Troubleshoot issues for Microsoft Defender for Endpoint on Linux RHEL6

Applies to:

Important

Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

This article provides guidance on how to troubleshoot issues you might encounter with Microsoft Defender for Linux on Red Hat Linux 6 (RHEL 6) or higher.

After the package (mdatp_XXX.XX.XX.XX.x86_64.rpm) is installed, take the following actions to verify that the installation was successful.

Check the service health

Use the following command to check the service health:

mdatp health 

Verify that the service is running

Use the following command to verify that the service is running:

service mdatp status 

Expected output (the process ID varies from host to host): mdatp start/running, process 4517

Verify the distribution and kernel version

The distribution and kernel versions should be on the supported list.

Use the following command to get the distribution version:

cat /etc/redhat-release (or /etc/system-release) 

Use the following command to get the kernel version:

uname -r

Check if mdatp audisp process is running

Use the following command to check:

pidof mdatp_audisp_plugin 

Expected output: the process ID of the plugin, which shows that the process is running. No output means it isn't running.

Check TALPA modules

There should be nine modules loaded.

Use the following command to check:

lsmod | grep talpa

Expected output: all nine TALPA modules are listed, for example:

talpa_pedconnector       878  0 
talpa_pedevice          5189  2 talpa_pedconnector 
talpa_vfshook          32300  1 
talpa_vcdevice          4947  1 
talpa_syscall           9127  0 
talpa_core             90699  4 talpa_vfshook,talpa_vcdevice,talpa_syscall 
talpa_linux            29424  5 talpa_vfshook,talpa_vcdevice,talpa_syscall,talpa_core 
talpa_syscallhookprobe      882  0 
talpa_syscallhook      14987  2 talpa_vfshook,talpa_syscallhookprobe 

Use the following command to count the loaded TALPA modules:

lsmod | grep talpa | wc -l 

Expected output: 9

Check TALPA status

Use the following command to check that the TALPA VFS hook interceptor is active:

cat /proc/sys/talpa/interceptors/VFSHookInterceptor/status 

Expected output: Enabled
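The TALPA module check above only tells you how many modules are loaded, not which one is missing. The following script is an added example (not part of the Microsoft article) that applies the same check to saved lsmod output and names any of the nine expected modules that are absent. It assumes a POSIX sh and uses a constructed lsmod listing as sample input; on a live host the sample can be replaced with the real command output.

```shell
#!/bin/sh
# Added example, not from the Microsoft article: name the missing TALPA modules
# instead of only counting them. Assumes POSIX sh and awk.

# The nine module names from the article's expected lsmod output.
EXPECTED_TALPA_MODULES="talpa_pedconnector talpa_pedevice talpa_vfshook talpa_vcdevice \
talpa_syscall talpa_core talpa_linux talpa_syscallhookprobe talpa_syscallhook"

# check_talpa_modules LSMOD_TEXT
# Prints each expected module that is absent from LSMOD_TEXT, one per line.
# Returns 0 only when all nine modules are present.
check_talpa_modules() {
    lsmod_text=$1
    missing=0
    for mod in $EXPECTED_TALPA_MODULES; do
        # lsmod prints the module name in the first column; require an exact match so
        # talpa_syscallhook does not satisfy a check for talpa_syscallhookprobe.
        if ! printf '%s\n' "$lsmod_text" | awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }'; then
            echo "$mod"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# count_talpa_modules LSMOD_TEXT: the article's 'lsmod | grep talpa | wc -l' on saved text.
count_talpa_modules() {
    printf '%s\n' "$1" | grep -c '^talpa'
}

# Constructed sample: the article's expected listing with talpa_vfshook removed,
# i.e. a host where the VFS hook did not load.
SAMPLE_LSMOD='talpa_pedconnector       878  0
talpa_pedevice          5189  2 talpa_pedconnector
talpa_vcdevice          4947  1
talpa_syscall           9127  0
talpa_core             90699  4 talpa_vcdevice,talpa_syscall
talpa_linux            29424  5 talpa_vcdevice,talpa_syscall,talpa_core
talpa_syscallhookprobe   882  0
talpa_syscallhook      14987  2 talpa_syscallhookprobe'

# On a live RHEL 6 host use instead: SAMPLE_LSMOD=$(lsmod | grep talpa)
if check_talpa_modules "$SAMPLE_LSMOD" >/dev/null; then
    echo "TALPA: all $(count_talpa_modules "$SAMPLE_LSMOD") modules loaded"
else
    echo "TALPA: $(count_talpa_modules "$SAMPLE_LSMOD")/9 loaded; missing: $(check_talpa_modules "$SAMPLE_LSMOD" | tr '\n' ' ')"
fi
```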

Debug log files (apart from the 'mdatp diagnostic create' bundle):

/var/log/audit/audit.log 

/var/log/messages 

semanage fcontext -l > selinux.log 

Performance and Memory

top -p <wdavdaemon pid>      

pmap -x <wdavdaemon pid> 

Where <wdavdaemon pid> is the process ID returned by pidof wdavdaemon.
