Learn Editor: Update linux-support-ebpf.md

lakshmyav · lakshmyav · commit 874404a6f70b · 2024-11-27T14:16:42.000+05:30
diff --git a/defender-endpoint/linux-support-ebpf.md b/defender-endpoint/linux-support-ebpf.md
@@ -139,15 +139,21 @@ uname -a
     - Use a kernel version higher or lower than **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** on Oracle Linux 8.8 if you want to use eBPF as supplementary subsystem provider. The minimum kernel version for Oracle Linux is RHCK 3.10.0 and Oracle Linux UEK is 5.4.
     - Switch to AuditD mode if you need to use the same kernel version
 
-```bash
-sudo mdatp config  ebpf-supplementary-event-provider  --value disabled
-```
+        ```bash
+        sudo mdatp config  ebpf-supplementary-event-provider  --value disabled
+        ```
+
+    - The following two sets of data help analyze potential issues and determine the most effective resolution options.
+
+          1. Collect a diagnostic package from the client analyzer tool by using the following instructions: [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md).
 
-The following two sets of data help analyze potential issues and determine the most effective resolution options.
+          2. Collect a debug diagnostic package when Defender for Endpoint is utilizing high resources by using the following instructions: [Microsoft Defender for Endpoint on Linux resources](linux-resources.md#collect-diagnostic-information).
 
-1. Collect a diagnostic package from the client analyzer tool by using the following instructions: [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md).
+3. System hangs on Oracle Linux 7.9 running Defender for Linux when ksplice is used for live kernel patching. 
 
-2. Collect a debug diagnostic package when Defender for Endpoint is utilizing high resources by using the following instructions: [Microsoft Defender for Endpoint on Linux resources](linux-resources.md#collect-diagnostic-information).
+    - Auto-install patching of ksplice simply adds a cron job to the endpoint.
+    - To mitigate the hang issue, you can create a cron job which will first stop the mdatp service, apply ksplice based patching, then start the service.  
+    - As kernel patching is few seconds activity so this will not have major exposure in terms of security.  
 
 #### Troubleshooting performance issues
 
