link is: '678866D7F14318BD7FEFCDC0259147C34366BCE84A547B5E18BCD07957A21C72'

  • If your device is behind a proxy, then you can simply pass the proxy server as an environment variable to the script. For example: https_proxy= ./
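Since the page publishes a SHA256 hash for each download, a practitioner would check the archive against that hash before extracting and running it. The script below is an added example, not part of the product page or the analyzer itself; the archive name, the analyzer script name and the use of sudo for the root run are assumptions and are passed in as arguments.

```shell
#!/bin/sh
# Added example (not from the product page): verify the downloaded archive against
# the SHA256 hash published on the download page before extracting and running it.
# Archive name, script name and use of sudo are assumptions supplied as arguments.

# Print the SHA256 of a file using whichever tool the platform ships:
# sha256sum (Linux coreutils) or shasum (macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# verify_sha256 FILE EXPECTED_HASH
# Returns 0 when the file's digest matches (compared case-insensitively), 1 otherwise.
verify_sha256() {
  file="$1"
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -f "$file" ] || { echo "verify: no such file: $file" >&2; return 1; }
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "verify: OK $file"
    return 0
  fi
  echo "verify: SHA256 MISMATCH for $file" >&2
  echo "  expected $expected" >&2
  echo "  actual   $actual" >&2
  return 1
}

# run_analyzer ARCHIVE EXPECTED_HASH SCRIPT_NAME
# Refuses to unpack an archive whose hash does not match, then follows the
# terminal/SSH steps: unzip, chmod, run once unprivileged, run again as root with -d.
run_analyzer() {
  archive="$1"; expected="$2"; script="$3"
  verify_sha256 "$archive" "$expected" || return 1
  unzip -q "$archive" || return 1
  cd XMDEClientAnalyzer || return 1
  chmod +x "$script" || return 1
  "./$script" || return 1   # non-root run: installs the pip and lxml components
  sudo "./$script" -d       # root run: collects the diagnostic package
}

# Usage: sh verify_and_run.sh <archive.zip> <hash from download page> <analyzer script name>
if [ "$#" -ge 3 ]; then
  run_analyzer "$@"
fi
```

Compare the expected hash by copying it from the download page at the time you download, not from an older copy of the documentation, since the hash changes with each release.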


The  command line example

Additional syntax help:

-h (Help): Show help message

performance (Performance): Collects extensive tracing for analysis of a performance issue that can be reproduced on demand. Use --length=<seconds> to specify the duration of the benchmark.

-o (Output): Specify the destination path for the result file

-nz (No-Zip): If set, a directory is created instead of a resulting archive file

-f (Force): Overwrite if output already exists in the destination path

Result package contents on macOS and Linux

  • report.html

    Description: The main HTML output file that will contain the findings and guidance that the analyzer script run on the machine can produce.


    Description: Same diagnostic output that gets generated when running mdatp diagnostic create on either macOS



  • mde.xml

    Description: XML output that is generated while running and is used to build the HTML report file.

  • Processes_information.txt

    Description: Contains the details of the running Microsoft Defender for Endpoint related processes on the system.

  • Log.txt

    Description: Contains the same log messages written on screen during the data collection.

  • Health.txt

    Description: The same basic health output that is shown when running the mdatp health command.

  • Events.xml

    Description: Additional XML file used by the analyzer when building the HTML report.

  • Audited_info.txt

    Description: Details on the audited service and related components for Linux OS.

  • perf_benchmark.tar.gz

    Description: The performance test reports. You will see this only if you are using the performance parameter.