Merge branch 'public' into patch-1

CloudAppSecurityDocs/get-started.md

@@ -20,13 +20,15 @@ To set up Defender for Cloud Apps, you must at least be a Security Administrator
 
 Users with admin roles have the same admin permissions across any cloud apps your organization is subscribed to, regardless of where you've assigned the role. For more information, see [Assign admin roles](/microsoft-365/admin/add-users/assign-admin-roles) and [Assigning administrator roles in Microsoft Entra ID](/azure/active-directory/roles/permissions-reference).
 
+
 Microsoft Defender for Cloud Apps is a security tool and therefore doesn't require Microsoft 365 productivity suite licenses. For Microsoft 365 Cloud App Security (Microsoft Defender for Cloud Apps only for Microsoft 365), see [What are the differences between Microsoft Defender for Cloud Apps and Microsoft 365 Cloud App Security?](editions-cloud-app-security-o365.md).
 
 Microsoft Defender for Cloud Apps depends on the following Microsoft Entra ID applications to function properly. Do not disable these applications in Microsoft Entra ID:
 
 - Microsoft Defender for Cloud Apps - APIs
 - Microsoft Defender for Cloud Apps - Customer Experience
 - Microsoft Defender for Cloud Apps - Information Protection
+- Microsoft Defender for Cloud Apps - MIP Server
 
 ## Access Defender for Cloud Apps
 

defender-endpoint/linux-install-manually.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 10/28/2024
+ms.date: 12/02/2024
 ---
 
 # Deploy Microsoft Defender for Endpoint on Linux manually
@@ -495,9 +495,16 @@ Download the onboarding package from Microsoft Defender portal.
 
 The following external package dependencies exist for the mdatp package:
 
-- The mdatp RPM package requires `glibc >= 2.17`, `audit`, `policycoreutils`, `semanage` `selinux-policy-targeted`, `mde-netfilter`
-- For DEBIAN the mdatp package requires `libc6 >= 2.23`, `uuid-runtime`, `auditd`, `mde-netfilter`
-- For Mariner the mdatp package requires `attr`, `audit`, `diffutils`, `libacl`, `libattr`, `libselinux-utils`, `selinux-policy`, `policycoreutils`, `mde-netfilter`
+- The mdatp RPM package requires `glibc >= 2.17`, `policycoreutils`, `selinux-policy-targeted`, `mde-netfilter`
+- For DEBIAN the mdatp package requires `libc6 >= 2.23`, `uuid-runtime`, `mde-netfilter`
+- For Mariner the mdatp package requires `attr`,  `diffutils`, `libacl`, `libattr`, `libselinux-utils`, `selinux-policy`, `policycoreutils`, `mde-netfilter`
+
+> [!NOTE]
+> Starting with version `101.24082.0004`, Defender for Endpoint on Linux no longer supports the `Auditd` event provider. We're transitioning completely to the more efficient eBPF technology.
+> If eBPF is not supported on your machines, or if there are specific requirements to remain on Auditd, and your machines are using Defender for Endpoint on Linux version `101.24072.0001` or lower, the following additional dependency on the auditd package exists for mdatp:
+> - The mdatp RPM package requires `audit`, `semanage`.
+> - For DEBIAN the mdatp package requires `auditd`.
+> - For Mariner the mdatp package requires `audit`.
 
 The mde-netfilter package also has the following package dependencies:
 

defender-endpoint/linux-support-ebpf.md

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: linux
 search.appverid: met150
-ms.date: 10/11/2024
+ms.date: 12/02/2024
 ---
 
 # Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux
@@ -116,7 +116,9 @@ Post reboot, run the following command to check if audit rules were cleared:
 The output of previous command should show no rules or any user added rules. In case where the rules weren't removed, do the following steps to clear the audit rules file:
 
 1. Switch to ebpf mode.
+
 2. Remove the file `/etc/audit/rules.d/mdatp.rules`.
+
 3. Reboot the machine.
 
 ### Troubleshooting and Diagnostics
@@ -131,23 +133,29 @@ uname -a
 
 1. Enabling eBPF on RHEL 8.1 version with SAP might result in kernel panic. To mitigate this issue, you can take one of the following steps:
 
-    - Use a distro version higher than RHEL 8.1.
-    - Switch to AuditD mode if you need to use RHEL 8.1 version.
+   - Use a distro version higher than RHEL 8.1.
+   - Switch to AuditD mode if you need to use RHEL 8.1 version.
 
 2. Using Oracle Linux 8.8 with kernel version **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** might result in kernel panic. To mitigate this issue, you can take one of the following steps:
 
-    - Use a kernel version higher or lower than **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** on Oracle Linux 8.8 if you want to use eBPF as supplementary subsystem provider. The minimum kernel version for Oracle Linux is RHCK 3.10.0 and Oracle Linux UEK is 5.4.
-    - Switch to AuditD mode if you need to use the same kernel version
+   - Use a kernel version higher or lower than **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** on Oracle Linux 8.8 if you want to use eBPF as supplementary subsystem provider. The minimum kernel version for Oracle Linux is RHCK 3.10.0 and Oracle Linux UEK is 5.4.
+   - Switch to AuditD mode if you need to use the same kernel version
 
-```bash
-sudo mdatp config  ebpf-supplementary-event-provider  --value disabled
-```
+      ```bash
+      sudo mdatp config  ebpf-supplementary-event-provider  --value disabled
+      ```
+
+   - The following two sets of data help analyze potential issues and determine the most effective resolution options.
+
+      1. Collect a diagnostic package from the client analyzer tool by using the following instructions: [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md).
 
-The following two sets of data help analyze potential issues and determine the most effective resolution options.
+      2. Collect a debug diagnostic package when Defender for Endpoint is utilizing high resources by using the following instructions: [Microsoft Defender for Endpoint on Linux resources](linux-resources.md#collect-diagnostic-information).
 
-1. Collect a diagnostic package from the client analyzer tool by using the following instructions: [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md).
+3. System hangs on Oracle Linux 7.9 running Defender for Linux when ksplice is used for live kernel patching. 
 
-2. Collect a debug diagnostic package when Defender for Endpoint is utilizing high resources by using the following instructions: [Microsoft Defender for Endpoint on Linux resources](linux-resources.md#collect-diagnostic-information).
+    - Auto-install patching of ksplice simply adds a cron job to the endpoint.
+    - To mitigate the hang issue, you can create a cron job which will first stop the mdatp service, apply ksplice based patching, then start the service.  
+    - As kernel patching is few seconds activity so this will not have major exposure in terms of security.  
 
 #### Troubleshooting performance issues
 

defender-endpoint/linux-support-offline-security-intelligence-update.md

@@ -15,7 +15,7 @@ ms.collection:
 - mde-linux
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 10/11/2024
+ms.date: 12/02/2024
 ---
 
 # Configure Offline Security Intelligence Update for Microsoft Defender for Endpoint on Linux 
@@ -165,7 +165,9 @@ Once hosted, copy the absolute path of the hosted server (up to and not includin
 
 For example, if the script is executed with `downloadFolder=/tmp/wdav-update`, and the HTTP server (`www.example.server.com:8000`) is hosting the `/tmp/wdav-update` path, the corresponding URI is: `www.example.server.com:8000/linux/production/`
 
-Once the Mirror Server is set up, we need to propagate this URL to the Linux endpoints using the Managed Configuration as described in the next section.
+We can also use the absolute path of directory (local / remote mount point) like `/tmp/wdav-update/linux/production`.
+
+Once the Mirror Server is set up, we need to propagate this URL to the Linux endpoints as the `offlineDefinitionUpdateUrl` in the Managed Configuration as described in the next section.
 
 ## Configure the Endpoints
 
@@ -182,17 +184,17 @@ Once the Mirror Server is set up, we need to propagate this URL to the Linux end
         "offlineDefintionUpdateFallbackToCloud":false,
         "offlineDefinitionUpdate": "enabled"
       },
-    "features": {
-    "offlineDefinitionUpdateVerifySig": "enabled"
-    }
+      "features": {
+        "offlineDefinitionUpdateVerifySig": "enabled"
+      }
     }
     ```
 
 | Field Name                                | Values               | Comments                                            |
 |-------------------------------------------|----------------------|-----------------------------------------------------|
 | `automaticDefinitionUpdateEnabled`        | `True` / `False`         | Determines the behavior of Defender for Endpoint attempting to perform updates automatically, is turned on or off respectively. |
 | `definitionUpdatesInterval`               | Numeric              | Time of interval between each automatic update of signatures (in seconds). |
-| `offlineDefinitionUpdateUrl`              | String               | URL value generated as part of the Mirror Server set up. |
+| `offlineDefinitionUpdateUrl`              | String               | URL value generated as part of the Mirror Server set up. This can be either in terms of the remote server URL, or a directory (local / remote mount point). |
 | `offlineDefinitionUpdate`                 | `enabled` / `disabled`   | When set to `enabled`, the offline security intelligence update feature is enabled, and vice versa. |
 | `offlineDefinitionUpdateFallbackToCloud`  | `True` / `False`         | Determine Defender for Endpoint security intelligence update approach when offline Mirror Server fails to serve the update request. If set to true, the update is retried via the Microsoft cloud when offline security intelligence update failed, else vice versa. |
 | `offlineDefinitionUpdateVerifySig`        | `enabled` / `disabled`     | When set to `enabled`, downloaded definitions are verified on the endpoints, else vice versa. |
@@ -287,16 +289,6 @@ offline_definition_update_fallback_to_cloud : false[managed]
   mdatp definitions update
   ```
 
-### Known Issues:
-
-Offline signature update might fail in the following scenario:  
-
-   You enabled the feature, applied the signature updates, then disabled the feature to apply further signature updates from cloud, and subsequently re-enabled the feature for additional signature updates.
-
-Mitigation steps:  
-
-A fix for this issue is planned to release soon. 
-
 ## Useful Links
 
 ### Downloader script

defender-xdr/virus-initiative-criteria.md

@@ -13,37 +13,38 @@ ms.collection:
 - tier2
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 09/12/2024
+ms.date: 12/2/2024
 ---
 
 # Microsoft Virus Initiative
 
 The Microsoft Virus Initiative (MVI) helps organizations improve the security solutions our customers rely on to keep them safe. We provide tools, resources, and knowledge to support better-together experiences with great performance, reliability, and compatibility.
 
-Microsoft collaborates with MVI partners to define and follow Safe Deployment Practices (SDP) to support the safety and resiliency of our mutual customers. In addition, Microsoft engages MVI partners in the development of new platform capabilities to create highly available security solutions building on the foundational security features in Windows 11.
+Microsoft collaborates with MVI partners to define and follow Safe Deployment Practices (SDP) to support the safety and resiliency of our mutual customers. Microsoft also engages MVI partners in the development of new platform capabilities to create highly available security solutions building on the foundational security features in Windows 11.
 
 ## Become a member
 
 You can request membership if you're a representative of an organization that develops antimalware technology. Not all applicants are accepted into the program.
+
 To be considered for the MVI program, your organization must meet all the following requirements:
 
 1. Your commercially available security solution must provide real-time protection that detects, prevents, and remediates malicious software.
 2. Your organization is responsible for both developing and distributing updates to end-customers that address compatibility with Windows.
-3. Your organization must be active in the antimalware industry and have a positive reputation, as evidenced by participation in industry conferences, membership in industry organizations, or being reviewed in industry-standard reports such as AV-Comparatives, OPSWAT, or Gartner.
-4. Your organization must sign a non-disclosure agreement (NDA) with Microsoft.
+3. Your organization must be active in the antimalware industry with a positive reputation, shown by participation in industry conferences, membership in industry organizations, or reviews in reports like AV-Comparatives, OPSWAT, or Gartner.
+4. Your organization must sign a non-disclosure agreement with Microsoft.
 5. Your organization must sign a program license agreement. 
 6. Your organization must be active in the program and meet all program requirements.
 7. Your security solution must meet all program requirements, which requires use of [Trusted Signing](/azure/trusted-signing).
-8. Your security solution must have been certified within the last 12 months through independent testing by at least one of the organizations listed below. Yearly certification must be maintained.
-
-|Test Provider|Lab Test Type|Minimum Level / Score|
-|---|---|---|
-|[AV-Comparatives](https://www.av-comparatives.org/testmethod/real-world-protection-tests)|Real-World Protection Test.|Approved rating|
-|[AV-Test](https://www.av-test.org/en/about-the-institute/certification)|Must pass tests for Windows. Certifications for Mac and Linux aren't accepted.|- AV-TEST Certified (home)<br/>- AV-TEST Approved (corporate)|
-|[SKD Labs](http://www.skdlabs.com)|Certification Requirements Product: Anti-virus or Antimalware.|Score >= 98.5% with On Demand, On Access and Total Detection tests|
-|[VB 100](https://www.virusbulletin.com/testing/vb100/vb100-methodology/vb100-methodology-ver1-1)|VB100 Certification Test V1.1|VB100 Certification|
-|[West Coast Labs](https://www.westcoastlabs.com/wclvalid)|West Coast Labs Verified|Product rating of A or higher with both Malware Detection and Malware Remediation|
-|[SE Labs](https://selabs.uk/en/reports/)|Protection, Small Business, or Enterprise EP Protection Test.|- Protection A rating <br/>- Small Business EP A rating<br/>- Enterprise EP Protection A rating |
+8. Your security solution must be certified within the last 12 months by at least one of the organizations listed below through independent testing. Yearly certification must be maintained.
+
+|Test Provider|Lab Test Type|Minimum Level/Score|
+| -------- | -------- | -------- |
+|[AV-Comparatives](https://www.av-comparatives.org/testmethod/real-world-protection-tests)|Real-World Protection Test or Malware Protection Test|Certified/Approved/Standard|
+|[AV-Test](https://www.av-test.org/en/about-the-institute/certification)|Real-World Protection Test for MVI, AV-Test |97% (Real-World Protection test for MVI)/Certified (AV-Test Home)/ Approved (AV-Test Enterprise)|
+|[SE Labs](https://selabs.uk/en/reports/)|Endpoint Security (EPS) or Enterprise Advanced Security (EAS)|AAA|
+|[SKD Labs](https://www.skdlabs.com/html/english/)|Starcheck Anti-malware Real-time protection and cleaning|Starcheck Certified|
+|[VB 100](https://www.virusbulletin.com/testing/vb100/vb100-methodology/vb100-methodology-ver1-1)|VB100|Detection rate of 95% with Grade C or higher|
+|[West Coast Labs](https://www.westcoastlabs.com/wclvalid)|WCL Validated for Malware Detection and Malware Remediation technologies|Product Rating A|
 
 ## Apply now