Privacy for Microsoft Defender for Endpoint for Linux

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when you're using Defender for Endpoint for Linux.

This topic describes the privacy controls available within the product, how to manage these controls with policy settings, and more details on the data events that are collected.

Overview of privacy controls in Microsoft Defender for Endpoint for Linux

This section describes the privacy controls for the different types of data collected by Defender for Endpoint for Linux.

Diagnostic data

Diagnostic data is used to keep Defender for Endpoint secure and up to date, to detect, diagnose and fix problems, and to make product improvements.

Some diagnostic data is required, while some diagnostic data is optional. We give you the ability to choose whether to send us required or optional diagnostic data through the use of privacy controls, such as policy settings for organizations.

There are two levels of diagnostic data for the Defender for Endpoint client software that you can choose from:

  • Required: The minimum data necessary to help keep Defender for Endpoint secure, up to date, and performing as expected on the device it's installed on.

  • Optional: Additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and remediate issues.

By default, only required diagnostic data is sent to Microsoft.

Cloud-delivered protection data

Cloud-delivered protection is used to provide increased and faster protection with access to the latest protection data in the cloud.

Enabling the cloud-delivered protection service is optional; however, it is highly recommended because it provides important protection against malware on your endpoints and across your network.

Sample data

Sample data is used to improve the protection capabilities of the product by sending Microsoft suspicious samples so they can be analyzed. Enabling automatic sample submission is optional.

There are three levels for controlling sample submission:

  • None: no suspicious samples are submitted to Microsoft.
  • Safe: only suspicious samples that do not contain personally identifiable information (PII) are submitted automatically. This is the default value for this setting.
  • All: all suspicious samples are submitted to Microsoft.

Manage privacy controls with policy settings

If you're an IT administrator, you might want to configure these controls at the enterprise level.

The privacy controls for the various types of data described in the preceding section are described in detail in Set preferences for Defender for Endpoint for Linux.

As with any new policy settings, you should carefully test them out in a limited, controlled environment to ensure the settings that you configure have the desired effect before you implement the policy settings more widely in your organization.
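One way to carry out that test is to audit the pushed configuration against the levels this page documents before rolling it out. The following Python script is an added example, not Microsoft's code or the product's own tooling. The allowed values and defaults come from this page (diagnostic data: required or optional, default required; automatic sample submission: none, safe or all, default safe; cloud-delivered protection optional but recommended). The managed configuration file location and the JSON key names (cloudService, enabled, diagnosticLevel, automaticSampleSubmissionConsent) are assumptions about the managed configuration format and are not taken from the page; the organisational baseline and the sample configuration are constructed.

```python
"""Audit the privacy controls in a Defender for Endpoint for Linux managed configuration.

Added example, not Microsoft's code. Allowed values and defaults come from the
privacy page. The file location and the JSON key names ("cloudService",
"enabled", "diagnosticLevel", "automaticSampleSubmissionConsent") are
assumptions about the managed configuration format, not taken from the page.
"""
import json
from pathlib import Path

# Assumed location of the managed configuration file.
MANAGED_CONFIG_PATH = Path("/etc/opt/microsoft/mdatp/managed/mdatp_managed.json")

# Allowed values, ordered from least to most data shared with Microsoft (from the page).
DIAGNOSTIC_LEVELS = ("required", "optional")
SAMPLE_SUBMISSION_LEVELS = ("none", "safe", "all")
CONTROLS = {
    "diagnosticLevel": DIAGNOSTIC_LEVELS,
    "automaticSampleSubmissionConsent": SAMPLE_SUBMISSION_LEVELS,
}

# Behaviour when a setting is absent: the defaults documented on the page.
DEFAULTS = {
    "enabled": True,
    "diagnosticLevel": "required",
    "automaticSampleSubmissionConsent": "safe",
}

# Constructed organisational baseline: the most data each control may share.
ORG_BASELINE = {"diagnosticLevel": "required", "automaticSampleSubmissionConsent": "safe"}

# Constructed sample configuration, as an administrator might push it to a test device.
SAMPLE_MANAGED_CONFIG = """{
  "cloudService": {
    "enabled": false,
    "diagnosticLevel": "optional",
    "automaticSampleSubmissionConsent": "everything"
  }
}"""


def parse_managed_config(text):
    """Parse the JSON text of a managed configuration into a dict."""
    return json.loads(text)


def effective_cloud_settings(managed_config):
    """Merge the documented defaults with whatever the managed config sets explicitly."""
    cloud = managed_config.get("cloudService") or {}
    settings = dict(DEFAULTS)
    for key in DEFAULTS:
        if key in cloud:
            settings[key] = cloud[key]
    return settings


def audit_privacy_settings(managed_config, baseline=ORG_BASELINE):
    """Return findings: invalid values, disabled cloud protection, and any control
    set to share more data than the baseline permits. An empty list means compliant."""
    findings = []
    settings = effective_cloud_settings(managed_config)

    if not isinstance(settings["enabled"], bool):
        findings.append("cloudService.enabled: expected true or false")
    elif not settings["enabled"]:
        findings.append("cloud-delivered protection is disabled (optional, but recommended)")

    for key, levels in CONTROLS.items():
        value = settings[key]
        if value not in levels:
            findings.append(f"{key}: unknown value {value!r} (allowed: {', '.join(levels)})")
            continue
        limit = baseline.get(key, levels[-1])  # no baseline entry: any allowed value passes
        if limit not in levels:
            raise ValueError(f"baseline {key}={limit!r} is not an allowed value")
        if levels.index(value) > levels.index(limit):
            findings.append(f"{key}: {value!r} shares more data than the baseline {limit!r}")
    return findings


def audit_config_file(path=MANAGED_CONFIG_PATH, baseline=ORG_BASELINE):
    """Audit the managed configuration on disk; a missing file means the defaults apply."""
    path = Path(path)
    if not path.is_file():
        return audit_privacy_settings({}, baseline)
    return audit_privacy_settings(parse_managed_config(path.read_text()), baseline)


if __name__ == "__main__":
    for finding in audit_privacy_settings(parse_managed_config(SAMPLE_MANAGED_CONFIG)):
        print("FINDING:", finding)
```

Run on a pilot device as `python3 audit_privacy.py` to check the constructed sample, or call `audit_config_file()` to audit the file on disk. Because the script merges the page's defaults first, a configuration that omits a key is judged by what the product would actually do, not by what the administrator forgot to write.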

Diagnostic data events

This section describes what is considered required diagnostic data and what is considered optional diagnostic data, along with a description of the events and fields that are collected.

Data fields that are common for all events

There is some information about events that is common to all events, regardless of category or data subtype.

The following fields are considered common for all events:

Field    Description
platform    The broad classification of the platform on which the app is running. Allows Microsoft to identify on which platforms an issue may be occurring so that it can correctly be prioritized.
machine_guid    Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted.
sense_guid    Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted.
org_id    Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted.
hostname    Local device name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted.
product_guid    Unique identifier of the product. Allows Microsoft to differentiate issues impacting different flavors of the product.
app_version    Version of the Defender for Endpoint for Linux application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.
sig_version    Version of the security intelligence database. Allows Microsoft to identify which versions of the security intelligence are showing an issue so that it can correctly be prioritized.
supported_compressions    List of compression algorithms supported by the application, for example ['gzip']. Allows Microsoft to understand what types of compression can be used when it communicates with the application.
release_ring    Ring that the device is associated with (for example Insider Fast, Insider Slow, Production). Allows Microsoft to identify on which release ring an issue may be occurring so that it can correctly be prioritized.

Required diagnostic data

Required diagnostic data is the minimum data necessary to help keep Defender for Endpoint secure, up to date, and performing as expected on the device it's installed on.

Required diagnostic data helps to identify problems with Microsoft Defender for Endpoint that may be related to a device or software configuration. For example, it can help determine if a Defender for Endpoint feature crashes more frequently on a particular operating system version, with newly introduced features, or when certain Defender for Endpoint features are disabled. Required diagnostic data helps Microsoft detect, diagnose, and fix these problems more quickly so the impact to users or organizations is reduced.

Software setup and inventory data events

Microsoft Defender for Endpoint installation / uninstallation

The following fields are collected:

Field    Description
correlation_id    Unique identifier associated with the installation.
version    Version of the package.
severity    Severity of the message (for example Informational).
code    Code that describes the operation.
text    Additional information associated with the product installation.

Microsoft Defender for Endpoint configuration

The following fields are collected:

Field    Description
antivirus_engine.enable_real_time_protection    Whether real-time protection is enabled on the device or not.
antivirus_engine.passive_mode    Whether passive mode is enabled on the device or not.
cloud_service.enabled    Whether cloud-delivered protection is enabled on the device or not.
cloud_service.timeout    Time-out when the application communicates with the Defender for Endpoint cloud.
cloud_service.heartbeat_interval    Interval between consecutive heartbeats sent by the product to the cloud.
cloud_service.service_uri    URI used to communicate with the cloud.
cloud_service.diagnostic_level    Diagnostic level of the device (required, optional).
cloud_service.automatic_sample_submission    Automatic sample submission level of the device (none, safe, all).
edr.early_preview    Whether the device should run EDR early preview features.
edr.group_id    Group identifier used by the detection and response component.
edr.tags    User-defined tags.
features.[optional feature name]    List of preview features, along with whether they are enabled or not.

Product and service usage data events

Security intelligence update report

The following fields are collected:

Field    Description
from_version    Original security intelligence version.
to_version    New security intelligence version.
status    Status of the update, indicating success or failure.
using_proxy    Whether the update was done over a proxy.
error    Error code if the update failed.
reason    Error message if the update failed.

Product and service performance data events

Kernel extension statistics

The following fields are collected:

Field    Description
version    Version of Defender for Endpoint for Linux.
instance_id    Unique identifier generated on kernel extension startup.
trace_level    Trace level of the kernel extension.
subsystem    The underlying subsystem used for real-time protection.
ipc.connects    Number of connection requests received by the kernel extension.
ipc.rejects    Number of connection requests rejected by the kernel extension.
ipc.connected    Whether there is any active connection to the kernel extension.

Support data

Diagnostic logs

Diagnostic logs are collected only with the consent of the user, as part of the feedback submission feature. The following files are collected as part of the support logs:

  • All files under /var/log/microsoft/mdatp
  • Subset of files under /etc/opt/microsoft/mdatp that are created and used by Defender for Endpoint for Linux
  • Product installation and uninstallation logs under /var/log/microsoft_mdatp_*.log

Optional diagnostic data

Optional diagnostic data is additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and fix issues.

If you choose to send us optional diagnostic data, required diagnostic data is also included.

Examples of optional diagnostic data include data Microsoft collects about product configuration (for example the number of exclusions set on the device) and product performance (aggregate measures about the performance of components of the product).

Software setup and inventory data events

Microsoft Defender for Endpoint configuration

The following fields are collected:

Field    Description
connection_retry_timeout    Connection retry time-out when communicating with the cloud.
file_hash_cache_maximum    Size of the product cache.
crash_upload_daily_limit    Limit of crash logs uploaded daily.
antivirus_engine.exclusions[].is_directory    Whether the exclusion from scanning is a directory or not.
antivirus_engine.exclusions[].path    Path that was excluded from scanning.
antivirus_engine.exclusions[].extension    Extension excluded from scanning.
antivirus_engine.exclusions[].name    Name of the file excluded from scanning.
antivirus_engine.scan_cache_maximum    Size of the product cache.
antivirus_engine.maximum_scan_threads    Maximum number of threads used for scanning.
antivirus_engine.threat_restoration_exclusion_time    Time-out before a file restored from quarantine can be detected again.
filesystem_scanner.full_scan_directory    Full scan directory.
filesystem_scanner.quick_scan_directories    List of directories used in quick scan.
edr.latency_mode    Latency mode used by the detection and response component.
edr.proxy_address    Proxy address used by the detection and response component.

Microsoft Auto-Update configuration

The following fields are collected:

Field    Description
how_to_check    Determines how product updates are checked (for example automatic or manual).
channel_name    Update channel associated with the device.
manifest_server    Server used for downloading updates.
update_cache    Location of the cache used to store updates.

Product and service usage

Diagnostic log upload started report

The following fields are collected:

Field    Description
sha256    SHA256 identifier of the support log.
size    Size of the support log.
original_path    Path to the support log (always under /var/opt/microsoft/mdatp/wdavdiag/).
format    Format of the support log.
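An administrator reviewing what a consent-based support submission would carry off a device can enumerate the locations listed under Diagnostic logs above and record each file in the shape of this upload-started report. The following Python script is an added example, not Microsoft's code or the product's own diagnostic tooling. The collected locations (/var/log/microsoft/mdatp, a subset of /etc/opt/microsoft/mdatp, /var/log/microsoft_mdatp_*.log) and the record fields (sha256, size, original_path, format) come from this page; which configuration files form the /etc/opt/microsoft/mdatp subset is not stated on the page, so the caller supplies them (an assumption). The sample directory tree and file names it builds are constructed.

```python
"""Inventory what a Defender for Endpoint for Linux support log bundle would contain.

Added example, not Microsoft's code. The collected locations and the record
field names come from the privacy page. The page does not say which files under
/etc/opt/microsoft/mdatp are included, so the caller names that subset
(assumption). The sample tree below is constructed.
"""
import hashlib
import pathlib
import tempfile

# Locations from the page, kept relative so a test tree can stand in for the real root.
LOG_DIR = "var/log/microsoft/mdatp"            # all files under /var/log/microsoft/mdatp
CONFIG_DIR = "etc/opt/microsoft/mdatp"         # only a subset of /etc/opt/microsoft/mdatp
INSTALL_LOG_GLOB = "var/log/microsoft_mdatp_*.log"


def collected_paths(root="/", config_subset=()):
    """Files the page says are collected, resolved under `root`, in a stable order."""
    root = pathlib.Path(root)
    files = []
    log_dir = root / LOG_DIR
    if log_dir.is_dir():
        files.extend(sorted(p for p in log_dir.rglob("*") if p.is_file()))
    config_dir = root / CONFIG_DIR
    for name in config_subset:                 # only the named subset, never the whole directory
        candidate = config_dir / name
        if candidate.is_file():
            files.append(candidate)
    files.extend(sorted(p for p in root.glob(INSTALL_LOG_GLOB) if p.is_file()))
    return files


def describe(path):
    """One record per file, using the field names of the upload-started report."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "size": path.stat().st_size,
        "original_path": str(path),
        "format": path.suffix.lstrip(".") or "unknown",
    }


def inventory(root="/", config_subset=()):
    """Records for every file that would leave the device with a support submission."""
    return [describe(p) for p in collected_paths(root, config_subset)]


def build_sample_tree():
    """Constructed layout mirroring the page's paths, under a temporary directory."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="mdatp_sample_"))
    (root / LOG_DIR).mkdir(parents=True)
    (root / LOG_DIR / "sample.log").write_bytes(b"hello")
    (root / CONFIG_DIR).mkdir(parents=True)
    (root / CONFIG_DIR / "sample_config").write_bytes(b"{}")
    (root / CONFIG_DIR / "not_in_subset.txt").write_bytes(b"stays on the device")
    (root / "var/log/microsoft_mdatp_install.log").write_bytes(b"install ok\n")
    return root


if __name__ == "__main__":
    for record in inventory(build_sample_tree(), config_subset=("sample_config",)):
        print(record)
```

Pointing `inventory()` at the real root on a pilot device (with the configuration subset your deployment actually uses) gives a reviewable manifest; comparing the sha256 values against the upload-started and upload-completed reports later confirms that only the expected files were submitted.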

Diagnostic log upload completed report

The following fields are collected:

Field    Description
request_id    Correlation ID for the support log upload request.
sha256    SHA256 identifier of the support log.
blob_sas_uri    URI used by the application to upload the support log.

Product and service performance data events

Unexpected application exit (crash)

Unexpected application exits and the state of the application when that happens.

Kernel extension statistics

The following fields are collected:

Field    Description
The following properties are aggregated numerical values, representing the count of events that happened since kernel extension startup:
pkt_ack_timeout
pkt_ack_conn_timeout
ipc.ack_pkts
ipc.nack_pkts
ipc.send.ack_no_conn
ipc.send.nack_no_conn
ipc.send.ack_no_qsq
ipc.send.nack_no_qsq
ipc.ack.no_space
ipc.ack.timeout
ipc.ack.ackd_fast
ipc.ack.ackd
ipc.recv.bad_pkt_len
ipc.recv.bad_reply_len
ipc.recv.no_waiter
ipc.recv.copy_failed
ipc.kauth.vnode.mask
ipc.kauth.vnode.read
ipc.kauth.vnode.write
ipc.kauth.vnode.exec
ipc.kauth.vnode.del
ipc.kauth.vnode.read_attr
ipc.kauth.vnode.write_attr
ipc.kauth.vnode.read_ex_attr
ipc.kauth.vnode.write_ex_attr
ipc.kauth.vnode.read_sec
ipc.kauth.vnode.write_sec
ipc.kauth.vnode.take_own
ipc.kauth.vnode.link
ipc.kauth.vnode.create
ipc.kauth.vnode.move
ipc.kauth.vnode.mount
ipc.kauth.vnode.denied
ipc.kauth.vnode.ackd_before_deadline
ipc.kauth.vnode.missed_deadline
ipc.kauth.file_op.mask
ipc.kauth_file_op.open
ipc.kauth.file_op.close
ipc.kauth.file_op.close_modified
ipc.kauth.file_op.move
ipc.kauth.file_op.link
ipc.kauth.file_op.exec
ipc.kauth.file_op.remove
ipc.kauth.file_op.unmount
ipc.kauth.file_op.fork
ipc.kauth.file_op.create

Resources