Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux


Verify if installation succeeded

An error during installation may or may not result in a meaningful error message from the package manager. To verify whether the installation succeeded, obtain and check the installation logs using:

    sudo journalctl --no-pager | grep 'microsoft-mdatp' > installation.log
    grep 'postinstall end' installation.log
    microsoft-mdatp-installer[102243]: postinstall end [2020-03-26 07:04:43 +0000] 102216

Output from the previous command showing the correct date and time of installation indicates success.

Also check the client configuration to verify the health of the product and that it detects the EICAR text file.

Make sure you have the correct package

Make sure that the package you are installing matches the host distribution and version.

    Package                          Distribution
    mdatp-rhel8.Linux.x86_64.rpm     Oracle, RHEL and CentOS 8.x
    mdatp-sles12.Linux.x86_64.rpm    SuSE Linux Enterprise Server 12.x
    mdatp-sles15.Linux.x86_64.rpm    SuSE Linux Enterprise Server 15.x
    mdatp.Linux.x86_64.rpm           Oracle, RHEL and CentOS 7.x
    mdatp.Linux.x86_64.deb           Debian and Ubuntu 16.04, 18.04 and 20.04

For manual deployment, make sure the correct distro and version have been chosen.
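As an added example (not code from the Microsoft page), the following POSIX shell script turns the two checks above into functions: one reads a saved journal excerpt and reports whether the installer's "postinstall end" line is present, printing its timestamp; the other maps an os-release file to the package name from the table above. The journal lines and os-release files are constructed samples, and the os-release IDs used (rhel, centos, ol, sles, debian, ubuntu) are assumed from the values those distributions normally publish.

```shell
#!/bin/sh
# Added example, not Microsoft's code. Offline checks that encode the page's
# verification steps: (1) did the installer's postinstall phase finish, and
# (2) which package matches the host's /etc/os-release.

# postinstall_succeeded <journal-excerpt>: return 0 and print the timestamp
# of the last "postinstall end" line written by microsoft-mdatp-installer.
postinstall_succeeded() {
    line=$(grep 'microsoft-mdatp-installer' "$1" | grep 'postinstall end' | tail -n 1)
    [ -n "$line" ] || return 1
    # The timestamp sits between the brackets that follow "postinstall end".
    printf '%s\n' "$line" | sed -n 's/.*postinstall end \[\([^]]*\)\].*/\1/p'
}

# expected_package <os-release-file>: print the package from the table above
# for this distro/version, or return 1 when the distro/version is not listed.
# Assumed os-release IDs: rhel, centos, ol (Oracle Linux), sles, debian, ubuntu.
expected_package() {
    id=$(sed -n 's/^ID="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1")
    ver=$(sed -n 's/^VERSION_ID="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1")
    major=${ver%%.*}
    case "$id" in
        rhel|centos|ol)
            case "$major" in
                7) echo mdatp.Linux.x86_64.rpm ;;
                8) echo mdatp-rhel8.Linux.x86_64.rpm ;;
                *) return 1 ;;
            esac ;;
        sles)
            case "$major" in
                12) echo mdatp-sles12.Linux.x86_64.rpm ;;
                15) echo mdatp-sles15.Linux.x86_64.rpm ;;
                *) return 1 ;;
            esac ;;
        debian) echo mdatp.Linux.x86_64.deb ;;
        ubuntu)
            case "$ver" in
                16.04|18.04|20.04) echo mdatp.Linux.x86_64.deb ;;
                *) return 1 ;;
            esac ;;
        *) return 1 ;;
    esac
}

# Constructed sample inputs (not real system output) so the script runs offline.
tmp=$(mktemp -d)
cat > "$tmp/installation.log" <<'EOF'
Mar 26 07:04:01 host microsoft-mdatp-installer[102243]: postinstall begin
Mar 26 07:04:43 host microsoft-mdatp-installer[102243]: postinstall end [2020-03-26 07:04:43 +0000] 102216
EOF
cat > "$tmp/os-release" <<'EOF'
NAME="Ubuntu"
ID=ubuntu
VERSION_ID="20.04"
EOF

if ts=$(postinstall_succeeded "$tmp/installation.log"); then
    echo "postinstall completed at $ts"
else
    echo "no 'postinstall end' line found: the installation did not finish" >&2
fi
echo "expected package for this host: $(expected_package "$tmp/os-release")"
```

To use it on a real host, replace the sample paths with the installation.log produced by the journalctl command above and with /etc/os-release; a non-zero return from expected_package means the distro or version is outside the table, which is the mismatch the section warns about.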

Installation failed

Check if the mdatp service is running:

    systemctl status mdatp
    ● mdatp.service - Microsoft Defender for Endpoint
       Loaded: loaded (/lib/systemd/system/mdatp.service; enabled; vendor preset: enabled)
       Active: active (running) since Thu 2020-03-26 10:37:30 IST; 23h ago
     Main PID: 1966 (wdavdaemon)
        Tasks: 105 (limit: 4915)
       CGroup: /system.slice/mdatp.service
               ├─1966 /opt/microsoft/mdatp/sbin/wdavdaemon
               ├─1967 /opt/microsoft/mdatp/sbin/wdavdaemon
               └─1968 /opt/microsoft/mdatp/sbin/wdavdaemon

Steps to troubleshoot if the mdatp service isn't running

  1. Check if the "mdatp" user exists:

    id "mdatp"

    If there's no output, run:

    sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp

  2. Try enabling and restarting the service using:

    sudo systemctl enable mdatp

    sudo systemctl restart mdatp

  3. If mdatp.service isn't found when running the previous command, run:

    sudo cp /opt/microsoft/mdatp/conf/mdatp.service <systemd_path>

    where <systemd_path> is /lib/systemd/system for Ubuntu and Debian distributions and /usr/lib/systemd/system for RHEL, CentOS, Oracle and SLES. Then rerun step 2.

  4. If the above steps don't work, check whether SELinux is installed and in enforcing mode. If so, try setting it to permissive (preferably) or disabled mode. Do this by setting the SELINUX parameter to "permissive" or "disabled" in the /etc/selinux/config file, then reboot. See the selinux man page for details. Now try restarting the mdatp service using step 2. For security reasons, revert the configuration change immediately after the test and reboot again.

  5. If the /opt directory is a symbolic link, create a bind mount for /opt/microsoft.

  6. Ensure that the daemon has executable permission:

    ls -l /opt/microsoft/mdatp/sbin/wdavdaemon

    -rwxr-xr-x 2 root root 15502160 Mar  3 04:47 /opt/microsoft/mdatp/sbin/wdavdaemon

    If the daemon doesn't have executable permissions, make it executable using:

    sudo chmod 0755 /opt/microsoft/mdatp/sbin/wdavdaemon

    and retry step 2.

  7. Ensure that the file system containing wdavdaemon isn't mounted with "noexec".
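The checks in steps 1 to 7 above, written as an added example (not Microsoft's code) in POSIX shell. Each check is a function that takes explicit paths or names, so it can be exercised against a scratch directory before being pointed at the real host; the host-wide run is gated behind the MDATP_PREFLIGHT variable so that sourcing the file has no side effects. It assumes a Linux host with coreutils, id(1) and findmnt(8) from util-linux, and the os-release IDs rhel, centos, ol (Oracle Linux), sles, debian and ubuntu.

```shell
#!/bin/sh
# Added example, not Microsoft's code: the "service isn't running" checks
# from steps 1 to 7 as functions with explicit inputs. Assumed tools: id(1),
# findmnt(8), getenforce(8) when SELinux is present.

# Step 1: does the service account exist? (0 = yes)
mdatp_user_exists() { id "$1" >/dev/null 2>&1; }

# Step 3: systemd unit directory for an os-release ID (Oracle Linux reports ID=ol).
systemd_unit_dir() {
    case "$1" in
        ubuntu|debian) echo /lib/systemd/system ;;
        rhel|centos|ol|sles) echo /usr/lib/systemd/system ;;
        *) return 1 ;;
    esac
}

# Step 4: current SELinux mode in lower case, or "absent" when getenforce is missing.
selinux_mode() {
    command -v getenforce >/dev/null 2>&1 || { echo absent; return 0; }
    getenforce | tr '[:upper:]' '[:lower:]'
}

# Step 5: the directory must be real, not a symbolic link (0 = real directory).
opt_is_real_dir() { [ -d "$1" ] && [ ! -L "$1" ]; }

# Step 6: the daemon must be a regular, executable file (0 = ok).
daemon_executable() { [ -f "$1" ] && [ -x "$1" ]; }

# Step 7: 0 if the filesystem holding $1 allows exec, 1 if it is mounted
# noexec, 2 if findmnt is unavailable or the path does not exist.
mount_allows_exec() {
    opts=$(findmnt -no OPTIONS -T "$1" 2>/dev/null) || return 2
    case ",$opts," in
        *,noexec,*) return 1 ;;
        *) return 0 ;;
    esac
}

# Filesystem type of the mount holding a path (the same information the
# findmnt -T check for on-access scanning relies on).
filesystem_type() { findmnt -no FSTYPE -T "$1" 2>/dev/null; }

# Run one check and print a one-line verdict; sets FAILED=1 on failure.
check() {
    label=$1; shift
    if "$@"; then echo "PASS: $label"; else echo "FAIL: $label (rc=$?)"; FAILED=1; fi
}

# Whole-host run against the page's real paths.
preflight() {
    daemon=/opt/microsoft/mdatp/sbin/wdavdaemon
    FAILED=0
    check "step 1: mdatp user exists"            mdatp_user_exists mdatp
    check "step 5: /opt is a real directory"     opt_is_real_dir /opt
    check "step 6: daemon is executable"         daemon_executable "$daemon"
    check "step 7: daemon filesystem not noexec" mount_allows_exec "$daemon"
    os_id=$(. /etc/os-release 2>/dev/null && echo "$ID")
    echo "step 3: unit file belongs in $(systemd_unit_dir "$os_id" || echo '<unknown distro>')"
    echo "step 4: SELinux mode is $(selinux_mode)"
    echo "filesystem holding the daemon: $(filesystem_type "$daemon")"
    return "$FAILED"
}

# Host checks run only when requested, so the file can be sourced side-effect free.
if [ "${MDATP_PREFLIGHT:-0}" = 1 ]; then
    preflight
fi
```

Run the host checks with `MDATP_PREFLIGHT=1 sh mdatp_preflight.sh`; a FAIL line names the step whose remedy to apply, and the function's non-zero return makes the script usable from a configuration-management health check.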

If the mdatp service is running but EICAR text file detection doesn't work

  1. Check the file system type using:

    findmnt -T <path_of_EICAR_file>

    The file systems currently supported for on-access activity are listed in the product documentation. Any files outside these file systems won't be scanned.

The command-line tool "mdatp" isn't working

  1. If running the command-line tool mdatp gives the error "command not found", run the following command:

    sudo ln -sf /opt/microsoft/mdatp/sbin/wdavdaemonclient /usr/bin/mdatp

    and try again.

    If none of the above steps help, collect the diagnostic logs:

    sudo mdatp diagnostic create

    Diagnostic file created: <path to file>

    The path to a zip file that contains the logs is displayed as output. Reach out to customer support with these logs.
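An added example (not from the page) for the "command not found" case above: a POSIX shell function that verifies the /usr/bin/mdatp link resolves to the client binary and is not dangling, and a repair function that runs the page's ln -sf command only when the link is missing or wrong. Link and target are parameters so the functions can be tried in a scratch directory first; the real-path run is gated behind the MDATP_FIX_LINK variable. It assumes GNU coreutils readlink -f.

```shell
#!/bin/sh
# Added example, not Microsoft's code. Assumes readlink -f (GNU coreutils).

# mdatp_link_ok <link> <target>: 0 when <link> exists, resolves to <target>,
# and <target> is executable; 1 otherwise (missing, dangling, or wrong target).
mdatp_link_ok() {
    link=$1; target=$2
    [ -e "$link" ] || return 1                       # missing or dangling link
    resolved=$(readlink -f "$link") || return 1
    [ "$resolved" = "$(readlink -f "$target")" ] || return 1
    [ -x "$target" ]                                 # the client itself must run
}

# ensure_mdatp_link <link> <target>: leave a correct link alone, otherwise
# recreate it with the page's ln -sf command. Refuses to link a target that
# is absent or not executable, because then the package itself needs repair.
ensure_mdatp_link() {
    if mdatp_link_ok "$1" "$2"; then
        echo "ok: $1 -> $2"
        return 0
    fi
    if [ ! -x "$2" ]; then
        echo "error: $2 is missing or not executable; reinstall the package" >&2
        return 1
    fi
    ln -sf "$2" "$1" && echo "created: $1 -> $2"
}

# Real-path run only on request (needs root for /usr/bin).
if [ "${MDATP_FIX_LINK:-0}" = 1 ]; then
    ensure_mdatp_link /usr/bin/mdatp /opt/microsoft/mdatp/sbin/wdavdaemonclient
fi
```

Run it as `sudo env MDATP_FIX_LINK=1 sh mdatp_link.sh`; the "error" branch distinguishes a merely missing symlink from a broken installation, which the bare ln -sf would silently paper over with a dangling link.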