Never before was it so easy to get a corporate antivirus and EDR running! Today I installed Microsoft Defender ATP in all my Docker layers and Debian machines.
Other operating systems like SUSE etc. are also supported. I have checked the steps for Bookworm (12) and they work; the principles remain the same. For more details: click here
Install Microsoft Defender ATP for Linux
# Onboard Microsoft Repository to Aptitude
$ cd /etc/apt/sources.list.d/
# You can find your distribution here: https://packages.microsoft.com/config/
# It is formatted like: https://packages.microsoft.com/config/[distro]/[version]/[channel].list
# $ sudo curl -o microsoft.list https://packages.microsoft.com/config/debian/12/prod.list #Bookworm
$ sudo curl -o microsoft.list https://packages.microsoft.com/config/debian/10/prod.list
# Install Microsoft Signature Key
$ curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
# Update Aptitude's source list and do a pre-install update
$ sudo apt-get update
$ sudo apt-get upgrade
# Install Microsoft Defender ATP for Linux (Debian 10)
$ sudo apt-get install mdatp
Onboarding
Time for some configuration. Let's focus on onboarding for now and get Microsoft Defender ATP running with default settings, but reporting to our tenant.
There is also a Python onboarding script. I recommend taking the Ansible/Puppet (configuration management) route instead, as it gives you a little more insight into what it does; however, the Python onboarding script (if you actually have Python available) does its job as it should.
Go to: https://securitycenter.windows.com/preferences2/onboarding
Change the Operating system to Linux.
In the second segment, under deployment method, select Your preferred Linux configuration management... in the drop-down.
Click Download.
Now open the zip file and copy the contents of the .json file.
Go to your server and open your favorite text editor.
Paste the contents and save it as
/etc/opt/microsoft/mdatp/mdatp_onboard.json
Time to do a health check :)
The default settings work just fine. However, I can highly recommend creating a /etc/opt/microsoft/mdatp/managed/mdatp_managed.json
as well, especially when using heavyweight Docker containers and the like. Scroll down for a good example config you can use.
Healthcheck
Verify that EDR and real-time protection are enabled:
$ mdatp --health realTimeProtectionEnabled
1
You can also double-check that the machine is actually sending its data to the correct Microsoft tenant (compare orgId with your tenant's ID)...
$ mdatp --health
cloudAutomaticSampleSubmission : true
cloudDiagnosticEnabled : true
cloudEnabled : true
definitionsUpdated : "1585149852321"
definitionsUpdatedMinutesAgo : 43
definitionsVersion : 80131
edrDeviceTags : []
edrEarlyPreviewEnabled : "enabled"
edrMachineId : "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
healthy : true
licensed : true
logLevel : "info"
machineGuid : "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
orgId : "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
realTimeProtectionAvailable : true
realTimeProtectionEnabled : true
releaseRing : "Production"
versionEngine : "100.87.66"
Please verify that the EDR early preview (edrEarlyPreviewEnabled) is turned on. If it isn't, you can turn it on with sudo mdatp --edr --early-preview on
(you need elevated privileges to do so).
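As an added post-onboarding check (my own script, not part of the original post or of the mdatp tooling): a POSIX shell script that parses a saved mdatp health report and fails unless the daemon is healthy, licensed, has real-time protection and the EDR early preview on, and reports to the tenant you expect, so a host cannot silently report to the wrong tenant. The script name, the report file path and the sample report are assumptions/constructed.

```shell
#!/bin/sh
# Post-onboarding check for Defender ATP on Linux: read a saved `mdatp health`
# report (key : value per line) and verify the daemon is healthy, licensed,
# has real-time protection and EDR early preview on, and reports to the
# expected tenant (orgId), so a host cannot silently report to the wrong one.
# Usage: mdatp health > /tmp/health.txt; sh mdatp_check.sh /tmp/health.txt ORG_ID

# Print the value of KEY from REPORT, with surrounding quotes removed.
health_value() {
    key="$1"; report="$2"
    sed -n "s/^[[:space:]]*${key}[[:space:]]*:[[:space:]]*//p" "$report" \
        | tr -d '"' | head -n 1
}

# Run all checks against REPORT; return 1 and print each failure otherwise.
mdatp_health_check() {
    report="$1"; expected_org="$2"; rc=0
    for key in healthy licensed realTimeProtectionEnabled cloudEnabled; do
        if [ "$(health_value "$key" "$report")" != "true" ]; then
            echo "FAIL: $key is not true"; rc=1
        fi
    done
    if [ "$(health_value edrEarlyPreviewEnabled "$report")" != "enabled" ]; then
        echo "FAIL: EDR early preview is not enabled"; rc=1
    fi
    org="$(health_value orgId "$report")"
    if [ "$org" != "$expected_org" ]; then
        echo "FAIL: orgId is '$org', expected '$expected_org'"; rc=1
    fi
    return "$rc"
}

# Constructed sample report in the layout `mdatp health` prints; the GUID is
# a placeholder. The second argument sets realTimeProtectionEnabled.
write_sample_report() {
    rtp="${2:-true}"
    cat > "$1" <<EOF
cloudEnabled : true
edrEarlyPreviewEnabled : "enabled"
healthy : true
licensed : true
orgId : "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
realTimeProtectionAvailable : true
realTimeProtectionEnabled : ${rtp}
EOF
}

if [ "$#" -eq 2 ]; then mdatp_health_check "$1" "$2"; fi
```

Run it from cron or your configuration management after onboarding; a non-zero exit is your signal that a host is not protected or not reporting where it should.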
Now download the EICAR anti-virus test file.
curl -o ~/eicar.com.txt https://www.eicar.org/download/eicar.com.txt
After a few minutes you will see an investigation and an alert pop up in the security dashboard, telling you that a machine downloaded the EICAR test file. That was all there was to it! Enjoy!
Managed Configuration Example
Of course, I give you my not-so-default settings too... My /etc/opt/microsoft/mdatp/managed/mdatp_managed.json
preferences example:
{
  "antivirusEngine": {
    "enableRealTimeProtection": true,
    "passiveMode": false,
    "exclusionsMergePolicy": "merge",
    "exclusions": [
    ],
    "allowedThreats": [
    ],
    "disallowedThreatActions": [
      "allow",
      "restore"
    ],
    "threatTypeSettingsMergePolicy": "merge",
    "threatTypeSettings": [
      {
        "key": "potentially_unwanted_application",
        "value": "block"
      },
      {
        "key": "archive_bomb",
        "value": "audit"
      }
    ]
  },
  "cloudService": {
    "enabled": true,
    "diagnosticLevel": "optional",
    "automaticSampleSubmission": true
  }
}
Additional Debugging
All log files are stored in /var/log/microsoft/mdatp
and are readable by elevated users.
/var/log/microsoft/mdatp$ sudo cat microsoft_defender_enterprise.log
Mar 25 15:38:52 local wdavdaemon: [{microsoft_defender_enterprise}]: [3497][2020-03-25 14:38:52.096392 UTC][info]: Starting EDR process
Mar 25 15:38:52 local wdavdaemon: [{microsoft_defender_enterprise}]: [3497][2020-03-25 14:38:52.097428 UTC][info]: Connected to privileged client
Mar 25 15:38:52 local wdavdaemon: [{microsoft_defender_enterprise}]: [3497][2020-03-25 14:38:52.099736 UTC][info]: EDR server created.
Mar 25 16:23:35 local wdavdaemon: [{microsoft_defender_enterprise}]: [3497][2020-03-25 15:23:35.548918 UTC][info]: Remote process disconnected.
Mar 25 16:23:35 local wdavdaemon: [{microsoft_defender_enterprise}]: [24506][2020-03-25 15:23:35.692029 UTC][info]: Starting EDR process
Mar 25 16:23:35 local wdavdaemon: [{microsoft_defender_enterprise}]: [24506][2020-03-25 15:23:35.692427 UTC][info]: Connected to privileged client
Mar 25 16:23:35 local wdavdaemon: [{microsoft_defender_enterprise}]: [24506][2020-03-25 15:23:35.694685 UTC][info]: EDR server created.
Mar 25 16:23:38 local wdavdaemon: [{microsoft_defender_enterprise}]: [24623][2020-03-25 15:23:38.810235 UTC][info]: Starting EDR process
Mar 25 16:23:38 local wdavdaemon: [{microsoft_defender_enterprise}]: [24623][2020-03-25 15:23:38.810892 UTC][info]: Connected to privileged client
Mar 25 16:23:38 local wdavdaemon: [{microsoft_defender_enterprise}]: [24623][2020-03-25 15:23:38.813242 UTC][info]: EDR server created.
Mar 25 16:29:58 local wdavdaemon: [{microsoft_defender_enterprise}]: [24623][2020-03-25 15:29:58.738275 UTC][info]: [EDR]: New state: {"sense_guid":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","org_id":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","preferred_geo":"europe"}
Mar 25 16:30:11 local wdavdaemon: [{microsoft_defender_enterprise}]: [25733][2020-03-25 15:30:11.288233 UTC][info]: Starting EDR process
Mar 25 16:30:11 local wdavdaemon: [{microsoft_defender_enterprise}]: [25733][2020-03-25 15:30:11.289275 UTC][info]: Connected to privileged client
Mar 25 16:30:11 local wdavdaemon: [{microsoft_defender_enterprise}]: [25733][2020-03-25 15:30:11.300022 UTC][info]: [{persistedObject}]: Persisted state has not been modified. Current state: '{"machine_guid":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","enterprise":{"sense_guid":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","org_id":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","preferred_geo":"europe"},"engine_core":{"license_key":"XXXXXXXXXXXXXXXXXX","database_root_path":"/var/opt/microsoft/mdatp/signatures.noindex","active_database_path":"/var/opt/microsoft/mdatp/signatures.noindex/45d45900-2a1d-4dc4-9122-2d09de0a01b5","database_version":80131,"database_installation_time":1585149852321},"edr":{"configuration_command":"","epoch_reset_count":0},"release_ring":"Production","crash_report":null}'
Mar 25 16:30:11 local wdavdaemon: [{microsoft_defender_enterprise}]: [25733][2020-03-25 15:30:11.300648 UTC][info]: EDR server created.
Mar 25 16:30:21 local wdavdaemon: [{microsoft_defender_enterprise}]: [25733][2020-03-25 15:30:21.879309 UTC][info]: [{persistedObject}]: Persisted state has not been modified. Current state: '{"machine_guid":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","enterprise":{"sense_guid":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","org_id":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","preferred_geo":"europe"},"engine_core":{"license_key":"XXXXXXXXXXXXXXXXXX","database_root_path":"/var/opt/microsoft/mdatp/signatures.noindex","active_database_path":"/var/opt/microsoft/mdatp/signatures.noindex/45d45900-2a1d-4dc4-9122-2d09de0a01b5","database_version":80131,"database_installation_time":1585149852321},"edr":{"configuration_command":"","epoch_reset_count":0},"release_ring":"Production","crash_report":null}'
Mar 25 17:23:21 local wdavdaemon: [{microsoft_defender_enterprise}]: [25733][2020-03-25 16:23:21.609266 UTC][info]: [{persistedObject}]: Persisted state has not been modified. Current state: '{"machine_guid":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","enterprise":{"sense_guid":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","org_id":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","preferred_geo":"europe"},"engine_core":{"license_key":"XXXXXXXXXXXXXXXXXX","database_root_path":"/var/opt/microsoft/mdatp/signatures.noindex","active_database_path":"/var/opt/microsoft/mdatp/signatures.noindex/45d45900-2a1d-4dc4-9122-2d09de0a01b5","database_version":80131,"database_installation_time":1585149852321},"edr":{"configuration_command":"","epoch_reset_count":0},"release_ring":"Production","crash_report":null}'
Mar 25 17:23:35 local wdavdaemon: [{microsoft_defender_enterprise}]: [17274][2020-03-25 16:23:35.083215 UTC][info]: Starting EDR process
Mar 25 17:23:35 local wdavdaemon: [{microsoft_defender_enterprise}]: [17274][2020-03-25 16:23:35.083417 UTC][info]: Connected to privileged client
Mar 25 17:23:35 local wdavdaemon: [{microsoft_defender_enterprise}]: [17274][2020-03-25 16:23:35.096638 UTC][info]: EDR server created.
Mar 25 17:23:35 local wdavdaemon: [{microsoft_defender_enterprise}]: [17274][2020-03-25 16:23:35.097207 UTC][info]: [{persistedObject}]: Persisted state has not been modified. Current state: '{"machine_guid":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","enterprise":{"sense_guid":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","org_id":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","preferred_geo":"europe"},"engine_core":{"license_key":"XXXXXXXXXXXXXXXXXX","database_root_path":"/var/opt/microsoft/mdatp/signatures.noindex","active_database_path":"/var/opt/microsoft/mdatp/signatures.noindex/45d45900-2a1d-4dc4-9122-2d09de0a01b5","database_version":80131,"database_installation_time":1585149852321},"edr":{"configuration_command":"","epoch_reset_count":0},"release_ring":"Production","crash_report":null}'
Mar 25 17:23:37 local wdavdaemon: [{microsoft_defender_enterprise}]: [17274][2020-03-25 16:23:37.384299 UTC][info]: [{persistedObject}]: Persisted state has not been modified. Current state: '{"machine_guid":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","enterprise":{"sense_guid":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","org_id":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","preferred_geo":"europe"},"engine_core":{"license_key":"XXXXXXXXXXXXXXXXXX","database_root_path":"/var/opt/microsoft/mdatp/signatures.noindex","active_database_path":"/var/opt/microsoft/mdatp/signatures.noindex/45d45900-2a1d-4dc4-9122-2d09de0a01b5","database_version":80131,"database_installation_time":1585149852321},"edr":{"configuration_command":"","epoch_reset_count":0},"release_ring":"Production","crash_report":null}'
Mar 25 17:31:25 local wdavdaemon: [{microsoft_defender_enterprise}]: [17274][2020-03-25 16:31:25.143636 UTC][info]: [{persistedObject}]: Persisted state has not been modified. Current state: '{"machine_guid":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","enterprise":{"sense_guid":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","org_id":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","preferred_geo":"europe"},"engine_core":{"license_key":"XXXXXXXXXXXXXXXXXX","database_root_path":"/var/opt/microsoft/mdatp/signatures.noindex","active_database_path":"/var/opt/microsoft/mdatp/signatures.noindex/45d45900-2a1d-4dc4-9122-2d09de0a01b5","database_version":80131,"database_installation_time":1585149852321},"edr":{"configuration_command":"","epoch_reset_count":0},"release_ring":"Production","crash_report":null}'
Mar 25 17:31:30 local wdavdaemon: [{microsoft_defender_enterprise}]: [21089][2020-03-25 16:31:30.422554 UTC][info]: Starting EDR process
Mar 25 17:31:30 local wdavdaemon: [{microsoft_defender_enterprise}]: [21089][2020-03-25 16:31:30.422723 UTC][info]: Connected to privileged client
Mar 25 17:31:30 local wdavdaemon: [{microsoft_defender_enterprise}]: [21089][2020-03-25 16:31:30.425004 UTC][info]: [{persistedObject}]: Persisted state has not been modified. Current state: '{"machine_guid":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","enterprise":{"sense_guid":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","org_id":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","preferred_geo":"europe"},"engine_core":{"license_key":"XXXXXXXXXXXXXXXXXX","database_root_path":"/var/opt/microsoft/mdatp/signatures.noindex","active_database_path":"/var/opt/microsoft/mdatp/signatures.noindex/45d45900-2a1d-4dc4-9122-2d09de0a01b5","database_version":80131,"database_installation_time":1585149852321},"edr":{"configuration_command":"","epoch_reset_count":0},"release_ring":"Production","crash_report":null}'
Mar 25 17:31:30 local wdavdaemon: [{microsoft_defender_enterprise}]: [21089][2020-03-25 16:31:30.425228 UTC][info]: EDR server created.
Mar 25 17:31:32 local wdavdaemon: [{microsoft_defender_enterprise}]: [21089][2020-03-25 16:31:32.618147 UTC][info]: [{persistedObject}]: Persisted state has not been modified. Current state: '{"machine_guid":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","enterprise":{"sense_guid":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","org_id":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","preferred_geo":"europe"},"engine_core":{"license_key":"XXXXXXXXXXXXXXXXXX","database_root_path":"/var/opt/microsoft/mdatp/signatures.noindex","active_database_path":"/var/opt/microsoft/mdatp/signatures.noindex/45d45900-2a1d-4dc4-9122-2d09de0a01b5","database_version":80131,"database_installation_time":1585149852321},"edr":{"configuration_command":"","epoch_reset_count":0},"release_ring":"Production","crash_report":null}'
I've been playing a bit with the settings etc. Hence all the starting etc ^^
User not present on system
If the service is not running and not starting, or says it cannot connect to the socket, you might have run into an issue of the following kind:
/opt/microsoft/mdatp/sbin$ mdatp health
Could not connect to the daemon
Error connecting to server socket
cd /opt/microsoft/mdatp/sbin
./wdavdaemon
**BLANK NO OUTPUT**
id "mdatp"
**BLANK NO OUTPUT**
The user is not present on your system, so let's add it:
sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp
sudo service mdatp restart
Segmentation Fault
If the service is not running and not starting, or says it cannot connect to the socket, you might have run into an issue of the following kind:
/opt/microsoft/mdatp/sbin$ mdatp health
Could not connect to the daemon
Error connecting to server socket
cd /opt/microsoft/mdatp/sbin
./wdavdaemon
Segmentation Fault
For me this specific build (101.04.76) didn't work. So, as I am running a mixed unstable/buster OS, I ended up taking the latest external build from the slow ring (101.08.40-external) instead, which works just fine.
cd /etc/apt/sources.list.d/
sudo curl -o microsoft-slow.list https://packages.microsoft.com/config/debian/10/insiders-slow.list
sudo apt-get update
sudo apt-cache madison mdatp
mdatp | 101.08.40-external | https://packages.microsoft.com/debian/10/prod insiders-slow/main amd64 Packages
mdatp | 101.04.76-external | https://packages.microsoft.com/debian/10/prod insiders-slow/main amd64 Packages
mdatp | 101.04.76 | https://packages.microsoft.com/debian/10/prod buster/main amd64 Packages
mdatp | 101.03.48-external | https://packages.microsoft.com/debian/10/prod insiders-slow/main amd64 Packages
mdatp | 101.03.48 | https://packages.microsoft.com/debian/10/prod buster/main amd64 Packages
mdatp | 101.02.55-external | https://packages.microsoft.com/debian/10/prod insiders-slow/main amd64 Packages
mdatp | 101.02.55 | https://packages.microsoft.com/debian/10/prod buster/main amd64 Packages
mdatp | 101.02.48-external | https://packages.microsoft.com/debian/10/prod insiders-slow/main amd64 Packages
mdatp | 101.02.48 | https://packages.microsoft.com/debian/10/prod buster/main amd64 Packages
mdatp | 101.00.75-external | https://packages.microsoft.com/debian/10/prod insiders-slow/main amd64 Packages
mdatp | 101.00.75 | https://packages.microsoft.com/debian/10/prod buster/main amd64 Packages
mdatp | 100.90.70-external | https://packages.microsoft.com/debian/10/prod insiders-slow/main amd64 Packages
mdatp | 100.90.70 | https://packages.microsoft.com/debian/10/prod buster/main amd64 Packages
mdatp | 100.87.66-external | https://packages.microsoft.com/debian/10/prod insiders-slow/main amd64 Packages
mdatp | 100.87.66 | https://packages.microsoft.com/debian/10/prod buster/main amd64 Packages
Pick a version you want to try. The external ones are the ones meant for testing at the moment.
# Install an earlier or newer version
# sudo apt-get install mdatp=101.03.48 --reinstall  # This is an older non-slow-ring release
sudo apt-get install mdatp=101.08.40-external --reinstall
sudo service mdatp restart
# It takes some time to start, so please wait
sleep 10
sudo mdatp health
This might end up fixing your issues. Segmentation faults are always hard to debug, and I recommend not looking into them as such if one occurs. Simply try a newer version than the stable release and it usually works out as it should. The reverse could be the same of course if you run an outdated system, but if you, like me, work with nightlies (which I don't recommend, but I live on the edge lol), it might just do the trick.