Behavior monitoring in Microsoft Defender Antivirus on macOS
Applies to:
- Microsoft Defender for XDR
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Business
- Microsoft Defender for Individuals
- Microsoft Defender Antivirus
- Supported versions of macOS
Important
Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Prerequisites
- Device is onboarded to Microsoft Defender for Endpoint.
- Preview features are enabled in the Microsoft XDR portal (https://security.microsoft.com).
- Device must be in the Beta channel (formerly InsiderFast).
- The minimum Microsoft Defender for Endpoint version is 101.24042.0002 or newer on the Beta (Insiders-Fast) channel. The version number refers to the app_version (also known as the Platform update).
- Ensure that Real-Time Protection (RTP) is enabled.
- Ensure cloud-delivered protection is enabled.
- Device must be explicitly enrolled into the preview.
Overview
Behavior monitoring observes process behavior to detect and analyze potential threats based on how the applications, daemons, and files within the system act. Because behavior monitoring watches how software behaves in real time, it can adapt quickly to new and evolving threats and block them.
Deployment instructions
To deploy behavior monitoring in Microsoft Defender for Endpoint on macOS, you must change the behavior monitoring policy using one of the following methods: Intune, Jamf, or manual configuration from the Terminal.
The following sections describe each of these methods in detail.
Intune deployment
Copy the following XML to create a .plist file and save it as BehaviorMonitoring_for_MDE_on_macOS.mobileconfig:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadUUID</key>
    <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadOrganization</key>
    <string>Microsoft</string>
    <key>PayloadIdentifier</key>
    <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
    <key>PayloadDisplayName</key>
    <string>Microsoft Defender for Endpoint settings</string>
    <key>PayloadDescription</key>
    <string>Microsoft Defender for Endpoint configuration settings</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadEnabled</key>
    <true/>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadUUID</key>
            <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
            <key>PayloadType</key>
            <string>com.microsoft.wdav</string>
            <key>PayloadOrganization</key>
            <string>Microsoft</string>
            <key>PayloadIdentifier</key>
            <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
            <key>PayloadDisplayName</key>
            <string>Microsoft Defender for Endpoint configuration settings</string>
            <key>PayloadDescription</key>
            <string/>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadEnabled</key>
            <true/>
            <key>antivirusEngine</key>
            <dict>
                <key>behaviorMonitoring</key>
                <string>enabled</string>
            </dict>
            <key>features</key>
            <dict>
                <key>behaviorMonitoring</key>
                <string>enabled</string>
                <key>behaviorMonitoringConfigurations</key>
                <dict>
                    <key>blockExecution</key>
                    <string>enabled</string>
                    <key>notifyForks</key>
                    <string>enabled</string>
                    <key>forwardRtpToBm</key>
                    <string>enabled</string>
                    <key>avoidOpenCache</key>
                    <string>enabled</string>
                </dict>
            </dict>
        </dict>
    </array>
</dict>
</plist>
Open Devices > Configuration profiles.
Select Create profile and select New Policy.
Give the profile a name. Set Platform to macOS and Profile type to Templates, then choose Custom in the template name section. Select Configure.
Go to the plist file you saved earlier and save it as com.microsoft.wdav.xml.
Enter com.microsoft.wdav as the custom configuration profile name.
Open the configuration profile, upload the com.microsoft.wdav.xml file, and select OK.
Select Manage > Assignments. In the Include tab, select Assign to All Users & All devices or to a Device Group or User Group.
Jamf deployment
Copy the following XML to create a .plist file and save it as BehaviorMonitoring_for_MDE_on_macOS.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>antivirusEngine</key>
    <dict>
        <key>behaviorMonitoring</key>
        <string>enabled</string>
    </dict>
    <key>features</key>
    <dict>
        <key>behaviorMonitoring</key>
        <string>enabled</string>
        <key>behaviorMonitoringConfigurations</key>
        <dict>
            <key>blockExecution</key>
            <string>enabled</string>
            <key>notifyForks</key>
            <string>enabled</string>
            <key>forwardRtpToBm</key>
            <string>enabled</string>
            <key>avoidOpenCache</key>
            <string>enabled</string>
        </dict>
    </dict>
</dict>
</plist>
In Computers > Configuration Profiles, select Options > Applications & Custom Settings.
Select Upload File (.plist file).
Set the preference domain to com.microsoft.wdav.
Upload the plist file saved earlier.
For more information, see: Set preferences for Microsoft Defender for Endpoint on macOS.
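Before pushing either profile above, it is worth confirming that it actually enables every behavior monitoring setting the page lists. The following checker is an added example, not Microsoft tooling: it parses either the Intune .mobileconfig form (settings wrapped in PayloadContent) or the bare Jamf .plist form with Python's standard plistlib and reports any setting that is not "enabled". The embedded sample profile is constructed for the example, with blockExecution deliberately left disabled.

```python
# Added example (not Microsoft tooling): validate a behavior-monitoring
# profile for Defender for Endpoint on macOS before deploying it. It accepts
# either the Intune .mobileconfig (settings wrapped in PayloadContent) or
# the bare Jamf .plist, and reports any setting that is not 'enabled'.
import plistlib

# Key paths the page's profiles set; every one is expected to be "enabled".
EXPECTED_PATHS = [
    ("antivirusEngine", "behaviorMonitoring"),
    ("features", "behaviorMonitoring"),
    ("features", "behaviorMonitoringConfigurations", "blockExecution"),
    ("features", "behaviorMonitoringConfigurations", "notifyForks"),
    ("features", "behaviorMonitoringConfigurations", "forwardRtpToBm"),
    ("features", "behaviorMonitoringConfigurations", "avoidOpenCache"),
]

def wdav_settings(data: bytes) -> dict:
    """Return the com.microsoft.wdav settings dict from either profile form."""
    root = plistlib.loads(data)
    if "PayloadContent" not in root:          # Jamf form: bare settings dict
        return root
    for payload in root["PayloadContent"]:    # Intune form: find the wdav payload
        if payload.get("PayloadType") == "com.microsoft.wdav":
            return payload
    raise ValueError("profile has no com.microsoft.wdav payload")

def check_profile(data: bytes) -> list:
    """Return problems found; an empty list means BM is fully enabled."""
    settings, problems = wdav_settings(data), []
    for path in EXPECTED_PATHS:
        node = settings
        for key in path:                      # walk the nested dicts safely
            node = node.get(key) if isinstance(node, dict) else None
        if node != "enabled":
            problems.append(f"{'.'.join(path)}: expected 'enabled', got {node!r}")
    return problems

# Constructed Jamf-form sample with blockExecution deliberately left disabled.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>antivirusEngine</key><dict><key>behaviorMonitoring</key><string>enabled</string></dict>
 <key>features</key><dict>
  <key>behaviorMonitoring</key><string>enabled</string>
  <key>behaviorMonitoringConfigurations</key><dict>
   <key>blockExecution</key><string>disabled</string>
   <key>notifyForks</key><string>enabled</string>
   <key>forwardRtpToBm</key><string>enabled</string>
   <key>avoidOpenCache</key><string>enabled</string>
  </dict></dict></dict></plist>"""
```

Running check_profile(SAMPLE) reports the disabled blockExecution path; pass the bytes of your own .mobileconfig or .plist to check the real profile.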
Manual deployment
You can enable behavior monitoring in Microsoft Defender for Endpoint on macOS by running the following command from the Terminal:
sudo mdatp config behavior-monitoring --value enabled
To disable:
sudo mdatp config behavior-monitoring --value disabled
For more information, see: Resources for Microsoft Defender for Endpoint on macOS.
To test behavior monitoring (prevention/block) detection
See Behavior Monitoring demonstration.
Verifying Behavior Monitoring detection
The existing Microsoft Defender for Endpoint on macOS command line interface can be used to review behavior monitoring details and artifacts.
sudo mdatp threat list
Frequently Asked Questions (FAQ)
What if I see an increase in CPU or memory utilization?
Disable behavior monitoring and check whether the issue goes away.
- If the issue doesn't go away, it is not related to behavior monitoring.
- If the issue goes away, collect diagnostic data with the MDE Client Analyzer (aka.ms/xMDEClientAnalyzer) and contact Microsoft support.