From af037f65d7d72410153367652a776ef31e1a967d Mon Sep 17 00:00:00 2001 From: salmankhan-msft <123584351+salmankhan-msft@users.noreply.github.com> Date: Mon, 18 Nov 2024 16:04:18 -0500 Subject: [PATCH 01/19] Learn Editor: Update virus-initiative-criteria.md --- defender-xdr/virus-initiative-criteria.md | 32 +++++++++++------------ 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/defender-xdr/virus-initiative-criteria.md b/defender-xdr/virus-initiative-criteria.md index ac8fe743bc..b8636f604f 100644 --- a/defender-xdr/virus-initiative-criteria.md +++ b/defender-xdr/virus-initiative-criteria.md 
@@ -28,22 +28,22 @@ You can request membership if you're a representative of an organization that de To be considered for the MVI program, your organization must meet all the following requirements: 1. Your commercially available security solution must provide real-time protection that detects, prevents, and remediates malicious software. -2. Your organization is responsible for both developing and distributing updates to end-customers that address compatibility with Windows. -3. Your organization must be active in the antimalware industry and have a positive reputation, as evidenced by participation in industry conferences, membership in industry organizations, or being reviewed in industry-standard reports such as AV-Comparatives, OPSWAT, or Gartner. -4. Your organization must sign a non-disclosure agreement (NDA) with Microsoft. -5. Your organization must sign a program license agreement. -6. Your organization must be active in the program and meet all program requirements. -7. Your security solution must meet all program requirements, which requires use of [Trusted Signing](/azure/trusted-signing). -8. Your security solution must have been certified within the last 12 months through independent testing by at least one of the organizations listed below. Yearly certification must be maintained. - -|Test Provider|Lab Test Type|Minimum Level / Score| -|---|---|---| -|[AV-Comparatives](https://www.av-comparatives.org/testmethod/real-world-protection-tests)|Real-World Protection Test.|Approved rating| -|[AV-Test](https://www.av-test.org/en/about-the-institute/certification)|Must pass tests for Windows. Certifications for Mac and Linux aren't accepted.|- AV-TEST Certified (home)
- AV-TEST Approved (corporate)| -|[SKD Labs](http://www.skdlabs.com)|Certification Requirements Product: Anti-virus or Antimalware.|Score >= 98.5% with On Demand, On Access and Total Detection tests| -|[VB 100](https://www.virusbulletin.com/testing/vb100/vb100-methodology/vb100-methodology-ver1-1)|VB100 Certification Test V1.1|VB100 Certification| -|[West Coast Labs](https://www.westcoastlabs.com/wclvalid)|West Coast Labs Verified|Product rating of A or higher with both Malware Detection and Malware Remediation| -|[SE Labs](https://selabs.uk/en/reports/)|Protection, Small Business, or Enterprise EP Protection Test.|- Protection A rating
- Small Business EP A rating
- Enterprise EP Protection A rating | +1. Your organization is responsible for both developing and distributing updates to end-customers that address compatibility with Windows. +1. Your organization must be active in the antimalware industry and have a positive reputation, as evidenced by participation in industry conferences, membership in industry organizations, or being reviewed in industry-standard reports such as AV-Comparatives, OPSWAT, or Gartner. +1. Your organization must sign a non-disclosure agreement (NDA) with Microsoft. +1. Your organization must sign a program license agreement. +1. Your organization must be active in the program and meet all program requirements. +1. Your security solution must meet all program requirements, which requires use of [Trusted Signing](/azure/trusted-signing). +1. Your security solution must have been certified within the last 12 months through independent testing by at least one of the organizations listed below. Yearly certification must be maintained. 
+ +|Test Provider|Lab Test Type|Minimum Level/Score| +| -------- | -------- | -------- | +|[AV-Comparatives](https://www.av-comparatives.org/testmethod/real-world-protection-tests)|Real-World Protection Test or Malware Protection Test|Certified/Approved/Standard| +|[AV-Test](https://www.av-test.org/en/about-the-institute/certification)|Real-World Protection Test for MVI, AV-Test |97% (Real-World Protection test for MVI)/Certified (AV-Test Home)/ Approved (AV-Test Enterprise)| +|[SE Labs](https://selabs.uk/en/reports/)|Endpoint Security (EPS) or Enterprise Advanced Security (EAS)|AAA| +|[SKD Labs](https://www.skdlabs.com/html/english/)|Starcheck Anti-malware Real-time protection and cleaning|Starcheck Certified| +|[VB 100](https://www.virusbulletin.com/testing/vb100/vb100-methodology/vb100-methodology-ver1-1)|VB100|Detection rate of 95% with Grade C or above| +|[West Coast Labs](https://www.westcoastlabs.com/wclvalid)|WCL Validated for Malware Detection and Malware Remediation technologies|Product Rating A| ## Apply now From 1364b17f6f0834cecc9c9d1c1d6e97442b7fe1c8 Mon Sep 17 00:00:00 2001 From: salmankhan-msft <123584351+salmankhan-msft@users.noreply.github.com> Date: Mon, 18 Nov 2024 18:07:45 -0500 Subject: [PATCH 02/19] Learn Editor: Update virus-initiative-criteria.md --- defender-xdr/virus-initiative-criteria.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-xdr/virus-initiative-criteria.md b/defender-xdr/virus-initiative-criteria.md index b8636f604f..497f523294 100644 --- a/defender-xdr/virus-initiative-criteria.md +++ b/defender-xdr/virus-initiative-criteria.md 
@@ -42,7 +42,7 @@ To be considered for the MVI program, your organization must meet all the follow |[AV-Test](https://www.av-test.org/en/about-the-institute/certification)|Real-World Protection Test for MVI, AV-Test |97% (Real-World Protection test for MVI)/Certified (AV-Test Home)/ Approved (AV-Test Enterprise)| |[SE Labs](https://selabs.uk/en/reports/)|Endpoint Security (EPS) or Enterprise Advanced Security (EAS)|AAA| |[SKD Labs](https://www.skdlabs.com/html/english/)|Starcheck Anti-malware Real-time protection and cleaning|Starcheck Certified| -|[VB 100](https://www.virusbulletin.com/testing/vb100/vb100-methodology/vb100-methodology-ver1-1)|VB100|Detection rate of 95% with Grade C or above| +|[VB 100](https://www.virusbulletin.com/testing/vb100/vb100-methodology/vb100-methodology-ver1-1)|VB100|Detection rate of 95% with Grade C or above| |[West Coast Labs](https://www.westcoastlabs.com/wclvalid)|WCL Validated for Malware Detection and Malware Remediation technologies|Product Rating A| ## Apply now From c01cdaef114a08a9685fe957d33cc84019606215 Mon Sep 17 00:00:00 2001 From: salmankhan-msft <123584351+salmankhan-msft@users.noreply.github.com> Date: Wed, 20 Nov 2024 10:55:37 -0500 Subject: [PATCH 03/19] Learn Editor: Update virus-initiative-criteria.md From 3543c8b9619bc639da4f8af95efdef7d2024b459 Mon Sep 17 00:00:00 2001 From: lakshmyav <108449150+lakshmyav@users.noreply.github.com> Date: Tue, 26 Nov 2024 16:41:42 +0530 Subject: [PATCH 04/19] Learn Editor: Update linux-install-manually.md --- defender-endpoint/linux-install-manually.md | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/defender-endpoint/linux-install-manually.md b/defender-endpoint/linux-install-manually.md index fd405b36ca..a814bdcc84 100644 --- a/defender-endpoint/linux-install-manually.md +++ b/defender-endpoint/linux-install-manually.md 
@@ -495,14 +495,25 @@ Download the onboarding package from Microsoft Defender portal. The following external package dependencies exist for the mdatp package: -- The mdatp RPM package requires `glibc >= 2.17`, `audit`, `policycoreutils`, `semanage` `selinux-policy-targeted`, `mde-netfilter` -- For DEBIAN the mdatp package requires `libc6 >= 2.23`, `uuid-runtime`, `auditd`, `mde-netfilter` -- For Mariner the mdatp package requires `attr`, `audit`, `diffutils`, `libacl`, `libattr`, `libselinux-utils`, `selinux-policy`, `policycoreutils`, `mde-netfilter` +- The mdatp RPM package requires `glibc >= 2.17`, `policycoreutils`, `semanage` `selinux-policy-targeted`, `mde-netfilter` + +- For DEBIAN the mdatp package requires `libc6 >= 2.23`, `uuid-runtime`, `mde-netfilter` + +- For Mariner the mdatp package requires `attr`, `diffutils`, `libacl`, `libattr`, `libselinux-utils`, `selinux-policy`, `policycoreutils`, `mde-netfilter` + +> [!NOTE] +> > If you are using Defender for Endpoint on Linux version `101.24072.000` or lower, and using the `Auditd` event provider, +> The following external package dependencies exist for the mdatp package: +> - The mdatp RPM package requires `audit` +> - For DEBIAN the mdatp package requires `auditd` +> - For Mariner the mdatp package requires `audit` The mde-netfilter package also has the following package dependencies: - For DEBIAN, the mde-netfilter package requires `libnetfilter-queue1`, `libglib2.0-0` + - For RPM, the mde-netfilter package requires `libmnl`, `libnfnetlink`, `libnetfilter_queue`, `glib2` + - For Mariner, the mde-netfilter package requires `libnfnetlink`, `libnetfilter_queue` If the Microsoft Defender for Endpoint installation fails due to missing dependencies errors, you can manually download the prerequisite dependencies. From fc001a34141f6c25dfcc4626bfa996c88b5833da Mon Sep 17 00:00:00 2001 
From: lakshmyav <108449150+lakshmyav@users.noreply.github.com> Date: Tue, 26 Nov 2024 19:07:00 +0530 Subject: [PATCH 05/19] Learn Editor: Update linux-install-manually.md --- defender-endpoint/linux-install-manually.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defender-endpoint/linux-install-manually.md b/defender-endpoint/linux-install-manually.md index a814bdcc84..56ad31d7ce 100644 --- a/defender-endpoint/linux-install-manually.md +++ b/defender-endpoint/linux-install-manually.md @@ -502,8 +502,8 @@ The following external package dependencies exist for the mdatp package: - For Mariner the mdatp package requires `attr`, `diffutils`, `libacl`, `libattr`, `libselinux-utils`, `selinux-policy`, `policycoreutils`, `mde-netfilter` > [!NOTE] -> > If you are using Defender for Endpoint on Linux version `101.24072.000` or lower, and using the `Auditd` event provider, -> The following external package dependencies exist for the mdatp package: +> Starting with version `101.2408.0004`, Defender for Endpoint on Linux no longer supports the `Auditd` event provider. We're transitioning completely to the more efficient eBPF technology. +> If eBPF is not supported on your machines, or if there are specific requirements to remain on Auditd, and your machines are using Defender for Endpoint on Linux version `101.24072.000` or lower, the following additional dependency on the auditd package exists for mdatp: > - The mdatp RPM package requires `audit` > - For DEBIAN the mdatp package requires `auditd` > - For Mariner the mdatp package requires `audit` From c21ee5f0f96f6491c8640095c60bd0a1a9aaaaa2 Mon Sep 17 00:00:00 2001 From: lakshmyav <108449150+lakshmyav@users.noreply.github.com> Date: Wed, 27 Nov 2024 10:17:45 +0530 Subject: [PATCH 06/19] Update linux-install-manually.md --- defender-endpoint/linux-install-manually.md | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) 
diff --git a/defender-endpoint/linux-install-manually.md b/defender-endpoint/linux-install-manually.md index 56ad31d7ce..f74ab08daf 100644 --- a/defender-endpoint/linux-install-manually.md +++ b/defender-endpoint/linux-install-manually.md @@ -496,14 +496,12 @@ Download the onboarding package from Microsoft Defender portal. The following external package dependencies exist for the mdatp package: - The mdatp RPM package requires `glibc >= 2.17`, `policycoreutils`, `semanage` `selinux-policy-targeted`, `mde-netfilter` - - For DEBIAN the mdatp package requires `libc6 >= 2.23`, `uuid-runtime`, `mde-netfilter` - - For Mariner the mdatp package requires `attr`, `diffutils`, `libacl`, `libattr`, `libselinux-utils`, `selinux-policy`, `policycoreutils`, `mde-netfilter` > [!NOTE] -> Starting with version `101.2408.0004`, Defender for Endpoint on Linux no longer supports the `Auditd` event provider. We're transitioning completely to the more efficient eBPF technology. -> If eBPF is not supported on your machines, or if there are specific requirements to remain on Auditd, and your machines are using Defender for Endpoint on Linux version `101.24072.000` or lower, the following additional dependency on the auditd package exists for mdatp: +> Starting with version `101.24082.0004`, Defender for Endpoint on Linux no longer supports the `Auditd` event provider. We're transitioning completely to the more efficient eBPF technology. +> If eBPF is not supported on your machines, or if there are specific requirements to remain on Auditd, and your machines are using Defender for Endpoint on Linux version `101.24072.0001` or lower, the following additional dependency on the auditd package exists for mdatp: > - The mdatp RPM package requires `audit` > - For DEBIAN the mdatp package requires `auditd` > - For Mariner the mdatp package requires `audit` 
@@ -511,9 +509,7 @@ The following external package dependencies exist for the mdatp package: The mde-netfilter package also has the following package dependencies: - For DEBIAN, the mde-netfilter package requires `libnetfilter-queue1`, `libglib2.0-0` - - For RPM, the mde-netfilter package requires `libmnl`, `libnfnetlink`, `libnetfilter_queue`, `glib2` - - For Mariner, the mde-netfilter package requires `libnfnetlink`, `libnetfilter_queue` If the Microsoft Defender for Endpoint installation fails due to missing dependencies errors, you can manually download the prerequisite dependencies. From a3fac00962c0b93307cdf069aafd811eeb5bd4e2 Mon Sep 17 00:00:00 2001 From: lakshmyav <108449150+lakshmyav@users.noreply.github.com> Date: Wed, 27 Nov 2024 10:20:20 +0530 Subject: [PATCH 07/19] Update linux-whatsnew.md --- defender-endpoint/linux-whatsnew.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/defender-endpoint/linux-whatsnew.md b/defender-endpoint/linux-whatsnew.md index 946b064c39..536230df39 100644 --- a/defender-endpoint/linux-whatsnew.md +++ b/defender-endpoint/linux-whatsnew.md 
@@ -29,11 +29,11 @@ This article is updated frequently to let you know what's new in the latest rele - [What's new in Defender for Endpoint on iOS](ios-whatsnew.md) > [!IMPORTANT] -> Starting with version `101.2408.0004`, Defender for Endpoint on Linux no longer supports the `Auditd` event provider. We're transitioning completely to the more efficient eBPF technology. This change allows for better performance, reduced resource consumption, and overall improved stability. eBPF support has been available since August 2023, and is fully integrated into all updates of Defender for Endpoint on Linux (version `101.23082.0006` and later). We strongly encourage you to adopt the eBPF build, as it provides significant enhancements over Auditd. If eBPF is not supported on your machines, or if there are specific requirements to remain on Auditd, you have the following options: +> Starting with version `101.24082.0004`, Defender for Endpoint on Linux no longer supports the `Auditd` event provider. We're transitioning completely to the more efficient eBPF technology. This change allows for better performance, reduced resource consumption, and overall improved stability. eBPF support has been available since August 2023, and is fully integrated into all updates of Defender for Endpoint on Linux (version `101.23082.0006` and later). We strongly encourage you to adopt the eBPF build, as it provides significant enhancements over Auditd. If eBPF is not supported on your machines, or if there are specific requirements to remain on Auditd, you have the following options: > -> 1. Continue to use Defender for Endpoint on Linux build `101.24072.0000` with Auditd. This build will continue to be supported for several months, so you have time to plan and execute your migration to eBPF. +> 1. Continue to use Defender for Endpoint on Linux build `101.24072.0001` with Auditd. 
This build will continue to be supported for several months, so you have time to plan and execute your migration to eBPF. > -> 2. If you are on versions later than `101.24072.0000`, Defender for Endpoint on Linux relies on `netlink` as a backup supplementary event provider. In the event of a fallback, all process operations continue to flow seamlessly. +> 2. If you are on versions later than `101.24072.0001`, Defender for Endpoint on Linux relies on `netlink` as a backup supplementary event provider. In the event of a fallback, all process operations continue to flow seamlessly. > > Review your current Defender for Endpoint on Linux deployment, and begin planning your migration to the eBPF-supported build. For more information on eBPF and how it works, see [Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux](/defender-endpoint/linux-support-ebpf). > @@ -41,9 +41,14 @@ This article is updated frequently to let you know what's new in the latest rele
Nov-2024 (Build: 101.24092.0002 | Release version: 30.124092.0002.0) -Nov-2024 Build: 101.24092.0002 | Release version: 30.124092.0002.0 +## Nov-2024 Build: 101.24092.0002 | Release version: 30.124092.0002.0 - Released: **November 14, 2024**  Published: **November 14, 2024**  Build: **101.24092.0002**  Release version: **30.124092.0002**  Engine version: 1.1.24080.9  Signature version: 1.417.659.0 + Released: **November 14, 2024**
+ Published: **November 14, 2024**
+ Build: **101.24092.0002**
+ Release version: **30.124092.0002**
+ Engine version: **1.1.24080.9**
+ Signature version: **1.417.659.0**
**What's new** From f7be006de57979a513b507bdd461c777647b4e03 Mon Sep 17 00:00:00 2001 From: lakshmyav <108449150+lakshmyav@users.noreply.github.com> Date: Wed, 27 Nov 2024 11:54:22 +0530 Subject: [PATCH 08/19] revert other file changes --- defender-endpoint/linux-whatsnew.md | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/defender-endpoint/linux-whatsnew.md b/defender-endpoint/linux-whatsnew.md index 536230df39..d6b698d6b7 100644 --- a/defender-endpoint/linux-whatsnew.md +++ b/defender-endpoint/linux-whatsnew.md 
@@ -29,26 +29,20 @@ This article is updated frequently to let you know what's new in the latest rele - [What's new in Defender for Endpoint on iOS](ios-whatsnew.md) > [!IMPORTANT] -> Starting with version `101.24082.0004`, Defender for Endpoint on Linux no longer supports the `Auditd` event provider. We're transitioning completely to the more efficient eBPF technology. This change allows for better performance, reduced resource consumption, and overall improved stability. eBPF support has been available since August 2023, and is fully integrated into all updates of Defender for Endpoint on Linux (version `101.23082.0006` and later). We strongly encourage you to adopt the eBPF build, as it provides significant enhancements over Auditd. If eBPF is not supported on your machines, or if there are specific requirements to remain on Auditd, you have the following options: +> Starting with version `101.2408.0004`, Defender for Endpoint on Linux no longer supports the `Auditd` event provider. We're transitioning completely to the more efficient eBPF technology. This change allows for better performance, reduced resource consumption, and overall improved stability. eBPF support has been available since August 2023, and is fully integrated into all updates of Defender for Endpoint on Linux (version `101.23082.0006` and later). We strongly encourage you to adopt the eBPF build, as it provides significant enhancements over Auditd. If eBPF is not supported on your machines, or if there are specific requirements to remain on Auditd, you have the following options: > -> 1. Continue to use Defender for Endpoint on Linux build `101.24072.0001` with Auditd. This build will continue to be supported for several months, so you have time to plan and execute your migration to eBPF. +> 1. Continue to use Defender for Endpoint on Linux build `101.24072.0000` with Auditd. 
This build will continue to be supported for several months, so you have time to plan and execute your migration to eBPF. > -> 2. If you are on versions later than `101.24072.0001`, Defender for Endpoint on Linux relies on `netlink` as a backup supplementary event provider. In the event of a fallback, all process operations continue to flow seamlessly. +> 2. If you are on versions later than `101.24072.0000`, Defender for Endpoint on Linux relies on `netlink` as a backup supplementary event provider. In the event of a fallback, all process operations continue to flow seamlessly. > > Review your current Defender for Endpoint on Linux deployment, and begin planning your migration to the eBPF-supported build. For more information on eBPF and how it works, see [Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux](/defender-endpoint/linux-support-ebpf). > > If you have any concerns or need assistance during this transition, contact support. -
Nov-2024 (Build: 101.24092.0002 | Release version: 30.124092.0002.0) -## Nov-2024 Build: 101.24092.0002 | Release version: 30.124092.0002.0 +Nov-2024 Build: 101.24092.0002 | Release version: 30.124092.0002.0 - Released: **November 14, 2024**
- Published: **November 14, 2024**
- Build: **101.24092.0002**
- Release version: **30.124092.0002**
- Engine version: **1.1.24080.9**
- Signature version: **1.417.659.0**
+ Released: **November 14, 2024**  Published: **November 14, 2024**  Build: **101.24092.0002**  Release version: **30.124092.0002**  Engine version: 1.1.24080.9  Signature version: 1.417.659.0 **What's new** From 0184da3c55edb85c13ca113e289cddec494723d5 Mon Sep 17 00:00:00 2001 From: lakshmyav <108449150+lakshmyav@users.noreply.github.com> Date: Wed, 27 Nov 2024 11:54:50 +0530 Subject: [PATCH 09/19] revert other file changes --- defender-endpoint/linux-whatsnew.md | 1 + 1 file changed, 1 insertion(+) diff --git a/defender-endpoint/linux-whatsnew.md b/defender-endpoint/linux-whatsnew.md index d6b698d6b7..946b064c39 100644 --- a/defender-endpoint/linux-whatsnew.md +++ b/defender-endpoint/linux-whatsnew.md @@ -38,6 +38,7 @@ This article is updated frequently to let you know what's new in the latest rele > Review your current Defender for Endpoint on Linux deployment, and begin planning your migration to the eBPF-supported build. For more information on eBPF and how it works, see [Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux](/defender-endpoint/linux-support-ebpf). > > If you have any concerns or need assistance during this transition, contact support. +
Nov-2024 (Build: 101.24092.0002 | Release version: 30.124092.0002.0) Nov-2024 Build: 101.24092.0002 | Release version: 30.124092.0002.0 From 874404a6f70b7b3f5b07db11177232112f75427b Mon Sep 17 00:00:00 2001 From: lakshmyav <108449150+lakshmyav@users.noreply.github.com> Date: Wed, 27 Nov 2024 14:16:42 +0530 Subject: [PATCH 10/19] Learn Editor: Update linux-support-ebpf.md --- defender-endpoint/linux-support-ebpf.md | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/defender-endpoint/linux-support-ebpf.md b/defender-endpoint/linux-support-ebpf.md index 51fb1fc31f..5776f437c9 100644 --- a/defender-endpoint/linux-support-ebpf.md +++ b/defender-endpoint/linux-support-ebpf.md 
@@ -139,15 +139,21 @@ uname -a - Use a kernel version higher or lower than **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** on Oracle Linux 8.8 if you want to use eBPF as supplementary subsystem provider. The minimum kernel version for Oracle Linux is RHCK 3.10.0 and Oracle Linux UEK is 5.4. - Switch to AuditD mode if you need to use the same kernel version -```bash -sudo mdatp config ebpf-supplementary-event-provider --value disabled -``` + ```bash + sudo mdatp config ebpf-supplementary-event-provider --value disabled + ``` + + - The following two sets of data help analyze potential issues and determine the most effective resolution options. + + 1. Collect a diagnostic package from the client analyzer tool by using the following instructions: [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md). -The following two sets of data help analyze potential issues and determine the most effective resolution options. + 2. Collect a debug diagnostic package when Defender for Endpoint is utilizing high resources by using the following instructions: [Microsoft Defender for Endpoint on Linux resources](linux-resources.md#collect-diagnostic-information). -1. Collect a diagnostic package from the client analyzer tool by using the following instructions: [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md). +3. System hangs on Oracle Linux 7.9 running Defender for Linux when ksplice is used for live kernel patching. -2. Collect a debug diagnostic package when Defender for Endpoint is utilizing high resources by using the following instructions: [Microsoft Defender for Endpoint on Linux resources](linux-resources.md#collect-diagnostic-information). + - Auto-install patching of ksplice simply adds a cron job to the endpoint. 
+ - To mitigate the hang issue, you can create a cron job which will first stop the mdatp service, apply ksplice based patching, then start the service. + - As kernel patching is few seconds activity so this will not have major exposure in terms of security. #### Troubleshooting performance issues From f720504f9df154040651da44657020cea23d57c1 Mon Sep 17 00:00:00 2001 From: lakshmyav <108449150+lakshmyav@users.noreply.github.com> Date: Mon, 2 Dec 2024 13:49:33 +0530 Subject: [PATCH 11/19] Update linux-install-manually.md --- defender-endpoint/linux-install-manually.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/defender-endpoint/linux-install-manually.md b/defender-endpoint/linux-install-manually.md index f74ab08daf..d2366120a1 100644 --- a/defender-endpoint/linux-install-manually.md +++ b/defender-endpoint/linux-install-manually.md 
@@ -495,16 +495,16 @@ Download the onboarding package from Microsoft Defender portal. The following external package dependencies exist for the mdatp package: -- The mdatp RPM package requires `glibc >= 2.17`, `policycoreutils`, `semanage` `selinux-policy-targeted`, `mde-netfilter` +- The mdatp RPM package requires `glibc >= 2.17`, `policycoreutils`, `selinux-policy-targeted`, `mde-netfilter` - For DEBIAN the mdatp package requires `libc6 >= 2.23`, `uuid-runtime`, `mde-netfilter` - For Mariner the mdatp package requires `attr`, `diffutils`, `libacl`, `libattr`, `libselinux-utils`, `selinux-policy`, `policycoreutils`, `mde-netfilter` > [!NOTE] > Starting with version `101.24082.0004`, Defender for Endpoint on Linux no longer supports the `Auditd` event provider. We're transitioning completely to the more efficient eBPF technology. > If eBPF is not supported on your machines, or if there are specific requirements to remain on Auditd, and your machines are using Defender for Endpoint on Linux version `101.24072.0001` or lower, the following additional dependency on the auditd package exists for mdatp: -> - The mdatp RPM package requires `audit` -> - For DEBIAN the mdatp package requires `auditd` -> - For Mariner the mdatp package requires `audit` +> - The mdatp RPM package requires `audit`, `semanage`. +> - For DEBIAN the mdatp package requires `auditd`. +> - For Mariner the mdatp package requires `audit`. The mde-netfilter package also has the following package dependencies: From b2df9f840d19e6af35b121f01f3182a5aab26bb0 Mon Sep 17 00:00:00 2001 From: Leor Hurwitz <141719002+LeorHurwitz@users.noreply.github.com> Date: Mon, 2 Dec 2024 11:44:39 +0200 Subject: [PATCH 12/19] Update get-started.md --- CloudAppSecurityDocs/get-started.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CloudAppSecurityDocs/get-started.md b/CloudAppSecurityDocs/get-started.md index 4745e281e1..1e14bf76db 100644 --- a/CloudAppSecurityDocs/get-started.md 
+++ b/CloudAppSecurityDocs/get-started.md @@ -20,6 +20,7 @@ To set up Defender for Cloud Apps, you must at least be a Security Administrator Users with admin roles have the same admin permissions across any cloud apps your organization is subscribed to, regardless of where you've assigned the role. For more information, see [Assign admin roles](/microsoft-365/admin/add-users/assign-admin-roles) and [Assigning administrator roles in Microsoft Entra ID](/azure/active-directory/roles/permissions-reference). + Microsoft Defender for Cloud Apps is a security tool and therefore doesn't require Microsoft 365 productivity suite licenses. For Microsoft 365 Cloud App Security (Microsoft Defender for Cloud Apps only for Microsoft 365), see [What are the differences between Microsoft Defender for Cloud Apps and Microsoft 365 Cloud App Security?](editions-cloud-app-security-o365.md). Microsoft Defender for Cloud Apps depends on the following Microsoft Entra ID applications to function properly. Do not disable these applications in Microsoft Entra ID: @@ -27,6 +28,7 @@ Microsoft Defender for Cloud Apps depends on the following Microsoft Entra ID ap - Microsoft Defender for Cloud Apps - APIs - Microsoft Defender for Cloud Apps - Customer Experience - Microsoft Defender for Cloud Apps - Information Protection +- Microsoft Defender for Cloud Apps - MIP Server ## Access Defender for Cloud Apps From e74875424c4b9866ddbf6dd1ba794ee38aa7efa7 Mon Sep 17 00:00:00 2001 From: lakshmyav <108449150+lakshmyav@users.noreply.github.com> Date: Mon, 2 Dec 2024 19:10:17 +0530 Subject: [PATCH 13/19] Learn Editor: Update linux-support-offline-security-intelligence-update.md --- ...rt-offline-security-intelligence-update.md | 22 ++++++------------- 1 file changed, 7 insertions(+), 15 deletions(-) diff --git a/defender-endpoint/linux-support-offline-security-intelligence-update.md b/defender-endpoint/linux-support-offline-security-intelligence-update.md index ca69cf17dd..f6359ea185 100644 
--- a/defender-endpoint/linux-support-offline-security-intelligence-update.md +++ b/defender-endpoint/linux-support-offline-security-intelligence-update.md @@ -165,7 +165,9 @@ Once hosted, copy the absolute path of the hosted server (up to and not includin For example, if the script is executed with `downloadFolder=/tmp/wdav-update`, and the HTTP server (`www.example.server.com:8000`) is hosting the `/tmp/wdav-update` path, the corresponding URI is: `www.example.server.com:8000/linux/production/` -Once the Mirror Server is set up, we need to propagate this URL to the Linux endpoints using the Managed Configuration as described in the next section. +We can also use the absolute path of a remote mount point, like `/tmp/wdav-update/linux/production`. + +Once the Mirror Server is set up, we need to propagate this URL to the Linux endpoints as the `offlineDefinitionUpdateUrl` in the Managed Configuration as described in the next section. ## Configure the Endpoints @@ -182,9 +184,9 @@ Once the Mirror Server is set up, we need to propagate this URL to the Linux end "offlineDefintionUpdateFallbackToCloud":false, "offlineDefinitionUpdate": "enabled" }, - "features": { - "offlineDefinitionUpdateVerifySig": "enabled" - } + "features": { + "offlineDefinitionUpdateVerifySig": "enabled" + } } ``` 
@@ -192,7 +194,7 @@ Once the Mirror Server is set up, we need to propagate this URL to the Linux end |-------------------------------------------|----------------------|-----------------------------------------------------| | `automaticDefinitionUpdateEnabled` | `True` / `False` | Determines the behavior of Defender for Endpoint attempting to perform updates automatically, is turned on or off respectively. | | `definitionUpdatesInterval` | Numeric | Time of interval between each automatic update of signatures (in seconds). | -| `offlineDefinitionUpdateUrl` | String | URL value generated as part of the Mirror Server set up. | +| `offlineDefinitionUpdateUrl` | String | URL value generated as part of the Mirror Server set up. This can be either in terms of the remote server URL, or a remote mount point. | | `offlineDefinitionUpdate` | `enabled` / `disabled` | When set to `enabled`, the offline security intelligence update feature is enabled, and vice versa. | | `offlineDefinitionUpdateFallbackToCloud` | `True` / `False` | Determine Defender for Endpoint security intelligence update approach when offline Mirror Server fails to serve the update request. If set to true, the update is retried via the Microsoft cloud when offline security intelligence update failed, else vice versa. | | `offlineDefinitionUpdateVerifySig` | `enabled` / `disabled` | When set to `enabled`, downloaded definitions are verified on the endpoints, else vice versa. | @@ -287,16 +289,6 @@ offline_definition_update_fallback_to_cloud : false[managed] mdatp definitions update ``` -### Known Issues: - -Offline signature update might fail in the following scenario: - - You enabled the feature, applied the signature updates, then disabled the feature to apply further signature updates from cloud, and subsequently re-enabled the feature for additional signature updates. - -Mitigation steps: - -A fix for this issue is planned to release soon. - ## Useful Links ### Downloader script 
From e18296b3ac24f079e777ca38e4e5c68a03bfdf5a Mon Sep 17 00:00:00 2001 From: lakshmyav <108449150+lakshmyav@users.noreply.github.com> Date: Mon, 2 Dec 2024 20:09:13 +0530 Subject: [PATCH 14/19] Update linux-support-offline-security-intelligence-update.md --- .../linux-support-offline-security-intelligence-update.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defender-endpoint/linux-support-offline-security-intelligence-update.md b/defender-endpoint/linux-support-offline-security-intelligence-update.md index f6359ea185..6d4d9a7f2b 100644 --- a/defender-endpoint/linux-support-offline-security-intelligence-update.md +++ b/defender-endpoint/linux-support-offline-security-intelligence-update.md @@ -165,7 +165,7 @@ Once hosted, copy the absolute path of the hosted server (up to and not includin For example, if the script is executed with `downloadFolder=/tmp/wdav-update`, and the HTTP server (`www.example.server.com:8000`) is hosting the `/tmp/wdav-update` path, the corresponding URI is: `www.example.server.com:8000/linux/production/` -We can also use the absolute path of a remote mount point, like `/tmp/wdav-update/linux/production`. +We can also use the absolute path of directory (local / remote mount point) like `/tmp/wdav-update/linux/production`. Once the Mirror Server is set up, we need to propagate this URL to the Linux endpoints as the `offlineDefinitionUpdateUrl` in the Managed Configuration as described in the next section. 
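Review bot: The rewritten line "We can also use the absolute path of directory (local / remote mount point) like `/tmp/wdav-update/linux/production`." is missing an article and a comma; suggest "We can also use the absolute path of a directory (a local directory or a remote mount point), for example `/tmp/wdav-update/linux/production`." The unchanged next line still refers to "this URL", so "this value" would cover the path form as well.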
@@ -194,7 +194,7 @@ Once the Mirror Server is set up, we need to propagate this URL to the Linux end |-------------------------------------------|----------------------|-----------------------------------------------------| | `automaticDefinitionUpdateEnabled` | `True` / `False` | Determines the behavior of Defender for Endpoint attempting to perform updates automatically, is turned on or off respectively. | | `definitionUpdatesInterval` | Numeric | Time of interval between each automatic update of signatures (in seconds). | -| `offlineDefinitionUpdateUrl` | String | URL value generated as part of the Mirror Server set up. This can be either in terms of the remote server URL, or a remote mount point. | +| `offlineDefinitionUpdateUrl` | String | URL value generated as part of the Mirror Server set up. This can be either in terms of the remote server URL, or a directory (local / remote mount point). | | `offlineDefinitionUpdate` | `enabled` / `disabled` | When set to `enabled`, the offline security intelligence update feature is enabled, and vice versa. | | `offlineDefinitionUpdateFallbackToCloud` | `True` / `False` | Determine Defender for Endpoint security intelligence update approach when offline Mirror Server fails to serve the update request. If set to true, the update is retried via the Microsoft cloud when offline security intelligence update failed, else vice versa. | | `offlineDefinitionUpdateVerifySig` | `enabled` / `disabled` | When set to `enabled`, downloaded definitions are verified on the endpoints, else vice versa. | From 6071b97ddd548d80d2ef552018c1415957e897f9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 2 Dec 2024 06:43:54 -0800 Subject: [PATCH 15/19] Update linux-support-offline-security-intelligence-update.md --- .../linux-support-offline-security-intelligence-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
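Review bot: The updated `offlineDefinitionUpdateUrl` description now accepts "a directory (local / remote mount point)", but the row still begins "URL value generated as part of the Mirror Server set up"; a local directory path is neither a URL nor something the mirror setup generates. Suggest "Mirror Server URL, or the absolute path of a directory (local or remote mount point) that holds the downloaded definitions", and keep the Type column as `String` since both forms are strings.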
diff --git a/defender-endpoint/linux-support-offline-security-intelligence-update.md b/defender-endpoint/linux-support-offline-security-intelligence-update.md index 6d4d9a7f2b..ace972404b 100644 --- a/defender-endpoint/linux-support-offline-security-intelligence-update.md +++ b/defender-endpoint/linux-support-offline-security-intelligence-update.md @@ -15,7 +15,7 @@ ms.collection: - mde-linux ms.topic: conceptual search.appverid: met150 -ms.date: 10/11/2024 +ms.date: 12/02/2024 --- # Configure Offline Security Intelligence Update for Microsoft Defender for Endpoint on Linux From 9892b0cf8a276f4a477536f71b1ff242cf579210 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 2 Dec 2024 06:54:26 -0800 Subject: [PATCH 16/19] Update linux-install-manually.md --- defender-endpoint/linux-install-manually.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/linux-install-manually.md b/defender-endpoint/linux-install-manually.md index d2366120a1..137c372b87 100644 --- a/defender-endpoint/linux-install-manually.md +++ b/defender-endpoint/linux-install-manually.md @@ -15,7 +15,7 @@ ms.collection: ms.topic: conceptual ms.subservice: linux search.appverid: met150 -ms.date: 10/28/2024 +ms.date: 12/02/2024 --- # Deploy Microsoft Defender for Endpoint on Linux manually From c5ec9420803621eeb509892a9694c4f95b7727b4 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 2 Dec 2024 06:55:00 -0800 Subject: [PATCH 17/19] Update linux-support-ebpf.md --- defender-endpoint/linux-support-ebpf.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defender-endpoint/linux-support-ebpf.md b/defender-endpoint/linux-support-ebpf.md index 5776f437c9..c979ae8e72 100644 --- a/defender-endpoint/linux-support-ebpf.md +++ b/defender-endpoint/linux-support-ebpf.md 
@@ -15,7 +15,7 @@ ms.collection: ms.topic: conceptual ms.subservice: linux search.appverid: met150 -ms.date: 10/11/2024 +ms.date: 12/02/2024 --- # Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux From 42e1244753cdfeb0a6c608680bc95cbaacc959f2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 2 Dec 2024 06:56:53 -0800 Subject: [PATCH 18/19] Update linux-support-ebpf.md --- defender-endpoint/linux-support-ebpf.md | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/defender-endpoint/linux-support-ebpf.md b/defender-endpoint/linux-support-ebpf.md index c979ae8e72..320d8c0e7b 100644 --- a/defender-endpoint/linux-support-ebpf.md +++ b/defender-endpoint/linux-support-ebpf.md @@ -116,7 +116,9 @@ Post reboot, run the following command to check if audit rules were cleared: The output of previous command should show no rules or any user added rules. In case where the rules weren't removed, do the following steps to clear the audit rules file: 1. Switch to ebpf mode. + 2. Remove the file `/etc/audit/rules.d/mdatp.rules`. + 3. Reboot the machine. ### Troubleshooting and Diagnostics 
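Review bot: The blank lines inserted between the three numbered steps in the `@@ -116,7 +116,9 @@` hunk only change list spacing; while this list is being touched, the context line "In case where the rules weren't removed, do the following steps to clear the audit rules file:" should read "If the rules weren't removed, take the following steps to clear the audit rules file:", and step 1, "Switch to ebpf mode.", gives the reader nothing to run, so it should name the command or link the instructions for switching modes.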
@@ -131,23 +133,23 @@ uname -a 1. Enabling eBPF on RHEL 8.1 version with SAP might result in kernel panic. To mitigate this issue, you can take one of the following steps: - - Use a distro version higher than RHEL 8.1. - - Switch to AuditD mode if you need to use RHEL 8.1 version. + - Use a distro version higher than RHEL 8.1. + - Switch to AuditD mode if you need to use RHEL 8.1 version. 2. Using Oracle Linux 8.8 with kernel version **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** might result in kernel panic. To mitigate this issue, you can take one of the following steps: - - Use a kernel version higher or lower than **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** on Oracle Linux 8.8 if you want to use eBPF as supplementary subsystem provider. The minimum kernel version for Oracle Linux is RHCK 3.10.0 and Oracle Linux UEK is 5.4. - - Switch to AuditD mode if you need to use the same kernel version + - Use a kernel version higher or lower than **5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64** on Oracle Linux 8.8 if you want to use eBPF as supplementary subsystem provider. The minimum kernel version for Oracle Linux is RHCK 3.10.0 and Oracle Linux UEK is 5.4. + - Switch to AuditD mode if you need to use the same kernel version - ```bash - sudo mdatp config ebpf-supplementary-event-provider --value disabled - ``` + ```bash + sudo mdatp config ebpf-supplementary-event-provider --value disabled + ``` - - The following two sets of data help analyze potential issues and determine the most effective resolution options. + - The following two sets of data help analyze potential issues and determine the most effective resolution options. - 1. Collect a diagnostic package from the client analyzer tool by using the following instructions: [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md). + 1. 
Collect a diagnostic package from the client analyzer tool by using the following instructions: [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md). - 2. Collect a debug diagnostic package when Defender for Endpoint is utilizing high resources by using the following instructions: [Microsoft Defender for Endpoint on Linux resources](linux-resources.md#collect-diagnostic-information). + 2. Collect a debug diagnostic package when Defender for Endpoint is utilizing high resources by using the following instructions: [Microsoft Defender for Endpoint on Linux resources](linux-resources.md#collect-diagnostic-information). 3. System hangs on Oracle Linux 7.9 running Defender for Linux when ksplice is used for live kernel patching. From d0548daa241e95f36a8ac5189585985c9a0a9074 Mon Sep 17 00:00:00 2001 From: diannegali <122793942+diannegali@users.noreply.github.com> Date: Mon, 2 Dec 2024 17:15:15 +0000 Subject: [PATCH 19/19] Update virus-initiative-criteria.md resolved acrolinx check, updated metadata --- defender-xdr/virus-initiative-criteria.md | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/defender-xdr/virus-initiative-criteria.md b/defender-xdr/virus-initiative-criteria.md index 497f523294..36842cf9d4 100644 --- a/defender-xdr/virus-initiative-criteria.md +++ b/defender-xdr/virus-initiative-criteria.md 
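Review bot: In the re-indented bullets under item 2, "Switch to AuditD mode if you need to use the same kernel version" has no terminal period and is followed directly by the `sudo mdatp config ebpf-supplementary-event-provider --value disabled` block with nothing tying them together; add a period and an introduction such as "To switch, run:" so the command is clearly the AuditD fallback and not a separate step. The bullet "The following two sets of data help analyze potential issues..." is also nested under item 2 although it introduces general diagnostic collection, so it reads as another Oracle Linux 8.8 mitigation; consider moving it out of the list. Item 3, "System hangs on Oracle Linux 7.9 running Defender for Linux when ksplice is used for live kernel patching.", has no mitigation line, unlike items 1 and 2.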
@@ -13,28 +13,29 @@ ms.collection: - tier2 ms.topic: conceptual search.appverid: met150 -ms.date: 09/12/2024 +ms.date: 12/2/2024 --- # Microsoft Virus Initiative The Microsoft Virus Initiative (MVI) helps organizations improve the security solutions our customers rely on to keep them safe. We provide tools, resources, and knowledge to support better-together experiences with great performance, reliability, and compatibility. -Microsoft collaborates with MVI partners to define and follow Safe Deployment Practices (SDP) to support the safety and resiliency of our mutual customers. In addition, Microsoft engages MVI partners in the development of new platform capabilities to create highly available security solutions building on the foundational security features in Windows 11. +Microsoft collaborates with MVI partners to define and follow Safe Deployment Practices (SDP) to support the safety and resiliency of our mutual customers. Microsoft also engages MVI partners in the development of new platform capabilities to create highly available security solutions building on the foundational security features in Windows 11. ## Become a member You can request membership if you're a representative of an organization that develops antimalware technology. Not all applicants are accepted into the program. + To be considered for the MVI program, your organization must meet all the following requirements: 1. Your commercially available security solution must provide real-time protection that detects, prevents, and remediates malicious software. -1. Your organization is responsible for both developing and distributing updates to end-customers that address compatibility with Windows. -1. Your organization must be active in the antimalware industry and have a positive reputation, as evidenced by participation in industry conferences, membership in industry organizations, or being reviewed in industry-standard reports such as AV-Comparatives, OPSWAT, or Gartner. -1. 
Your organization must sign a non-disclosure agreement (NDA) with Microsoft. -1. Your organization must sign a program license agreement. -1. Your organization must be active in the program and meet all program requirements. -1. Your security solution must meet all program requirements, which requires use of [Trusted Signing](/azure/trusted-signing). -1. Your security solution must have been certified within the last 12 months through independent testing by at least one of the organizations listed below. Yearly certification must be maintained. +2. Your organization is responsible for both developing and distributing updates to end-customers that address compatibility with Windows. +3. Your organization must be active in the antimalware industry with a positive reputation, shown by participation in industry conferences, membership in industry organizations, or reviews in reports like AV-Comparatives, OPSWAT, or Gartner. +4. Your organization must sign a non-disclosure agreement with Microsoft. +5. Your organization must sign a program license agreement. +6. Your organization must be active in the program and meet all program requirements. +7. Your security solution must meet all program requirements, which requires use of [Trusted Signing](/azure/trusted-signing). +8. Your security solution must be certified within the last 12 months by at least one of the organizations listed below through independent testing. Yearly certification must be maintained. |Test Provider|Lab Test Type|Minimum Level/Score| | -------- | -------- | -------- | 
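Review bot: `ms.date: 12/2/2024` is not zero-padded, while the other metadata updates in this series (patches 15, 16 and 17) use `12/02/2024`; use the same `MM/DD/YYYY` form. The renumbering of the requirements list from repeated `1.` to explicit `1.` through `8.` and the tightened wording of items 3 and 8 are fine; the only other change worth a second look is dropping the "(NDA)" expansion in item 4, which was harmless to keep.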
@@ -42,7 +43,7 @@ To be considered for the MVI program, your organization must meet all the follow |[AV-Test](https://www.av-test.org/en/about-the-institute/certification)|Real-World Protection Test for MVI, AV-Test |97% (Real-World Protection test for MVI)/Certified (AV-Test Home)/ Approved (AV-Test Enterprise)| |[SE Labs](https://selabs.uk/en/reports/)|Endpoint Security (EPS) or Enterprise Advanced Security (EAS)|AAA| |[SKD Labs](https://www.skdlabs.com/html/english/)|Starcheck Anti-malware Real-time protection and cleaning|Starcheck Certified| -|[VB 100](https://www.virusbulletin.com/testing/vb100/vb100-methodology/vb100-methodology-ver1-1)|VB100|Detection rate of 95% with Grade C or above| +|[VB 100](https://www.virusbulletin.com/testing/vb100/vb100-methodology/vb100-methodology-ver1-1)|VB100|Detection rate of 95% with Grade C or higher| |[West Coast Labs](https://www.westcoastlabs.com/wclvalid)|WCL Validated for Malware Detection and Malware Remediation technologies|Product Rating A| ## Apply now
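Review bot: The unchanged AV-Test row two lines above the edited VB 100 row has inconsistent slash spacing and a trailing space: "Real-World Protection Test for MVI, AV-Test " and "97% (Real-World Protection test for MVI)/Certified (AV-Test Home)/ Approved (AV-Test Enterprise)"; since this hunk edits the same table, normalize it, for example "97% (Real-World Protection Test for MVI) / Certified (AV-Test Home) / Approved (AV-Test Enterprise)". The "Grade C or above" to "Grade C or higher" change itself is fine.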