Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

Verify if installation succeeded

An error in installation may or may not result in a meaningful error message by the package manager. To verify if the installation succeeded, obtain and check the installation logs using:

sudo journalctl | grep 'microsoft-mdatp'  > installation.log
 grep 'postinstall end' installation.log
 microsoft-mdatp-installer[102243]: postinstall end [2020-03-26 07:04:43OURCE +0000] 102216

An output from the previous command with correct date and time of installation indicates success.

Also check the Client configuration to verify the health of the product and detect the EICAR text file.

Make sure you have the correct package

Please mind that the package you are installing is matching the host distribution and version.

package distribution
mdatp-rhel8.Linux.x86_64.rpm Oracle, RHEL and CentOS 8.x
mdatp-sles12.Linux.x86_64.rpm SuSE Linux Enterprise Server 12.x
mdatp-sles15.Linux.x86_64.rpm SuSE Linux Enterprise Server 15.x
mdatp.Linux.x86_64.rpm Oracle, RHEL and CentOS 7.x
mdatp.Linux.x86_64.deb Debian and Ubuntu 16.04, 18.04 and 20.04

For manual deployment, make sure the correct distro and version had been chosen.

Installation failed

Check if the mdatp service is running:

systemctl status mdatp
 ● mdatp.service - Microsoft Defender for Endpoint
   Loaded: loaded (/lib/systemd/system/mdatp.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2020-03-26 10:37:30 IST; 23h ago
 Main PID: 1966 (wdavdaemon)
    Tasks: 105 (limit: 4915)
   CGroup: /system.slice/mdatp.service
           ├─1966 /opt/microsoft/mdatp/sbin/wdavdaemon
           ├─1967 /opt/microsoft/mdatp/sbin/wdavdaemon
           └─1968 /opt/microsoft/mdatp/sbin/wdavdaemon

Steps to troubleshoot if mdatp service isn't running

  1. Check if "mdatp" user exists:

    id "mdatp"
    

    If there’s no output, run

    sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp
    
  2. Try enabling and restarting the service using:

    sudo systemctl enable mdatp
    
    sudo systemctl restart mdatp
    
  3. If mdatp.service isn't found upon running the previous command, run:

    sudo cp /opt/microsoft/mdatp/conf/mdatp.service <systemd_path>
    

    where <systemd_path> is /lib/systemd/system for Ubuntu and Debian distributions and /usr/lib/systemd/system for Rhel, CentOS, Oracle and SLES. Then rerun step 2.

  4. If the above steps don’t work, check if SELinux is installed and in enforcing mode. If so, try setting it to permissive (preferably) or disabled mode. It can be done by setting the parameter SELINUX to "permissive" or "disabled" in /etc/selinux/config file, followed by reboot. Check the man-page of selinux for more details. Now try restarting the mdatp service using step 2. Revert the configuration change immediately though for security reasons after trying it and reboot.

  5. If /opt directory is a symbolic link, create a bind mount for /opt/microsoft.

  6. Ensure that the daemon has executable permission.

    ls -l /opt/microsoft/mdatp/sbin/wdavdaemon
    
    -rwxr-xr-x 2 root root 15502160 Mar  3 04:47 /opt/microsoft/mdatp/sbin/wdavdaemon
    

    If the daemon doesn't have executable permissions, make it executable using:

    sudo chmod 0755 /opt/microsoft/mdatp/sbin/wdavdaemon
    

    and retry running step 2.

  7. Ensure that the file system containing wdavdaemon isn't mounted with "noexec".

If mdatp service is running, but EICAR text file detection doesn't work

  1. Check the file system type using:

    findmnt -T <path_of_EICAR_file>
    

    Currently supported file systems for on-access activity are listed here. Any files outside these file systems won't be scanned.

Command-line tool “mdatp” isn't working

  1. If running the command-line tool mdatp gives an error command not found, run the following command:

    sudo ln -sf /opt/microsoft/mdatp/sbin/wdavdaemonclient /usr/bin/mdatp
    

    and try again.

    If none of the above steps help, collect the diagnostic logs:

    sudo mdatp diagnostic create
    
    Diagnostic file created: <path to file>
    

    Path to a zip file that contains the logs will be displayed as an output. Reach out to our customer support with these logs.