Microsoft Defender for Endpoint Linux – Configuration and Operation Command List

Hello Blog Readers,

I have summarized the Configuration and Operation commands in this cheat sheet for your convenient use. Enjoy your MD for Endpoint run!

MD for Endpoint Commands

Configuration
  Turn on/off real-time protection:
    mdatp config real-time-protection --value [enabled|disabled]
  Turn on/off cloud protection:
    mdatp config cloud --value [enabled|disabled]
  Turn on/off product diagnostics:
    mdatp config cloud-diagnostic --value [enabled|disabled]
  Turn on/off automatic sample submission:
    mdatp config cloud-automatic-sample-submission --value [enabled|disabled]
  Turn on/off AV passive mode:
    mdatp config passive-mode --value [enabled|disabled]
  Add/remove an exclusion for a file extension:
    mdatp exclusion extension [add|remove] --name [extension]
  Add/remove an exclusion for a file:
    mdatp exclusion file [add|remove] --path [path-to-file]
  Add/remove an exclusion for a directory:
    mdatp exclusion folder [add|remove] --path [path-to-directory]
  Add/remove an antivirus exclusion for a process:
    mdatp exclusion process [add|remove] --path [path-to-process]
    mdatp exclusion process [add|remove] --name [process-name]
  List all antivirus exclusions:
    mdatp exclusion list
  Turn on PUA (Potentially Unwanted Applications) protection:
    mdatp threat policy set --type potentially_unwanted_application --action block
  Turn off PUA protection:
    mdatp threat policy set --type potentially_unwanted_application --action off
  Turn on audit mode for PUA protection:
    mdatp threat policy set --type potentially_unwanted_application --action audit

Diagnostics
  Change the log level:
    mdatp log level set --level [error|warning|info|verbose]
  Generate diagnostic logs:
    mdatp diagnostic create

Health
  Check the product's health:
    mdatp health

Protection
  Scan a path:
    mdatp scan custom --path [path]
  Do a quick scan:
    mdatp scan quick
  Do a full scan:
    mdatp scan full
  Cancel an ongoing on-demand scan:
    mdatp scan cancel
  Request a security intelligence update:
    mdatp definitions update

Protection history
  Print the full protection history:
    mdatp threat list
  Get threat details:
    mdatp threat get --id [threat-id]

Quarantine management
  List all quarantined files:
    mdatp threat quarantine list
  Remove all files from the quarantine:
    mdatp threat quarantine remove-all
  Add a file detected as a threat to the quarantine:
    mdatp threat quarantine add --id [threat-id]
  Remove a file detected as a threat from the quarantine:
    mdatp threat quarantine remove --id [threat-id]
  Restore a file from the quarantine:
    mdatp threat quarantine restore --id [threat-id]

Examples:

To enable ATP cloud diagnostics:

mdatp config cloud-diagnostic --value enabled

To check ATP Configuration Settings:

mdatp health
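The "key : value" lines that mdatp health prints are easy to check from a script, which is how you would verify that a fleet of Linux hosts still matches the configuration set with the commands above. The following POSIX shell script is an added example and is not part of the original post or of Microsoft's tooling; it parses health output read from stdin and flags any deviation from a small baseline (real-time protection on, cloud protection on, passive mode off, definitions up to date). The field names and the one-token-per-value layout are assumed from typical mdatp health output, and the sample output embedded in the script is constructed for offline use, not captured from a real host.

```shell
#!/bin/sh
# Parse `mdatp health` output and verify a minimal protection baseline.
# Added example: field names and the "key : value" layout are assumed from
# typical `mdatp health` output; the sample below is constructed, not real.

# Print the value of one field from health output given on stdin.
# Surrounding double quotes are stripped so "up_to_date" and true compare alike.
health_field() {
    field="$1"
    awk -v key="$field" '
        $1 == key && $2 == ":" {
            val = $3
            gsub(/^"|"$/, "", val)
            print val
            exit
        }'
}

# Compare health output (stdin) against the expected baseline.
# Prints one line per deviation; returns 0 if every check passes, 1 otherwise.
check_mde_baseline() {
    input=$(cat)
    rc=0
    for spec in \
        "real_time_protection_enabled=true" \
        "cloud_enabled=true" \
        "passive_mode_enabled=false" \
        "definitions_status=up_to_date"; do
        key=${spec%%=*}
        want=${spec#*=}
        got=$(printf '%s\n' "$input" | health_field "$key")
        if [ "$got" != "$want" ]; then
            printf 'DEVIATION %s: expected %s, got %s\n' \
                "$key" "$want" "${got:-<missing>}"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample of `mdatp health` output (passive mode wrongly enabled).
SAMPLE_HEALTH='healthy                        : true
licensed                       : true
cloud_enabled                  : true
passive_mode_enabled           : true
real_time_protection_enabled   : true
definitions_status             : "up_to_date"'

# With mdatp installed, check the live host; otherwise exercise the sample.
if command -v mdatp >/dev/null 2>&1; then
    mdatp health | check_mde_baseline
else
    printf '%s\n' "$SAMPLE_HEALTH" | check_mde_baseline || true
fi
```

Run it as a cron job or from your configuration-management tool and alert on a non-zero exit status; extend the `for spec` list with any other health field your baseline cares about, such as licensed=true.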


To check MD for Endpoint Linux's threat history:

mdatp threat list


To remove a non-threat file from the quarantine by its threat ID and then view the quarantine list:

mdatp threat quarantine remove --id "Your threat ID"
mdatp threat quarantine list

To create a PUA (Potentially Unwanted Applications) policy in audit mode:

mdatp threat policy list
mdatp threat policy set --type potentially_unwanted_application --action audit
mdatp threat policy list

To update MD for Endpoint Linux's AV definitions:

mdatp definitions update


More info:

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/linux-resources

I hope the command list is helpful.

___________________________________________________________________________________

Disclaimer: The samples are not supported under any Microsoft standard support program or service. The samples are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the samples and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

This article was originally published by Microsoft's Secure Blog. You can find the original article here.