Merge pull request #5074 from zeeshan1995/patch-8

paulinbar · web-flow · commit 8820d2129bdb · 2025-09-23T12:38:35.000+03:00
Revise XMDE Client Analyzer instructions for Linux
diff --git a/defender-endpoint/run-analyzer-linux.md b/defender-endpoint/run-analyzer-linux.md
@@ -1,15 +1,15 @@
 ---
 title: Run the client analyzer on Linux
 description: Run the Defender for Endpoint client analyzer on Linux
-author: batamig
-ms.author: bagol
+author: paulinbar
+ms.author: painbar
 manager: bagol
 ms.reviewer: yongrhee
 ms.service: defender-endpoint
 ms.subservice: linux
 ms.localizationpriority: medium
 ms.topic: troubleshooting-general
-ms.date: 05/24/2025
+ms.date: 09/23/2025
 ms.custom: partner-contribution
 ms.collection:
 - m365-security
@@ -29,42 +29,48 @@ f1.keywords: NOCSH
 
 > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://go.microsoft.com/fwlink/p/?linkid=2225630)
 
-If you have issues with Microsoft Defender for Endpoint on Linux and need support, you might be asked to provide the output from the Client Analyzer tool. This article explains how to use the tool on your device or with live response. You can use either a Python-based solution or a binary version that doesn't need Python.
+If you have issues with Microsoft Defender for Endpoint on Linux and need support, you might be asked to provide the output from the Client Analyzer tool. It is a diagnostic tool which help administrators and support teams troubleshoot issues with Microsoft Defender for Endpoint. It collects detailed information about installation, configuration, service health, logs, connectivity status, etc. This tool is primarily used for checking system health, validating configurations, and helping troubleshoot potential issues.
+
+This article explains how to use the tool on your device or with live response. You can use either a Python-based solution or a binary version that doesn't need Python.
 
 > [!TIP]
 > Watch this video to get an overview of the client analyzer: [Defender for Endpoint client analyzer overview](https://www.youtube.com/watch?v=GnqDsvYYL6w)
 
-## Running the binary version of the client analyzer
+## Run the binary version of the client analyzer
+The binary version of client analyzer is made available in two ways:
+- Shipped with Microsoft Defender for Linux
+- Shipped as a standalone tool
 
-### Run ClientAnalyzer binary shipped MDE:
+### Run the Client Analyzer binary shipped with Microsoft Defender for Linux:
 > [!NOTE]
-> Starting with the Defender for Endpoint version `101.25062.0000`, the Client Analyzer is shipped with agent. It can be found at the location `/opt/microsoft/mdatp/conf/client_analyzer/binary`
+> Starting with the Defender for Endpoint version `101.25082.0000`, the Client Analyzer is shipped with an agent. It can be found at the following location: `/opt/microsoft/mdatp/tools/client_analyzer/binary`
+
+To run this client analyzer follow these steps:
 
-To run this client analyzer follow the steps:
-1. Go to directory `/opt/microsoft/mdatp/conf/client_analyzer/binary`:
+1. Go to the directory `/opt/microsoft/mdatp/tools/client_analyzer/binary`:
 
     ```bash
-    cd /opt/microsoft/mdatp/conf/client_analyzer/binary
+    cd /opt/microsoft/mdatp/tools/client_analyzer/binary
     ```
-2. Run the tool as _root_ to generate diagnostic package:
+2. Run the tool as _root_ to generate a diagnostic package:
 
    ```bash
    sudo ./MDESupportTool -d
    ```
-### Download and run ClientAnalyzer binary
+### Download and run the Client Analyzer standalone binary tool
 
-Follow the below steps if you are using Defender for Endpoint older than `101.25062.0000`
+Follow the steps below to use the standalone ClientAnalyzer binary
 
-1. Download the [XMDE Client Analyzer Binary](https://aka.ms/XMDEClientAnalyzerBinary) tool to the Linux machine that you're to investigating. If you're using a terminal, download the tool by entering the following command:
+1. Download the [XMDE Client Analyzer Binary](https://aka.ms/XMDEClientAnalyzerBinary) tool to the Linux machine that you need to investigate. If you're using a terminal, download the tool by entering the following command:
 
     ```bash
-    wget --quiet -O XMDEClientAnalyzerBinary.zip https://aka.ms/XMDEClientAnalyzerBinary
+    wget --quiet -O XMDEClientAnalyzerBinary.zip "https://go.microsoft.com/fwlink/?linkid=2336125"
     ```
 
-2. Verify the download.
+2. Verify the download:
 
     ```bash
-    echo 'C65A4E4C6851D130942BFACD147A9D18B8A92B4F50FACF519477FD1C41A1C323 XMDEClientAnalyzerBinary.zip' | sha256sum -c
+    echo '042692269A7208AB30B4355A6FC1CD0A25FE59356D96CCD2E7F1F61DF9B4B85D XMDEClientAnalyzerBinary.zip' | sha256sum -c
     ```
 
 3. Extract the contents of `XMDEClientAnalyzerBinary.zip` on the machine.
@@ -81,21 +87,26 @@ Follow the below steps if you are using Defender for Endpoint older than `101.25
 
 5. Two new zip files are produced:
 
-   - **SupportToolLinuxBinary.zip**: For all Linux devices
-   - **SupportToolMacOSBinary.zip**: For Mac devices
+   - **SupportToolLinuxamd64Binary.zip**: For x86 Linux devices
+   - **SupportToolLinuxarm64Binary.zip**: For ARM Linux devices
 
-6. Unzip `SupportToolLinuxBinary.zip` file.
+6. Unzip the sepecific zip based on your Linux OS architecture. For example, we use here the `SupportToolLinuxamd64Binary.zip` file.
 
      ```bash
-     unzip -q SupportToolLinuxBinary.zip
+     unzip -q SupportToolLinuxamd64Binary.zip
      ```
-7. Run the tool as _root_ to generate diagnostic package:
+7. Run the tool as _root_ to generate a diagnostic package:
 
    ```bash
    sudo ./MDESupportTool -d
    ```
 
-## Running the Python-based client analyzer
+## Run the Python-based client analyzer
+
+The python version of client analyzer is made available in two ways:
+
+- Shipped with Microsoft Defender for Linux
+- Shipped as a standalone tool
 
 > [!NOTE]
 > - The analyzer depends on a few extra PIP packages (`decorator`, `sh`, `distro`, `lxml`, and `psutil`) which are installed in the operating system when in root to produce the result output. If not installed, the analyzer attempts to fetch it from the [official repository for Python packages](https://pypi.org/search/?q=lxml).
@@ -105,15 +116,17 @@ Follow the below steps if you are using Defender for Endpoint older than `101.25
 > [!WARNING]
 > Running the Python-based client analyzer requires the installation of PIP packages which could cause some issues in your environment. To avoid issues from occurring, we recommend that you install the packages into a user PIP environment.
 
-### Run ClientAnalyzer python version shipped MDE
+### Run Client Analyzer python version shipped with Microsoft Defender for Linux
+
 > [!NOTE]
-> Starting with the Defender for Endpoint version `101.25062.0000`, the Client Analyzer is shipped with agent. It can be found at the location `/opt/microsoft/mdatp/conf/client_analyzer/python`
+> Starting with the Defender for Endpoint version `101.25082.0000`, the Client Analyzer is shipped with an agent. It can be found at the following location: `/opt/microsoft/mdatp/tools/client_analyzer/python`
+
+To run this client analyzer follow these steps:
 
-To run this client analyzer follow the steps:
-1. Go to directory `/opt/microsoft/mdatp/conf/client_analyzer/python`:
+1. Go to directory `/opt/microsoft/mdatp/tools/client_analyzer/python`:
 
     ```bash
-    cd /opt/microsoft/mdatp/conf/client_analyzer/python
+    cd /opt/microsoft/mdatp/tools/client_analyzer/python
     ```
 2. Run as a root user to install required dependencies.
 
@@ -126,45 +139,45 @@ To run this client analyzer follow the steps:
     sudo ./mde_support_tool.sh -d
     ```
 
-### Download and run ClientAnalyzer python version
+### Download and run the Client Analyzer standalone python version
 
 1. Download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer) tool on the Linux machine you need to investigate. If you're using a terminal, download the tool by entering the following command:
 
     ```bash
-    wget --quiet -O XMDEClientAnalyzer.zip https://aka.ms/XMDEClientAnalyzer
+    wget --quiet -O XMDEClientAnalyzerPython.zip "https://go.microsoft.com/fwlink/?linkid=2336046"
     ```
 
-2. Verify the download.
+2. Verify the download:
 
     ```bash
-    echo '07E6A7B89E28A78309D5B6F1E25E4CDFBA9CA141450E422D76441C03AD3477E7 XMDEClientAnalyzer.zip' | sha256sum -c
+    echo '9F29043CD3034DD4DF30B0EA25B37B5EE7BE5D81D5848CF047F9842B76C831EA XMDEClientAnalyzerPython.zip' | sha256sum -c
     ```
 
-3. Extract the contents of `XMDEClientAnalyzer.zip` on the machine.
+3. Extract the contents of `XMDEClientAnalyzer.zip` on the machine:
 
     ```bash
-    unzip -q XMDEClientAnalyzer.zip -d XMDEClientAnalyzer
+    unzip -q XMDEClientAnalyzerPython.zip -d XMDEClientAnalyzerPython
     ```
 
-4. Change the directory.
+4. Change the directory:
 
     ```bash
-    cd XMDEClientAnalyzer
+    cd XMDEClientAnalyzerPython
     ```
 
-5. Give the tool executable permission.
+5. Give the tool executable permission:
 
     ```bash
     chmod a+x mde_support_tool.sh
     ```
 
-6. Run as a nonroot user to install required dependencies.
+6. Run as a nonroot user to install required dependencies:
 
     ```bash
     ./mde_support_tool.sh
     ```
 
-7. To collect the diagnostic package and generate the result archive file, run again as root.
+7. To collect the diagnostic package and generate the result archive file, run again as root:
 
     ```bash
     sudo ./mde_support_tool.sh -d
@@ -174,7 +187,8 @@ To run this client analyzer follow the steps:
 > Watch this video to learn more about onboarding issues: [Defender for Endpoint client analyzer onboarding issues](https://www.youtube.com/watch?v=HdhePgMBqs8)
 
 ## Command line options
-Below are the command line options provided by client analyzer
+
+Below are the command line options provided by client analyzer:
 
 ```console
 
@@ -237,8 +251,7 @@ optional arguments:
 
 ### Diagnostics mode
 
-Diagnostics mode is used to collect extensive set of machine information, such as memory, disk, and MDATP logs.
-This set of files gives the primary set of information required to debug any issue related to Defender For Endpoint.
+Diagnostics mode is used to collect extensive set of machine information, such as memory, disk, and MDATP logs. This set of files gives the primary set of information required to debug any issue related to Defender For Endpoint.
 
 The options supported are as follows:
 
@@ -339,6 +352,7 @@ The files generated when using this mode are summarized in the following table:
 | `top_summary.txt` | Memory and CPU usage analytics of the process running |
 
 ### Optional arguments for Client Analyzer
+
 Client Analyzer provides the following optional arguments for extra data collection:
 
 #### Collect performance info
@@ -453,7 +467,8 @@ This mode adds exclusions for `audit-d` monitoring.
 
 ```
 
-Usage example: 
+Usage example:
+
 ```console
 sudo ./MDESupportTool exclude -d /var/foo/bar`
 ```
@@ -470,6 +485,7 @@ This option sets the rate limit globally for AuditD causing a drop in all the au
 ```
 
 Usage example: 
+
 ```console
 sudo ./mde_support_tool.sh ratelimit -e true
 ```
@@ -489,6 +505,7 @@ This option enables you to skip the faulty rules added in the auditd rules file
 ```
 
 Usage example: 
+
 ```console
 sudo ./mde_support_tool.sh skipfaultyrules -e true
 ```
@@ -511,8 +528,8 @@ The XMDE Client Analyzer tool can be downloaded as a [binary](https://aka.ms/XMD
 
 Download and extract the XMDE Client Analyzer. You can use either the binary or Python version, as follows:
 
-- [Binary version of the Client Analyzer](run-analyzer-linux.md#running-the-binary-version-of-the-client-analyzer)
-- [Python version of the Client Analyzer](run-analyzer-linux.md#running-the-python-based-client-analyzer)
+- [Binary version of the Client Analyzer](run-analyzer-linux.md#run-the-binary-version-of-the-client-analyzer)
+- [Python version of the Client Analyzer](run-analyzer-linux.md#run-the-python-based-client-analyzer)
 
 Due to the limited commands available in live response, the steps detailed must be executed in a bash script. By splitting the installation and execution portion of these commands, it's possible to run the install script once, and run the execution script multiple times.
 
@@ -521,7 +538,7 @@ Due to the limited commands available in live response, the steps detailed must
 
 #### Binary client analyzer install script
 
-The following script performs the first six steps of the [Running the Binary version of the Client Analyzer](run-analyzer-linux.md#running-the-binary-version-of-the-client-analyzer). When complete, the XMDE Client Analyzer binary is available from the `/tmp/XMDEClientAnalyzerBinary/ClientAnalyzer` directory.
+The following script performs the first six steps of the [Running the Binary version of the Client Analyzer](run-analyzer-linux.md#run-the-binary-version-of-the-client-analyzer). When complete, the XMDE Client Analyzer binary is available from the `/tmp/XMDEClientAnalyzerBinary/ClientAnalyzer` directory.
 
 1. Create a bash file `InstallXMDEClientAnalyzer.sh` and paste the following content into it.
 
@@ -547,7 +564,7 @@ The following script performs the first six steps of the [Running the Binary ver
    
 #### Python client analyzer install script
 
-The following script performs the first six steps of the [Running the Python version of the Client Analyzer](run-analyzer-linux.md#running-the-python-based-client-analyzer). When complete, the XMDE Client Analyzer Python scripts are available from the `/tmp/XMDEClientAnalyzer` directory.
+The following script performs the first six steps of the [Running the Python version of the Client Analyzer](run-analyzer-linux.md#run-the-python-based-client-analyzer). When complete, the XMDE Client Analyzer Python scripts are available from the `/tmp/XMDEClientAnalyzer` directory.
 
 1. Create a bash file `InstallXMDEClientAnalyzer.sh` and paste the following content into it.
 
@@ -673,8 +690,6 @@ The Python version of the client analyzer accepts command line parameters to per
 
 - [Address false positives/negatives in Microsoft Defender for Endpoint](/defender-endpoint/defender-endpoint-false-positives-negatives)
 
- 
-
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
 
 
