Perform device investigations in Microsoft Defender for Endpoint - Training
Applies to:
Important
This article contains instructions for how to set preferences for Defender for Endpoint on Linux in enterprise environments. If you are interested in configuring the product on a device from the command-line, see Resources.
In enterprise environments, Defender for Endpoint on Linux can be managed through a configuration profile. This profile is deployed from the management tool of your choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise aren't able to change preferences that are set through this configuration profile. If exclusions were added through the managed configuration profile, they can only be removed through the managed configuration profile. The command line works for exclusions that were added locally.
This article describes the structure of this profile (including a recommended profile that you can use to get started) and instructions on how to deploy the profile.
The configuration profile is a .json file that consists of entries identified by a key (which denotes the name of the preference), followed by a value, which depends on the nature of the preference. Values can be simple, such as a numerical value, or complex, such as a nested list of preferences.
Typically, you would use a configuration management tool to push a file with the name mdatp_managed.json at the location /etc/opt/microsoft/mdatp/managed/.
The top level of the configuration profile includes product-wide preferences and entries for subareas of the product, which are explained in more detail in the next sections.
The antivirusEngine section of the configuration profile is used to manage the preferences of the antivirus component of the product.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | antivirusEngine | Antivirus Engine |
Data type | Dictionary (nested preference) | Collapsed Section |
Comments | See the following sections for a description of the dictionary contents. | See the following sections for a description of the policy properties. |
Specifies the enforcement preference of the antivirus engine. There are three values for setting the enforcement level:
- real_time: Real-time protection (scan files as they're modified) is enabled.
- on_demand: Files are scanned only on demand. In this mode, automaticDefinitionUpdateEnabled is set to true.
- passive: Runs the antivirus engine in passive mode. In this mode, automaticDefinitionUpdateEnabled is set to true.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | enforcementLevel | Enforcement Level |
Data type | String | Drop down |
Possible values | real_time, on_demand, passive (default) | Not configured, Realtime, OnDemand, Passive (Default) |
Note
Available in Defender for Endpoint version 101.10.72 or later. The default changed from real_time to passive in Defender for Endpoint version 101.23062.0001 or later.
It's recommended to also use scheduled scans as required.
Important
This feature only works when the enforcement level is set to real_time.
Determines whether the behavior monitoring and blocking capability is enabled on the device.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | behaviorMonitoring | Enable behavior monitoring |
Data type | String | Drop down |
Possible values | disabled (default), enabled | Not configured, Disabled (Default), Enabled |
Note
Available in Defender for Endpoint version 101.45.00 or later.
Important
This feature only works when the enforcement level is set to real_time.
Specifies whether to start a process scan after new security intelligence updates are downloaded on the device. Enabling this setting triggers an antivirus scan on the running processes of the device.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | scanAfterDefinitionUpdate | Enable Scanning after definition update |
Data type | Boolean | Drop down |
Possible values | true (default), false | Not configured, Disabled, Enabled (Default) |
Note
Available in Defender for Endpoint version 101.45.00 or later.
Specifies whether to scan archives during on-demand antivirus scans.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | scanArchives | Enable scanning of archives |
Data type | Boolean | Drop down |
Possible values | true (default), false | Not configured, Disabled, Enabled (Default) |
Note
Available in Microsoft Defender for Endpoint version 101.45.00 or later.
Archive files are never scanned during real-time protection. When the files in an archive are extracted, they are scanned. The scanArchives option can be used to force the scan of archives only during on-demand scan.
Specifies the degree of parallelism for on-demand scans. This corresponds to the number of threads used to perform the scan and impacts the CPU usage, and the duration of the on-demand scan.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | maximumOnDemandScanThreads | maximum on demand scan threads |
Data type | Integer | Toggle Switch & Integer |
Possible values | 2 (default). Allowed values are integers between 1 and 64. | Not Configured (Default toggle off defaults to 2) Configured (toggle on) and integer between 1 and 64. |
Note
Available in Microsoft Defender for Endpoint version 101.45.00 or later.
Specifies the merge policy for exclusions. It can be a combination of administrator-defined and user-defined exclusions (merge) or only administrator-defined exclusions (admin_only). Administrator-defined (admin_only) exclusions are those configured by Defender for Endpoint policy. This setting can be used to restrict local users from defining their own exclusions.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | exclusionsMergePolicy | Exclusions merge |
Data type | String | Drop down |
Possible values | merge (default), admin_only | Not configured, merge (Default), admin_only |
Note
Available in Defender for Endpoint version 100.83.73 or later.
Exclusions can also be configured under exclusionSettings.
Entities that have been excluded from the scan. Exclusions can be specified by full paths, extensions, or file names. (Exclusions are specified as an array of items, administrator can specify as many elements as necessary, in any order.)
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | exclusions | Scan exclusions |
Data type | Dictionary (nested preference) | Dynamic Properties List |
Comments | See the following sections for a description of the dictionary contents. |
Specifies the type of content excluded from the scan.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | $type | Type |
Data type | String | Drop Down |
Possible values | excludedPath, excludedFileExtension, excludedFileName | Path, File extension, Process name |
Used to exclude content from the scan by full file path.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | path | Path |
Data type | String | String |
Possible values | valid paths | valid paths |
Comments | Applicable only if $type is excludedPath | Accessed in Edit instance popup |
Indicates if the path property refers to a file or directory.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | isDirectory | Is directory |
Data type | Boolean | Drop down |
Possible values | false (default), true | Enabled, Disabled |
Comments | Applicable only if $type is excludedPath | Accessed in Edit instance popup |
Used to exclude content from the scan by file extension.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | extension | File extension |
Data type | String | String |
Possible values | valid file extensions | valid file extensions |
Comments | Applicable only if $type is excludedFileExtension | Accessed in Configure instance popup |
Specifies a process for which all file activity is excluded from scanning. The process can be specified either by its name (for example, cat) or full path (for example, /bin/cat).
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | name | File name |
Data type | String | String |
Possible values | any string | any string |
Comments | Applicable only if $type is excludedFileName | Accessed in Configure instance popup |
Specifies the behavior of RTP on mount points marked as noexec. The two values for this setting are:
- unmute: The default value; all mount points are scanned as part of RTP.
- mute: Mount points marked as noexec aren't scanned as part of RTP. Such mount points can be created for:
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | nonExecMountPolicy | non execute mount mute |
Data type | String | Drop down |
Possible values | unmute (default), mute | Not configured, unmute (Default), mute |
Note
Available in Defender for Endpoint version 101.85.27 or later.
Configure filesystems to be unmonitored (excluded) from real-time protection (RTP). The configured filesystems are validated against Microsoft Defender's list of permitted filesystems, and a filesystem is only unmonitored after successful validation. Unmonitored filesystems are still scanned by Quick, Full, and custom scans in Microsoft Defender Antivirus.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | unmonitoredFilesystems | Unmonitored Filesystems |
Data type | Array of strings | Dynamic String List |
Note
A configured filesystem is unmonitored only if it's present in Microsoft's list of permitted unmonitored filesystems.
By default, NFS and Fuse are unmonitored from RTP, Quick, and Full scans. However, they can still be scanned by a custom scan. For example, to remove NFS from the list of unmonitored filesystems list, update the managed config file as shown below. This will automatically add NFS to the list of monitored filesystems for RTP.
```json
{
  "antivirusEngine": {
    "unmonitoredFilesystems": ["Fuse"]
  }
}
```
To remove both NFS and Fuse from the list of unmonitored filesystems, set the array to empty:
```json
{
  "antivirusEngine": {
    "unmonitoredFilesystems": []
  }
}
```
Note
Here's the default list of monitored filesystems for RTP: btrfs, ecryptfs, ext2, ext3, ext4, fuseblk, jfs, overlay, ramfs, reiserfs, tmpfs, vfat, xfs.
If a monitored filesystem needs to be added to the list of unmonitored filesystems, it first needs to be evaluated and enabled by Microsoft via cloud config. After that, customers can update mdatp_managed.json to unmonitor that filesystem.
Enables or disables file hash computation feature. When this feature is enabled, Defender for Endpoint computes hashes for files it scans. Note that enabling this feature might impact device performance. For more details, please refer to: Create indicators for files.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | enableFileHashComputation | Enable file hash computation |
Data type | Boolean | Drop down |
Possible values | false (default)
|
Not configured Disabled (default) Enabled |
Note
Available in Defender for Endpoint version 101.85.27 or later.
List of threats (identified by their name) that aren't blocked by the product and are instead allowed to run.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | allowedThreats | Allowed threats |
Data type | Array of strings | Dynamic String List |
Restricts the actions that the local user of a device can take when threats are detected. The actions included in this list aren't displayed in the user interface.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | disallowedThreatActions | Disallowed threat actions |
Data type | Array of strings | Dynamic String List |
Possible values | allow (restricts users from allowing threats), restore (restricts users from restoring threats from the quarantine) | allow (restricts users from allowing threats), restore (restricts users from restoring threats from the quarantine) |
Note
Available in Defender for Endpoint version 100.83.73 or later.
The threatTypeSettings preference in the antivirus engine is used to control how certain threat types are handled by the product.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | threatTypeSettings | Threat type settings |
Data type | Dictionary (nested preference) | Dynamic Properties List |
Comments | See the following sections for a description of the dictionary contents. | See the following sections for a description of the dynamic properties. |
Type of threat for which the behavior is configured.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | key | Threat type |
Data type | String | Drop down |
Possible values | potentially_unwanted_application, archive_bomb | potentially_unwanted_application, archive_bomb |
Action to take when coming across a threat of the type specified in the preceding section. Can be audit, block, or off.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | value | Action to take |
Data type | String | Drop down |
Possible values | audit (default), block, off | audit, block, off |
Specifies the merge policy for threat type settings. This can be a combination of administrator-defined and user-defined settings (merge
) or only administrator-defined settings (admin_only
). Administrator-defined (admin_only) are threat type settings that are configured by Defender for Endpoint policy. This setting can be used to restrict local users from defining their own settings for different threat types.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | threatTypeSettingsMergePolicy | Threat type settings merge |
Data type | String | Drop down |
Possible values | merge (default) admin_only |
Not configured merge (Default) admin_only |
Note
Available in Defender for Endpoint version 100.83.73 or later.
Specifies the number of days that results are retained in the scan history on the device. Old scan results are removed from the history, and old quarantined files are also removed from the disk.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | scanResultsRetentionDays | Scan results retention |
Data type | String | Toggle switch and Integer |
Possible values | 90 (default). Allowed values are from 1 day to 180 days. | Not configured (toggle off - 90-day default) Configured (toggle on) and allowed value 1 to 180 days. |
Note
Available in Defender for Endpoint version 101.04.76 or later.
Specify the maximum number of entries to keep in the scan history. Entries include all on-demand scans performed in the past and all antivirus detections.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | scanHistoryMaximumItems | Scan history size |
Data type | String | Toggle and Integer |
Possible values | 10000 (default). Allowed values are from 5000 items to 15000 items. | Not configured (toggle off - 10000 default) Configured (toggle on) and allowed value from 5000 to 15000 items. |
Note
Available in Defender for Endpoint version 101.04.76 or later.
Exclusion setting preferences are currently in preview.
Note
Global exclusions are currently in public preview and are available in Defender for Endpoint beginning with version 101.23092.0012 in the Insiders Slow and Production rings.
The exclusionSettings section of the configuration profile is used to configure various exclusions for Microsoft Defender for Endpoint on Linux.
Description | JSON Value |
---|---|
Key | exclusionSettings |
Data type | Dictionary (nested preference) |
Comments | See the following sections for a description of the dictionary contents. |
Note
Antivirus exclusions already configured under antivirusEngine in the managed JSON continue to function as is, with no impact. All new exclusions, including antivirus exclusions, can be added under the new exclusionSettings section. This section sits outside antivirusEngine because it's dedicated to configuring all types of exclusions, including ones added in the future. You can also continue to use antivirusEngine for configuring antivirus exclusions.
Specifies the merge policy for exclusions: either a combination of administrator-defined and user-defined exclusions (merge) or only administrator-defined exclusions (admin_only). This setting can be used to restrict local users from defining their own exclusions. It applies to exclusions of all scopes.
Description | JSON Value |
---|---|
Key | mergePolicy |
Data type | String |
Possible values | merge (default) admin_only |
Comments | Available in Defender for Endpoint version Sept 2023 or higher. |
Entities that need to be excluded can be specified by full paths, extensions, or file names. Each exclusion entity, i.e., either full path, extension or file name has an optional scope that can be specified. If not specified, the default value of scope in this section is global. (Exclusions are specified as an array of items, administrator can specify as many elements as necessary, in any order.)
Description | JSON Value |
---|---|
Key | exclusions |
Data type | Dictionary (nested preference) |
Comments | See the following sections for a description of the dictionary contents. |
Specifies the type of content excluded from the scan.
Description | JSON Value |
---|---|
Key | $type |
Data type | String |
Possible values | excludedPath excludedFileExtension excludedFileName |
Specifies the set of exclusion scopes for the excluded content. Currently supported scopes are epp and global.
If no scope is specified for an exclusion under exclusionSettings in the managed configuration, global is used as the scope.
Note
Antivirus exclusions previously configured under antivirusEngine in the managed JSON continue to function, and their scope is considered epp because they were added as antivirus exclusions.
Description | JSON Value |
---|---|
Key | scopes |
Data type | Set of strings |
Possible values | epp global |
Note
Exclusions previously applied using mdatp_managed.json or the CLI remain unaffected. The scope of those exclusions is epp because they were added under antivirusEngine.
Used to exclude content from the scan by full file path.
Description | JSON Value |
---|---|
Key | path |
Data type | String |
Possible values | valid paths |
Comments | Applicable only if $type is excludedPath. Wildcard not supported if exclusion has global as a scope. |
Indicates if the path property refers to a file or directory.
Note
The file path must already exist when adding a file exclusion with global scope.
Description | JSON Value |
---|---|
Key | isDirectory |
Data type | Boolean |
Possible values | false (default) true |
Comments | Applicable only if $type is excludedPath. Wildcard not supported if exclusion has global as a scope. |
Used to exclude content from the scan by file extension.
Description | JSON Value |
---|---|
Key | extension |
Data type | String |
Possible values | valid file extensions |
Comments | Applicable only if $type is excludedFileExtension. Not supported if exclusion has global as a scope. |
Specifies a process for which all file activity is excluded from scanning. The process can be specified either by its name (for example, cat) or full path (for example, /bin/cat).
Description | JSON Value |
---|---|
Key | name |
Data type | String |
Possible values | any string |
Comments | Applicable only if $type is excludedFileName. Wildcard and process name not supported if exclusion has global as a scope, need to provide full path. |
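A pre-deployment check for the constraints documented in the antivirusEngine and exclusionSettings sections above: enforcement levels, merge policies, the integer ranges, threat type settings, the permitted unmonitored filesystems, and the per-`$type` fields and global-scope restrictions on exclusions. This is an added example, not Microsoft code or part of the product. The permitted unmonitored-filesystem list is an assumption taken from the page's mention of NFS and Fuse (the real list comes from cloud config), and the sample profile is constructed for illustration.

```python
"""Lint an mdatp_managed.json before a configuration management tool pushes it
to /etc/opt/microsoft/mdatp/managed/. Added example, not Microsoft code: it
encodes only the value ranges and exclusion rules documented on this page."""
import json

ENFORCEMENT_LEVELS = {"real_time", "on_demand", "passive"}
MERGE_POLICIES = {"merge", "admin_only"}
THREAT_TYPES = {"potentially_unwanted_application", "archive_bomb"}
THREAT_ACTIONS = {"audit", "block", "off"}
EXCLUSION_TYPES = {"excludedPath", "excludedFileExtension", "excludedFileName"}
EXCLUSION_SCOPES = {"epp", "global"}
# Assumption: the page names only NFS and Fuse as filesystems that may be
# unmonitored; the authoritative permitted list is delivered by cloud config.
PERMITTED_UNMONITORED_FS = {"NFS", "Fuse"}
INT_RANGES = {  # documented allowed ranges
    "maximumOnDemandScanThreads": (1, 64),
    "scanResultsRetentionDays": (1, 180),
    "scanHistoryMaximumItems": (5000, 15000),
}


def _check_exclusion(item, where, scoped):
    """Problems for one exclusion entry. `scoped` is True for entries under
    exclusionSettings, where the extra restrictions for scope "global" apply."""
    kind = item.get("$type")
    if kind not in EXCLUSION_TYPES:
        return [f"{where}: unknown $type {kind!r}"]
    problems, is_global = [], False
    if scoped:
        scopes = set(item.get("scopes", ["global"]))  # page: default scope is global
        if scopes - EXCLUSION_SCOPES:
            problems.append(f"{where}: unknown scope(s) {sorted(scopes - EXCLUSION_SCOPES)}")
        is_global = "global" in scopes
    if kind == "excludedPath":
        path = item.get("path")
        if not isinstance(path, str) or not path.startswith("/"):
            problems.append(f"{where}: excludedPath needs an absolute 'path'")
        elif is_global and any(c in path for c in "*?"):
            problems.append(f"{where}: wildcards aren't supported with global scope")
    elif kind == "excludedFileExtension":
        if not isinstance(item.get("extension"), str):
            problems.append(f"{where}: excludedFileExtension needs 'extension'")
        elif is_global:
            problems.append(f"{where}: extension exclusions aren't supported with global scope")
    else:  # excludedFileName: a process, given by name or by full path
        name = item.get("name")
        if not isinstance(name, str) or not name:
            problems.append(f"{where}: excludedFileName needs 'name'")
        elif is_global and (not name.startswith("/") or any(c in name for c in "*?")):
            problems.append(f"{where}: global process exclusions need a full path without wildcards")
    return problems


def lint_managed_config(text):
    """Parse the profile text and return a list of problems (empty means clean)."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    problems, av = [], cfg.get("antivirusEngine", {})
    level = av.get("enforcementLevel")
    if level is not None and level not in ENFORCEMENT_LEVELS:
        problems.append(f"antivirusEngine.enforcementLevel: {level!r} is not one of {sorted(ENFORCEMENT_LEVELS)}")
    for key in ("exclusionsMergePolicy", "threatTypeSettingsMergePolicy"):
        if key in av and av[key] not in MERGE_POLICIES:
            problems.append(f"antivirusEngine.{key}: {av[key]!r} is not one of {sorted(MERGE_POLICIES)}")
    for key, (lo, hi) in INT_RANGES.items():
        val = av.get(key)
        if val is not None and not (type(val) is int and lo <= val <= hi):
            problems.append(f"antivirusEngine.{key}: {val!r} is outside {lo}..{hi}")
    for i, tts in enumerate(av.get("threatTypeSettings", [])):
        if tts.get("key") not in THREAT_TYPES or tts.get("value") not in THREAT_ACTIONS:
            problems.append(f"antivirusEngine.threatTypeSettings[{i}]: bad entry {tts!r}")
    for fs in av.get("unmonitoredFilesystems", []):
        if fs not in PERMITTED_UNMONITORED_FS:
            problems.append(f"antivirusEngine.unmonitoredFilesystems: {fs!r} isn't permitted and will be ignored")
    for i, item in enumerate(av.get("exclusions", [])):
        problems += _check_exclusion(item, f"antivirusEngine.exclusions[{i}]", scoped=False)
    es = cfg.get("exclusionSettings", {})
    if "mergePolicy" in es and es["mergePolicy"] not in MERGE_POLICIES:
        problems.append(f"exclusionSettings.mergePolicy: {es['mergePolicy']!r} is not one of {sorted(MERGE_POLICIES)}")
    for i, item in enumerate(es.get("exclusions", [])):
        problems += _check_exclusion(item, f"exclusionSettings.exclusions[{i}]", scoped=True)
    return problems


# Constructed sample profile containing five mistakes the lint should catch.
SAMPLE_BAD = json.dumps({
    "antivirusEngine": {
        "enforcementLevel": "realtime",              # should be real_time
        "maximumOnDemandScanThreads": 128,           # allowed range is 1..64
        "unmonitoredFilesystems": ["Fuse", "ext4"],  # ext4 isn't on the permitted list
        "threatTypeSettings": [{"key": "potentially_unwanted_application", "value": "block"}],
        "exclusions": [{"$type": "excludedPath", "path": "/var/log/*.log"}],  # epp scope: fine
    },
    "exclusionSettings": {
        "mergePolicy": "admin_only",
        "exclusions": [
            {"$type": "excludedFileExtension", "extension": "log", "scopes": ["global"]},  # not allowed
            {"$type": "excludedFileName", "name": "cat", "scopes": ["global"]},  # needs a full path
            {"$type": "excludedPath", "path": "/opt/app/data", "isDirectory": True, "scopes": ["epp"]},
        ],
    },
})
```

Run `lint_managed_config(open("mdatp_managed.json").read())` in the pipeline step that stages the file, and fail the push when the returned list is non-empty. Note that the epp-scoped wildcard path under antivirusEngine passes, while the same pattern with scope global would be rejected, which mirrors the scope rules in the tables above.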
The following settings can be configured to enable certain advanced scanning features.
Important
Enabling these features might impact device performance. Keep the defaults unless Microsoft Support recommends otherwise.
When this feature is enabled, Defender for Endpoint scans files when their permissions have been changed to set the execute bit(s).
Note
This feature applies only when the enableFilePermissionEvents feature is enabled. For more information, see the Advanced optional features section below.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | scanFileModifyPermissions | Not available |
Data type | Boolean | n/a |
Possible values | false (default), true | n/a |
Note
Available in Defender for Endpoint version 101.23062.0010 or later.
When this feature is enabled, Defender for Endpoint scans files for which ownership has changed.
Note
This feature applies only when the enableFileOwnershipEvents feature is enabled. For more information, see the Advanced optional features section below.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | scanFileModifyOwnership | Not available |
Data type | Boolean | n/a |
Possible values | false (default), true | n/a |
Note
Available in Defender for Endpoint version 101.23062.0010 or later.
When this feature is enabled, Defender for Endpoint scans network socket events such as the creation of raw sockets or packet sockets, or the setting of socket options.
Note
This feature applies only when Behavior Monitoring is enabled and the enableRawSocketEvent feature is enabled. For more information, see the Advanced optional features section below.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | scanNetworkSocketEvent | Not available |
Data type | Boolean | n/a |
Possible values | false (default), true | n/a |
Note
Available in Defender for Endpoint version 101.23062.0010 or later.
The cloudService entry in the configuration profile is used to configure the cloud-driven protection feature of the product.
Note
Cloud-delivered protection applies at any enforcement level (real_time, on_demand, passive).
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | cloudService | Cloud delivered protection preferences |
Data type | Dictionary (nested preference) | Collapsed section |
Comments | See the following sections for a description of the dictionary contents. | See the following sections for a description of the policy's settings. |
Determines whether cloud-delivered protection is enabled on the device or not. To improve the security of your services, we recommend keeping this feature turned on.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | enabled | Enable cloud delivered protection |
Data type | Boolean | Drop down |
Possible values | true (default), false | Not configured, Disabled, Enabled (Default) |
Diagnostic data is used to keep Defender for Endpoint secure and up to date, detect, diagnose and fix problems, and also make product improvements. This setting determines the level of diagnostics sent by the product to Microsoft. For more details, see Privacy for Microsoft Defender for Endpoint on Linux.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | diagnosticLevel | Diagnostic data collection level |
Data type | String | Drop down |
Possible values | optional (default), required | Not configured, optional (Default), required |
This setting determines how aggressive Defender for Endpoint is in blocking and scanning suspicious files. If this setting is on, Defender for Endpoint is more aggressive when identifying suspicious files to block and scan; otherwise, it's less aggressive and therefore blocks and scans less frequently.
There are five values for setting the cloud block level:
- normal: The default blocking level.
- moderate: Delivers a verdict only for high-confidence detections.
- high: Aggressively blocks unknown files while optimizing for performance (greater chance of blocking non-harmful files).
- high_plus: Aggressively blocks unknown files and applies additional protection measures (might impact client device performance).
- zero_tolerance: Blocks all unknown programs.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | cloudBlockLevel | Configure cloud block level |
Data type | String | Drop down |
Possible values | normal (default), moderate, high, high_plus, zero_tolerance | Not configured, Normal (default), Moderate, High, High_Plus, Zero_Tolerance |
Note
Available in Defender for Endpoint version 101.56.62 or later.
Determines whether suspicious samples (that are likely to contain threats) are sent to Microsoft. There are three levels for controlling sample submission: none, safe (the default), and all.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | automaticSampleSubmissionConsent | Enable automatic sample submissions |
Data type | String | Drop down |
Possible values | none, safe (default), all | Not configured, None, Safe (Default), All |
Determines whether security intelligence updates are installed automatically.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | automaticDefinitionUpdateEnabled | Automatic security intelligence updates |
Data type | Boolean | Drop down |
Possible values | true (default), false | Not configured, Disabled, Enabled (Default) |
Depending on the enforcement level, automatic security intelligence updates are installed differently. In real_time mode, updates are installed periodically. In passive and on_demand modes, updates are installed before every scan.
The following settings can be configured to enable certain advanced features.
Important
Enabling these features might impact device performance. Keep the defaults unless Microsoft Support recommends otherwise.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | features | Not available |
Data type | Dictionary (nested preference) | n/a |
Comments | See the following sections for a description of the dictionary contents. |
Determines whether module load events (file open events on shared libraries) are monitored.
Note
This feature applies only when Behavior Monitoring is enabled.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | moduleLoad | Not available |
Data type | String | n/a |
Possible values | disabled (default), enabled | n/a |
Comments | Available in Defender for Endpoint version 101.68.80 or later. |
The following settings can be used to configure certain advanced supplementary sensor features.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | supplementarySensorConfigurations | Not available |
Data type | Dictionary (nested preference) | n/a |
Comments | See the following sections for a description of the dictionary contents. |
Determines whether file modify permissions events (chmod
) are monitored.
Note
When this feature is enabled, Defender for Endpoint monitors changes to the execute bits of files but doesn't scan these events. For more information, see the Advanced scanning features section.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | enableFilePermissionEvents | Not available |
Data type | String | n/a |
Possible values | disabled (default), enabled | n/a |
Comments | Available in Defender for Endpoint version 101.23062.0010 or later. |
Determines whether file modify ownership events (chown
) are monitored.
Note
When this feature is enabled, Defender for Endpoint monitors changes to the ownership of files but doesn't scan these events. For more information, see the Advanced scanning features section.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | enableFileOwnershipEvents | Not available |
Data type | String | n/a |
Possible values | disabled (default), enabled | n/a |
Comments | Available in Defender for Endpoint version 101.23062.0010 or later. |
Determines whether network socket events involving creation of raw sockets / packet sockets, or setting socket option, are monitored.
Note
This feature applies only when Behavior Monitoring is enabled. When it's enabled, Defender for Endpoint monitors these network socket events but doesn't scan them. For more information, see the Advanced scanning features section above.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | enableRawSocketEvent | Not available |
Data type | String | n/a |
Possible values | disabled (default), enabled | n/a |
Comments | Available in Defender for Endpoint version 101.23062.0010 or later. |
Determines whether boot loader events are monitored and scanned.
Note
This feature is applicable only when Behavior Monitoring is enabled.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | enableBootLoaderCalls | Not available |
Data type | String | n/a |
Possible values | disabled (default), enabled | n/a |
Comments | Available in Defender for Endpoint version 101.68.80 or later. |
Determines whether ptrace events are monitored and scanned.
Note
This feature is applicable only when Behavior Monitoring is enabled.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | enableProcessCalls | Not available |
Data type | String | n/a |
Possible values | disabled (default), enabled | n/a |
Comments | Available in Defender for Endpoint version 101.68.80 or later. |
Determines whether pseudofs events are monitored and scanned.
Note
This feature is applicable only when Behavior Monitoring is enabled.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | enablePseudofsCalls | Not available |
Data type | String | n/a |
Possible values | disabled (default), enabled | n/a |
Comments | Available in Defender for Endpoint version 101.68.80 or later. |
Determines whether module load events are monitored using eBPF and scanned.
Note
This feature is applicable only when Behavior Monitoring is enabled.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | enableEbpfModuleLoadEvents | Not available |
Data type | String | n/a |
Possible values | disabled (default), enabled | n/a |
Comments | Available in Defender for Endpoint version 101.68.80 or later. |
Determines whether open events from procfs are monitored by eBPF.
Note
This feature is applicable only when Behavior Monitoring is enabled.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | enableOtherFsOpenEvents | Not available |
Data type | String | n/a |
Possible values | disabled (default), enabled | n/a |
Comments | Available in Defender for Endpoint version 101.24072.0001 or later. |
Determines whether events are enriched with metadata at source in eBPF.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | enableEbpfSourceEnrichment | Not available |
Data type | String | n/a |
Possible values | disabled (default), enabled | n/a |
Comments | Available in Defender for Endpoint version 101.24072.0001 or later. |
Determines whether metadata of events being scanned by the antivirus engine are cached or not.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | enableAntivirusEngineCache | Not available |
Data type | String | n/a |
Possible values | disabled (default), enabled | n/a |
Comments | Available in Defender for Endpoint version 101.24072.0001 or later. |
Determines whether suspicious events from Antivirus are reported to EDR.
Description | JSON Value | Defender Portal Value |
---|---|---|
Key | sendLowfiEvents | Not available |
Data type | String | n/a |
Possible values | disabled (default), enabled | n/a |
Comments | Available in Defender for Endpoint version 101.23062.0010 or later. |
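Several of the settings described above are inert unless another setting is on: behavior monitoring and scanAfterDefinitionUpdate need enforcement level real_time, scanFileModifyPermissions needs enableFilePermissionEvents, scanNetworkSocketEvent needs both behavior monitoring and enableRawSocketEvent, and the eBPF sensor switches need behavior monitoring. The following added example (not Microsoft code) walks those dependencies transitively and reports switches that are on in a profile but can't take effect. The nesting of the scanFileModify*/scanNetworkSocketEvent keys under antivirusEngine and of supplementarySensorConfigurations under features is an assumption, as is the constructed sample profile.

```python
"""Find managed-profile settings that are switched on but can't take effect,
because a setting they depend on is off. Added example, not Microsoft code.
The dependency rules are transcribed from the notes on this page; the nesting
of scanFileModify*/scanNetworkSocketEvent under antivirusEngine and of
supplementarySensorConfigurations under features is an assumption."""
import json

AV, FEAT = "antivirusEngine", "features"
SENSORS = FEAT + ".supplementarySensorConfigurations"
RTP = AV + ".enforcementLevel"
BM = AV + ".behaviorMonitoring"

# setting -> (value that switches it on, settings it depends on)
RULES = {
    RTP: ("real_time", []),
    BM: ("enabled", [RTP]),  # page: only works when enforcement level is real_time
    AV + ".scanAfterDefinitionUpdate": (True, [RTP]),
    SENSORS + ".enableFilePermissionEvents": ("enabled", []),
    SENSORS + ".enableFileOwnershipEvents": ("enabled", []),
    SENSORS + ".enableRawSocketEvent": ("enabled", [BM]),
    AV + ".scanFileModifyPermissions": (True, [SENSORS + ".enableFilePermissionEvents"]),
    AV + ".scanFileModifyOwnership": (True, [SENSORS + ".enableFileOwnershipEvents"]),
    AV + ".scanNetworkSocketEvent": (True, [BM, SENSORS + ".enableRawSocketEvent"]),
    FEAT + ".moduleLoad": ("enabled", [BM]),
}
for _k in ("enableBootLoaderCalls", "enableProcessCalls", "enablePseudofsCalls",
           "enableEbpfModuleLoadEvents", "enableOtherFsOpenEvents"):
    RULES[SENSORS + "." + _k] = ("enabled", [BM])
# Page: the default enforcement level is passive since 101.23062.0001. Every
# monitoring switch defaults to disabled/false, so a missing key counts as off.
DEFAULTS = {RTP: "passive"}


def _get(cfg, dotted):
    """Walk a dotted path through nested dicts; None when a level is missing."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _effective(cfg, path, memo):
    """True when `path` is on and every dependency is itself effective (transitively)."""
    if path not in memo:
        on_value, deps = RULES[path]
        actual = _get(cfg, path)
        actual = DEFAULTS.get(path) if actual is None else actual
        memo[path] = actual == on_value and all(_effective(cfg, d, memo) for d in deps)
    return memo[path]


def inert_settings(text):
    """Return [(setting, [unmet dependencies])] for switched-on settings that are inert."""
    cfg, memo, out = json.loads(text), {}, []
    for path, (on_value, deps) in RULES.items():
        if _get(cfg, path) == on_value and not _effective(cfg, path, memo):
            out.append((path, [d for d in deps if not _effective(cfg, d, memo)]))
    return out


def _profile(level):
    """Constructed sample: several sensors turned on under a given enforcement level."""
    return json.dumps({
        AV: {"enforcementLevel": level, "behaviorMonitoring": "enabled",
             "scanAfterDefinitionUpdate": True, "scanFileModifyPermissions": True,
             "scanNetworkSocketEvent": True},
        FEAT: {"moduleLoad": "enabled",
               "supplementarySensorConfigurations": {
                   "enableFilePermissionEvents": "enabled", "enableRawSocketEvent": "enabled"}},
    })


SAMPLE_PASSIVE = _profile("passive")      # the post-101.23062.0001 default level
SAMPLE_REAL_TIME = _profile("real_time")

if __name__ == "__main__":
    for setting, unmet in inert_settings(SAMPLE_PASSIVE):
        print(f"{setting} is set but inert; needs {', '.join(unmet)}")
```

With the passive sample, behavior monitoring is reported as inert because the enforcement level isn't real_time, and everything that hangs off behavior monitoring (moduleLoad, enableRawSocketEvent, scanNetworkSocketEvent) is reported as inert in turn; scanFileModifyPermissions is fine because its only dependency, enableFilePermissionEvents, is on. Switching the same profile to real_time clears every finding, which is the check worth running before assuming a new sensor is producing telemetry.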
Note
This is a preview feature. For these settings to take effect, Network Protection has to be turned on. For more information, see Turn on network protection for Linux.
The following settings configure the advanced Network Protection inspection features, which control what traffic Network Protection inspects.

Description | JSON Value | Defender Portal Value |
---|---|---|
Key | networkProtection | Network protection |
Data type | Dictionary (nested preference) | Collapsed section |
Comments | See the following sections for a description of the dictionary contents. | See the following sections for a description of the policy settings. |

Description | JSON Value | Defender Portal Value |
---|---|---|
Key | enforcementLevel | Enforcement Level |
Data type | String | Drop down |
Possible values | disabled (default), audit, block | Not configured, disabled (default), audit, block |
Determines whether ICMP events are monitored and scanned.

Note: This feature is applicable only when Behavior Monitoring is enabled.

Description | JSON Value | Defender Portal Value |
---|---|---|
Key | disableIcmpInspection | Not available |
Data type | Boolean | n/a |
Possible values | true (default), false | n/a |
Comments | Available in Defender for Endpoint version 101.23062.0010 or later. | |
To get started, we recommend the following configuration profile for your enterprise to take advantage of all protection features that Defender for Endpoint provides.

The following configuration profile enables, among the other settings shown, automatic sample submission at the `safe` level:

```json
{
  "antivirusEngine": {
    "enforcementLevel": "real_time",
    "threatTypeSettings": [
      {
        "key": "potentially_unwanted_application",
        "value": "block"
      },
      {
        "key": "archive_bomb",
        "value": "audit"
      }
    ]
  },
  "cloudService": {
    "automaticDefinitionUpdateEnabled": true,
    "automaticSampleSubmissionConsent": "safe",
    "enabled": true,
    "proxy": "<EXAMPLE DO NOT USE> http://proxy.server:port/"
  }
}
```
The following configuration profile contains entries for all settings described in this document and can be used for more advanced scenarios where you want more control over the product.

Note: It is not possible to control all Microsoft Defender for Endpoint communication with only a proxy setting in this JSON.
```json
{
  "antivirusEngine": {
    "enforcementLevel": "passive",
    "behaviorMonitoring": "disabled",
    "scanAfterDefinitionUpdate": true,
    "scanArchives": true,
    "scanHistoryMaximumItems": 10000,
    "scanResultsRetentionDays": 90,
    "maximumOnDemandScanThreads": 2,
    "exclusionsMergePolicy": "merge",
    "allowedThreats": [
      "<EXAMPLE DO NOT USE>EICAR-Test-File (not a virus)"
    ],
    "disallowedThreatActions": [
      "allow",
      "restore"
    ],
    "nonExecMountPolicy": "unmute",
    "unmonitoredFilesystems": ["nfs", "fuse"],
    "enableFileHashComputation": false,
    "threatTypeSettingsMergePolicy": "merge",
    "threatTypeSettings": [
      {
        "key": "potentially_unwanted_application",
        "value": "block"
      },
      {
        "key": "archive_bomb",
        "value": "audit"
      }
    ],
    "scanFileModifyPermissions": false,
    "scanFileModifyOwnership": false,
    "scanNetworkSocketEvent": false,
    "offlineDefinitionUpdateUrl": "http://172.22.199.67:8000/linux/production/<EXAMPLE DO NOT USE>",
    "offlineDefintionUpdateFallbackToCloud": false,
    "offlineDefinitionUpdate": "disabled"
  },
  "cloudService": {
    "enabled": true,
    "diagnosticLevel": "optional",
    "automaticSampleSubmissionConsent": "safe",
    "automaticDefinitionUpdateEnabled": true,
    "proxy": "<EXAMPLE DO NOT USE> http://proxy.server:port/",
    "definitionUpdatesInterval": 28800
  },
  "features": {
    "moduleLoad": "disabled",
    "supplementarySensorConfigurations": {
      "enableFilePermissionEvents": "disabled",
      "enableFileOwnershipEvents": "disabled",
      "enableRawSocketEvent": "disabled",
      "enableBootLoaderCalls": "disabled",
      "enableProcessCalls": "disabled",
      "enablePseudofsCalls": "disabled",
      "enableEbpfModuleLoadEvents": "disabled",
      "sendLowfiEvents": "disabled"
    },
    "ebpfSupplementaryEventProvider": "enabled",
    "offlineDefinitionUpdateVerifySig": "disabled"
  },
  "networkProtection": {
    "enforcementLevel": "disabled",
    "disableIcmpInspection": true
  },
  "edr": {
    "groupIds": "GroupIdExample",
    "tags": [
      {
        "key": "GROUP",
        "value": "Tag"
      }
    ]
  },
  "exclusionSettings": {
    "exclusions": [
      {
        "$type": "excludedPath",
        "isDirectory": true,
        "path": "/home/*/git<EXAMPLE DO NOT USE>",
        "scopes": [
          "epp"
        ]
      },
      {
        "$type": "excludedPath",
        "isDirectory": true,
        "path": "/run<EXAMPLE DO NOT USE>",
        "scopes": [
          "global"
        ]
      },
      {
        "$type": "excludedPath",
        "isDirectory": false,
        "path": "/var/log/system.log<EXAMPLE DO NOT USE><EXCLUDED IN ALL SCENARIOS>",
        "scopes": [
          "epp", "global"
        ]
      },
      {
        "$type": "excludedFileExtension",
        "extension": ".pdf<EXAMPLE DO NOT USE>",
        "scopes": [
          "epp"
        ]
      },
      {
        "$type": "excludedFileName",
        "name": "/bin/cat<EXAMPLE DO NOT USE><NO SCOPE PROVIDED - GLOBAL CONSIDERED>"
      }
    ],
    "mergePolicy": "admin_only"
  }
}
```
When you run the `mdatp health` command for the first time, the values for the tag and group ID will be blank. To add a tag or group ID to the `mdatp_managed.json` file, follow these steps:

1. Open the configuration profile at `/etc/opt/microsoft/mdatp/managed/mdatp_managed.json`.
2. Go to the bottom of the file, where the `cloudService` block is located.
3. Add the required tag or group ID after the closing curly bracket of the `cloudService` block, as in the following example:
```json
  },
  "cloudService": {
    "enabled": true,
    "diagnosticLevel": "optional",
    "automaticSampleSubmissionConsent": "safe",
    "automaticDefinitionUpdateEnabled": true,
    "proxy": "http://proxy.server:port/"
  },
  "edr": {
    "groupIds": "GroupIdExample",
    "tags": [
      {
        "key": "GROUP",
        "value": "Tag"
      }
    ]
  }
}
```
Note: Add the comma after the closing curly bracket at the end of the `cloudService` block. Also make sure that there are two closing curly brackets after adding the tag or group ID block (see the example above). At the moment, the only supported key name for tags is `GROUP`.
The configuration profile must be a valid JSON-formatted file. There are many tools that can be used to verify this. For example, if you have `python` installed on your device:

```sh
python -m json.tool mdatp_managed.json
```

If the JSON is well-formed, the above command outputs it back to the terminal and returns an exit code of `0`. Otherwise, an error that describes the issue is displayed and the command returns an exit code of `1`.
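As an added example (not part of the Microsoft documentation or the product), the following Python linter goes one step past `python -m json.tool`: once the file parses, it flags the mistakes this page calls out, namely leftover `<EXAMPLE DO NOT USE>` placeholders, values outside the documented set for `enforcementLevel` and `behaviorMonitoring`, an `edr.tags` key other than `GROUP`, and exclusion scopes other than `epp` or `global`. The sample profile is constructed for the demonstration; `on_demand` is taken from the product's documented antivirus enforcement levels rather than from this section.

```python
import json

# Constructed sample profile (not from the docs) carrying four mistakes this page warns
# about: a leftover placeholder, an undocumented value, a non-GROUP tag key, a bad scope.
SAMPLE_PROFILE = """{
  "antivirusEngine": {"enforcementLevel": "real_time", "behaviorMonitoring": "enabled"},
  "cloudService": {"enabled": true, "proxy": "<EXAMPLE DO NOT USE> http://proxy.server:port/"},
  "networkProtection": {"enforcementLevel": "monitor"},
  "edr": {"tags": [{"key": "TEAM", "value": "blue"}]},
  "exclusionSettings": {"exclusions": [{"$type": "excludedPath", "isDirectory": true,
                                        "path": "/run", "scopes": ["epp", "everywhere"]}]}
}"""

# Documented values for the enumerated settings this linter checks
ALLOWED = {
    ("antivirusEngine", "enforcementLevel"): {"real_time", "on_demand", "passive"},
    ("antivirusEngine", "behaviorMonitoring"): {"enabled", "disabled"},
    ("networkProtection", "enforcementLevel"): {"disabled", "audit", "block"},
}
SCOPES = {"epp", "global"}  # exclusion scopes accepted by exclusionSettings

def find_placeholders(node, path=""):
    """Yield JSON-pointer style paths of strings still holding the docs' placeholder."""
    if isinstance(node, str) and "<EXAMPLE DO NOT USE>" in node:
        yield path
    children = node.items() if isinstance(node, dict) else enumerate(node) if isinstance(node, list) else ()
    for key, child in children:
        yield from find_placeholders(child, f"{path}/{key}")

def lint_profile(text):
    """Return a list of findings; an empty list means the profile passed."""
    try:
        profile = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]  # the same failure python -m json.tool reports
    findings = [f"{p}: placeholder text left in value" for p in find_placeholders(profile)]
    for (section, key), allowed in ALLOWED.items():  # enumerated settings
        value = profile.get(section, {}).get(key)
        if value is not None and value not in allowed:
            findings.append(f"{section}.{key}: {value!r} is not one of {sorted(allowed)}")
    for tag in profile.get("edr", {}).get("tags", []):  # only GROUP is a supported key
        if tag.get("key") != "GROUP":
            findings.append(f"edr.tags: unsupported key {tag.get('key')!r}")
    for i, excl in enumerate(profile.get("exclusionSettings", {}).get("exclusions", [])):
        for scope in sorted(set(excl.get("scopes", [])) - SCOPES):
            findings.append(f"exclusionSettings.exclusions[{i}]: unknown scope {scope!r}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_profile(SAMPLE_PROFILE)) or "profile passed")
```

To check a deployed file, pass the contents of `/etc/opt/microsoft/mdatp/managed/mdatp_managed.json` to `lint_profile` instead of the sample.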
To verify that your `/etc/opt/microsoft/mdatp/managed/mdatp_managed.json` is working properly, you should see "[managed]" next to these settings:

- cloud_enabled
- cloud_automatic_sample_submission_consent
- passive_mode_enabled
- real_time_protection_enabled
- automatic_definition_update_enabled
Note: No restart of the mdatp daemon is required for changes to most configurations in `mdatp_managed.json` to take effect. Exception: the following configurations require a daemon restart to take effect:

- cloud-diagnostic
- log-rotation-parameters
Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. Defender for Endpoint on Linux reads the managed configuration from `/etc/opt/microsoft/mdatp/managed/mdatp_managed.json`.
Tip: Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.