Forum Discussion
roger_jr
May 10, 2021 (Copper Contributor)
mdatp_audisp_plugin
I was wondering if anyone knows what /opt/microsoft/mdatp/sbin/mdatp_audisp_plugin is used for on RHEL.
I've noticed it can consume a lot of resources in some cases, and I'm hoping to find some documentation on this Microsoft Defender RHEL plugin.
- KingF451 (Copper Contributor)
Short answer: For RHEL8
echo "-a never,exclude -F msgtype=SYSCALL" >/etc/audit/rules.d/exclude.rules
reboot
Medium answer:
MDATP uses auditd to analyze ALL SYSCALLS.
From the man page for audit.rules:
"only use syscall rules when you have to since these affect performance"
Long answer:
Not only was this flooding audit logs and slowing processing... On larger DB servers it intermittently crashed the server and corrupted files. Not surprising when you try to analyze every call for I/O, RAM, inter-process fork/msg/wait/...
NOTE: Advanced auditd users would need a more customized solution.
- Kamil__M (Copper Contributor)
Check if you have any additional rules in the /etc/audit/rules.d/ dir. We had 30-ospp-v42-*.rules and it generated very high load with mdatp.
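Added example, not from anyone in this thread: a small POSIX sh script that inventories the syscall rules (-a ... -S) in an auditd rules.d directory, as Kamil__M suggests checking, before the exclude rule from KingF451's answer is dropped in. The point of the check is that "-a never,exclude -F msgtype=SYSCALL" suppresses every SYSCALL record, so any OSPP-style syscall rules already in rules.d stop producing audit events too. The sample rule files are constructed here; no running auditd is needed.

```shell
#!/bin/sh
# Added example (not the thread's own commands). Only the audit.rules file grammar is assumed;
# the rules.d content below is constructed for the demo.

# count_syscall_rules DIR: prints "<file> <n>" per *.rules file, then a final "total <n>" line.
count_syscall_rules() {
    total=0
    for f in "$1"/*.rules; do
        [ -f "$f" ] || continue
        # skip comments/blank lines; a syscall rule carries both "-a list,action" and "-S syscall"
        n=$(awk '!/^[[:space:]]*(#|$)/ && /(^|[[:space:]])-a[[:space:]]/ && /(^|[[:space:]])-S[[:space:]]/ {c++} END {print c+0}' "$f")
        echo "$f $n"
        total=$((total + n))
    done
    echo "total $total"
}

# syscall_rule_total DIR: just the total, for scripting.
syscall_rule_total() {
    count_syscall_rules "$1" | awk '$1 == "total" {print $2}'
}

# has_syscall_exclude DIR: true when some file already suppresses SYSCALL records wholesale.
has_syscall_exclude() {
    grep -Eqs -- '^[[:space:]]*-a[[:space:]]+never,exclude[[:space:]]+-F[[:space:]]+msgtype=SYSCALL' "$1"/*.rules
}

# make_sample_rules: builds a throwaway rules.d with constructed content and prints its path.
make_sample_rules() {
    d=$(mktemp -d)
    printf '%s\n' '## constructed: file watches only, no syscall rules' \
        '-w /etc/passwd -p wa -k identity' '-w /etc/shadow -p wa -k identity' > "$d/10-base.rules"
    printf '%s\n' '## constructed, OSPP-style syscall rules' \
        '-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid' \
        '-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid' \
        '-a always,exit -F arch=b64 -S open,openat -F exit=-EACCES -k access' > "$d/30-ospp-like.rules"
    echo "$d"
}

# add_syscall_exclude DIR: writes the exclude rule from the answer above into DIR/exclude.rules.
add_syscall_exclude() {
    echo "-a never,exclude -F msgtype=SYSCALL" > "$1/exclude.rules"
}

dir=$(make_sample_rules)
count_syscall_rules "$dir"          # 0 for 10-base.rules, 3 for 30-ospp-like.rules, total 3
has_syscall_exclude "$dir" && echo "SYSCALL records already excluded" || echo "SYSCALL records still emitted"
```

Point it at the real /etc/audit/rules.d instead of the sample directory to see how many syscall rules the exclude line would silence on a given host.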
- kalyan190 (Copper Contributor)
Sure, will open a ticket with Microsoft. Thanks Roger