
mdatp-xplat's Introduction

page_type: sample
languages: python
products: mdatp-xplat
description: Auxiliary tools and sampled for Microsoft Defender Cross-Platform
urlFragment: update-this-to-unique-url-stub

Contents

Outline the file contents of the repository. It helps users navigate the codebase, build configuration and any related assets.

File/folder       Description
macos             macOS related content
linux             Linux related content
CONTRIBUTING.md   Guidelines for contributing to the sample.
README.md         This README file.
LICENSE           The license for the sample.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

mdatp-xplat's People

Contributors

agarwalneetu, ananta17, ayush-m, bmrodrigues, bryan-lipinski, cameron-lloyd, collinjc, colorenz, gargank07, gargayushms, goreshm, goreshmusalay, hacks4snacks, jnixmsft, konstruktoid, macdude22, mati-goldberg, matiatmicrosoft, maximvelichko, microsoftopensource, mycodeself, odedlaz, peterlewis, pmooo, rh-sdavey, rtibdewal, skypodo, srkoripe, timnottom, victortaimsft


mdatp-xplat's Issues

apt-key is deprecated

It says that apt-key is deprecated and I waited too long for it to install. Like over 1 hour. Ideally it should have a progress bar or something to tell you how long it's going to take to install. I ended up doing it manually. I also have Pop!_OS 22.04, which is based on Ubuntu 22.04, so I had to change a couple of variables to make it run.

packages repo misconfigured on RHEL 8 following latest PR125

Hello,

Following PR #125, the repo file that is created references an incorrect URL on RHEL 8 systems (and maybe others?), which gives the following error:

2024-02-15T10:12:27 INFO  [v] required pkgs are installed
2024-02-15T10:12:27 INFO  [i] repository already configured
2024-02-15T10:12:28 INFO  [>] installing MDE
2024-02-15T10:12:31 DEBUG [>] Running command: yum -y --enablerepo=packages-microsoft-com-prod install mdatp
2024-02-15T10:12:31 DEBUG [>] Command output: packages-microsoft-com-prod                     5.4  B/s |  14  B     00:02
Errors during downloading metadata for repository 'packages-microsoft-com-prod':
  - Status code: 404 for https://packages.microsoft.com/rhel/8.0/prod/repodata/repomd.xml
Error: Failed to download metadata for repo 'packages-microsoft-com-prod': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried

Looking at https://packages.microsoft.com/rhel/, the correct URL should be 8 instead of 8.0.

Would you be able to either revert or amend the change so that we get back a working installation of the MDE extension on Azure RHEL 8?

Thank you!

mde_installer broken by run_quietly function

After the introduction of the run_quietly function, installation now hangs indefinitely unless -y is passed as an option to mde_installer. This is not terribly obvious to the user. While there are at least two potential solutions to this problem, I believe one is significantly better than the other.

Solution 1 (easiest, but probably not the best one to go with)

The easiest solution is obviously to simply add a -y to any interactive command that is invoked by run_quietly. This will allow for the command to complete without prompting for user input. The major downside of this is that it is generally a bad idea to blindly perform package manager operations without explicit user confirmation. This brings me to Solution 2.

Solution 2 (the correct solution, in my opinion)

Interactive commands that are now invoked by run_quietly should only do so if -y is passed as an option to mde_installer. When -y is passed, the user is explicitly stating that they do not wish to be prompted for user input and that they are accepting whatever risks are associated with that choice.
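One way to implement the second solution, as an added example rather than code from mde_installer.sh (the ASSUMEYES variable and the pkg_install_cmd, run_quietly and run_pkg_install names are this example's own assumptions): the assume-yes flag is appended only when the user passed -y, and only in that case is the command run with its output captured; without -y the package manager's prompt stays visible instead of hanging behind a suppressed output stream.

```shell
#!/usr/bin/env bash
# Added example, not code from mde_installer.sh: "Solution 2" from the issue above.
# ASSUMEYES, pkg_install_cmd, run_quietly and run_pkg_install are names assumed here.

ASSUMEYES="${ASSUMEYES:-0}"   # 1 when the user passed -y to the installer
DEBUG="${DEBUG:-}"

# Print the package-manager command line that installs package $2 with manager $1.
# The assume-yes flag is appended only when the user explicitly opted in with -y.
pkg_install_cmd() {
    local mgr="$1" pkg="$2"
    case "$mgr" in
        apt|apt-get|yum|dnf) ;;
        *) printf 'unsupported package manager: %s\n' "$mgr" >&2; return 1 ;;
    esac
    if [ "$ASSUMEYES" = "1" ]; then
        printf '%s install -y %s' "$mgr" "$pkg"
    else
        printf '%s install %s' "$mgr" "$pkg"
    fi
}

# Run a command with its output captured; the command's own exit code is returned.
# Only safe for commands that cannot prompt, which is why callers gate it on -y.
run_quietly() {
    local out rc
    out=$("$@" 2>&1)
    rc=$?
    if [ -n "$DEBUG" ] || [ "$rc" -ne 0 ]; then
        printf '%s\n' "$out" >&2     # surface output when debugging or on failure
    fi
    return "$rc"
}

# Install a package: quiet and unattended with -y, interactive and visible without it.
run_pkg_install() {
    local cmd
    cmd=$(pkg_install_cmd "$1" "$2") || return 1
    # shellcheck disable=SC2086  # the constructed command line is meant to be split
    set -- $cmd
    if [ "$ASSUMEYES" = "1" ]; then
        run_quietly "$@"
    else
        "$@"                          # the package manager may prompt; let it
    fi
}
```

Invoked as `run_pkg_install yum yum-utils`, the function never suppresses a prompt it has not been told to answer.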

mde_installer.sh does not differentiate between supported Amazon Linux 2 and unsupported Amazon Linux AMI 2018

mde_installer.sh is currently not differentiating between the supported Amazon Linux 2 distro and the unsupported Amazon Linux AMI 2018 distro. I would like to see it return the error about an unsupported distro whenever it gets run against an old Amazon Linux AMI 2018 server.

Currently, it looks like the code only checks the $ID variable within the /etc/os-release file, which would be "amzn" in either case. In the same file there is a $VERSION_ID variable that will have something like "2018.03" in the case of Amazon Linux AMI 2018 instead of "2" for Amazon Linux 2.

Profiles for other Microsoft tools

I know this is the wrong place to ask, but it would be nice to have the same kind of mobileconfig profiles for other applications like these for Defender.
I noticed that these are also listed since macOS 13.x.x.

In my opinion these are also essential, certainly Full Disk Access.

  • com.microsoft.autoupdate
  • Microsoft Intune Agent
  • OneDrive or just any other Microsoft 365 app

Linux Tagging with Spaces

It seems using the -t option does not honor tags with spaces. Tag "ServerTeam" will work while "Server Team" will only tag with "Server".

mde_installer broken by run_quietly function

This issue may look suspiciously like the one here, and that's because it is. I'm re-opening this because it is still broken. Below is my last comment on issue #25:

I don't believe it is, actually [fixed]. While I do see that my pull request was apparently merged in, it appears to have been obliterated, leaving the same broken functionality since the introduction of run_quietly. I have created a brand new machine running Fedora 35, checked out the current branch, and ran

sudo ./mde_installer -i

and the script hangs indefinitely at

[>] installing yum-utils

As mentioned before, this is because run_quietly is suppressing the output of the command (in this case yum install yum-utils). Without ASSUMEYES being asserted yum and dnf (most package managers, I assume) require the user to respond with 'y' to proceed. I can only assume that you are either always running

sudo ./mde_installer.sh -i -y

or you are running this on a machine that already has all of the required dependencies installed, and therefore does not need to invoke the package manager. Remember that neither of these cases are representative of the potential install-base. I'd certainly be happy to create another pull request to fix this functionality yet again, hopefully this time in a timely manner and without immediately removing the fix. In the meantime, this is a problem that is trivial to reproduce. Simply perform a fresh installation of your distro of choice, and execute mde_installer.sh without the -y option.

Originally posted by @collinjc in #25 (comment)

MDATP blocking its own installation

Hi,
I have noticed that mde_installer.sh will throw the error below if it is already installed but not successfully onboarded, or if it is running a very old version.

[x] found conflicting applications: [/opt/microsoft/mdatp/sbin/wdavdaemon], aborting

My fix was to uninstall mdatp and run the script again. A quick fix in the script would be to add a line here to verify if it is mdatp that blocks itself and just uninstall it automatically.

ENV

h-4.2$ cat /etc/os-release
NAME="Red Hat Enterprise Linux Server"
VERSION="7.9 (Maipo)"
ID="rhel"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="7.9"
PRETTY_NAME="Red Hat Enterprise Linux Server 7.9 (Maipo)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:7.9:GA:server"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 7"
REDHAT_BUGZILLA_PRODUCT_VERSION=7.9
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="7.9"

sh-4.2$ mdatp version
Product version: 101.62.74
sh-4.2$

Hopefully someone can tackle that soon.
Thank you

mde_installer.sh not working. It always finds itself as conflicting application.

sudo ./mde_installer.sh --install --channel prod --onboard onboarding.py --tag GROUP <generic_name> --min_req --yes
--- mde_installer.sh v0.5.9 ---
./mde_installer.sh: Zeile 369: [: -lt: Einstelliger (unärer) Operator erwartet.
[v] minimal requirements met
[>] detected: ubuntu 20.04 focal (debian)
[>] scaled: 20.04
[v] set package manager: apt
/usr/bin/wget
[final] connected=OK
[v] connected
./mde_installer.sh: Zeile 401: Warnung: Kommansosubstitution: NULL byte in der Eingabe ignoriert.
[S] MDE not installed.
[x] found conflicting applications: [/opt/microsoft/mdatp/sbin/wdavdaemon], aborting
[*] exiting (5)

The script finds its binaries and thinks that these are conflicting binaries.

Furthermore, because set -euo pipefail is not set, the script ignores some errors.

Default installation folder

So far I haven't managed to find a way to change the destination folder for the installation of mdatp with mde_installer.sh. Is it possible at all?


fulldiskaccess.mobileconfig not working properly

It looks like even though the profile is pushed to the user, the system extension is not allowed Full Disk Access.

This is the latest download, pushed through Intune as described in the Microsoft docs.

Install fails on immutable OS like fedora silverblue

Hi folks,

Not sure if this is the right place, but I can't install mdatp on Fedora Silverblue. Silverblue is based on ostree and rpm-ostree.

$ rpm-ostree install mdatp
...
error: Running %post for mdatp: bwrap(/bin/sh): Child process killed by signal 1; run `journalctl -t 'rpm-ostree(mdatp.post)'` for more information

The issue seems to be the post-install script, which tries to move files after installation and is not allowed to because it runs in a sandbox (see https://coreos.github.io/rpm-ostree/architecture-core/#sandboxing-scripts).

$ journalctl -t 'rpm-ostree(mdatp.post)'
...
Mar 13 13:04:48 myhost rpm-ostree(mdatp.post)[3359]: mkdir: cannot create directory ‘/var/opt’: Read-only file system
Mar 13 13:04:48 myhost rpm-ostree(mdatp.post)[3360]: chmod: cannot access '/var/opt/microsoft': No such file or directory
Mar 13 13:04:48 myhost rpm-ostree(mdatp.post)[3361]: mv: cannot move '/opt/microsoft/mdatp/definitions/libmpengine.so' to '/var/opt/microsoft/mdatp/definitions.noindex/00000000-0000-0000-0000-000000000000': No such file or directory
Mar 13 13:04:48 myhost rpm-ostree(mdatp.post)[3363]: chmod: cannot access '/var/opt/microsoft/mdatp/definitions.noindex/00000000-0000-0000-0000-000000000000/libmpengine.so': No such file or directory
Mar 13 13:04:48 myhost rpm-ostree(mdatp.post)[3364]: mv: cannot move '/opt/microsoft/mdatp/definitions/mpavbase.vdm' to '/var/opt/microsoft/mdatp/definitions.noindex/00000000-0000-0000-0000-000000000000': No such file or directory
Mar 13 13:04:48 myhost rpm-ostree(mdatp.post)[3365]: mv: cannot move '/opt/microsoft/mdatp/definitions/mpasbase.vdm' to '/var/opt/microsoft/mdatp/definitions.noindex/00000000-0000-0000-0000-000000000000': No such file or directory
Mar 13 13:04:48 myhost rpm-ostree(mdatp.post)[3366]: mv: cannot move '/opt/microsoft/mdatp/definitions/mpavdlta.vdm' to '/var/opt/microsoft/mdatp/definitions.noindex/00000000-0000-0000-0000-000000000000': No such file or directory
Mar 13 13:04:48 myhost rpm-ostree(mdatp.post)[3367]: mv: cannot move '/opt/microsoft/mdatp/definitions/mpasdlta.vdm' to '/var/opt/microsoft/mdatp/definitions.noindex/00000000-0000-0000-0000-000000000000': No such file or directory
Mar 13 13:04:48 myhost rpm-ostree(mdatp.post)[3368]: chmod: cannot access '/var/opt/microsoft/mdatp/definitions.noindex/00000000-0000-0000-0000-000000000000/mpavbase.vdm': No such file or directory
Mar 13 13:04:48 myhost rpm-ostree(mdatp.post)[3368]: chmod: cannot access '/var/opt/microsoft/mdatp/definitions.noindex/00000000-0000-0000-0000-000000000000/mpasbase.vdm': No such file or directory
Mar 13 13:04:48 myhost rpm-ostree(mdatp.post)[3368]: chmod: cannot access '/var/opt/microsoft/mdatp/definitions.noindex/00000000-0000-0000-0000-000000000000/mpavdlta.vdm': No such file or directory
Mar 13 13:04:48 myhost rpm-ostree(mdatp.post)[3368]: chmod: cannot access '/var/opt/microsoft/mdatp/definitions.noindex/00000000-0000-0000-0000-000000000000/mpasdlta.vdm': No such file or directory

related issue (on the rpm-ostree site):
coreos/rpm-ostree#233

Is it possible to have the files in the right directory already in the RPM package, so we don't have to move them in the post install script?

Install runs (failing) on ARM architecture

The mde_installer.sh script does not check which CPU architecture the system is running on.

I tried it on an Ubuntu aarch64 system, and so it runs and fails with:

--- mde_installer.sh v0.5.10 ---
[v] minimal requirements met
[>] detected: ubuntu 20.04 focal (debian)
[>] scaled: 20.04
[v] set package manager: apt
/usr/bin/wget
[final] connected=OK
[v] connected
[v] no conflicting applications found
[v] required pkgs are installed
[>] installing MDE
[>] Running command: apt -t focal install mdatp
[>] Command output:
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Reading package lists...
Building dependency tree...
Reading state information...
E: Unable to locate package mdatp
100
[>] Command exit_code: 100
[S] MDE not installed.
[x] unable to install MDE (1)
[*] exiting (21)

Of course: there is no ARM package yet.
The installer script should fail at the beginning.

downloading mde_installer.sh file with the file creation timestamp

Hi guys,

As the title indicates, how can I download the install script with the timestamp of the file instead of the date on which I downloaded it? I tried using curl -R or wget -S, but the file still gets timestamped with the download date instead of the file creation date.
Thank you.

Support for Linux Mint

Linux Mint (in my case 19.3) seems to be unsupported for now. mde_installer.sh checks for $ID in /etc/os-release instead of $ID_LIKE. After changing this, the installer runs without issues.
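The os-release check that both the Amazon Linux AMI 2018 issue and this Linux Mint issue ask for, as an added example that is not the repository's code: it parses ID, ID_LIKE and VERSION_ID from a file path passed in (so the constructed sample files below can stand in for /etc/os-release), rejects Amazon Linux unless VERSION_ID is exactly "2", and falls back to ID_LIKE for derivatives such as Mint. The function names and the "supported:"/"unsupported:" result strings are this example's own conventions.

```shell
#!/usr/bin/env bash
# Added example, not mde_installer.sh's own detection code. osrel_get,
# classify_distro and make_samples are names assumed here.

# Parse KEY="value" or KEY=value from an os-release style file without sourcing it.
osrel_get() {
    local file="$1" key="$2" line value
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "$key="*)
                value="${line#*=}"
                value="${value%\"}"; value="${value#\"}"   # strip optional quotes
                printf '%s' "$value"
                return 0 ;;
        esac
    done < "$file"
    return 1
}

# Print supported:<family> and return 0, or unsupported:<reason> and return 1.
classify_distro() {
    local file="$1" id id_like version_id like
    id=$(osrel_get "$file" ID) || { echo "unsupported:no-ID"; return 1; }
    id_like=$(osrel_get "$file" ID_LIKE) || id_like=""
    version_id=$(osrel_get "$file" VERSION_ID) || version_id=""
    case "$id" in
        amzn)
            # Amazon Linux 2 reports VERSION_ID="2"; the 2018 AMI reports e.g. "2018.03".
            if [ "$version_id" = "2" ]; then
                echo "supported:amzn2"; return 0
            fi
            echo "unsupported:amazon-linux-ami-$version_id"; return 1 ;;
        ubuntu|debian)      echo "supported:debian"; return 0 ;;
        rhel|centos|fedora) echo "supported:fedora"; return 0 ;;
    esac
    # Derivatives (Linux Mint has ID=linuxmint, ID_LIKE=ubuntu) are matched via ID_LIKE.
    for like in $id_like; do
        case "$like" in
            ubuntu|debian)      echo "supported:debian"; return 0 ;;
            rhel|centos|fedora) echo "supported:fedora"; return 0 ;;
        esac
    done
    echo "unsupported:$id"; return 1
}

# Constructed sample os-release files for the three cases from the issues (not real captures).
make_samples() {
    SAMPLE_DIR=$(mktemp -d)
    printf 'NAME="Amazon Linux"\nID="amzn"\nID_LIKE="centos rhel fedora"\nVERSION_ID="2"\n' > "$SAMPLE_DIR/amzn2"
    printf 'NAME="Amazon Linux AMI"\nID="amzn"\nID_LIKE="rhel fedora"\nVERSION_ID="2018.03"\n' > "$SAMPLE_DIR/amzn2018"
    printf 'NAME="Linux Mint"\nID=linuxmint\nID_LIKE=ubuntu\nVERSION_ID="19.3"\n' > "$SAMPLE_DIR/mint"
}
```

On a real host call `classify_distro /etc/os-release` and abort the install when it returns non-zero.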

Script fails - line 47: /etc/os-release: Permission denied

Hello.
The script was failing due to an empty elif on line 50.
After changing it to an else, I get this error message:

--- mde_installer.sh v0.1 ---
verifying minimal reuirements: 1 cores, 1024 MB RAM, 1024 MB disk space
device qualifies
./mde_installer.sh: line 47: /etc/os-release: Permission denied

mde_installer.sh fails on Amazon Linux 2

This script seems to have issues with certain Linux variants at the moment.

Here is the error on Amazon Linux 2

[ec2-user@ip-10-1-15-188 ~]$ uname -a
Linux ip-10-1-15-188.ec2.internal 4.14.232-176.381.amzn2.x86_64 #1 SMP Wed May 19 00:31:54 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

[ec2-user@ip-10-1-15-188 ~]$ sudo ./mde_installer.sh
./mde_installer.sh: line 55: syntax error near unexpected token `fi'
./mde_installer.sh: line 55: `        fi'

Same issue on RHEL 8

[ec2-user@ip-172-31-50-93 ~]$ uname -a
Linux ip-172-31-50-93.ec2.internal 4.18.0-305.el8.x86_64 #1 SMP Thu Apr 29 08:54:30 EDT 2021 x86_64 x86_64 x86_64 GNU/Linux
[ec2-user@ip-172-31-50-93 ~]$
[ec2-user@ip-172-31-50-93 ~]$ sudo ./mde_installer.sh
./mde_installer.sh: line 55: syntax error near unexpected token `fi'
./mde_installer.sh: line 55: `        fi'

Also for Ubuntu

ubuntu@ip-172-31-53-78:~$ uname -a
Linux ip-172-31-53-78 5.8.0-1035-aws #37~20.04.1-Ubuntu SMP Tue Jun 1 09:54:15 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

ubuntu@ip-172-31-53-78:~$ curl -s -o mde_installer.sh https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/installation/mde_installer.sh
ubuntu@ip-172-31-53-78:~$ chmod +x mde_installer.sh
ubuntu@ip-172-31-53-78:~$ sudo ./mde_installer.sh
./mde_installer.sh: line 55: syntax error near unexpected token `fi'
./mde_installer.sh: line 55: `        fi'

"Command Not Found" Errors

Trying to install on a clean Ubuntu 22.04.4 server but getting the following:

someone@logforwarder-26022024:~/downloads$ sudo bash ./mde_installer.sh --install
./mde_installer.sh: line 1: get_python: command not found
./mde_installer.sh: line 1: parse_uri: command not found
./mde_installer.sh: line 1: parse_uri: command not found
./mde_installer.sh: line 1: parse_uri: command not found
./mde_installer.sh: line 1: parse_uri: command not found
./mde_installer.sh: line 1: --install-: syntax error: operand expected (error token is "-")

Python3 is installed.

What am I missing?

Can onboarding script be used on only one Linux server?

I downloaded an onboarding script from the Defender portal, and applied it to a Linux server in Azure. Ran successfully, showed healthy, showed my org_id correctly.

I applied the same script to another Linux server in Azure, the script ran successfully, but showed unhealthy, missing license.

I tried restarting mdatp, which did not resolve the problem.

I downloaded another onboarding package from the Defender portal, applied it to the second server, and it worked.

The takeaway I'm reaching here is that I need a unique onboarding script per Linux server. Is that true? I need to apply this to scale set instances, so I either need a script that works on multiple servers, or I need a curl/wget URI from which to generate it on the fly.

Use shellcheck for better compatibility in mde_installer.sh

I would suggest using https://www.shellcheck.net/ to verify that the script works in more environments and also to have some sort of static code analysis.

Here is the current output of shellcheck.

In mde_installer.sh line 64:
    msg="${@:3}"
        ^------^ SC2124: Assigning an array to a string! Assign as array, or use * instead of @ to concatenate.


In mde_installer.sh line 101:
    if [ -n $DEBUG ]; then
            ^----^ SC2070: -n doesn't work with unquoted arguments. Quote or use [[ ]].


In mde_installer.sh line 117:
	    exit $2
                 ^-- SC2086: Double quote to prevent globbing and word splitting.

Did you mean: 
	    exit "$2"


In mde_installer.sh line 122:
   if which python3 &> /dev/null; then
      ^---^ SC2230: which is non-standard. Use builtin 'command -v' instead.


In mde_installer.sh line 124:
   elif which python2 &> /dev/null; then
        ^---^ SC2230: which is non-standard. Use builtin 'command -v' instead.


In mde_installer.sh line 133:
   cat <<EOF | /usr/bin/env $(get_python)
                            ^-----------^ SC2046: Quote this to prevent word splitting.


In mde_installer.sh line 172:
    echo $proxy_params
         ^-----------^ SC2086: Double quote to prevent globbing and word splitting.

Did you mean: 
    echo "$proxy_params"


In mde_installer.sh line 177:
    if [ -z $(which mdatp) ]; then
            ^------------^ SC2046: Quote this to prevent word splitting.
              ^---^ SC2230: which is non-standard. Use builtin 'command -v' instead.


In mde_installer.sh line 200:
    local out=$(eval $1 2>&1; echo "$?")
          ^-^ SC2155: Declare and assign separately to avoid masking return values.
                     ^-- SC2086: Double quote to prevent globbing and word splitting.

Did you mean: 
    local out=$(eval "$1" 2>&1; echo "$?")


In mde_installer.sh line 201:
    local exit_code=$(echo "$out" | tail -n1)
          ^-------^ SC2155: Declare and assign separately to avoid masking return values.


In mde_installer.sh line 208:
        if [ -n $DEBUG ]; then
                ^----^ SC2070: -n doesn't work with unquoted arguments. Quote or use [[ ]].


In mde_installer.sh line 215:
            log_error $2
                      ^-- SC2086: Double quote to prevent globbing and word splitting.

Did you mean: 
            log_error "$2"


In mde_installer.sh line 221:
    return $exit_code
           ^--------^ SC2086: Double quote to prevent globbing and word splitting.

Did you mean: 
    return "$exit_code"


In mde_installer.sh line 237:
    while [ $retries -gt 0 ]
            ^------^ SC2086: Double quote to prevent globbing and word splitting.

Did you mean: 
    while [ "$retries" -gt 0 ]


In mde_installer.sh line 249:
            log_info "[r] $(($1-$retries))/$1"
                                ^------^ SC2004: $/${} is unnecessary on arithmetic variables.


In mde_installer.sh line 266:
        . /etc/os-release
          ^-------------^ SC1091: Not following: /etc/os-release was not specified as input (see shellcheck -x).


In mde_installer.sh line 273:
        elif [[ $(grep -o -i "Red\ Hat" /etc/redhat-release) ]]; then
                ^-- SC2143: Use grep -q instead of comparing output with [ -n .. ].


In mde_installer.sh line 275:
        elif [[ $(grep -o -i "Centos" /etc/redhat-release) ]]; then
                ^-- SC2143: Use grep -q instead of comparing output with [ -n .. ].


In mde_installer.sh line 309:
    if which wget; then
       ^---^ SC2230: which is non-standard. Use builtin 'command -v' instead.


In mde_installer.sh line 311:
    elif which curl; then
         ^---^ SC2230: which is non-standard. Use builtin 'command -v' instead.


In mde_installer.sh line 353:
    if [ $(id -u) -ne 0 ]; then
         ^------^ SC2046: Quote this to prevent word splitting.


In mde_installer.sh line 362:
    local cores=$(nproc --all)
          ^---^ SC2155: Declare and assign separately to avoid masking return values.


In mde_installer.sh line 363:
    if [ $cores -lt $MIN_CORES ]; then
         ^----^ SC2086: Double quote to prevent globbing and word splitting.

Did you mean: 
    if [ "$cores" -lt $MIN_CORES ]; then


In mde_installer.sh line 367:
    local mem_mb=$(free -m | grep Mem | awk '{print $2}')
          ^----^ SC2155: Declare and assign separately to avoid masking return values.


In mde_installer.sh line 368:
    if [ $mem_mb -lt $MIN_MEM_MB ]; then
         ^-----^ SC2086: Double quote to prevent globbing and word splitting.

Did you mean: 
    if [ "$mem_mb" -lt $MIN_MEM_MB ]; then


In mde_installer.sh line 372:
    local disk_space_mb=$(df -m . | tail -1 | awk '{print $4}')
          ^-----------^ SC2155: Declare and assign separately to avoid masking return values.


In mde_installer.sh line 373:
    if [ $disk_space_mb -lt $MIN_DISK_SPACE_MB ]; then
         ^------------^ SC2086: Double quote to prevent globbing and word splitting.

Did you mean: 
    if [ "$disk_space_mb" -lt $MIN_DISK_SPACE_MB ]; then


In mde_installer.sh line 386:
	lines=$(systemctl status $1 2>&1 | grep "Active: active" | wc -l)
                                 ^-- SC2086: Double quote to prevent globbing and word splitting.
                                           ^-------------------^ SC2126: Consider using grep -c instead of grep|wc -l.

Did you mean: 
	lines=$(systemctl status "$1" 2>&1 | grep "Active: active" | wc -l)


In mde_installer.sh line 388:
    if [ $lines -eq 0 ]; then
         ^----^ SC2086: Double quote to prevent globbing and word splitting.

Did you mean: 
    if [ "$lines" -eq 0 ]; then


In mde_installer.sh line 400:
    local conflicting_apps=$(timeout 5m find /proc/*/fdinfo/ -type f -print0 2>/dev/null | xargs -r0 grep -Fl "fanotify mnt_id" 2>/dev/null | xargs -I {} -r sh -c 'cat "$(dirname {})/../cmdline"')
          ^--------------^ SC2155: Declare and assign separately to avoid masking return values.
                                                                                                                                                                   ^-- SC2016: Expressions don't expand in single quotes, use double quotes for that.


In mde_installer.sh line 402:
    if [ ! -z $conflicting_apps ]; then
         ^-- SC2236: Use -n instead of ! -z.
              ^---------------^ SC2086: Double quote to prevent globbing and word splitting.

Did you mean: 
    if [ ! -z "$conflicting_apps" ]; then


In mde_installer.sh line 417:
        set -- $t
               ^-- SC2086: Double quote to prevent globbing and word splitting.

Did you mean: 
        set -- "$t"


In mde_installer.sh line 419:
        if find_service $1; then
                        ^-- SC2086: Double quote to prevent globbing and word splitting.

Did you mean: 
        if find_service "$1"; then


In mde_installer.sh line 458:
        dpkg -s $1 2> /dev/null | grep Status | grep "install ok installed" 1> /dev/null
                ^-- SC2086: Double quote to prevent globbing and word splitting.

Did you mean: 
        dpkg -s "$1" 2> /dev/null | grep Status | grep "install ok installed" 1> /dev/null


In mde_installer.sh line 460:
        rpm --quiet --query $(get_rpm_proxy_params) $1
                            ^---------------------^ SC2046: Quote this to prevent word splitting.
                                                    ^-- SC2086: Double quote to prevent globbing and word splitting.

Did you mean: 
        rpm --quiet --query $(get_rpm_proxy_params) "$1"


In mde_installer.sh line 483:
    if [ ! -z "$pkgs_to_be_installed" ]; then
         ^-- SC2236: Use -n instead of ! -z.


In mde_installer.sh line 498:
        lines=$(ps axo pid,comm | grep "$PKG_MGR" | grep -v grep -c)
                ^-- SC2009: Consider using pgrep instead of grepping ps output.


In mde_installer.sh line 512:
    local packages=
          ^------^ SC2178: Variable was used as an array but is now assigned a string.


In mde_installer.sh line 514:
    local success=
          ^-----^ SC2034: success appears unused. Verify use (or export if used externally).


In mde_installer.sh line 524:
    install_required_pkgs ${packages[@]}
                          ^------------^ SC2068: Double quote array expansions to avoid re-splitting elements.


In mde_installer.sh line 553:
    local packages=
          ^------^ SC2178: Variable was used as an array but is now assigned a string.


In mde_installer.sh line 564:
    repo=packages-microsoft-com
         ^--------------------^ SC2100: Use $((..)) for arithmetics, e.g. i=$((i - 2))


In mde_installer.sh line 568:
        packages=($packages deltarpm)
                  ^-------^ SC2128: Expanding an array without an index only gives the first element.
                  ^-------^ SC2206: Quote to prevent word splitting/globbing, or split robustly with mapfile or read -a.


In mde_installer.sh line 571:
    install_required_pkgs ${packages[@]}
                          ^------------^ SC2068: Double quote array expansions to avoid re-splitting elements.


In mde_installer.sh line 575:
        repo=packages-microsoft-com-prod
             ^-------------------------^ SC2100: Use $((..)) for arithmetics, e.g. i=$((i - 2))


In mde_installer.sh line 601:
    local packages=
          ^------^ SC2178: Variable was used as an array but is now assigned a string.


In mde_installer.sh line 611:
    repo=packages-microsoft-com
         ^--------------------^ SC2100: Use $((..)) for arithmetics, e.g. i=$((i - 2))


In mde_installer.sh line 614:
    install_required_pkgs ${packages[@]}
                          ^------------^ SC2068: Double quote array expansions to avoid re-splitting elements.


In mde_installer.sh line 620:
    lines=$($PKG_MGR_INVOKER lr | grep "packages-microsoft-com-$CHANNEL" | wc -l)
                                  ^-- SC2126: Consider using grep -c instead of grep|wc -l.


In mde_installer.sh line 622:
    if [ $lines -eq 0 ]; then
         ^----^ SC2086: Double quote to prevent globbing and word splitting.

Did you mean: 
    if [ "$lines" -eq 0 ]; then


In mde_installer.sh line 648:
    local packages=
          ^------^ SC2178: Variable was used as an array but is now assigned a string.


In mde_installer.sh line 659:
    install_required_pkgs ${packages[@]}
                          ^------------^ SC2068: Double quote array expansions to avoid re-splitting elements.


In mde_installer.sh line 685:
            repo=packages-microsoft-com-prod
                 ^-------------------------^ SC2100: Use $((..)) for arithmetics, e.g. i=$((i - 2))


In mde_installer.sh line 731:
    for version in ${SUPPORTED_RHEL6_VERSIONS[@]}; do
                   ^----------------------------^ SC2068: Double quote array expansions to avoid re-splitting elements.


In mde_installer.sh line 744:
            if rhel6_supported_version $VERSION; then # support versions 6.7+
                                       ^------^ SC2086: Double quote to prevent globbing and word splitting.

Did you mean: 
            if rhel6_supported_version "$VERSION"; then # support versions 6.7+


In mde_installer.sh line 792:
        PYTHON=$(which python || which python3)
                 ^---^ SC2230: which is non-standard. Use builtin 'command -v' instead.
                                 ^---^ SC2230: which is non-standard. Use builtin 'command -v' instead.


In mde_installer.sh line 794:
        if [ -z $PYTHON ]; then
                ^-----^ SC2086: Double quote to prevent globbing and word splitting.

Did you mean: 
        if [ -z "$PYTHON" ]; then


In mde_installer.sh line 824:
    if [ $(mdatp health --field passive_mode_enabled | tail -1) == "false" ]; then
         ^-- SC2046: Quote this to prevent word splitting.


In mde_installer.sh line 838:
        set -- $t
               ^-- SC2086: Double quote to prevent globbing and word splitting.

Did you mean: 
        set -- "$t"


In mde_installer.sh line 840:
            local set_tags=$(mdatp health --field edr_device_tags)
                  ^------^ SC2155: Declare and assign separately to avoid masking return values.


In mde_installer.sh line 843:
            local result=$(echo "$set_tags" | grep -q "\"key\":\"$1\""; echo "$?")
                  ^----^ SC2155: Declare and assign separately to avoid masking return values.


In mde_installer.sh line 844:
            if [ $result -eq 0 ]; then
                 ^-----^ SC2086: Double quote to prevent globbing and word splitting.

Did you mean: 
            if [ "$result" -eq 0 ]; then


In mde_installer.sh line 845:
                local value=$(echo "$set_tags" | grep -o "\"key\":\"$1\".*\"" | cut -d '"' -f 8)
                      ^---^ SC2155: Declare and assign separately to avoid masking return values.


In mde_installer.sh line 854:
                local tag_value="\"${@:2}\""
                                ^----------^ SC2124: Assigning an array to a string! Assign as array, or use * instead of @ to concatenate.


In mde_installer.sh line 1076:
if [ ! -z $PASSIVE_MODE ]; then
     ^-- SC2236: Use -n instead of ! -z.


In mde_installer.sh line 1080:
if [ ! -z $ONBOARDING_SCRIPT ]; then
     ^-- SC2236: Use -n instead of ! -z.
          ^----------------^ SC2086: Double quote to prevent globbing and word splitting.

Did you mean: 
if [ ! -z "$ONBOARDING_SCRIPT" ]; then

For more information:
  https://www.shellcheck.net/wiki/SC2068 -- Double quote array expansions to ...
  https://www.shellcheck.net/wiki/SC2070 -- -n doesn't work with unquoted arg...
  https://www.shellcheck.net/wiki/SC2034 -- success appears unused. Verify us...

I would also suggest addressing these warnings and errors.
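The findings above fall into a few classes: unquoted expansions (SC2086/SC2046), `! -z` instead of `-n` (SC2236), the non-standard `which` (SC2230), `local v=$(cmd)` hiding the exit status of `cmd` (SC2155), and `"${@:2}"` used as a string (SC2124). The block below is an added example, not code from mde_installer.sh or from the reporter, that puts each pattern beside its corrected form so the behavioural difference can be observed directly. `SAMPLE_TAGS`, the function names and the JSON layout are constructed assumptions standing in for `mdatp health --field edr_device_tags` output.

```shell
#!/bin/sh
# Added example (not from mde_installer.sh): each shellcheck class beside its fix.
# SAMPLE_TAGS is a constructed stand-in for 'mdatp health --field edr_device_tags'.
SAMPLE_TAGS='[{"key":"GROUP","value":"prod-web"}]'

# SC2086: an unquoted expansion is split on whitespace and glob-expanded.
# Both functions print how many positional parameters the input turned into.
words_unquoted() {
    set -- $1        # deliberately unquoted: 'a b c' becomes three words
    echo "$#"
}
words_quoted() {
    set -- "$1"      # quoted: the whole string stays one word
    echo "$#"
}

# SC2236 / SC2086: test for a non-empty value with -n and quotes.
# With an unquoted empty variable, '[ -z $x ]' degenerates to '[ -z ]'.
is_nonempty() {
    [ -n "$1" ]
}

# SC2230: 'command -v' is the portable builtin replacement for 'which'.
find_interpreter() {
    command -v "$1" 2>/dev/null
}

# SC2155: 'local v=$(cmd)' returns the status of 'local' (0), so a failing
# command substitution goes unnoticed; declare first, then assign.
status_masked() {
    local out=$(false)   # $? is now 0, from 'local', not 1 from 'false'
    return $?
}
status_preserved() {
    local out
    out=$(false)         # $? is now 1, the real status of 'false'
    return $?
}

# Tag lookup in the style of the installer, with quoting fixed and the grep
# status kept separate from any declaration. Prints the value stored for key
# $1 in the JSON in $2; returns 1 when the key is absent.
get_tag_value() {
    local key="$1"
    local tags="$2"
    local value
    if ! printf '%s\n' "$tags" | grep -q "\"key\":\"$key\""; then
        return 1
    fi
    value=$(printf '%s\n' "$tags" | grep -o "\"key\":\"$key\".*\"" | cut -d '"' -f 8)
    printf '%s\n' "$value"
}

# SC2124: to join the arguments after the first into one string, shift and
# use "$*" rather than embedding the bash-only "${@:2}" in a string.
join_rest() {
    shift
    printf '%s\n' "$*"
}
```

`status_masked` and `status_preserved` are the point of SC2155: a `local` declaration on the same line swallows the non-zero status, so a later `if [ "$result" -eq 0 ]` would be reasoning about the wrong command. The `set --` pair makes the SC2086 splitting visible without a glob-sensitive working directory.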

Raspberry Pi

Hi,

Not sure if Raspberry Pis are supported? Running Ubuntu 22.04.1 LTS on arm64.

I just get "unable to locate package" when trying to install the package; the lists are installed along with the GPG key.

Jamf Pro 10.33.0: Changes to "Antivirus engine > Disallowed threat actions" not retained when saving

First, thanks for providing such excellent documentation and resources.

When using the provided JSON in Jamf Pro 10.33.0, changes to "Antivirus engine > Disallowed threat actions" are not retained when saving.

Additionally, if "Antivirus engine > Disallowed threat actions" is configured before saving, no modifications will be retained when saving.


Steps to reproduce:

  1. Follow the steps as outlined in Step 3: Configure Microsoft Defender for Endpoint settings
  2. For Step 3.6, select:
    1. Antivirus engine > Add/Remove Properties > Disallowed threat actions > Apply
    2. Enable "allow" and "restore"
    3. Save the Configuration Profile
    4. Click Plist preview
    5. Observe that "Disallowed threat actions" remains un-configured
  3. Edit the Configuration Profile, adding all Antivirus engine properties and omitting "Disallowed threat actions"
  4. Save the Configuration Profile
  5. Click Plist preview
  6. Observe that the plist is as expected
  7. Repeat Step 2 and observe that "Disallowed threat actions" remains un-configured

Intune FullDisk Access mobileconfig does not enable Setting

I have installed the macos/mobileconfig/profiles/fulldisk.mobileconfig and deployed it via Intune.

Although it gets transferred to the device, the Mac that has the profile installed shows both Defender and Extension with no Full Disk Access:


Is this profile still operational?
Is Defender for Endpoint able to access full disk for scanning and protection with these two settings disabled?

macOS 13.4 (22F66) Ventura on m1 max

high_cpu_parser.py is broken on Ubuntu Bionic

Greetings,

Since MR #17, running linux/high_cpu_parser.py with the --group 1 option on an Ubuntu Bionic system, with both stock versions of Python (2.7.17 and 3.6.9) results in the following error:

# python high_cpu_parser.py --group 1 < x.json
Traceback (most recent call last):
  File "high_cpu_parser.py.1", line 28, in <module>
    groups[name][0] = groups[name] + cnt
TypeError: unsupported operand type(s) for +: 'set' and 'int'

Onboarding automation possibilities

Hi,

Sorry if this is not the place...

I can't find a way, after parsing the doc, to automatically onboard servers (could be VMs, could be VMSS nodes).

I generate gold images where mdatp gets pre-installed, and I deploy the VMs and VMSSs using Terraform only. I want the VMs to be disposable though secured. I understand I need to run the onboarding Python script, and I'd like to dig into the best approach for this, without needing to Ansible this or Puppet that.

I read that the onboarding script can't be used before the snapshot (Packer build, actually) because of duplicate Sense GUIDs, I suppose.

I'm trying to get around this, and the only way I'm thinking of is to use the custom data of VM and VMSS resources so the onboarding script is run at the deployment stage.

Would this be a recommended approach, the only one, or a bad one?

Any feedback appreciated.

Support for Fedora

When running this script on a Fedora system, it throws an error that it is an Unsupported distro. However, it does appear that the necessary Microsoft repositories and packages to install mde exist. I made a couple very small modifications to the script to allow it to work for Fedora and would be more than happy to submit a pull request if desired.

Intune Kernel extensions settings cannot be applied to Mac with Apple M1 - Results in failure

https://github.com/MicrosoftDocs/microsoft-365-docs/issues/4557

https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-kernel-extensions-on-macs-running-apple-silicon-are/ba-p/2238727

https://support.apple.com/en-us/HT211860#silicon

The combined macOS profile cannot be applied because of the above. I think it may be a good idea to either mention it in the readme, create another profile for Apple Silicon devices only, or remove the kernel extensions configs altogether if they are not required by Defender ATP anymore. But maybe some people still use Defender ATP with kernel extensions and an old macOS version, and they may still require the kernel extensions configs; that's why I did not simply make a pull request removing the kernel extensions config, and instead opened an issue to decide how to handle it.

I'll let you decide how this should be approached/fixed for Apple Silicon devices under Intune management. Otherwise it prevents the profile from being loaded and applied, and thus ATP doesn't run properly (no rights, configs, etc.).

On my side, since we run the latest Defender ATP and we also only run Big Sur, I simply removed the kernel extensions from the combined profile and it fixed the issue.

Tons of errors in MS documentation

The official Microsoft documentation (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-install-with-intune?view=o365-worldwide#step-14-download-the-onboarding-package) referencing the files in this repo is awfully messed up. Here are the issues I found:

  • Step 1 / 1: not in Microsoft Defender portal, but in Endpoint/Intune portal
  • Step 2 / 9: missing file selection
  • Step 4 / 6: someone copypasted name from Step 3 (FullDiskAccess), it should say something like BackgroundService
  • Step 4 / 8: again wrong suggested name (should be background_services.mobileconfig)
  • Step 5 / 6: same issue as step 4/6
  • Step 7: wrong GitHub link (needs to be the raw link; as is, it downloads a GitHub JSON)
  • Step 7: doesn't mention that user should look for ChannelName in the XML to choose one of the channels (default set to Production, which is OK)
  • Step 8: the "Microsoft Defender portal" link is all wrong and links to some weird place that requires a MS (non-365) account
  • Step 11: why can't DLP be included in the .mobileconfig file we download in step4, also which .mobileconfig do we update with features/dataLossPrevention/enabled?
  • Step 15: it would be nice to say we're switching back from Defender portal to Intune portal.
  • Step 15 / 6+7: why are you calling it Autoupdate? That was Step 7. It should be something like "Licensing" or "Onboarding"
  • Step 15 / 10: which effing file?? (it's the one in the intune directory inside the zip we downloaded in step 14)

Documentation does not describe how to offboard and remove the product

Hi,

The installer script options show that the -o|--onboard option can be used to onboard and offboard the device from the MDE service using the onboarding script. Could you please clarify that the above switch and same onboarding script will in fact offboard a server that is currently onboarded? If possible could you provide an example command line for offboarding and product removal?

Many thanks
