Merge branch 'main' into docs-editor/enable-attack-surface-reductio-1736764796

Author: rjagiewich

defender-endpoint/linux-preferences.md

@@ -6,7 +6,7 @@ ms.service: defender-endpoint
 ms.author: deniseb
 author: denisebmsft
 ms.localizationpriority: medium
-ms.date: 10/14/2024
+ms.date: 01/13/2025
 manager: deniseb
 audience: ITPro
 ms.collection: 
@@ -79,7 +79,10 @@ Specifies the enforcement preference of antivirus engine. There are three values
 > Available in Defender for Endpoint version `101.10.72` or later. Default is changed from `real_time` to `passive` in Defender for Endpoint version `101.23062.0001` or later.
 > It is recommended to also use [scheduled scans](/defender-endpoint/linux-schedule-scan-mde) as per requirement.
 
-#### Enable/disable behavior monitoring 
+#### Enable/disable behavior monitoring [only if RTP is enabled]
+
+> [!IMPORTANT]
+> This feature only works when the enforcement level is set to `real-time`.
 
 Determines whether behavior monitoring and blocking capability is enabled on the device or not. 
 
@@ -91,10 +94,13 @@ Determines whether behavior monitoring and blocking capability is enabled on the
 
 > [!NOTE]
 > Available in Defender for Endpoint version `101.45.00` or later.
-> This feature is applicable only when real-time protection is enabled.
+
 
 #### Run a scan after definitions are updated
 
+> [!IMPORTANT]
+> This feature only works when the enforcement level is set to `real-time`.
+
 Specifies whether to start a process scan after new security intelligence updates are downloaded on the device. Enabling this setting triggers an antivirus scan on the running processes of the device.
 
 |Description|JSON Value|Defender Portal Value|
@@ -105,7 +111,6 @@ Specifies whether to start a process scan after new security intelligence update
 
 > [!NOTE]
 > Available in Defender for Endpoint version `101.45.00` or later.
-> This feature only works when the enforcement level is set to `real-time`.
 
 #### Scan archives (on-demand antivirus scans only)
 
@@ -266,7 +271,7 @@ To remove both NFS and Fuse from unmonitored list of filesystems, do the followi
 > [!NOTE]
 > Here's the default list of monitored filesystems for RTP: `btrfs`, `ecryptfs`, `ext2`, `ext3`, `ext4`, `fuseblk`, `jfs`, `overlay`, `ramfs`, `reiserfs`, `tmpfs`, `vfat`, `xfs`.
 >
-> If any monitored filesystem needs to be added to the list of unmonitored filesystems,then it needs to be evaluated and enabled by Microsoft via cloud config. Following which customers can update managed_mdatp.json to unmonitor that filesystem.
+> If any monitored filesystem needs to be added to the list of unmonitored filesystems, then it needs to be evaluated and enabled by Microsoft via cloud config. Following which customers can update managed_mdatp.json to unmonitor that filesystem.
 
 
 
@@ -380,7 +385,7 @@ Specify the maximum number of entries to keep in the scan history. Entries inclu
 
 ### Exclusion setting preferences
 
-**Exlusion setting preferences are currently in preview**.
+**Exclusion setting preferences are currently in preview**.
 
 > [!NOTE] 
 > Global exclusions are currently in public preview, and are available in Defender for Endpoint beginning with version `101.23092.0012` or later in the Insiders Slow and Production rings.
@@ -429,7 +434,7 @@ Specifies the type of content excluded from the scan.
 
 ##### Scopes of exclusion (optional)
 
-Specifies the set of exlusion scopes of content excluded. Currently supported scopes are `epp` and `global`.
+Specifies the set of exclusion scopes of content excluded. Currently supported scopes are `epp` and `global`.
 
 If nothing is specified in for an exclusion under *exclusionSettings* in managed configuration, then `global` is considered as scope.
 
@@ -496,8 +501,8 @@ Specifies a process for which all file activity is excluded from scanning. The p
 
 The following settings can be configured to enable certain advanced scanning features. 
 
-> [!NOTE]
-> Enabling these features might impact device performance. As such, it is recommended to keep the defaults.
+> [!IMPORTANT]
+> Enabling these features might impact device performance. As such, it is recommended to keep the defaults unless recommended otherwise by Microsoft Support.
 
 ##### Configure scanning of file modify permissions events
 
@@ -632,8 +637,8 @@ Depending on the enforcement level, the automatic security intelligence updates
 
 The following settings can be configured to enable certain advanced features.
 
->[!NOTE]
->Enabling these features might impact device performance. It is recommended to keep the defaults.
+>[!IMPORTANT]
+>Enabling these features might impact device performance. It is recommended to keep the defaults unless recommended otherwise by Microsoft Support.
 
 |Description|JSON Value|Defender Portal Value|
 |---|---|---|
@@ -681,7 +686,7 @@ Determines whether file modify permissions events (`chmod`) are monitored.
 
 ##### Configure monitoring of file modify ownership events
 
-Determines whether file modify ownership events (chown) are monitored.
+Determines whether file modify ownership events (`chown`) are monitored.
 
 > [!NOTE]
 > When this feature is enabled, Defender for Endpoint will monitor changes to the ownership of files, but not scan these events. For more information, see [Advanced scanning features](linux-preferences.md#configure-scanning-of-file-modify-ownership-events) section for more details.
@@ -764,6 +769,42 @@ Determines whether module load events are monitored using eBPF and scanned.
 |**Possible values**|disabled (default) <p> enabled|*n/a*|
 |**Comments**|Available in Defender for Endpoint version `101.68.80` or later.|
 
+##### Configure monitoring of open events from specific filesystems using eBPF
+
+Determines whether open events from procfs are monitored by eBPF.
+
+> [!NOTE]
+> This feature is applicable only when Behavior Monitoring is enabled.
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|enableOtherFsOpenEvents|*Not available*|
+|**Data type**|String|*n/a*|
+|**Possible values**|disabled (default) <p> enabled|*n/a*|
+|**Comments**|Available in Defender for Endpoint version `101.24072.0001` or later.|
+
+##### Configure source enrichment of events using eBPF
+
+Determines whether events are enriched with metadata at source in eBPF.
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|enableEbpfSourceEnrichment|*Not available*|
+|**Data type**|String|*n/a*|
+|**Possible values**|disabled (default) <p> enabled|*n/a*|
+|**Comments**|Available in Defender for Endpoint version `101.24072.0001` or later.|
+
+#### Enable Antivirus Engine Cache
+
+Determines whether metadata of events being scanned by the antivirus engine are cached or not.
+
+|Description|JSON Value|Defender Portal Value|
+|---|---|---|
+|**Key**|enableAntivirusEngineCache|*Not available*|
+|**Data type**|String|*n/a*|
+|**Possible values**|disabled (default) <p> enabled|*n/a*|
+|**Comments**|Available in Defender for Endpoint version `101.24072.0001` or later.|
+
 #### Report AV Suspicious Events to EDR
 
 Determines whether suspicious events from Antivirus are reported to EDR.
@@ -777,11 +818,12 @@ Determines whether suspicious events from Antivirus are reported to EDR.
 
 ### Network protection configurations
 
-The following settings can be used to configure advanced Network Protection inspection features to control what traffic gets inspected by Network Protection.
-
 > [!NOTE]
+> This is a preview feature.
 > For these to be effective, Network Protection has to be turned on. For more information, see [Turn on network protection for Linux](network-protection-linux.md).
 
+The following settings can be used to configure advanced Network Protection inspection features to control what traffic gets inspected by Network Protection.
+
 |Description|JSON Value|Defender Portal Value|
 |---|---|---|
 |**Key**|networkProtection|Network protection|
@@ -1023,7 +1065,7 @@ If the JSON is well-formed, the above command outputs it back to the Terminal an
 
 ## Verifying that the mdatp_managed.json file is working as expected
 
-To verify that your /etc/opt/microsoft/mdatp/managed/mdatp_managed.json is working properly, you should see "[managed]" next to these settings:
+To verify that your `/etc/opt/microsoft/mdatp/managed/mdatp_managed.json` is working properly, you should see "[managed]" next to these settings:
 
 - `cloud_enabled`
 - `cloud_automatic_sample_submission_consent`

defender-endpoint/linux-whatsnew.md

@@ -6,7 +6,7 @@ ms.author: deniseb
 author: denisebmsft
 ms.reviewer: kumasumit, gopkr
 ms.localizationpriority: medium
-ms.date: 01/09/2025
+ms.date: 01/13/2025
 manager: deniseb
 audience: ITPro
 ms.collection:
@@ -43,6 +43,35 @@ This article is updated frequently to let you know what's new in the latest rele
 
 ## Releases for Defender for Endpoint on Linux
 
+### Jan-2025 Build: 101.24112.0001 | Release version: 30.124112.0001.0
+
+| Build:             | **101.24112.0001**    |
+|--------------------|-----------------------|
+| Released:          | **January 13, 2025** |
+| Published:         | **January 13, 2025** |
+| Release version:   | **30.124112.0001.0** |
+| Engine version:    | **1.1.24090.13**       |
+| Signature version: | **1.421.226.0**      |
+
+#### What's new
+
+- Upgraded the Bond version to 13.0.1 to address security vulnerabilities in versions 12 or lower.
+
+- Mdatp package no longer has a dependency on SELinux packages.
+  
+- User can now query the status of supplementary event provider eBPF using the threat hunting query in DeviceTvmInfoGathering. To learn more about this query check: [Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux](/defender-endpoint/linux-support-ebpf). The result of this query can return the following two values as eBPF status:
+  - Enabled: When eBPF is enabled as working as expected.
+  - Disabled: When eBPF is disabled due to one of the following reasons:
+    - When MDE is using auditD as a supplementary sensor
+    - When eBPF is not present and we fallback to Netlink as supplementary event provider
+    - There is no supplementary sensor present.
+
+- Starting from 2411, the MDATP package release to Production on packages.microsoft.com will follow a gradual rollout mechanism which spans over a week. The other release rings, insiderFast and insiderSlow, are unaffected by this change.
+
+- Stability and performance improvements.
+
+- Critical bugs fixes around definition update flow.
+
 ### Jan-2025 Build: 101.24102.0000 | Release version: 30.124102.0000.0
 
 | Build:             | **101.24102.0000**    |

defender-endpoint/microsoft-defender-antivirus-on-windows-server.md

@@ -107,7 +107,7 @@ sc query state= all
 
 To get your regular security intelligence updates, the Windows Update service must be running. If you use an update management service, like Windows Server Update Services (WSUS), make sure Microsoft Defender Antivirus Security intelligence updates are approved for the computers you manage.
 
-By default, Windows Update doesn't download and install updates automatically on Windows Server 2019 or Windows Server 2022, or Windows Server 2016. You can change this configuration by using one of the following methods:
+By default, Windows Update doesn't download and install updates automatically on Windows Server 2016, Windows Server 2019 or Windows Server 2022. You can change this configuration by using one of the following methods:
 
 | Method | Description |
 |---|---|
@@ -155,7 +155,7 @@ To enable automatic sample submission, start a Windows PowerShell console as an
 
 ## Configure automatic exclusions
 
-To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Microsoft Defender Antivirus on Windows Server 2016 or 2019, or Windows Server 2022.
+To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Microsoft Defender Antivirus on Windows Server 2016 or Windows Server 2019, or Windows Server 2022.
 
 See [Configure exclusions in Microsoft Defender Antivirus on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md).