Privacy for Microsoft Defender for Endpoint on Linux

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when you're using Defender for Endpoint on Linux.

This topic describes the privacy controls available within the product, how to manage these controls with policy settings, and more details on the data events that are collected.

Overview of privacy controls in Microsoft Defender for Endpoint on Linux

This section describes the privacy controls for the different types of data collected by Defender for Endpoint on Linux.

Diagnostic data

Diagnostic data is used to keep Defender for Endpoint secure and up-to-date, to detect, diagnose and fix problems, and to make product improvements.

Some diagnostic data is required, while some diagnostic data is optional. We give you the ability to choose whether to send us required or optional diagnostic data through the use of privacy controls, such as policy settings for organizations.

There are two levels of diagnostic data for Defender for Endpoint client software that you can choose from:

  • Required: The minimum data necessary to help keep Defender for Endpoint secure, up-to-date, and performing as expected on the device it's installed on.

  • Optional: Additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and remediate issues.

By default, only required diagnostic data is sent to Microsoft.

Cloud delivered protection data

Cloud delivered protection is used to provide increased and faster protection with access to the latest protection data in the cloud.

Enabling the cloud-delivered protection service is optional; however, it is highly recommended because it provides important protection against malware on your endpoints and across your network.

Sample data

Sample data is used to improve the protection capabilities of the product by sending Microsoft suspicious samples so they can be analyzed. Enabling automatic sample submission is optional.

There are three levels for controlling sample submission:

  • None: no suspicious samples are submitted to Microsoft.
  • Safe: only suspicious samples that do not contain personally identifiable information (PII) are submitted automatically. This is the default value for this setting.
  • All: all suspicious samples are submitted to Microsoft.

Manage privacy controls with policy settings

If you're an IT administrator, you might want to configure these controls at the enterprise level.

The privacy controls for the various types of data described in the preceding section are described in detail in Set preferences for Defender for Endpoint on Linux.

As with any new policy settings, you should carefully test them in a limited, controlled environment to ensure that the settings you configure have the desired effect before you implement the policy settings more widely in your organization.

Diagnostic data events

This section describes what is considered required diagnostic data and what is considered optional diagnostic data, along with a description of the events and fields that are collected.

Data fields that are common for all events

There is some information about events that is common to all events, regardless of category or data subtype.

The following fields are considered common for all events:

Field | Description
platform | The broad classification of the platform on which the app is running. Allows Microsoft to identify on which platforms an issue may be occurring so that it can correctly be prioritized.
machine_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted.
sense_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted.
org_id | Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted.
hostname | Local device name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted.
product_guid | Unique identifier of the product. Allows Microsoft to differentiate issues impacting different flavors of the product.
app_version | Version of the Defender for Endpoint on Linux application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.
sig_version | Version of the security intelligence database. Allows Microsoft to identify which versions of the security intelligence are showing an issue so that it can correctly be prioritized.
supported_compressions | List of compression algorithms supported by the application, for example ['gzip']. Allows Microsoft to understand what types of compression can be used when it communicates with the application.
release_ring | Ring that the device is associated with (for example Insider Fast, Insider Slow, Production). Allows Microsoft to identify on which release ring an issue may be occurring so that it can correctly be prioritized.

Required diagnostic data

Required diagnostic data is the minimum data necessary to help keep Defender for Endpoint secure, up-to-date, and performing as expected on the device it's installed on.

Required diagnostic data helps to identify problems with Microsoft Defender for Endpoint that may be related to a device or software configuration. For example, it can help determine if a Defender for Endpoint feature crashes more frequently on a particular operating system version, with newly introduced features, or when certain Defender for Endpoint features are disabled. Required diagnostic data helps Microsoft detect, diagnose, and fix these problems more quickly so the impact to users or organizations is reduced.

Software setup and inventory data events

Microsoft Defender for Endpoint installation / uninstallation

The following fields are collected:

Field | Description
correlation_id | Unique identifier associated with the installation.
version | Version of the package.
severity | Severity of the message (for example Informational).
code | Code that describes the operation.
text | Additional information associated with the product installation.

Microsoft Defender for Endpoint configuration

The following fields are collected:

Field | Description
antivirus_engine.enable_real_time_protection | Whether real-time protection is enabled on the device or not.
antivirus_engine.passive_mode | Whether passive mode is enabled on the device or not.
cloud_service.enabled | Whether cloud delivered protection is enabled on the device or not.
cloud_service.timeout | Time-out when the application communicates with the Defender for Endpoint cloud.
cloud_service.heartbeat_interval | Interval between consecutive heartbeats sent by the product to the cloud.
cloud_service.service_uri | URI used to communicate with the cloud.
cloud_service.diagnostic_level | Diagnostic level of the device (required, optional).
cloud_service.automatic_sample_submission | Automatic sample submission level of the device (none, safe, all).
cloud_service.automatic_definition_update_enabled | Whether automatic definition update is turned on or not.
edr.early_preview | Whether the device should run EDR early preview features.
edr.group_id | Group identifier used by the detection and response component.
edr.tags | User-defined tags.
features.[optional feature name] | List of preview features, along with whether they are enabled or not.
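The diagnostic level, the sample submission level and the exclusion list above are exactly the settings an administrator is told to test before rolling a policy out more widely. The following added example (not Microsoft's code) audits a configuration event against an organization's privacy policy, using the dotted field names from this table and the level names defined in the overview section (required/optional; none/safe/all). The two events are constructed samples, and the policy values and forbidden exclusion prefixes are assumptions for a hypothetical organization.

```python
"""Audit a Defender for Endpoint on Linux configuration event against a
privacy policy.

Added example, not Microsoft's code. The events below are constructed
samples that reuse the field names from the configuration table above;
the policy values and the forbidden exclusion prefixes are assumptions
for a hypothetical organization.
"""
import json

# Levels defined on this page, ordered by how much data leaves the device.
DIAGNOSTIC_LEVELS = ["required", "optional"]
SAMPLE_SUBMISSION_LEVELS = ["none", "safe", "all"]

# Hypothetical organization policy (assumption, not a Microsoft default).
POLICY = {
    "max_diagnostic_level": "required",
    "max_sample_submission": "safe",
    "require_cloud_protection": True,
    "require_real_time_protection": True,
    # Exclusions under these prefixes would keep user data out of scanning.
    "forbidden_exclusion_prefixes": ["/home/", "/root/"],
}

# Constructed sample events using the dotted field names from the tables above.
NONCOMPLIANT_EVENT = json.dumps({
    "platform": "linux",
    "cloud_service.enabled": True,
    "cloud_service.diagnostic_level": "optional",
    "cloud_service.automatic_sample_submission": "all",
    "antivirus_engine.enable_real_time_protection": True,
    "antivirus_engine.passive_mode": False,
    "antivirus_engine.exclusions[].path": ["/var/lib/docker", "/home/alice/private"],
})

COMPLIANT_EVENT = json.dumps({
    "platform": "linux",
    "cloud_service.enabled": True,
    "cloud_service.diagnostic_level": "required",
    "cloud_service.automatic_sample_submission": "safe",
    "antivirus_engine.enable_real_time_protection": True,
    "antivirus_engine.passive_mode": False,
    "antivirus_engine.exclusions[].path": ["/var/lib/docker"],
})


def level_exceeds(value, maximum, order):
    """True when `value` sits above `maximum` in `order`.

    A value that is not one of the documented levels is treated as exceeding
    the maximum, so an unknown or mistyped level never silently passes.
    """
    if value not in order or maximum not in order:
        return True
    return order.index(value) > order.index(maximum)


def audit_event(raw_event, policy=POLICY):
    """Return a list of findings; an empty list means the event is compliant."""
    event = json.loads(raw_event)
    findings = []

    diag = str(event.get("cloud_service.diagnostic_level", "")).lower()
    if level_exceeds(diag, policy["max_diagnostic_level"], DIAGNOSTIC_LEVELS):
        findings.append(
            f"diagnostic_level is '{diag}'; policy allows at most '{policy['max_diagnostic_level']}'"
        )

    sample = str(event.get("cloud_service.automatic_sample_submission", "")).lower()
    if level_exceeds(sample, policy["max_sample_submission"], SAMPLE_SUBMISSION_LEVELS):
        findings.append(
            f"automatic_sample_submission is '{sample}'; policy allows at most '{policy['max_sample_submission']}'"
        )

    if policy["require_cloud_protection"] and not event.get("cloud_service.enabled", False):
        findings.append("cloud delivered protection is disabled")

    if policy["require_real_time_protection"] and not event.get(
        "antivirus_engine.enable_real_time_protection", False
    ):
        findings.append("real-time protection is disabled")

    # Exclusions are optional diagnostic data, but they also shape what the
    # product never looks at, so review them alongside the privacy levels.
    for path in event.get("antivirus_engine.exclusions[].path", []):
        if any(path.startswith(prefix) for prefix in policy["forbidden_exclusion_prefixes"]):
            findings.append(f"exclusion '{path}' removes user data from scanning")

    return findings


if __name__ == "__main__":
    for name, raw in (("noncompliant", NONCOMPLIANT_EVENT), ("compliant", COMPLIANT_EVENT)):
        result = audit_event(raw)
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

Run it over exported configuration events from a pilot group before widening the policy; every finding names the field and the level the policy allows, so the gap between the intended and the effective privacy setting is visible on a per-device basis.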

Product and service usage data events

Security intelligence update report

The following fields are collected:

Field | Description
from_version | Original security intelligence version.
to_version | New security intelligence version.
status | Status of the update indicating success or failure.
using_proxy | Whether the update was done over a proxy.
error | Error code if the update failed.
reason | Error message if the update failed.

Product and service performance data events

Kernel extension statistics

The following fields are collected:

Field | Description
version | Version of Defender for Endpoint on Linux.
instance_id | Unique identifier generated on kernel extension startup.
trace_level | Trace level of the kernel extension.
subsystem | The underlying subsystem used for real-time protection.
ipc.connects | Number of connection requests received by the kernel extension.
ipc.rejects | Number of connection requests rejected by the kernel extension.
ipc.connected | Whether there is any active connection to the kernel extension.

Support data

Diagnostic logs

Diagnostic logs are collected only with the consent of the user, as part of the feedback submission feature. The following files are collected as part of the support logs:

  • All files under /var/log/microsoft/mdatp
  • Subset of files under /etc/opt/microsoft/mdatp that are created and used by Defender for Endpoint on Linux
  • Product installation and uninstallation logs under /var/log/microsoft_mdatp_*.log

Optional diagnostic data

Optional diagnostic data is additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and fix issues.

If you choose to send us optional diagnostic data, required diagnostic data is also included.

Examples of optional diagnostic data include data Microsoft collects about product configuration (for example, the number of exclusions set on the device) and product performance (aggregate measures about the performance of components of the product).

Software setup and inventory data events

Microsoft Defender for Endpoint configuration

The following fields are collected:

Field | Description
connection_retry_timeout | Connection retry time-out when communicating with the cloud.
file_hash_cache_maximum | Size of the product cache.
crash_upload_daily_limit | Limit of crash logs uploaded daily.
antivirus_engine.exclusions[].is_directory | Whether the exclusion from scanning is a directory or not.
antivirus_engine.exclusions[].path | Path that was excluded from scanning.
antivirus_engine.exclusions[].extension | Extension excluded from scanning.
antivirus_engine.exclusions[].name | Name of the file excluded from scanning.
antivirus_engine.scan_cache_maximum | Size of the product cache.
antivirus_engine.maximum_scan_threads | Maximum number of threads used for scanning.
antivirus_engine.threat_restoration_exclusion_time | Time-out before a file restored from the quarantine can be detected again.
antivirus_engine.threat_type_settings | Configuration for how different threat types are handled by the product.
filesystem_scanner.full_scan_directory | Full scan directory.
filesystem_scanner.quick_scan_directories | List of directories used in quick scan.
edr.latency_mode | Latency mode used by the detection and response component.
edr.proxy_address | Proxy address used by the detection and response component.

Microsoft Auto-Update configuration

The following fields are collected:

Field | Description
how_to_check | Determines how product updates are checked (for example automatic or manual).
channel_name | Update channel associated with the device.
manifest_server | Server used for downloading updates.
update_cache | Location of the cache used to store updates.

Product and service usage

Diagnostic log upload started report

The following fields are collected:

Field | Description
sha256 | SHA256 identifier of the support log.
size | Size of the support log.
original_path | Path to the support log (always under /var/opt/microsoft/mdatp/wdavdiag/).
format | Format of the support log.

Diagnostic log upload completed report

The following fields are collected:

Field | Description
request_id | Correlation ID for the support log upload request.
sha256 | SHA256 identifier of the support log.
blob_sas_uri | URI used by the application to upload the support log.

Product and service performance data events

Unexpected application exit (crash)

Unexpected application exits and the state of the application when that happens.

Kernel extension statistics

The following fields are collected:

The following properties are aggregated numerical values, representing the count of events that happened since kernel extension startup:

  • pkt_ack_timeout
  • pkt_ack_conn_timeout
  • ipc.ack_pkts
  • ipc.nack_pkts
  • ipc.send.ack_no_conn
  • ipc.send.nack_no_conn
  • ipc.send.ack_no_qsq
  • ipc.send.nack_no_qsq
  • ipc.ack.no_space
  • ipc.ack.timeout
  • ipc.ack.ackd_fast
  • ipc.ack.ackd
  • ipc.recv.bad_pkt_len
  • ipc.recv.bad_reply_len
  • ipc.recv.no_waiter
  • ipc.recv.copy_failed
  • ipc.kauth.vnode.mask
  • ipc.kauth.vnode.read
  • ipc.kauth.vnode.write
  • ipc.kauth.vnode.exec
  • ipc.kauth.vnode.del
  • ipc.kauth.vnode.read_attr
  • ipc.kauth.vnode.write_attr
  • ipc.kauth.vnode.read_ex_attr
  • ipc.kauth.vnode.write_ex_attr
  • ipc.kauth.vnode.read_sec
  • ipc.kauth.vnode.write_sec
  • ipc.kauth.vnode.take_own
  • ipc.kauth.vnode.link
  • ipc.kauth.vnode.create
  • ipc.kauth.vnode.move
  • ipc.kauth.vnode.mount
  • ipc.kauth.vnode.denied
  • ipc.kauth.vnode.ackd_before_deadline
  • ipc.kauth.vnode.missed_deadline
  • ipc.kauth.file_op.mask
  • ipc.kauth_file_op.open
  • ipc.kauth.file_op.close
  • ipc.kauth.file_op.close_modified
  • ipc.kauth.file_op.move
  • ipc.kauth.file_op.link
  • ipc.kauth.file_op.exec
  • ipc.kauth.file_op.remove
  • ipc.kauth.file_op.unmount
  • ipc.kauth.file_op.fork
  • ipc.kauth.file_op.create

Resources