Merge branch 'public' into patch-1
chrisda authored Jan 13, 2025
2 parents 98c9b37 + 0d87328 commit d9502a8
Showing 5 changed files with 191 additions and 66 deletions.
72 changes: 57 additions & 15 deletions defender-endpoint/linux-preferences.md
Expand Up @@ -6,7 +6,7 @@ ms.service: defender-endpoint
ms.author: deniseb
author: denisebmsft
ms.localizationpriority: medium
ms.date: 10/14/2024
ms.date: 01/13/2025
manager: deniseb
audience: ITPro
ms.collection:
Expand Down Expand Up @@ -79,7 +79,10 @@ Specifies the enforcement preference of antivirus engine. There are three values
> Available in Defender for Endpoint version `101.10.72` or later. Default is changed from `real_time` to `passive` in Defender for Endpoint version `101.23062.0001` or later.
> It is recommended to also use [scheduled scans](/defender-endpoint/linux-schedule-scan-mde) as per requirement.
#### Enable/disable behavior monitoring
#### Enable/disable behavior monitoring [only if RTP is enabled]

> [!IMPORTANT]
> This feature only works when the enforcement level is set to `real-time`.
Determines whether behavior monitoring and blocking capability is enabled on the device or not.

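Review bot: the enforcement level value is written `real-time` in the new IMPORTANT box, but the value this page documents (see the note just above: default changed from `real_time` to `passive`) is `real_time` with an underscore; use the exact string the JSON accepts so readers don't copy a value the agent rejects. Two smaller points: the bracketed qualifier in the new heading `#### Enable/disable behavior monitoring [only if RTP is enabled]` doesn't follow this page's heading style, which uses parentheses (`#### Scan archives (on-demand antivirus scans only)`), and the IMPORTANT box is immediately followed by the `Determines whether behavior monitoring...` paragraph with no blank line, so Markdown will treat that paragraph as a lazy continuation of the blockquote and render it inside the box.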
Expand All @@ -91,10 +94,13 @@ Determines whether behavior monitoring and blocking capability is enabled on the

> [!NOTE]
> Available in Defender for Endpoint version `101.45.00` or later.
> This feature is applicable only when real-time protection is enabled.

#### Run a scan after definitions are updated

> [!IMPORTANT]
> This feature only works when the enforcement level is set to `real-time`.
Specifies whether to start a process scan after new security intelligence updates are downloaded on the device. Enabling this setting triggers an antivirus scan on the running processes of the device.

|Description|JSON Value|Defender Portal Value|
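
Review bot: the line added to the NOTE, `> This feature is applicable only when real-time protection is enabled.`, restates the IMPORTANT box added to the same setting in the hunk above; keep one of the two so the prerequisite isn't stated twice for behavior monitoring. The new IMPORTANT box under `#### Run a scan after definitions are updated` has the same `real-time` versus `real_time` spelling problem and is also followed directly by the `Specifies whether to start a process scan...` paragraph without a blank line, so that paragraph will render inside the box.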
Expand All @@ -105,7 +111,6 @@ Specifies whether to start a process scan after new security intelligence update

> [!NOTE]
> Available in Defender for Endpoint version `101.45.00` or later.
> This feature only works when the enforcement level is set to `real-time`.
#### Scan archives (on-demand antivirus scans only)

Expand Down Expand Up @@ -266,7 +271,7 @@ To remove both NFS and Fuse from unmonitored list of filesystems, do the followi
> [!NOTE]
> Here's the default list of monitored filesystems for RTP: `btrfs`, `ecryptfs`, `ext2`, `ext3`, `ext4`, `fuseblk`, `jfs`, `overlay`, `ramfs`, `reiserfs`, `tmpfs`, `vfat`, `xfs`.
>
> If any monitored filesystem needs to be added to the list of unmonitored filesystems,then it needs to be evaluated and enabled by Microsoft via cloud config. Following which customers can update managed_mdatp.json to unmonitor that filesystem.
> If any monitored filesystem needs to be added to the list of unmonitored filesystems, then it needs to be evaluated and enabled by Microsoft via cloud config. Following which customers can update managed_mdatp.json to unmonitor that filesystem.


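Review bot: the comma fix is right, but the same sentence tells customers to update `managed_mdatp.json`, while the rest of this page names the managed configuration file `/etc/opt/microsoft/mdatp/managed/mdatp_managed.json` (see the verification section at the end of this file); correct the filename while touching this line. `Following which customers can update ...` is also a sentence fragment; suggest `After that, customers can update mdatp_managed.json to unmonitor that filesystem.`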
Expand Down Expand Up @@ -380,7 +385,7 @@ Specify the maximum number of entries to keep in the scan history. Entries inclu
### Exclusion setting preferences

**Exlusion setting preferences are currently in preview**.
**Exclusion setting preferences are currently in preview**.

> [!NOTE]
> Global exclusions are currently in public preview, and are available in Defender for Endpoint beginning with version `101.23092.0012` or later in the Insiders Slow and Production rings.
Expand Down Expand Up @@ -429,7 +434,7 @@ Specifies the type of content excluded from the scan.

##### Scopes of exclusion (optional)

Specifies the set of exlusion scopes of content excluded. Currently supported scopes are `epp` and `global`.
Specifies the set of exclusion scopes of content excluded. Currently supported scopes are `epp` and `global`.

If nothing is specified in for an exclusion under *exclusionSettings* in managed configuration, then `global` is considered as scope.

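Review bot: while fixing `exlusion` here, the surrounding context deserves the same pass: `Specifies the set of exclusion scopes of content excluded` is circular (suggest `Specifies which exclusion scopes apply to the excluded content`), and the next paragraph reads `If nothing is specified in for an exclusion`, which has a stray `in`.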
Expand Down Expand Up @@ -496,8 +501,8 @@ Specifies a process for which all file activity is excluded from scanning. The p

The following settings can be configured to enable certain advanced scanning features.

> [!NOTE]
> Enabling these features might impact device performance. As such, it is recommended to keep the defaults.
> [!IMPORTANT]
> Enabling these features might impact device performance. As such, it is recommended to keep the defaults unless recommended otherwise by Microsoft Support.
##### Configure scanning of file modify permissions events

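Review bot: `it is recommended to keep the defaults unless recommended otherwise by Microsoft Support` uses `recommended` twice in one clause; suggest `keep the defaults unless Microsoft Support advises otherwise`. The same sentence is repeated in the advanced-features IMPORTANT box further down in this file, so apply the wording change in both places.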
Expand Down Expand Up @@ -632,8 +637,8 @@ Depending on the enforcement level, the automatic security intelligence updates

The following settings can be configured to enable certain advanced features.

>[!NOTE]
>Enabling these features might impact device performance. It is recommended to keep the defaults.
>[!IMPORTANT]
>Enabling these features might impact device performance. It is recommended to keep the defaults unless recommended otherwise by Microsoft Support.
|Description|JSON Value|Defender Portal Value|
|---|---|---|
Expand Down Expand Up @@ -681,7 +686,7 @@ Determines whether file modify permissions events (`chmod`) are monitored.

##### Configure monitoring of file modify ownership events

Determines whether file modify ownership events (chown) are monitored.
Determines whether file modify ownership events (`chown`) are monitored.

> [!NOTE]
> When this feature is enabled, Defender for Endpoint will monitor changes to the ownership of files, but not scan these events. For more information, see [Advanced scanning features](linux-preferences.md#configure-scanning-of-file-modify-ownership-events) section for more details.
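
Review bot: the context line right after the `chown` fix, `For more information, see [Advanced scanning features](...) section for more details.`, says both `for more information` and `for more details` about the same link; trim to `For more information, see [Advanced scanning features](linux-preferences.md#configure-scanning-of-file-modify-ownership-events).` Since the anchor is in this same file, a bare `#configure-scanning-of-file-modify-ownership-events` fragment would also work.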
Expand Down Expand Up @@ -764,6 +769,42 @@ Determines whether module load events are monitored using eBPF and scanned.
|**Possible values**|disabled (default) <p> enabled|*n/a*|
|**Comments**|Available in Defender for Endpoint version `101.68.80` or later.|

##### Configure monitoring of open events from specific filesystems using eBPF

Determines whether open events from procfs are monitored by eBPF.

> [!NOTE]
> This feature is applicable only when Behavior Monitoring is enabled.
|Description|JSON Value|Defender Portal Value|
|---|---|---|
|**Key**|enableOtherFsOpenEvents|*Not available*|
|**Data type**|String|*n/a*|
|**Possible values**|disabled (default) <p> enabled|*n/a*|
|**Comments**|Available in Defender for Endpoint version `101.24072.0001` or later.|

##### Configure source enrichment of events using eBPF

Determines whether events are enriched with metadata at source in eBPF.

|Description|JSON Value|Defender Portal Value|
|---|---|---|
|**Key**|enableEbpfSourceEnrichment|*Not available*|
|**Data type**|String|*n/a*|
|**Possible values**|disabled (default) <p> enabled|*n/a*|
|**Comments**|Available in Defender for Endpoint version `101.24072.0001` or later.|

#### Enable Antivirus Engine Cache

Determines whether metadata of events being scanned by the antivirus engine are cached or not.

|Description|JSON Value|Defender Portal Value|
|---|---|---|
|**Key**|enableAntivirusEngineCache|*Not available*|
|**Data type**|String|*n/a*|
|**Possible values**|disabled (default) <p> enabled|*n/a*|
|**Comments**|Available in Defender for Endpoint version `101.24072.0001` or later.|

#### Report AV Suspicious Events to EDR

Determines whether suspicious events from Antivirus are reported to EDR.
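
Review bot: the heading, body and key for the first new setting don't agree: the heading says `open events from specific filesystems`, the body says `open events from procfs`, and the key is `enableOtherFsOpenEvents`; state which filesystems `Other` covers (only procfs, or procfs plus others) so an admin knows what event volume turning it on will generate. In the same block the `> This feature is applicable only when Behavior Monitoring is enabled.` note runs straight into the `|Description|JSON Value|Defender Portal Value|` table with no blank line, so the table header will be parsed as part of the blockquote; add a blank line after the note. For `enableEbpfSourceEnrichment`, say what metadata is added at source and state the prerequisite that the eBPF sensor is the active supplementary event provider, as the other eBPF settings here do. Minor: `Determines whether metadata of events being scanned by the antivirus engine are cached or not` should read `is cached`.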
Expand All @@ -777,11 +818,12 @@ Determines whether suspicious events from Antivirus are reported to EDR.

### Network protection configurations

The following settings can be used to configure advanced Network Protection inspection features to control what traffic gets inspected by Network Protection.

> [!NOTE]
> This is a preview feature.
> For these to be effective, Network Protection has to be turned on. For more information, see [Turn on network protection for Linux](network-protection-linux.md).
The following settings can be used to configure advanced Network Protection inspection features to control what traffic gets inspected by Network Protection.

|Description|JSON Value|Defender Portal Value|
|---|---|---|
|**Key**|networkProtection|Network protection|
Expand Down Expand Up @@ -1023,7 +1065,7 @@ If the JSON is well-formed, the above command outputs it back to the Terminal an

## Verifying that the mdatp_managed.json file is working as expected

To verify that your /etc/opt/microsoft/mdatp/managed/mdatp_managed.json is working properly, you should see "[managed]" next to these settings:
To verify that your `/etc/opt/microsoft/mdatp/managed/mdatp_managed.json` is working properly, you should see "[managed]" next to these settings:

- `cloud_enabled`
- `cloud_automatic_sample_submission_consent`
31 changes: 30 additions & 1 deletion defender-endpoint/linux-whatsnew.md
Expand Up @@ -6,7 +6,7 @@ ms.author: deniseb
author: denisebmsft
ms.reviewer: kumasumit, gopkr
ms.localizationpriority: medium
ms.date: 01/09/2025
ms.date: 01/13/2025
manager: deniseb
audience: ITPro
ms.collection:
Expand Down Expand Up @@ -43,6 +43,35 @@ This article is updated frequently to let you know what's new in the latest rele
## Releases for Defender for Endpoint on Linux

### Jan-2025 Build: 101.24112.0001 | Release version: 30.124112.0001.0

| Build: | **101.24112.0001** |
|--------------------|-----------------------|
| Released: | **January 13, 2025** |
| Published: | **January 13, 2025** |
| Release version: | **30.124112.0001.0** |
| Engine version: | **1.1.24090.13** |
| Signature version: | **1.421.226.0** |

#### What's new

- Upgraded the Bond version to 13.0.1 to address security vulnerabilities in versions 12 or lower.

- Mdatp package no longer has a dependency on SELinux packages.

- User can now query the status of supplementary event provider eBPF using the threat hunting query in DeviceTvmInfoGathering. To learn more about this query check: [Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux](/defender-endpoint/linux-support-ebpf). The result of this query can return the following two values as eBPF status:
- Enabled: When eBPF is enabled as working as expected.
- Disabled: When eBPF is disabled due to one of the following reasons:
- When MDE is using auditD as a supplementary sensor
- When eBPF is not present and we fallback to Netlink as supplementary event provider
- There is no supplementary sensor present.

- Starting from 2411, the MDATP package release to Production on packages.microsoft.com will follow a gradual rollout mechanism which spans over a week. The other release rings, insiderFast and insiderSlow, are unaffected by this change.

- Stability and performance improvements.

- Critical bugs fixes around definition update flow.

### Jan-2025 Build: 101.24102.0000 | Release version: 30.124102.0000.0

| Build: | **101.24102.0000** |
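
Review bot: `Upgraded the Bond version to 13.0.1 to address security vulnerabilities in versions 12 or lower` should cite the advisory or CVE it fixes so customers can map the fix to their vulnerability-management tooling; a release note that mentions a security fix without a reference is hard to act on. In the eBPF status bullets, `Enabled: When eBPF is enabled as working as expected` should be `and working as expected`, `we fallback to Netlink` should be `it falls back to Netlink`, and `auditD` is normally written `auditd`. `Starting from 2411` is ambiguous next to build numbers like `101.24112.0001`; spell out the build series it refers to. Also `Critical bugs fixes` should be `Critical bug fixes`, and `mechanism which spans over a week` reads better as `mechanism that spans about a week`.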
90 changes: 67 additions & 23 deletions defender-endpoint/troubleshoot-av-performance-issues-with-wprui.md
Expand Up @@ -21,6 +21,12 @@ ms.custom:

# Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI

> [!TIP]
> First, review common reasons for performance issues such as high CPU usage in [Troubleshoot performance issues related to Microsoft Defender Antivirus real-time protection (RTP) or scans (scheduled or on-demand](/defender-endpoint/troubleshoot-performance-issues)).
> Then, run the [Microsoft Defender Antivirus Performance Analyzer](/defender-endpoint/tune-performance-defender-antivirus) to analyze the cause of high CPU usage in Microsoft Defender Antivirus (Antimalware Service Executable, Microsoft Defender Antivirus service, or MsMpEng.exe).
> If the Microsoft Defender Antivirus Performance Analyzer doesn't identify the root cause of high CPU utilization, run [Processor Monitor](/defender-endpoint/troubleshoot-av-performance-issues-with-procmon) to narrow down or determine the root cause of the high CPU utilization in Microsoft Defender Antivirus.
> The final tool in your toolkit is to run the Windows Performance Recorder UI (WPRUI) or the Windows Performance Recorder (WPR command-line) as discussed in this article.
## Capture performance logs using Windows Performance Recorder

Windows Performance Recorder (WPR) is a powerful recording tool that creates Event Tracing for Windows recordings and allows you to include additional information in your submission to Microsoft support.
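
Review bot: `run [Processor Monitor](/defender-endpoint/troubleshoot-av-performance-issues-with-procmon)` should be `Process Monitor` (the tool is ProcMon, and the See also entry added in this same file calls it Process Monitor). The first link's closing parenthesis is misplaced: `(scheduled or on-demand` sits inside the link text and the `)` lands after the URL, producing `...troubleshoot-performance-issues))`; move it so the title reads `... (scheduled or on-demand)` before the link closes. The TIP block is also followed immediately by the `## Capture performance logs using Windows Performance Recorder` heading with no blank line between them.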
Expand All @@ -29,62 +35,88 @@ WPR is part of the Windows Assessment and Deployment Kit (Windows ADK) and can b

Alternatively, follow the steps in [Capture performance logs using the WPR UI](/editor/MicrosoftDocs/defender-docs-pr/defender-endpoint%2Ftroubleshoot-performance-issues.md/main/ae28f1cf-14bc-fb9c-5f0c-873a683e907c/?branch=main&branchFallbackFrom=main%2C), or use the command-line tool *wpr.exe* [Capture performance logs using the WPR CLI](/editor/MicrosoftDocs/defender-docs-pr/defender-endpoint%2Ftroubleshoot-performance-issues.md/main/ae28f1cf-14bc-fb9c-5f0c-873a683e907c/?branch=main&branchFallbackFrom=main%2C). Both are available in Windows 8 and later versions.

There are two ways to capture the Windows Performance Recorder (WPRUI) trace:

1. Using the MDE Client Analyzer

1. Manually

## Using the MDE Client Analyzer

1. Download the [MDE Client Analyzer](/defender-endpoint/download-client-analyzer).

1. Run the MDE Client Analyzer using [Live Response or locally](/defender-endpoint/run-analyzer-windows).

> [!TIP]
> Before starting the trace, make sure the issue is reproducible. Additionally, close any applications that don't contribute to the reproduction of the issue.

1. Run the MDE Client Analyzer with the `-a` and `-v` switches.

PowerShellCopy

```
C:\Work\tools\MDEClientAnalyzer\MDEClientAnalyzer.cmd
```

## Manually

### Capture performance logs using the WPR UI

> [!TIP]
> If multiple devices are experiencing this issue, try using the one with the most RAM.
> If multiple devices are experiencing this issue, use the one with the most RAM.
1. Download and install WPR.

1. Under *Windows Kits*, right-click **Windows Performance Recorder**.

![Screenshot showing the Start menu](media/wpr-01.png)

1. Select **More**. Select **Run as administrator**.

1. Right-click **Yes** when the User Account Control dialog box appears.

![Screenshot showing the UAC page.](media/wpt-yes.png)

1. Next, download the [Microsoft Defender for Endpoint analysis](https://github.com/YongRhee-MDE/Scripts/blob/master/MDAV.wprp) profile and save as `MDAV.wprp` to a folder such as `C:\temp`.

1. In the WPR dialog box, select **More options**.

![Screenshot showing the page where you can select more options](media/wpr-03.png)

1. Select **Add Profiles...** and browse to the path of the `MDAV.wprp` file.

1. A new profile named Microsoft Defender for Endpoint analysis should appear under Custom measurements.

![Screenshot showing the in-file.](media/wpr-infile.png)

> [!WARNING]
> If your Windows Server has 64 GB of RAM or more, use the custom measurement `Microsoft Defender for Endpoint analysis for large servers` instead of `Microsoft Defender for Endpoint analysis`. Otherwise, your system consumes a high amount of non-paged pool memory or buffers, leading to system instability. Explore **Resource Analysis** to choose profiles to add.
> If your Windows Server has 64 GB of RAM or more, use the custom measurement `Microsoft Defender for Endpoint analysis for large servers` instead of `Microsoft Defender for Endpoint analysis`. Otherwise, your system might consume a high amount of nonpaged pool memory or buffers, leading to system instability. To address this, explore **Resource Analysis** to choose profiles to add.
> This custom profile provides the necessary context for in-depth performance analysis.
1. To use the custom measurement Microsoft Defender for Endpoint verbose analysis profile in the WPR UI:

1. Ensure no profiles are selected under the *First-level triage*, *Resource Analysis* and *Scenario Analysis* groups.

2. Select **Custom measurements**.
1. Select **Custom measurements**.

3. Select **Microsoft Defender for Endpoint analysis**.
1. Select **Microsoft Defender for Endpoint analysis**.

4. Select **Verbose** under *Detail* level.
1. Select **Verbose** under *Detail* level.

5. Select **File** or **Memory** under Logging mode.
1. Select **File** or **Memory** under Logging mode.

> [!IMPORTANT]
> Select **File** to use the file logging mode if you can directly reproduce the performance issue. Most issues fall under this category. However, if you cannot directly reproduce the issue, select Memory to use the memory logging mode. This prevents the trace log from inflating excessively due to long run times.
> Select **File** to use the file logging mode if you can directly reproduce the performance issue. Most issues fall under this category. However, if you can't directly reproduce the issue, select **Memory** to use the memory logging mode. This prevents the trace log from inflating excessively due to long run times.
1. Now you're ready to collect data. Close all unnecessary applications. Click **Hide options** to keep the space occupied by the WPR window small.
1. Now you're ready to collect data. Close all unnecessary applications. Select **Hide options** to keep the space occupied by the WPR window small.

![Screenshot showing the Hide options.](media/wpr-08.png)

1. Select **Start**.

![Screenshot showing the Record system information page.](media/wpr-09.png)

1. Reproduce the issue.

> [!TIP]
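
Review bot: the `PowerShellCopy` line above the fenced block is the rendered docs page's code-block label and Copy button text pasted into the source; delete it and tag the fence with the `powershell` language instead. The step text says to run the analyzer with the `-a` and `-v` switches, but the command shown is `C:\Work\tools\MDEClientAnalyzer\MDEClientAnalyzer.cmd` with no switches; make the example match the instruction (and since the earlier step `Run the MDE Client Analyzer using Live Response or locally` already says to run it, one of the two run steps is redundant). The context line `Alternatively, follow the steps in ...` links to `/editor/MicrosoftDocs/defender-docs-pr/...?branch=main` editor URLs rather than to the sections of this article; those should be in-page anchors. Smaller: `Microsoft Defender for Endpoint verbose analysis profile` in the new step doesn't match the profile name `Microsoft Defender for Endpoint analysis` used in the screenshot step and the custom measurement list, and `Right-click **Yes**` in the UAC step should be `Select **Yes**`.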
Expand All @@ -93,25 +125,25 @@ Alternatively, follow the steps in [Capture performance logs using the WPR UI](/
1. Select **Save**.

![Screenshot showing the Save option.](media/wpr-10.png)

1. Fill in **Type in a detailed description of the problem:** with information about the problem and how you reproduced the issue.

![Screenshot showing the pane in which you fill.](media/wpr-12.png)

1. Select **File Name:** to determine where your trace file is saved. By default, it's saved to `%user%\Documents\WPR Files\`.

1. Select **Save**.
1. Select **Save**.

![Screenshot showing the WPR gathering general trace.](media/wpr-13.png)

1. After the trace has been merged and saved, right-click **Open folder**.

![Screenshot that displays the notification that WPR trace has been saved.](media/wpr-14.png)

Include both the file and the folder in your submission to Microsoft Support.
1. Include both the file and the folder in your submission to Microsoft Support.

![Screenshot showing the details of the file and the folder.](media/wpr-15.png)

### Capture performance logs using the WPR CLI

To collect a WPR trace using the command-line tool wpr.exe:
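
Review bot: `right-click **Open folder**` should be `select **Open folder**`; it's a button in the saved-trace notification, not a context menu entry. The default path `%user%\Documents\WPR Files\` uses a variable Windows doesn't define; the profile directory variable is `%USERPROFILE%`, so this should read `%USERPROFILE%\Documents\WPR Files\`. `Select **Save**` appears twice in this hunk (before the description step and after the file name step); if the first opens the save pane and the second writes the file, say so, otherwise drop one.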
Expand All @@ -131,7 +163,7 @@ To collect a WPR trace using the command-line tool wpr.exe:
```

> [!WARNING]
> If your Windows Server has 64 GB of RAM or more, use profiles `WDForLargeServers.Light` and `WDForLargeServers.Verbose` instead of profiles `WD.Light` and `WD.Verbose`, respectively. Otherwise, your system consumes a high amount of non-paged pool memory or buffers, leading to system instability.
> If your Windows Server has 64 GB of RAM or more, use profiles `WDForLargeServers.Light` and `WDForLargeServers.Verbose` instead of profiles `WD.Light` and `WD.Verbose`, respectively. Otherwise, your system consumes a high amount of nonpaged pool memory or buffers, leading to system instability.
1. Reproduce the issue.

Expand All @@ -150,8 +182,20 @@ To collect a WPR trace using the command-line tool wpr.exe:

## See also

- [Run the client analyzer on Windows](/defender-endpoint/run-analyzer-windows)

- [Collect Microsoft Defender Antivirus diagnostic data](collect-diagnostic-data.md)

- [Troubleshoot Microsoft Defender Antivirus settings](/defender-endpoint/troubleshoot-settings)

- [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)

- [Troubleshoot performance issues related to Microsoft Defender Antivirus](/defender-endpoint/troubleshoot-performance-issues)

- [Performance analyzer for Microsoft Defender Antivirus](tune-performance-defender-antivirus.md)

[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
- [Troubleshoot Microsoft Defender Antivirus performance issues with Process Monitor](/defender-endpoint/troubleshoot-av-performance-issues-with-procmon)

- [Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI](/defender-endpoint/troubleshoot-av-performance-issues-with-wprui)

[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
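
Review bot: the new See also entry `[Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI](/defender-endpoint/troubleshoot-av-performance-issues-with-wprui)` points at this article itself (its H1 is `# Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI`); drop the self-link. The list also now mixes relative `.md` links (`collect-diagnostic-data.md`, `tune-performance-defender-antivirus.md`) with absolute `/defender-endpoint/...` links; pick one style for the whole list.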