You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: defender-endpoint/mde-linux-deployment-on-sap.md
+11-11Lines changed: 11 additions & 11 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -57,14 +57,14 @@ Conventional security defenses that have been commonly used to protect SAP syste
57
57
- Microsoft Defender for Endpoint on Linux requires connectivity to [specific Internet endpoints](microsoft-defender-endpoint-linux.md#network-connections) from VMs to update antivirus Definitions.
58
58
- Microsoft Defender for Endpoint on Linux requires some crontab (or other task scheduler) entries to schedule scans, log rotation, and Microsoft Defender for Endpoint updates. Enterprise Security teams normally manage these entries. Refer to [How to schedule an update of the Microsoft Defender for Endpoint (Linux)](linux-update-mde-linux.md).
59
59
60
-
The default configuration option for deployment as an Azure Extension for AntiVirus (AV) is Passive Mode. This means that the AV component of Microsoft Defender for Endpoint doesn't intercept IO calls. It's recommended to run Microsoft Defender for Endpoint in Passive Mode on all SAP applications and to schedule a scan once per day. In this mode:
60
+
The default configuration option for deployment as an Azure Extension for AntiVirus (AV) is Passive Mode. This means that Microsoft Defender Antivirus, the AV component of Microsoft Defender for Endpoint, doesn't intercept IO calls. It's recommended to run Microsoft Defender for Endpoint in Passive Mode on all SAP applications and to schedule a scan once per day. In this mode:
61
61
62
62
-**Real-time protection is turned off**: Threats aren't remediated by Microsoft Defender Antivirus.
63
63
-**On-demand scanning is turned on**: Still use the scan capabilities on the endpoint.
64
64
-**Automatic threat remediation is turned off**: No files are moved and the security administrator is expected to take required action.
65
65
-**Security intelligence updates are turned on**: Alerts are available on security administrator's tenant.
66
66
67
-
Online Kernel patching tools such as Ksplice or similar can lead to unpredictable OS stability if Defender for Endpoint is running. It is recommended to temporarily stop the MDE daemon prior to performing online Kernel patching. After the Kernel is updated MDE for Linux can be safely restarted. This is especially important on large SAP HANA VMs with huge memory contexts.
67
+
Online Kernel patching tools such as Ksplice or similar can lead to unpredictable OS stability if Defender for Endpoint is running. It is recommended to temporarily stop the MDE daemon prior to performing online Kernel patching. After the Kernel is updated MDE for Linux can be safely restarted. This is especially important on large SAP HANA VMs with huge memory contexts.
68
68
69
69
The Linux crontab is typically used to schedule Microsoft Defender for Endpoint AV scan and log rotation tasks:
70
70
[How to schedule scans with Microsoft Defender for Endpoint (Linux)](linux-schedule-scan-mde.md)
@@ -73,18 +73,18 @@ Endpoint Detection and Response (EDR) functionality is active whenever Microsoft
73
73
74
74
## Important Configuration Settings for Microsoft Defender for Endpoint on SAP on Linux
75
75
76
-
It's recommended to check the installation and configuration of Defender for Endpoint with the command mdatp health.
76
+
It's recommended to check the installation and configuration of Defender for Endpoint with the command `mdatp health`.
77
77
78
78
The key parameters recommended for SAP applications are:
79
79
80
-
- healthy = true
81
-
- release_ring = Production. Prerelease and insider rings shouldn't be used with SAP Applications.
82
-
- real_time_protection_enabled = false. Real-time protection is off in passive mode, which is the default mode and prevents real-time IO interception.
83
-
- automatic_definition_update_enabled = true
84
-
- definition_status = "up_to_date". Run a manual update if a new value is identified.
85
-
- edr_early_preview_enabled = "disabled". If enabled on SAP systems it might lead to system instability.
86
-
- conflicting_applications = []. Other AV or security software installed on a VM such as Clam.
87
-
- supplementary_events_subsystem = "ebpf". Don't proceed if ebpf isn't displayed. Contact the security admin team.
80
+
-`healthy = true`
81
+
-`release_ring = Production`. Prerelease and insider rings shouldn't be used with SAP Applications.
82
+
-`real_time_protection_enabled = false`. Real-time protection is off in passive mode, which is the default mode and prevents real-time IO interception.
83
+
-`automatic_definition_update_enabled = true`
84
+
-`definition_status = "up_to_date"`. Run a manual update if a new value is identified.
85
+
-`edr_early_preview_enabled = "disabled"`. If enabled on SAP systems it might lead to system instability.
86
+
-`conflicting_applications = [ ]`. Other AV or security software installed on a VM such as Clam.
87
+
-`supplementary_events_subsystem = "ebpf"`. Don't proceed if ebpf isn't displayed. Contact the security admin team.
88
88
89
89
This article has some useful hints on troubleshooting installation issues for Microsoft Defender for Endpoint:
90
90
[Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux](linux-support-install.md#installation-failed)
0 commit comments