Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux
Want to experience Defender for Endpoint? Sign up for a free trial.
Verify if installation succeeded
An error in installation may or may not result in a meaningful error message by the package manager. To verify if the installation succeeded, obtain and check the installation logs using:
sudo journalctl | grep 'microsoft-mdatp' > installation.log
grep 'postinstall end' installation.log
microsoft-mdatp-installer: postinstall end [2020-03-26 07:04:43OURCE +0000] 102216
An output from the previous command with correct date and time of installation indicates success.
Also check the Client configuration to verify the health of the product and detect the EICAR text file.
Make sure you have the correct package
Please mind that the package you are installing is matching the host distribution and version.
|mdatp-rhel8.Linux.x86_64.rpm||Oracle, RHEL and CentOS 8.x|
|mdatp-sles12.Linux.x86_64.rpm||SuSE Linux Enterprise Server 12.x|
|mdatp-sles15.Linux.x86_64.rpm||SuSE Linux Enterprise Server 15.x|
|mdatp.Linux.x86_64.rpm||Oracle, RHEL and CentOS 7.x|
|mdatp.Linux.x86_64.deb||Debian and Ubuntu 16.04, 18.04 and 20.04|
For manual deployment, make sure the correct distro and version had been chosen.
Check if the mdatp service is running:
systemctl status mdatp
● mdatp.service - Microsoft Defender for Endpoint Loaded: loaded (/lib/systemd/system/mdatp.service; enabled; vendor preset: enabled) Active: active (running) since Thu 2020-03-26 10:37:30 IST; 23h ago Main PID: 1966 (wdavdaemon) Tasks: 105 (limit: 4915) CGroup: /system.slice/mdatp.service ├─1966 /opt/microsoft/mdatp/sbin/wdavdaemon ├─1967 /opt/microsoft/mdatp/sbin/wdavdaemon └─1968 /opt/microsoft/mdatp/sbin/wdavdaemon
Steps to troubleshoot if mdatp service isn't running
Check if "mdatp" user exists:
If there’s no output, run
sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp
Try enabling and restarting the service using:
sudo systemctl enable mdatp
sudo systemctl restart mdatp
If mdatp.service isn't found upon running the previous command, run:
sudo cp /opt/microsoft/mdatp/conf/mdatp.service <systemd_path>
/lib/systemd/systemfor Ubuntu and Debian distributions and
/usr/lib/systemd/systemfor Rhel, CentOS, Oracle and SLES. Then rerun step 2.
If the above steps don’t work, check if SELinux is installed and in enforcing mode. If so, try setting it to permissive (preferably) or disabled mode. It can be done by setting the parameter
SELINUXto "permissive" or "disabled" in
/etc/selinux/configfile, followed by reboot. Check the man-page of selinux for more details. Now try restarting the mdatp service using step 2. Revert the configuration change immediately though for security reasons after trying it and reboot.
/optdirectory is a symbolic link, create a bind mount for
Ensure that the daemon has executable permission.
ls -l /opt/microsoft/mdatp/sbin/wdavdaemon
-rwxr-xr-x 2 root root 15502160 Mar 3 04:47 /opt/microsoft/mdatp/sbin/wdavdaemon
If the daemon doesn't have executable permissions, make it executable using:
sudo chmod 0755 /opt/microsoft/mdatp/sbin/wdavdaemon
and retry running step 2.
Ensure that the file system containing wdavdaemon isn't mounted with "noexec".
If mdatp service is running, but EICAR text file detection doesn't work
Check the file system type using:
findmnt -T <path_of_EICAR_file>
Currently supported file systems for on-access activity are listed here. Any files outside these file systems won't be scanned.
Command-line tool “mdatp” isn't working
If running the command-line tool
mdatpgives an error
command not found, run the following command:
sudo ln -sf /opt/microsoft/mdatp/sbin/wdavdaemonclient /usr/bin/mdatp
and try again.
If none of the above steps help, collect the diagnostic logs:
sudo mdatp diagnostic create
Diagnostic file created: <path to file>
Path to a zip file that contains the logs will be displayed as an output. Reach out to our customer support with these logs.