Applies to:
- Microsoft Defender for Endpoint for servers
- Microsoft Defender for Servers Plan 1 or Plan 2
This article provides resources for resolving issues or configuring Microsoft Defender for Endpoint on Linux. This article describes how to collect diagnostic information, log installation issues, and configure Defender for Endpoint on Linux using the command line. This article also describes how to uninstall Defender for Endpoint on Linux.
Collect diagnostic information
Tip
Run the Defender for Endpoint client analyzer with live response or locally on the device to collect diagnostic information from Defender for Endpoint on Linux.
If you can reproduce a problem, first increase the logging level, run the system for some time, and then restore the logging level to the default.
1. Increase the logging level:
   mdatp log level set --level debug
   Log level configured successfully
2. Reproduce the problem.
3. Run the following command to back up Defender for Endpoint's logs. The files are stored inside a .zip archive:
   sudo mdatp diagnostic create
   This command also prints the file path to the backup after the operation succeeds:
   Diagnostic file created: <path to file>
4. Restore the logging level:
   mdatp log level set --level info
   Log level configured successfully
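The script below is an added example, not part of this article: it wraps the four steps above so that the log level is returned to info even when `mdatp diagnostic create` fails, and it pulls the archive path out of the `Diagnostic file created:` line. The helper names, the wait time and the `MDATP_DIAG_EXAMPLE_RUN` switch are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the Microsoft article: automates the
# debug -> reproduce -> collect -> restore sequence described above.
# Helper names and the default wait time are this example's own choices.

# Extract the archive path from mdatp's confirmation line, which has the
# form "Diagnostic file created: <path to file>". Prints nothing if absent.
diag_path_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Diagnostic file created: *//p' | head -n 1
}

# Return the log level to the default the article restores (info).
restore_log_level() {
    mdatp log level set --level info >/dev/null
}

# collect_debug_diagnostics [seconds]
# Raises the log level to debug, waits while the problem is reproduced,
# creates the diagnostic archive, restores the level, and prints the
# archive path on stdout. Returns non-zero (and prints nothing) on failure.
collect_debug_diagnostics() {
    wait_seconds="${1:-60}"
    mdatp log level set --level debug >/dev/null || return 1
    echo "Log level is debug; reproduce the problem within ${wait_seconds}s..." >&2
    sleep "$wait_seconds"
    output=$(sudo mdatp diagnostic create)
    status=$?
    # Restore before reporting so a failed 'diagnostic create' never
    # leaves the sensor running at debug verbosity.
    restore_log_level
    [ "$status" -eq 0 ] || return 1
    path=$(diag_path_from_output "$output")
    if [ -z "$path" ]; then
        echo "could not find the archive path in: $output" >&2
        return 1
    fi
    printf '%s\n' "$path"
}

# Set MDATP_DIAG_EXAMPLE_RUN=1 when executing this file to collect for
# two minutes and print where the archive was written.
if [ "${MDATP_DIAG_EXAMPLE_RUN:-0}" = "1" ]; then
    collect_debug_diagnostics 120
fi
```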
Log installation issues
If an error occurs during installation, the installer only reports a general failure.
The detailed log is saved to /var/log/microsoft/mdatp/install.log.
If you experience issues during installation, send us this file so we can help diagnose the cause.
Configure from the command line
Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line.
Global options
By default, the command-line tool outputs the result in human-readable format. In addition, the tool also supports outputting the result as JSON, which is useful for automation scenarios. To change the output to JSON, pass --output json to any of the below commands.
Supported commands
The following table lists commands for some of the most common scenarios. Run mdatp help from the Terminal to view the full list of supported commands.
Group | Scenario | Command |
---|---|---|
Configuration | Turn on/off real-time protection | mdatp config real-time-protection --value [enabled\|disabled] |
Configuration | Turn on/off behavior monitoring | mdatp config behavior-monitoring --value [enabled\|disabled] |
Configuration | Turn on/off cloud protection | mdatp config cloud --value [enabled\|disabled] |
Configuration | Turn on/off product diagnostics | mdatp config cloud-diagnostic --value [enabled\|disabled] |
Configuration | Turn on/off automatic sample submission | mdatp config cloud-automatic-sample-submission --value [enabled\|disabled] |
Configuration | Turn on/off antivirus passive mode | mdatp config passive-mode --value [enabled\|disabled] |
Configuration | Add/remove an antivirus exclusion for a file extension | mdatp exclusion extension [add\|remove] --name [extension] |
Configuration | Add/remove an antivirus exclusion for a file | mdatp exclusion file [add\|remove] --path [path-to-file] |
Configuration | Add/remove an antivirus exclusion for a directory | mdatp exclusion folder [add\|remove] --path [path-to-directory] |
Configuration | Add/remove an antivirus exclusion for a process | mdatp exclusion process [add\|remove] --path [path-to-process] |
Configuration | Add/remove a global exclusion for a file | mdatp exclusion file [add\|remove] --path [path-to-file] --scope global |
Configuration | Add/remove a global exclusion for a directory | mdatp exclusion folder [add\|remove] --path [path-to-directory] --scope global |
Configuration | Add/remove a global exclusion for a process | mdatp exclusion process [add\|remove] --path [path-to-process] --scope global |
Configuration | List all antivirus exclusions | mdatp exclusion list |
Configuration | Add a threat name to the allowed list | mdatp threat allowed add --name [threat-name] |
Configuration | Remove a threat name from the allowed list | mdatp threat allowed remove --name [threat-name] |
Configuration | List all allowed threat names | mdatp threat allowed list |
Configuration | Turn on PUA protection | mdatp threat policy set --type potentially_unwanted_application --action block |
Configuration | Turn off PUA protection | mdatp threat policy set --type potentially_unwanted_application --action off |
Configuration | Turn on audit mode for PUA protection | mdatp threat policy set --type potentially_unwanted_application --action audit |
Configuration | Configure degree of parallelism for on-demand scans | mdatp config maximum-on-demand-scan-threads --value [numerical-value-between-1-and-64] |
Configuration | Turn on/off scans after security intelligence updates | mdatp config scan-after-definition-update --value [enabled\|disabled] |
Configuration | Turn on/off archive scanning (on-demand scans only) | mdatp config scan-archives --value [enabled\|disabled] |
Configuration | Turn on/off file hash computation | mdatp config enable-file-hash-computation --value [enabled\|disabled] |
Diagnostics | Change the log level | mdatp log level set --level verbose [error\|warning\|info\|verbose] |
Diagnostics | Generate diagnostic logs | mdatp diagnostic create --path [directory] |
Diagnostics | Size limits for retained product logs | mdatp config log-rotation-parameters [max-current-size\|max-rotated-size] --size [value in MB] |
Health | Check the product's health | mdatp health |
Protection | Scan a path | mdatp scan custom --path [path] [--ignore-exclusions] |
Protection | Do a quick scan | mdatp scan quick |
Protection | Do a full scan | mdatp scan full |
Protection | Cancel an ongoing on-demand scan | mdatp scan cancel |
Protection | Request a security intelligence update | mdatp definitions update |
Protection | Roll back security intelligence to the original default set | mdatp definitions restore |
Protection history | Print the full protection history | mdatp threat list |
Protection history | Get threat details | mdatp threat get --id [threat-id] |
Quarantine management | List all quarantined files | mdatp threat quarantine list |
Quarantine management | Remove all files from the quarantine | mdatp threat quarantine remove-all |
Quarantine management | Add a file detected as a threat to the quarantine | mdatp threat quarantine add --id [threat-id] |
Quarantine management | Remove a file detected as a threat from the quarantine | mdatp threat quarantine remove --id [threat-id] |
Quarantine management | Restore a file from the quarantine. Available in Defender for Endpoint versions earlier than 101.23092.0012. | mdatp threat quarantine restore --id [threat-id] --path [destination-folder] |
Quarantine management | Restore a file from the quarantine by Threat ID. Available in Defender for Endpoint version 101.23092.0012 or later. | mdatp threat quarantine restore threat-id --id [threat-id] --destination-path [destination-folder] |
Quarantine management | Restore a file from the quarantine by Threat Original Path. Available in Defender for Endpoint version 101.23092.0012 or later. | mdatp threat quarantine restore threat-path --path [threat-original-path] --destination-path [destination-folder] |
Endpoint Detection and Response | Set early preview | mdatp edr early-preview [enabled\|disabled] |
Endpoint Detection and Response | Set group-id | mdatp edr group-ids --group-id [group-id] |
Endpoint Detection and Response | Set / remove tag (only GROUP is supported) | mdatp edr tag set --name GROUP --value [tag] |
Endpoint Detection and Response | List exclusions (root) | mdatp edr exclusion list [processes\|paths\|extensions\|all] |
Uninstall Defender for Endpoint on Linux
There are several ways to uninstall Defender for Endpoint on Linux. If you are using a configuration tool such as Puppet, follow the package uninstallation instructions for the configuration tool.
Offboard Linux devices
To prevent decommissioned devices from showing up in your device inventory, and to help ensure a more accurate Secure Score rating, add device tags to devices that you want to offboard from Defender for Endpoint. Otherwise, you'll see those devices in the Device inventory for 180 days.
1. Create a device tag, and name the tag decommissioned. Assign the tag to the Linux devices that you want to offboard from Defender for Endpoint.
2. Create a Device group and name it something like Decommissioned Linux. Assign this tag to an appropriate user group.
3. In the Microsoft Defender portal, in the navigation pane, select Settings > Offboard. Under Select operating system to start offboarding process, select Linux Server, and then select a deployment method.
4. Or, if you're using a non-Microsoft device management solution, disable integration with Defender for Endpoint.
5. Uninstall Defender for Endpoint on the devices.
Manual uninstallation
- sudo yum remove mdatp for RHEL and variants (CentOS and Oracle Linux).
- sudo zypper remove mdatp for SLES and variants.
- sudo apt-get purge mdatp for Ubuntu and Debian systems.
- sudo dnf remove mdatp for Mariner.
Related content
- Microsoft Defender for Endpoint on Linux
- Prerequisites for Microsoft Defender for Endpoint on Linux
- Configure security settings in Microsoft Defender for Endpoint on Linux
- Run the client analyzer on Linux