defender-endpoint/linux-install-manually.md (34 additions & 35 deletions)
@@ -15,7 +15,7 @@ ms.collection:
15
15
ms.topic: conceptual
16
16
ms.subservice: linux
17
17
search.appverid: met150
18
-
ms.date: 02/14/2025
18
+
ms.date: 03/04/2025
19
19
---
20
20
21
21
# Deploy Microsoft Defender for Endpoint on Linux manually
@@ -391,96 +391,95 @@ Download the onboarding package from the [Microsoft Defender portal](https://sec
391
391
392
392
> [!NOTE]
393
393
> Initially the client device isn't associated with an organization and the *orgId* attribute is blank.
394
-
394
+
395
395
```bash
396
396
mdatp health --field org_id
397
397
```
398
-
399
-
2. Run `MicrosoftDefenderATPOnboardingLinuxServer.py`.
398
+
399
+
1. Run one of the below scenarios.
400
400
401
401
> [!NOTE]
402
402
> To run this command, you must have `python` or `python3` installed on the device depending on the distro and version. If needed, see [Step-by-step Instructions for Installing Python on Linux](https://opensource.com/article/20/4/install-python-linux).
403
403
>
404
404
> To onboard a device that was previously offboard, you must remove the mdatp_offboard.json file located at /etc/opt/microsoft/mdatp.
405
-
406
-
If you're running RHEL 8.x or Ubuntu 20.04 or higher, you need to use `python3`.
407
-
405
+
406
+
If you're running RHEL 8.x or Ubuntu 20.04 or higher, you need to use `python3`. Run the following command:
3. Verify that the device is now associated with your organization and reports a valid organization identifier:
417
+
418
+
1. Verify that the device is now associated with your organization and reports a valid organization identifier:
419
419
420
420
```bash
421
421
mdatp health --field org_id
422
422
```
423
-
424
-
4. Check the health status of the product by running the following command. A return value of `true` denotes that the product is functioning as expected:
423
+
424
+
1. Check the health status of the product by running the following command. A return value of `true` denotes that the product is functioning as expected:
425
425
426
426
```bash
427
427
mdatp health --field healthy
428
428
```
429
-
429
+
430
430
> [!IMPORTANT]
431
431
> When the product starts for the first time, it downloads the latest anti-malware definitions. This process might take up to a few minutes depending on the network connectivity. During this time, the command mentioned earlier returns a value of `false`. You can check the status of the definition update using the following command:
432
-
>
432
+
>
433
433
> ```bash
434
434
> mdatp health --field definitions_status
435
435
> ```
436
-
>
437
436
> You might also need to configure a proxy after completing the initial installation. See [Configure Defender for Endpoint on Linux for static proxy discovery: Post-installation configuration](linux-static-proxy-configuration.md#post-installation-configuration).
438
-
439
-
5. Run an antivirus detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:
437
+
438
+
1. Run an antivirus detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:
440
439
441
440
1. Ensure that real-time protection is enabled (denoted by a result of `true` from running the following command):
442
-
441
+
443
442
```bash
444
443
mdatp health --field real_time_protection_enabled
445
444
```
446
-
445
+
447
446
If it isn't enabled, execute the following command:
448
-
447
+
449
448
```bash
450
449
mdatp config real-time-protection --value enabled
451
450
```
452
-
453
-
2. Open a Terminal window and execute the following command to run a detection test:
451
+
452
+
1. To run a detection test, open a Terminal window. and then run the following command:
The files should be quarantined by Defender for Endpoint on Linux.
467
466
468
-
4. Use the following command to list all the detected threats:
467
+
1. Use the following command to list all the detected threats:
469
468
470
469
```bash
471
470
mdatp threat list
472
471
```
473
-
474
-
6. Run an EDR detection test and simulate a detection to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:
472
+
473
+
1. Run an EDR detection test and simulate a detection to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:
475
474
476
475
1. Verify that the onboarded Linux server appears in Microsoft Defender XDR. If this is the first onboarding of the machine, it can take up to 20 minutes until it appears.
477
-
478
-
2. Download and extract the [script file](https://aka.ms/MDE-Linux-EDR-DIY) to an onboarded Linux server, and then run the following command: `./mde_linux_edr_diy.sh`
479
-
476
+
477
+
1. Download and extract the [script file](https://aka.ms/MDE-Linux-EDR-DIY) to an onboarded Linux server, and then run the following command: `./mde_linux_edr_diy.sh`
478
+
480
479
After a few minutes, a detection should be raised in Microsoft Defender XDR.
481
-
482
-
3. Look at the alert details, machine timeline, and perform your typical investigation steps.
483
-
480
+
481
+
1. Look at the alert details, machine timeline, and perform your typical investigation steps.
482
+
484
483
## Microsoft Defender for Endpoint package external package dependencies
485
484
486
485
The following external package dependencies exist for the `mdatp` package:
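Review bot: The rewritten sub-step at new line 452 has a stray period before the conjunction: `1. To run a detection test, open a Terminal window. and then run the following command:` should read `1. To run a detection test, open a Terminal window, and then run the following command:`. Two smaller points in the same hunk: the new step text `1. Run one of the below scenarios.` drops the script name `MicrosoftDefenderATPOnboardingLinuxServer.py` that the removed `2. Run ...` line carried, so please confirm the scenarios that follow still name the onboarding script, and `below scenarios` reads better as `the following scenarios`. Renumbering every ordinal to `1.` relies on Markdown auto-numbering, which only renders correctly if the nested sub-steps (the `Ensure that real-time protection is enabled` and `Verify that the onboarded Linux server appears` items) keep their indentation; the rendered diff does not show indentation, so check the preview. While the file is open, the unchanged context at line 404, `a device that was previously offboard`, should be `offboarded`.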