Microsoft Defender for Endpoint on Linux — Manual Scan Tips

Andre Camillo, CISSP
Published in CloudnSec, 3 min read, Feb 14, 2024

Deploying and managing Defender for Endpoint on Linux at scale is something you'll want to do with Linux management tools such as Puppet or Ansible. Manual deployment is an option, but not ideal at scale.

However, there is definitely a use case for manual operation and troubleshooting of the agent, especially locally on an endpoint, which is why there is a powerful command line interface built into the agent.

And the magic all happens behind one initial command:

mdatp

It’s all fun uphill from there!

MDE Linux Command Flowchart

Always referring back to the original and official guidance in Microsoft Learn, of course.

Investigate agent health issues | Microsoft Learn

From it I managed to verify all the local commands available for MDE on supported Linux endpoints.

So I created this flowchart to help understand what kind of commands you can issue locally and what kind of settings can be configured locally too.

Source: MDE on Linux tests and trial.

You can find this in my GitHub also. The Mermaid format is available there too; please attribute if you re-use or build upon it.

The key point here is that settings can be changed, but also reports and actions taken — with the proper credentials, of course.

Settings

Settings cover any change to how the agent operates locally: scan settings, monitoring, EDR, network configuration, and so on.

Actions

What I call actions relate to the operation of the local agent: think of active instructions, for example starting a manual scan:

Outputs

Lastly, what I call "Outputs" are commands that produce inline reports or results, for example checking scan results via the command line:

Summary

As a result of this short learning exercise, you can see that powerful policies can be created locally to exclude specific files or paths from being scanned.

And that the most powerful local command is

mdatp health
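One way to consume that report in practice, as an added shell example that is not from the article or from Microsoft: it parses the key : value lines that mdatp health prints and flags the settings a defender would expect to see (healthy, licensed, real-time protection on, passive mode off, cloud on, definitions current). The key names follow the documented mdatp health report; the sample text in the block is constructed, not a real capture, and the expected values are assumptions you would adjust to your own baseline.

```shell
# Added example (not from the article or Microsoft): sanity-check the
# key/value report that `mdatp health` prints. Key names follow the
# documented mdatp health output; the sample text is CONSTRUCTED so the
# checks run offline. Usage on a host: mde_check_health "$(mdatp health)"
# mde_get TEXT KEY : value of KEY (first match), quotes/whitespace stripped.
mde_get() {
  printf '%s\n' "$1" | awk -v key="$2" '
    index($0, key) == 1 {
      rest = substr($0, length(key) + 1)
      if (rest !~ /^[ \t]*:/) next    # a longer key sharing this prefix
      v = substr(rest, index(rest, ":") + 1)
      gsub(/^[ \t"]+|[ \t"]+$/, "", v)
      print v; exit
    }'
}

# mde_check_health TEXT : one FINDING line per deviation from the expected
# posture, "OK" when none; returns 1 if any finding was printed.
mde_check_health() {
  h=$1; rc=0
  expect() {  # expect KEY WANT (expected values are an assumed baseline)
    got=$(mde_get "$h" "$1")
    if [ "$got" != "$2" ]; then
      echo "FINDING: $1 is '${got:-<missing>}', expected '$2'"
      rc=1
    fi
  }
  expect healthy true
  expect licensed true
  expect real_time_protection_enabled true
  expect passive_mode_enabled false
  expect cloud_enabled true
  expect definitions_status up_to_date
  [ "$rc" -eq 0 ] && echo "OK: agent posture matches expectations"
  return "$rc"
}

# Constructed samples in the key : value layout (not real captures).
MDE_SAMPLE_HEALTHY='healthy                      : true
health_issues                : []
licensed                     : true
cloud_enabled                : true
passive_mode_enabled         : false
real_time_protection_enabled : true
definitions_status           : "up_to_date"'
MDE_SAMPLE_UNHEALTHY='healthy                      : false
health_issues                : ["definitions out of date"]
passive_mode_enabled         : true
definitions_status           : "out_of_date"'
```

A key that is absent from the report is reported as missing rather than silently passing, which is what you want when an older agent build or a truncated report is fed in.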

Check it out yourself! 😉

Learn more about my Cloud and Security Projects: https://linktr.ee/acamillo

Consider subscribing to Medium (here) to access more content that will empower you!

Thank you for reading and leave your thoughts/comments!

References

Scattered throughout the document.


Cloud, AI and Cyber Security tech, Career, Growth Mindset. Find my Discord & more: https://linktr.ee/acamillo. Architect @Crowdstrike. Opinions are mine!