Set preferences for Microsoft Defender for Endpoint on Linux


Important

This topic contains instructions for setting preferences for Defender for Endpoint on Linux in enterprise environments. If you are interested in configuring the product on a single device from the command line, see Resources.

In enterprise environments, Defender for Endpoint on Linux can be managed through a configuration profile. This profile is deployed from the management tool of your choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise cannot change preferences that are set through this configuration profile.

This article describes the structure of the profile (including a recommended profile that you can use to get started) and gives instructions on how to deploy it.

Configuration profile structure

The configuration profile is a .json file that consists of entries identified by a key (the name of the preference), followed by a value whose form depends on the nature of the preference. Values can be simple, such as a number or boolean, or complex, such as a nested list of preferences.

Typically, you would use a configuration management tool to push a file named mdatp_managed.json to the location /etc/opt/microsoft/mdatp/managed/.

The top level of the configuration profile includes product-wide preferences and entries for subareas of the product, which are explained in more detail in the next sections.

Antivirus engine preferences

The antivirusEngine section of the configuration profile is used to manage the preferences of the antivirus component of the product.

Key: antivirusEngine
Data type: Dictionary (nested preference)
Comments: See the following sections for a description of the dictionary contents.

Enable / disable real-time protection

Determines whether real-time protection (scanning files as they are accessed) is enabled.

Key: enableRealTimeProtection
Data type: Boolean
Possible values: true (default), false

Enable / disable passive mode

Determines whether the antivirus engine runs in passive mode. In passive mode:

  • Real-time protection is turned off.
  • On-demand scanning is turned on.
  • Automatic threat remediation is turned off.
  • Security intelligence updates are turned on.
  • The status menu icon is hidden.

Key: passiveMode
Data type: Boolean
Possible values: false (default), true
Comments: Available in Defender for Endpoint version 100.67.60 or higher.

Exclusion merge policy

Specifies the merge policy for exclusions. It can be either a combination of administrator-defined and user-defined exclusions (merge) or only administrator-defined exclusions (admin_only). Set admin_only to prevent local users from defining their own exclusions, which would otherwise let a local user carve out unscanned paths.

Key: exclusionsMergePolicy
Data type: String
Possible values: merge (default), admin_only
Comments: Available in Defender for Endpoint version 100.83.73 or higher.

Scan exclusions

Entities that are excluded from scanning. Exclusions can be specified by full path, file extension, or process name.

Key: exclusions
Data type: Dictionary (nested preference)
Comments: See the following sections for a description of the dictionary contents.

Type of exclusion

Specifies the type of content excluded from the scan.

Key: $type
Data type: String
Possible values: excludedPath, excludedFileExtension, excludedFileName

Path to excluded content

Used to exclude content from the scan by full file path.

Key: path
Data type: String
Possible values: valid paths
Comments: Applicable only if $type is excludedPath

Path type (file / directory)

Indicates whether the path property refers to a file or a directory. Excluding a directory leaves everything beneath it unscanned, so keep directory exclusions as narrow as possible.

Key: isDirectory
Data type: Boolean
Possible values: false (default), true
Comments: Applicable only if $type is excludedPath

File extension excluded from the scan

Used to exclude content from the scan by file extension.

Key: extension
Data type: String
Possible values: valid file extensions
Comments: Applicable only if $type is excludedFileExtension

Process excluded from the scan

Specifies a process for which all file activity is excluded from scanning. The process can be specified either by its name (for example, cat) or by its full path (for example, /bin/cat). A name-only exclusion applies to any process with that name, wherever it was launched from; use the full path when you want to exclude one specific binary.

Key: name
Data type: String
Possible values: any string
Comments: Applicable only if $type is excludedFileName

Allowed threats

List of threats (identified by their name) that are not blocked by the product and are instead allowed to run.

Key: allowedThreats
Data type: Array of strings

Disallowed threat actions

Restricts the actions that the local user of a device can take when threats are detected. The actions included in this list are not displayed in the user interface.

Key: disallowedThreatActions
Data type: Array of strings
Possible values: allow (prevents users from allowing threats), restore (prevents users from restoring threats from quarantine)
Comments: Available in Defender for Endpoint version 100.83.73 or higher.

Threat type settings

The threatTypeSettings preference in the antivirus engine is used to control how certain threat types are handled by the product.

Key: threatTypeSettings
Data type: Dictionary (nested preference)
Comments: See the following sections for a description of the dictionary contents.

Threat type

Type of threat for which the behavior is configured.

Key: key
Data type: String
Possible values: potentially_unwanted_application, archive_bomb

Action to take

Action to take when a threat of the type specified in the preceding section is encountered. Can be:

  • Audit: The device is not protected against this type of threat, but an entry about the threat is logged.
  • Block: The device is protected against this type of threat, and you are notified in the security console.
  • Off: The device is not protected against this type of threat, and nothing is logged.

Key: value
Data type: String
Possible values: audit (default), block, off

Threat type settings merge policy

Specifies the merge policy for threat type settings. It can be either a combination of administrator-defined and user-defined settings (merge) or only administrator-defined settings (admin_only). This setting can be used to prevent local users from defining their own settings for different threat types.

Key: threatTypeSettingsMergePolicy
Data type: String
Possible values: merge (default), admin_only
Comments: Available in Defender for Endpoint version 100.83.73 or higher.

Antivirus scan history retention (in days)

Specifies the number of days that results are retained in the scan history on the device. Older scan results are removed from the history, and quarantined files older than this are also removed from disk.

Key: scanResultsRetentionDays
Data type: String
Possible values: 90 (default). Allowed values are from 1 day to 180 days.
Comments: Available in Defender for Endpoint version 101.04.76 or higher.

Maximum number of items in the antivirus scan history

Specifies the maximum number of entries to keep in the scan history. Entries include all on-demand scans performed in the past and all antivirus detections.

Key: scanHistoryMaximumItems
Data type: String
Possible values: 10000 (default). Allowed values are from 5000 items to 15000 items.
Comments: Available in Defender for Endpoint version 101.04.76 or higher.

Cloud-delivered protection preferences

The cloudService entry in the configuration profile is used to configure the cloud-driven protection feature of the product.

Key: cloudService
Data type: Dictionary (nested preference)
Comments: See the following sections for a description of the dictionary contents.

Enable / disable cloud-delivered protection

Determines whether cloud-delivered protection is enabled on the device. To improve the security of your services, we recommend keeping this feature turned on.

Key: enabled
Data type: Boolean
Possible values: true (default), false

Diagnostic collection level

Diagnostic data is used to keep Defender for Endpoint secure and up to date, to detect, diagnose and fix problems, and to make product improvements. This setting determines the level of diagnostics the product sends to Microsoft.

Key: diagnosticLevel
Data type: String
Possible values: optional (default), required

Enable / disable automatic sample submission

Determines whether suspicious samples (those that are likely to contain threats) are sent to Microsoft. There are three levels for controlling sample submission:

  • None: no suspicious samples are submitted to Microsoft.
  • Safe: only suspicious samples that do not contain personally identifiable information (PII) are submitted automatically. This is the default value for this setting.
  • All: all suspicious samples are submitted to Microsoft.

Key: automaticSampleSubmissionConsent
Data type: String
Possible values: none, safe (default), all

Enable / disable automatic security intelligence updates

Determines whether security intelligence updates are installed automatically.

Key: automaticDefinitionUpdateEnabled
Data type: Boolean
Possible values: true (default), false

To get started, we recommend the following configuration profile for your enterprise, which takes advantage of all the protection features that Defender for Endpoint provides.

The following configuration profile will:

  • Enable real-time protection (RTP)
  • Specify how the following threat types are handled:
    • Potentially unwanted applications (PUA) are blocked
    • Archive bombs (files with a high compression rate) are audited to the product logs
  • Enable automatic security intelligence updates
  • Enable cloud-delivered protection
  • Enable automatic sample submission at the safe level

The proxy value in the sample (http://proxy.server:port/) is a placeholder, and the proxy entry is not described in this article: replace it with your own proxy URL, or remove the line if the device reaches the cloud service directly.

Sample profile

{
   "antivirusEngine":{
      "enableRealTimeProtection":true,
      "threatTypeSettings":[
         {
            "key":"potentially_unwanted_application",
            "value":"block"
         },
         {
            "key":"archive_bomb",
            "value":"audit"
         }
      ]
   },
   "cloudService":{
      "automaticDefinitionUpdateEnabled":true,
      "automaticSampleSubmissionConsent":"safe",
      "enabled":true,
      "proxy":"http://proxy.server:port/"
   }
}

Full configuration profile example

The following configuration profile contains entries for all settings described in this document and can be used for more advanced scenarios where you want more control over the product. It carries the same placeholder proxy entry as the sample profile above.

Full profile

{
   "antivirusEngine":{
      "enableRealTimeProtection":true,
      "passiveMode":false,
      "exclusionsMergePolicy":"merge",
      "exclusions":[
         {
            "$type":"excludedPath",
            "isDirectory":false,
            "path":"/var/log/system.log"
         },
         {
            "$type":"excludedPath",
            "isDirectory":true,
            "path":"/home"
         },
         {
            "$type":"excludedFileExtension",
            "extension":"pdf"
         },
         {
            "$type":"excludedFileName",
            "name":"cat"
         }
      ],
      "allowedThreats":[
         "EICAR-Test-File (not a virus)"
      ],
      "disallowedThreatActions":[
         "allow",
         "restore"
      ],
      "threatTypeSettingsMergePolicy":"merge",
      "threatTypeSettings":[
         {
            "key":"potentially_unwanted_application",
            "value":"block"
         },
         {
            "key":"archive_bomb",
            "value":"audit"
         }
      ]
   },
   "cloudService":{
      "enabled":true,
      "diagnosticLevel":"optional",
      "automaticSampleSubmissionConsent":"safe",
      "automaticDefinitionUpdateEnabled":true,
      "proxy": "http://proxy.server:port/"
   }
}

Configuration profile validation

The configuration profile must be a valid JSON-formatted file. There are a number of tools that can be used to verify this. For example, if you have python installed on your device:

python -m json.tool mdatp_managed.json

If the JSON is well-formed, the command above prints it back to the terminal and returns an exit code of 0. Otherwise, an error that describes the problem is displayed and the command returns an exit code of 1. Note that this only checks syntax: a well-formed file can still contain misspelled keys or out-of-range values, which the product will not apply.
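The json.tool check only proves that the file parses. The script below, added here as an example and not part of Microsoft's tooling, also lints the profile against what this article documents: the known keys in antivirusEngine and cloudService, the allowed string values, the 1..180 and 5000..15000 ranges, and the field each exclusion $type requires. It warns, rather than fails, on settings that widen the unscanned surface (directory exclusions, process exclusions by bare name, allowed threats, threat types switched off) and on keys this article does not describe, such as proxy. EXAMPLE_PROFILE is a constructed input with deliberate mistakes; the warning texts and the script name are my own.

```python
# Lint an mdatp_managed.json profile against the keys, value sets and numeric
# ranges described in this article. Added example, not Microsoft tooling.
import json

MERGE = {"merge", "admin_only"}
ANTIVIRUS_KEYS = {
    "enableRealTimeProtection": bool, "passiveMode": bool,
    "exclusionsMergePolicy": MERGE, "exclusions": list,
    "allowedThreats": list, "disallowedThreatActions": list,
    "threatTypeSettingsMergePolicy": MERGE, "threatTypeSettings": list,
    "scanResultsRetentionDays": (1, 180),      # documented as strings,
    "scanHistoryMaximumItems": (5000, 15000),  # so ints are parsed from them
}
CLOUD_KEYS = {
    "enabled": bool, "automaticDefinitionUpdateEnabled": bool,
    "diagnosticLevel": {"optional", "required"},
    "automaticSampleSubmissionConsent": {"none", "safe", "all"},
}
EXCLUSION_FIELD = {"excludedPath": "path", "excludedFileExtension": "extension",
                   "excludedFileName": "name"}  # $type -> required field
THREAT_TYPES = {"potentially_unwanted_application", "archive_bomb"}
THREAT_ACTIONS = {"audit", "block", "off"}


def _check_value(where, spec, value, errors):
    """spec is a type, a set of allowed strings, or an inclusive (low, high) range."""
    if isinstance(spec, type):
        if not isinstance(value, spec):
            errors.append(f"{where}: expected {spec.__name__}")
    elif isinstance(spec, set):
        if value not in spec:
            errors.append(f"{where}: {value!r} not one of {sorted(spec)}")
    elif not str(value).isdigit() or not spec[0] <= int(value) <= spec[1]:
        errors.append(f"{where}: {value!r} outside {spec[0]}..{spec[1]}")


def _check_section(name, section, schema, errors, warnings):
    for key, value in section.items():
        if key in schema:
            _check_value(f"{name}.{key}", schema[key], value, errors)
        else:
            warnings.append(f"{name}.{key}: not described in this article")


def lint_profile(text):
    """Return (errors, warnings) for a profile given as JSON text."""
    errors, warnings = [], []
    profile = json.loads(text)  # malformed JSON raises here, as json.tool would
    av = profile.get("antivirusEngine", {})
    _check_section("antivirusEngine", av, ANTIVIRUS_KEYS, errors, warnings)
    _check_section("cloudService", profile.get("cloudService", {}),
                   CLOUD_KEYS, errors, warnings)

    for i, ex in enumerate(av.get("exclusions", [])):
        where, kind = f"exclusions[{i}]", ex.get("$type")
        if kind not in EXCLUSION_FIELD:
            errors.append(f"{where}: unknown $type {kind!r}")
        elif EXCLUSION_FIELD[kind] not in ex:
            errors.append(f"{where}: {kind} needs {EXCLUSION_FIELD[kind]!r}")
        elif kind == "excludedPath" and ex.get("isDirectory"):
            warnings.append(f"{where}: whole directory {ex['path']!r} is unscanned")
        elif kind == "excludedFileName" and not ex["name"].startswith("/"):
            warnings.append(f"{where}: process {ex['name']!r} excluded by bare name; "
                            "any binary with that name matches, prefer a full path")

    for i, t in enumerate(av.get("threatTypeSettings", [])):
        where = f"threatTypeSettings[{i}]"
        if t.get("key") not in THREAT_TYPES:
            errors.append(f"{where}: unknown key {t.get('key')!r}")
        if t.get("value") not in THREAT_ACTIONS:
            errors.append(f"{where}: unknown value {t.get('value')!r}")
        elif t["value"] == "off":
            warnings.append(f"{where}: {t.get('key')} is off, nothing is logged")

    if av.get("allowedThreats"):
        warnings.append("allowedThreats: listed detections are allowed to run")
    return errors, warnings


# Constructed profile with deliberate mistakes, not a real deployment.
EXAMPLE_PROFILE = json.dumps({
    "antivirusEngine": {
        "enableRealTimeProtection": True,
        "exclusions": [
            {"$type": "excludedPath", "isDirectory": True, "path": "/home"},
            {"$type": "excludedFileName", "name": "cat"},
            {"$type": "excludedProcess", "name": "/bin/cat"}],
        "threatTypeSettings": [
            {"key": "potentially_unwanted_application", "value": "ignore"},
            {"key": "archive_bomb", "value": "off"}],
        "scanResultsRetentionDays": "400"},
    "cloudService": {"enabled": True, "diagnosticLevel": "verbose",
                     "proxy": "http://proxy.server:port/"}})

if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else EXAMPLE_PROFILE
    errs, warns = lint_profile(src)
    print("\n".join(["ERROR " + e for e in errs] + ["WARN  " + w for w in warns]))
    sys.exit(1 if errs else 0)
```

Run it as `python3 lint_mdatp_profile.py /etc/opt/microsoft/mdatp/managed/mdatp_managed.json` (or with no argument to lint the built-in example). It exits non-zero only on errors, so it can sit in the pipeline that pushes the file while the warnings remain visible for review.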

Verifying that the mdatp_managed.json file is working as expected

To verify that /etc/opt/microsoft/mdatp/managed/mdatp_managed.json is being applied, run mdatp health and check that "[managed]" appears next to these settings:

  • cloud_enabled
  • cloud_automatic_sample_submission_consent
  • passive_mode_enabled
  • real_time_protection_enabled
  • automatic_definition_update_enabled
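Checking that list by eye does not scale across a fleet. The script below is an added example, not Microsoft tooling: it parses mdatp health output and reports which of the five settings above are missing the "[managed]" marker. It assumes the output layout is one setting per line as `name : value [managed]`; SAMPLE_HEALTH is a constructed, abbreviated output in that layout, in which passive_mode_enabled is deliberately left unmanaged so the check has something to report.

```python
# Report mdatp health settings that should carry "[managed]" but do not.
# Added example, not Microsoft tooling; the line layout is an assumption.
import re

MANAGED_SETTINGS = (
    "cloud_enabled",
    "cloud_automatic_sample_submission_consent",
    "passive_mode_enabled",
    "real_time_protection_enabled",
    "automatic_definition_update_enabled",
)

# Constructed, abbreviated `mdatp health` output; real output has more fields.
SAMPLE_HEALTH = """\
healthy                                     : true
health_issues                               : []
licensed                                    : true
real_time_protection_enabled                : true [managed]
real_time_protection_available              : true
cloud_enabled                               : true [managed]
cloud_automatic_sample_submission_consent   : safe [managed]
passive_mode_enabled                        : false
automatic_definition_update_enabled         : true [managed]
"""

# name, value, optional trailing "[managed]" marker
LINE = re.compile(r"^\s*(\S+)\s*:\s*(.*?)\s*(\[managed\])?\s*$")


def parse_health(text):
    """Map setting name -> (value, is_managed) for every line that fits the layout."""
    settings = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m and line.strip():
            name, value, tag = m.groups()
            settings[name] = (value, tag is not None)
    return settings


def unmanaged_settings(text, expected=MANAGED_SETTINGS):
    """Return the expected settings that are absent or not marked [managed]."""
    parsed = parse_health(text)
    return [name for name in expected if not parsed.get(name, ("", False))[1]]


if __name__ == "__main__":
    import subprocess
    import sys
    # Live check; falls back to the constructed sample if mdatp is not installed.
    try:
        out = subprocess.run(["mdatp", "health"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        out = SAMPLE_HEALTH
    missing = unmanaged_settings(out)
    for name in missing:
        print(f"NOT MANAGED: {name}")
    sys.exit(1 if missing else 0)
```

A non-zero exit means the profile was either not pushed to /etc/opt/microsoft/mdatp/managed/ or does not set the corresponding key; compare the reported names against the keys present in your mdatp_managed.json.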

Note

No restart of wdavdaemon is required for mdatp_managed.json to take effect.

Configuration profile deployment

Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. Defender for Endpoint on Linux reads the managed configuration from the /etc/opt/microsoft/mdatp/managed/mdatp_managed.json file.