roger_jr
Copper Contributor
May 10, 2021

mdatp_audisp_plugin

I was wondering if anyone knows what /opt/microsoft/mdatp/sbin/mdatp_audisp_plugin  is used for on RHEL.


I've noticed it can consume a lot of resources in some cases and am hoping to find some documentation on this Microsoft Defender RHEL plugin.

  • KingF451
    Copper Contributor

    Short answer: For RHEL8
    echo "-a never,exclude -F msgtype=SYSCALL" >/etc/audit/rules.d/exclude.rules

    reboot


    Medium answer:
    MDATP uses auditd to analyze ALL SYSCALLS.
    From the man page for audit.rules:
    "only use syscall rules when you have to since these affect performance"


    Long answer:
    Not only was this flooding audit logs, and slowing processing... On larger DB servers it intermittently crashed the server and corrupted files. Not surprising when you try to analyze every call for I/O, RAM, inter-process fork/msg/wait/...


    NOTE: Advanced auditd users would need a more customized solution.
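As an added example (not code from this thread, from Microsoft or from auditd itself), the following POSIX shell script inventories the rule files under /etc/audit/rules.d/, counts the syscall rules the audit.rules man page warns about, and reports whether a rule dropping SYSCALL records like the one above is already present. It assumes the RHEL 8 rules.d layout and runs against a constructed sample directory so it works offline; note that such an exclude rule suppresses every SYSCALL record, not only the ones MDATP consumes.

```shell
#!/bin/sh
# Added example, not code from the thread or from Microsoft Defender.
# Inventory auditd rule files: count the syscall rules the audit.rules
# man page warns about, and report whether a rule that drops SYSCALL
# records (the exclude rule from the answer above) is already present.
# Assumption: rules live in /etc/audit/rules.d/*.rules as on RHEL 8.

# Number of "-a ... -S syscall" rules in one rules file (0 if none).
count_syscall_rules() {
    grep -Ec '^[[:space:]]*-a[[:space:]]+[^#]*-S[[:space:]]' "$1" || true
}

# Succeeds if the file discards SYSCALL records on the exclude list
# (auditctl accepts both "never,exclude" and "exclude,never").
has_syscall_exclude() {
    grep -Eq '^[[:space:]]*-a[[:space:]]+(never,exclude|exclude,never)[[:space:]]+-F[[:space:]]+msgtype=SYSCALL' "$1"
}

# One report line per rules file under the given directory.
audit_rules_report() {
    for f in "$1"/*.rules; do
        [ -f "$f" ] || continue
        if has_syscall_exclude "$f"; then ex=yes; else ex=no; fi
        printf '%s syscall_rules=%s syscall_exclude=%s\n' \
            "$f" "$(count_syscall_rules "$f")" "$ex"
    done
}

# Constructed sample standing in for /etc/audit/rules.d on a real host.
# On a real system run: audit_rules_report /etc/audit/rules.d
demo() {
    tmp=$(mktemp -d)
    cat >"$tmp/30-ospp-sample.rules" <<'EOF'
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -k perm_mod
-a always,exit -F arch=b64 -S open,openat,creat -F exit=-EACCES -k access
-w /etc/passwd -p wa -k identity
EOF
    printf -- '-a never,exclude -F msgtype=SYSCALL\n' >"$tmp/exclude.rules"
    audit_rules_report "$tmp"
    rm -rf "$tmp"
}

demo
```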

  • Kamil__M
    Copper Contributor
    Check if you have any additional rules in /etc/audit/rules.d/ dir. We had 30-ospp-v42-*.rules and it generated very high load with mdatp.
    • roger_jr
      Copper Contributor
      kalyan190 mdatp_audisp_plugin
      The issue is, mdatp_audisp_plugin has a bug which the plugin might ingest unnecessary logs from audit logs.

      My suggestion is open a ticket with Microsoft TAC and they can provide a work around.
      • kalyan190
        Copper Contributor
        Sure, will open a ticket with Microsoft. Thanks Roger