Linux ATP Configuration and Operation Command List

Hello Blog Readers,

I have summarized the Configuration and Operation commands in this cheat sheet for your convenient use. Enjoy ATP run!

ATP Commands

GroupScenarioCommand
ConfigurationTurn on/off real-time protectionmdatp config real-time-protection –value [enabled|disabled]
ConfigurationTurn on/off cloud protectionmdatp config cloud –value [enabled|disabled]
ConfigurationTurn on/off product diagnosticsmdatp config cloud-diagnostic –value [enabled|disabled]
ConfigurationTurn on/off automatic sample submissionmdatp config cloud-automatic-sample-submission –value [enabled|disabled]
ConfigurationTurn on/off AV passive modemdatp config passive-mode [enabled|disabled]
ConfigurationAdd/remove an exclusion for a file extensionmdatp exclusion extension [add|remove] –name [extension]
ConfigurationAdd/remove an exclusion for a filemdatp exclusion file [add|remove] –path [path-to-file]
ConfigurationAdd/remove an exclusion for a directorymdatp exclusion folder [add|remove] –path [path-to-directory]
ConfigurationAdd/remove an antivirus exclusion for a processmdatp exclusion process [add|remove] –path [path-to-process]
mdatp exclusion process [add|remove] –name [process-name]
ConfigurationList all antivirus exclusionsmdatp exclusion list
ConfigurationTurn on PUA (Potentially Unwanted Applications) protectionmdatp threat policy set –type potentially_unwanted_application –action block
ConfigurationTurn off PUA protectionmdatp threat policy set –type potentially_unwanted_application –action off
ConfigurationTurn on audit mode for PUA protectionmdatp threat policy set –type potentially_unwanted_application –action audit
DiagnosticsChange the log levelmdatp log level set –level verbose [error|warning|info|verbose]
DiagnosticsGenerate diagnostic logsmdatp diagnostic create
HealthCheck the product's healthmdatp health
ProtectionScan a pathmdatp scan custom –path [path]
ProtectionDo a quick scanmdatp scan quick
ProtectionDo a full scanmdatp scan full
ProtectionCancel an ongoing on-demand scanmdatp scan cancel
ProtectionRequest a security intelligence updatemdatp definitions update
Protection historyPrint the full protection historymdatp threat list
Protection historyGet threat detailsmdatp threat get –id [threat-id]
Quarantine managementList all quarantined filesmdatp threat quarantine list
Quarantine managementRemove all files from the quarantinemdatp threat quarantine remove-all
Quarantine managementAdd a file detected as a threat to the quarantinemdatp threat quarantine add –id [threat-id]
Quarantine managementRemove a file detected as a threat from the quarantinemdatp threat quarantine add –id [threat-id]
Quarantine managementRestore a file from the quarantinemdatp threat quarantine add –id [threat-id]

Examples:

 To enable ATP diagnostic

mdatp config cloud-diagnostic –value enabled

To check ATP Configuration Settings:

mdatp health

tantran55_0-1597056629964.png

To Check ATP Virus History

mdatp threat list

tantran55_1-1597056629969.png

To view the Quarantine list and remove the non-threat file based on threat ID

mdatp threat quarantine add –id “Your threat ID”
mdatp threat quarantine list

tantran55_2-1597056629974.png
tantran55_3-1597056629976.png

To Create a PUA Policy (Potentially Unwanted Applications Policy)  in audit mode

mdatp threat policy list
mdatp threat policy set –type potentially_unwanted_application –action audit
mdatp threat policy list

tantran55_4-1597056629980.png

To update ATP Definition

mdatp definitions update

tantran55_5-1597056629984.png

More info:

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/linux-resources

I hope the command list is helpful.

___________________________________________________________________________________

Disclaimer: The sample are not supported under any Microsoft standard support program or service. The sample are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

 

This article was originally published by Microsoft's Core Infrastructure and Security Blog. You can find the original article here.