Set preferences for Microsoft Defender for Endpoint on Linux


Important

This topic contains instructions for how to set preferences for Defender for Endpoint on Linux in enterprise environments. If you are interested in configuring the product on a device from the command line, see Resources.

In enterprise environments, Defender for Endpoint on Linux can be managed through a configuration profile. This profile is deployed from the management tool of your choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise are not able to change preferences that are set through this configuration profile.

This article describes the structure of this profile (including a recommended profile that you can use to get started) and gives instructions on how to deploy the profile.

Configuration profile structure

The configuration profile is a .json file that consists of entries identified by a key (which denotes the name of the preference), followed by a value, which depends on the nature of the preference. Values can be simple, such as a numerical value, or complex, such as a nested list of preferences.

Typically, you would use a configuration management tool to push a file with the name mdatp_managed.json to the location /etc/opt/microsoft/mdatp/managed/.

The top level of the configuration profile includes product-wide preferences and entries for subareas of the product, which are explained in more detail in the next sections.

Antivirus engine preferences

The antivirusEngine section of the configuration profile is used to manage the preferences of the antivirus component of the product.

Key: antivirusEngine
Data type: Dictionary (nested preference)
Comments: See the following sections for a description of the dictionary contents.

Enable / disable real-time protection

Determines whether real-time protection (scanning files as they are accessed) is enabled or not.

Key: enableRealTimeProtection
Data type: Boolean
Possible values: true (default), false

Enable / disable passive mode

Determines whether the antivirus engine runs in passive mode or not. In passive mode:

  • Real-time protection is turned off.
  • On-demand scanning is turned on.
  • Automatic threat remediation is turned off.
  • Security intelligence updates are turned on.
  • Status menu icon is hidden.

Key: passiveMode
Data type: Boolean
Possible values: false (default), true
Comments: Available in Defender for Endpoint version 100.67.60 or higher.

Exclusion merge policy

Specifies the merge policy for exclusions. It can be a combination of administrator-defined and user-defined exclusions (merge) or only administrator-defined exclusions (admin_only). This setting can be used to restrict local users from defining their own exclusions.

Key: exclusionsMergePolicy
Data type: String
Possible values: merge (default), admin_only
Comments: Available in Defender for Endpoint version 100.83.73 or higher.

Scan exclusions

Entities that have been excluded from the scan. Exclusions can be specified by full paths, extensions, or file names. (Exclusions are specified as an array of items; the administrator can specify as many elements as necessary, in any order.)

Key: exclusions
Data type: Dictionary (nested preference)
Comments: See the following sections for a description of the dictionary contents.

Type of exclusion

Specifies the type of content excluded from the scan.

Key: $type
Data type: String
Possible values: excludedPath, excludedFileExtension, excludedFileName

Path to excluded content

Used to exclude content from the scan by full file path.

Key: path
Data type: String
Possible values: valid paths
Comments: Applicable only if $type is excludedPath

Path type (file / directory)

Indicates whether the path property refers to a file or a directory.

Key: isDirectory
Data type: Boolean
Possible values: false (default), true
Comments: Applicable only if $type is excludedPath

File extension excluded from the scan

Used to exclude content from the scan by file extension.

Key: extension
Data type: String
Possible values: valid file extensions
Comments: Applicable only if $type is excludedFileExtension

Process excluded from the scan

Specifies a process for which all file activity is excluded from scanning. The process can be specified either by its name (for example, cat) or by its full path (for example, /bin/cat).

Key: name
Data type: String
Possible values: any string
Comments: Applicable only if $type is excludedFileName

Allowed threats

List of threats (identified by their name) that are not blocked by the product and are instead allowed to run.

Key: allowedThreats
Data type: Array of strings

Disallowed threat actions

Restricts the actions that the local user of a device can take when threats are detected. The actions included in this list are not displayed in the user interface.

Key: disallowedThreatActions
Data type: Array of strings
Possible values: allow (restricts users from allowing threats), restore (restricts users from restoring threats from the quarantine)
Comments: Available in Defender for Endpoint version 100.83.73 or higher.

Threat type settings

The threatTypeSettings preference in the antivirus engine is used to control how certain threat types are handled by the product.

Key: threatTypeSettings
Data type: Dictionary (nested preference)
Comments: See the following sections for a description of the dictionary contents.

Threat type

Type of threat for which the behavior is configured.

Key: key
Data type: String
Possible values: potentially_unwanted_application, archive_bomb

Action to take

Action to take when coming across a threat of the type specified in the preceding section. Can be:

  • Audit: The device is not protected against this type of threat, but an entry about the threat is logged.
  • Block: The device is protected against this type of threat and you are notified in the security console.
  • Off: The device is not protected against this type of threat and nothing is logged.

Key: value
Data type: String
Possible values: audit (default), block, off

Threat type settings merge policy

Specifies the merge policy for threat type settings. This can be a combination of administrator-defined and user-defined settings (merge) or only administrator-defined settings (admin_only). This setting can be used to restrict local users from defining their own settings for different threat types.

Key: threatTypeSettingsMergePolicy
Data type: String
Possible values: merge (default), admin_only
Comments: Available in Defender for Endpoint version 100.83.73 or higher.

Antivirus scan history retention (in days)

Specifies the number of days that results are retained in the scan history on the device. Old scan results are removed from the history. Old quarantined files are also removed from the disk.

Key: scanResultsRetentionDays
Data type: String
Possible values: 90 (default). Allowed values are from 1 day to 180 days.
Comments: Available in Defender for Endpoint version 101.04.76 or higher.

Maximum number of items in the antivirus scan history

Specifies the maximum number of entries to keep in the scan history. Entries include all on-demand scans performed in the past and all antivirus detections.

Key: scanHistoryMaximumItems
Data type: String
Possible values: 10000 (default). Allowed values are from 5000 items to 15000 items.
Comments: Available in Defender for Endpoint version 101.04.76 or higher.

Cloud-delivered protection preferences

The cloudService entry in the configuration profile is used to configure the cloud-driven protection feature of the product.

Key: cloudService
Data type: Dictionary (nested preference)
Comments: See the following sections for a description of the dictionary contents.

Enable / disable cloud-delivered protection

Determines whether cloud-delivered protection is enabled on the device or not. To improve the security of your services, we recommend keeping this feature turned on.

Key: enabled
Data type: Boolean
Possible values: true (default), false

Diagnostic collection level

Diagnostic data is used to keep Defender for Endpoint secure and up-to-date, to detect, diagnose and fix problems, and to make product improvements. This setting determines the level of diagnostics sent by the product to Microsoft.

Key: diagnosticLevel
Data type: String
Possible values: optional (default), required

Enable / disable automatic sample submissions

Determines whether suspicious samples (that are likely to contain threats) are sent to Microsoft. There are three levels for controlling sample submission:

  • None: no suspicious samples are submitted to Microsoft.
  • Safe: only suspicious samples that do not contain personally identifiable information (PII) are submitted automatically. This is the default value for this setting.
  • All: all suspicious samples are submitted to Microsoft.

Key: automaticSampleSubmissionConsent
Data type: String
Possible values: none, safe (default), all

Enable / disable automatic security intelligence updates

Determines whether security intelligence updates are installed automatically.

Key: automaticDefinitionUpdateEnabled
Data type: Boolean
Possible values: true (default), false

To get started, we recommend the following configuration profile for your enterprise, which takes advantage of all the protection features that Defender for Endpoint provides.

The following configuration profile will:

  • Enable real-time protection (RTP)
  • Specify how the following threat types are handled:
    • Potentially unwanted applications (PUA) are blocked
    • Archive bombs (files with a high compression rate) are audited to the product logs
  • Enable automatic security intelligence updates
  • Enable cloud-delivered protection
  • Enable automatic sample submission at the safe level

Sample profile

{
   "antivirusEngine":{
      "enableRealTimeProtection":true,
      "threatTypeSettings":[
         {
            "key":"potentially_unwanted_application",
            "value":"block"
         },
         {
            "key":"archive_bomb",
            "value":"audit"
         }
      ]
   },
   "cloudService":{
      "automaticDefinitionUpdateEnabled":true,
      "automaticSampleSubmissionConsent":"safe",
      "enabled":true,
      "proxy":"http://proxy.server:port/"
   }
}

Full configuration profile example

The following configuration profile contains entries for all settings described in this document and can be used for more advanced scenarios where you want more control over the product.

Full profile

{
   "antivirusEngine":{
      "enableRealTimeProtection":true,
      "passiveMode":false,
      "exclusionsMergePolicy":"merge",
      "exclusions":[
         {
            "$type":"excludedPath",
            "isDirectory":false,
            "path":"/var/log/system.log"
         },
         {
            "$type":"excludedPath",
            "isDirectory":true,
            "path":"/run"
         },
         {
            "$type":"excludedPath",
            "isDirectory":true,
            "path":"/home/*/git"
         },
         {
            "$type":"excludedFileExtension",
            "extension":".pdf"
         },
         {
            "$type":"excludedFileName",
            "name":"cat"
         }
      ],
      "allowedThreats":[
         "EICAR-Test-File (not a virus)"
      ],
      "disallowedThreatActions":[
         "allow",
         "restore"
      ],
      "threatTypeSettingsMergePolicy":"merge",
      "threatTypeSettings":[
         {
            "key":"potentially_unwanted_application",
            "value":"block"
         },
         {
            "key":"archive_bomb",
            "value":"audit"
         }
      ]
   },
   "cloudService":{
      "enabled":true,
      "diagnosticLevel":"optional",
      "automaticSampleSubmissionConsent":"safe",
      "automaticDefinitionUpdateEnabled":true,
      "proxy": "http://proxy.server:port/"
   }
}

Configuration profile validation

The configuration profile must be a valid JSON-formatted file. There are a number of tools that can be used to verify this. For example, if you have python installed on your device:

python -m json.tool mdatp_managed.json

If the JSON is well-formed, the above command outputs it back to the terminal and returns an exit code of 0. Otherwise, an error that describes the issue is displayed and the command returns an exit code of 1.
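The json.tool check only proves that the file parses; a misspelled key or an out-of-range value is still well-formed JSON. The following Python, added here as an example and not code from the original page or from the product, lints a profile against the keys, types and allowed values documented in the sections above; the lint_profile function, its helper names and its messages are this example's own.

```python
import json

# Value checks taken from the preference sections above; each returns True when a value is acceptable.
def is_bool(v): return isinstance(v, bool)
def one_of(*opts): return lambda v: v in opts
def list_of(ok): return lambda v: isinstance(v, list) and all(ok(x) for x in v)
def in_range(lo, hi): return lambda v: str(v).isdigit() and lo <= int(v) <= hi  # int or numeric string

# The field each exclusion $type must carry; isDirectory is only meaningful for excludedPath.
EXCLUSION_FIELDS = {"excludedPath": "path", "excludedFileExtension": "extension", "excludedFileName": "name"}

def exclusion_ok(x):
    field = EXCLUSION_FIELDS.get(str(x.get("$type"))) if isinstance(x, dict) else None
    if field is None or not isinstance(x.get(field), str):
        return False
    return "isDirectory" not in x or (x["$type"] == "excludedPath" and is_bool(x["isDirectory"]))

def threat_setting_ok(x):
    return (isinstance(x, dict) and x.get("key") in ("potentially_unwanted_application", "archive_bomb")
            and x.get("value") in ("audit", "block", "off"))

AV_SPEC = {
    "enableRealTimeProtection": is_bool, "passiveMode": is_bool,
    "exclusionsMergePolicy": one_of("merge", "admin_only"), "threatTypeSettingsMergePolicy": one_of("merge", "admin_only"),
    "exclusions": list_of(exclusion_ok), "threatTypeSettings": list_of(threat_setting_ok),
    "allowedThreats": list_of(lambda s: isinstance(s, str)),
    "disallowedThreatActions": list_of(one_of("allow", "restore")),
    "scanResultsRetentionDays": in_range(1, 180), "scanHistoryMaximumItems": in_range(5000, 15000),
}
CLOUD_SPEC = {
    "enabled": is_bool, "automaticDefinitionUpdateEnabled": is_bool,
    "diagnosticLevel": one_of("optional", "required"),
    "automaticSampleSubmissionConsent": one_of("none", "safe", "all"),
    "proxy": lambda v: isinstance(v, str),  # present in the page's sample profiles only
}

def lint_profile(text):
    """Return the problems found in the JSON text of an mdatp_managed.json (an empty list means OK)."""
    try:
        cfg = json.loads(text)
    except ValueError as e:
        return [f"not valid JSON: {e}"]
    problems = []
    for section, spec in (("antivirusEngine", AV_SPEC), ("cloudService", CLOUD_SPEC)):
        body = cfg.get(section, {}) if isinstance(cfg, dict) else None
        if not isinstance(body, dict):
            problems.append(f"{section}: must be a dictionary")
            continue
        for key, val in body.items():
            if key not in spec:  # JSON keys are case-sensitive, so a wrong-case key matches nothing documented
                problems.append(f"{section}.{key}: not a documented preference")
            elif not spec[key](val):
                problems.append(f"{section}.{key}: invalid value {val!r}")
    return problems
```

Run it as `lint_profile(open("/etc/opt/microsoft/mdatp/managed/mdatp_managed.json").read())` and treat any returned message as a reason not to deploy the file.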

Verifying that the mdatp_managed.json file is working as expected

To verify that your /etc/opt/microsoft/mdatp/managed/mdatp_managed.json is working properly, you should see "[managed]" next to these settings:

  • cloud_enabled
  • cloud_automatic_sample_submission_consent
  • passive_mode_enabled
  • real_time_protection_enabled
  • automatic_definition_update_enabled

Note

For the mdatp_managed.json to take effect, no restart of the wdavdaemon is required.

Configuration profile deployment

Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. Defender for Endpoint on Linux reads the managed configuration from the /etc/opt/microsoft/mdatp/managed/mdatp_managed.json file.