
Disclaimer: The views expressed in my posts on this site are mine & mine alone & don’t necessarily reflect the views of Microsoft. All posts are provided “AS IS” with no warranties & confers no rights. If I post any code, scripts or demos, they are provided for the purpose of illustration & are not intended to be used in a production environment. They are provided ‘as is’ without warranty of any kind, expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose. I grant you a nonexclusive, royalty-free right to use & modify my sample code & to reproduce & distribute the object code form of the sample code, provided that you agree: (i) to not use my name, my companies name, logo, or trademarks to market your software product in which the sample code is embedded; (ii) to include a valid copyright notice on your software product in which the sample code is embedded; and (iii) to indemnify, hold harmless, and defend me, Microsoft & our suppliers from & against any claims or lawsuits, including attorneys’ fees, that arise or result from the use or distribution of the sample code.


Updated: N/A

Published: Oct 10th, 2020

Applies to:

Microsoft Defender for Endpoint* for Mac (MDE for macOS)

*formerly Microsoft Defender Advanced Threat Protection (MDATP for macOS)

Audience:

  • Security architect
  • Security administrator
  • Security analyst
  • IT architect
  • IT administrator
  • IT help desk
  • IT field support

Hi all,

As with MDE for Linux (MDATP for Linux), if you run into high CPU utilization by wdavdaemon, you can work through the following steps:

You deploy MDE for Mac and a few of your Macs might exhibit higher CPU utilization by wdavdaemon (the MDATP daemon; for those coming from the Windows world, a service).

It’s a balancing act between protection and performance.

Even though we test a range of enterprise macOS applications for compatibility, the industry you are in might use a macOS application that we have not tested.

Security Administrators, Security Architects, and IT Administrators will need to tune these macOS systems to meet their specific needs.

Use the diagnostic procedures below to identify the component that is causing the high CPU utilization.

The ISV (this includes teams that build in-house apps) should follow the guide below on working with Microsoft as an Independent Software Vendor (ISV):

Partnering with the industry to minimize false positives
https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives/#:~:text=Partnering%20with%20the%20industry%20to%20minimize%20false%20positives,Defender%20ATP%29%20protect%20millions%20of%20customers%20from%20threats.

And submitting it to the Microsoft Defender Security Intelligence portal https://www.microsoft.com/en-us/wdsi/filesubmission

Select “Software developer”.

Note: If for whatever reason, the ISV is not doing the submission, you should select “Enterprise customer”.

Check on your ISV’s website for a Knowledge base (KB) article for antimalware (and/or antivirus) exclusions.

If they have one and it states to exclude everything, then you should look at “Work-around Alternate 2” below instead, since you don’t want to punch a hole through your defense.

If they don’t have a list, please open a support ticket with them. Meanwhile, to alleviate the problem you should look at “Work-around Alternate 2” below.

[Work-around Alternate 2]

Temporarily take Real-Time Protection out of the way.

Troubleshoot performance issues for Microsoft Defender ATP for Mac
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf

Note: After going through the steps above, don’t forget to re-enable Real-Time Protection in order for the data collection to work.

Terminal (sudo/root)

mdatp config real-time-protection --value enabled

[Pre-requisite]

To find the applications that are triggering the most scans, you can use real-time statistics gathered by Microsoft Defender ATP for macOS.

Enable Real-time Protection Statistics:

Terminal (sudo/root)

mdatp config real-time-protection-statistics --value enabled

Note: In Production channel

Note 2: Not needed in the Dogfood and InsidersFast channels, since it’s enabled by default there.

Note 3: The output of this command will show all processes and their associated scan activity. To improve the performance of Microsoft Defender ATP for macOS, locate the one with the highest number under the Total files scanned row and add an exclusion for it.

<reproduce the issue>

mdatp diagnostic real-time-protection-statistics --output json > real_time_protection_logs


Note: It’s important to add --output json so that the file is in JSON format, which is what the parser below expects.

mdatp config real-time-protection-statistics --value disabled

On your Windows system:

Create a folder in C:\temp\High_CPU_util_parser_for_macOS


From your macOS system, copy the output file real_time_protection_logs to C:\temp\High_CPU_util_parser_for_macOS

Note: This parses json output format. If the output format is different, then you’ll need a different parser.

Note 2: This sample PowerShell (PoSh) script is now available at https://github.com/MDATP/Scripts/blob/master/MDE_macOS_High_CPU_json_parser.ps1

#Clear the screen
clear
# Set the directory path where the output is located
$Directory = "C:\temp\High_CPU_util_parser_for_macOS"
# Set the path to where the input file (in Json format) is located
$InputFilename = ".\real_time_protection_logs"
# Set the path to where the output file (in csv format) is located
$OutputFilename = ".\real_time_protection_logs_converted.csv"
# Change directory
cd $Directory
# Convert from json (-Raw reads the whole file as one string so multi-line JSON parses; the statistics are wrapped in a "value" array)
$json = Get-Content $InputFilename -Raw | ConvertFrom-Json | Select-Object -ExpandProperty value
# Convert to CSV and sort by the totalFilesScanned column
## -NoTypeInformation switch parameter. This keeps the Type information from being written to the first line of the file. If the Type information is written, it will mess up the column display in Excel.
### Optional, you could try using -Unique to remove the 0 files that are not part of the performance impact.
$json | Sort-Object -Property totalFilesScanned -Descending | ConvertTo-Csv -NoTypeInformation | Out-File $OutputFilename -Encoding ascii
#Open up in Microsoft Excel
Invoke-Item $OutputFilename

Save the file as MDE_macOS_High_CPU_json_parser.ps1 to C:\temp\High_CPU_util_parser_for_macOS

Note: You may want to first save it in Notepad or your preferred text editor and change the encoding from UTF-8 to ANSI. Replace any curly double quotes (“) and elongated dashes (–) with plain ASCII quotes and hyphens before you try running the PowerShell script.

PowerShell (Run as admin)

.\MDE_macOS_High_CPU_json_parser.ps1

Microsoft Excel should open up.

Add the path and/or the process (by path or name) to the exclusion list.
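As an added example (not from the original post or the MDATP/Scripts repo), the same ranking can be done on the Mac itself with Python, without copying the JSON dump to a Windows box; it also turns the top consumer into the narrowest exclusion the post lists (a process exclusion). The field names (a "value" array with "name", "path" and "totalFilesScanned" per process) are assumed from the PowerShell parser above, so check them against your own dump first.

```python
import json
import sys

# Constructed sample of a `mdatp diagnostic real-time-protection-statistics --output json`
# dump; the processes, paths and counts are made up for illustration.
SAMPLE_JSON = """{"value": [
  {"name": "wdavdaemon", "path": "/Library/Application Support/Microsoft/Defender/wdavdaemon", "totalFilesScanned": 0},
  {"name": "BuildTool", "path": "/Users/dev/tools/build/BuildTool", "totalFilesScanned": 48213},
  {"name": "Safari", "path": "/Applications/Safari.app/Contents/MacOS/Safari", "totalFilesScanned": 312},
  {"name": "backupd", "path": "/System/Library/CoreServices/backupd", "totalFilesScanned": 9877}
]}"""


def load_stats(text):
    """Parse the dump, accepting either the {"value": [...]} wrapper (assumed) or a
    bare list, and drop the zero-scan rows that add nothing to the performance picture."""
    data = json.loads(text)
    entries = data.get("value", []) if isinstance(data, dict) else data
    return [e for e in entries if int(e.get("totalFilesScanned", 0)) > 0]


def rank(entries):
    """Return (name, path, files_scanned, share_of_all_scans), highest scan count first."""
    total = sum(int(e["totalFilesScanned"]) for e in entries) or 1
    ordered = sorted(entries, key=lambda e: int(e["totalFilesScanned"]), reverse=True)
    return [(e["name"], e["path"], int(e["totalFilesScanned"]),
             int(e["totalFilesScanned"]) / total) for e in ordered]


def exclusion_commands(ranked, min_share=0.5):
    """Suggest a process exclusion only for processes that dominate the scan volume;
    a long tail of small counts is not worth punching holes in the defense for."""
    return [f'mdatp exclusion process add --path "{path}"'
            for _name, path, _count, share in ranked if share >= min_share]


if __name__ == "__main__":
    # Pass the real dump as the first argument; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSON
    ranked = rank(load_stats(text))
    for name, path, count, share in ranked:
        print(f"{count:>8} {share:6.1%}  {name:<12} {path}")
    print("\n".join(exclusion_commands(ranked)))
```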

[To add the process and paths to the allow exception list]

See these:

Scan exclusions
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#scan-exclusions

Type of exclusion
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#type-of-exclusion


Path to excluded content
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#path-to-excluded-content

Path type (file / directory)
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#path-type-file--directory

File extension excluded from the scan
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#file-extension-excluded-from-the-scan

Process excluded from the scan
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#process-excluded-from-the-scan

To your MDM management product:

Intune profile
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1

Property list for JAMF configuration profile
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#property-list-for-jamf-configuration-profile-1

If you are setting it locally during a POC:

Configuration
Add/remove an antivirus exclusion for a file extension
mdatp exclusion extension [add|remove] --name [extension]

Configuration
Add/remove an antivirus exclusion for a file
mdatp exclusion file [add|remove] --path [path-to-file]

Configuration
Add/remove an antivirus exclusion for a directory
mdatp exclusion folder [add|remove] --path [path-to-directory]

Configuration
Add/remove an antivirus exclusion for a process
mdatp exclusion process [add|remove] --path [path-to-process]
mdatp exclusion process [add|remove] --name [process-name]

Configuration
List all antivirus exclusions
mdatp exclusion list


Reference:

Configuring from the command line
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-resources#configuring-from-the-command-line

Thanks,

Yong

Twitter: @YongRheeMSFT

Before you can use N-able N-central to monitor and manage computers at a customer's site, you need to install the agent. The Mac agent monitors local services and reports any issues.


There are customer-specific and generic system installers.

The customer-specific installers are pre-configured with activation keys, registration token, customer names, and IP address of your N-able N-central server. As the customer-specific installers are very easy to use, we recommend that you make them your first choice when downloading the agent or probe software.

Generic system installers require you to specify either the activation key, or the IP address of your N-able N-central server and a customer name or customer ID. These installers are useful when you want to keep a copy of a certain version of the agent or probe offline.

You need a universal administrative account on every OS X device to facilitate agent installation. It is recommended that you create at minimum one account for your workstations and a separate account for servers.

To install the agent silently on a Mac OS device, see Perform a Mac agent silent install.

For troubleshooting installation issues, see the N-able MSP Success Center Knowledge Base.

The MacOS agent supports the following operating systems:


  • 10.15 (Catalina)
  • 10.14 (Mojave)
  • 10.13 (High Sierra)
  • 10.12 (Sierra)

You need a device's agent activation key to install the agent software. Activation keys are located on the All Devices view. To copy the agent activation key, hover your mouse over the key icon and copy.

  1. Click Actions > Download Agent/Probe.
  2. From the Select Customer/Site drop-down menu, select a customer or site.
  3. Click Get Registration Token.
  4. When selecting a customer-specific agent to download, the registration token is included in the download. You do not need to generate a key. For more information on registration tokens, see Registration tokens for agent installation.
  5. In the System Agent/Probe area, click the MacOS Agent link and select a location to download the DMG file.
  6. Once the install file has downloaded, navigate to the downloaded file location.
  7. Double-click the DMG file and follow the instructions on the Installer screen.

If you are installing the agent from the customer/site level, the installation proceeds. At the System level, you must enter either the activation key or customer name and ID, also known as an Access Code, which can be found by clicking Administration > Customer/Sites.

Install the MAC agent with the dmg-install.sh script

  1. From N-central download the 'DMG Installation Script' and the 'macOS Agent (dmg)'.
  2. Make sure to extract the script into the same folder location as the dmg.
  3. Use one of the methods below to install:
    1. With an activation key, retrieved from the central server:

      sudo dmg-install.sh -k <activation key>

    2. Prior to N-central 2020.1, with a Customer Name and Customer ID (Customer name may need to be quoted if it contains spaces or shell meta-characters):

      sudo sh dmg-install.sh -s <server endpoint ip/fqdn without the https://> -c <customer name> -i <customer id>

    3. On 2020.1 or later with a Customer Name and Customer ID (Customer name may need to be quoted if it contains spaces or shell meta-characters):

      sudo sh dmg-install.sh -s <server endpoint ip/fqdn without the https://> -c <customer name> -i <customer id> -t <registration token>

  4. Additional Flags:
    1. -p Specify the protocol for the agent to use.
    2. -a Specify the port for the agent to use.
    3. -x Specify an http proxy for the agent to use.
  5. Once the script has run, navigate to All Devices and click the Network Devices tab.
  6. Click Add.
  7. Click Discovered Assets.
  8. Select your device and import it.

Your device should now be added in N-central.

You can confirm this from the Customer level, by navigating to All Devices, and click the Network Devices tab.

Install the MAC agent on Catalina

With Catalina, Apple Gatekeeper requires notarization during installation. The Mac agent installer is signed, but not notarized, so the Customer or System DMG installer can fail to register. To complete the agent installation, you will need to open System Preferences and select the Security and Privacy option to allow the agent to install.

Keep the System Preferences open for the duration of the install procedure.

  1. Click Actions > Download Agent/Probe.
  2. From the Select Customer/Site drop-down menu, select a customer or site.
  3. In the System Agent/Probe area, click the MacOS Agent link.
  4. Navigate to the downloaded file location and double-click the DMG file.
  5. Double-click Register the N-central Agent and click OK.
  6. Open the Security and Privacy system settings options and unlock the settings with the admin password.
  7. In the Register the N-central Agent dialog, click Open.
  8. Click Register, enter the user password and click OK.
  9. Click Cancel for the message saying the .Mac_Agent cannot be opened.
  10. In the Security and Privacy dialog, in the Allow apps downloaded from area, select App Store and identified developers and click Open Anyway.
  11. In the subsequent dialog, click Open.
  12. Enter the user password in the security prompt and click OK.
  13. This will result in the completion of the install.