Forum Discussion
Microsoft Defender ON Linux VM - Exit Codes
Hello
We have installed Azure Defender on a Linux VM and need to run a custom virus scan from a bash script. Our goal is to scan a file and identify any threats.
We have successfully implemented a working script with Microsoft Defender operating in passive mode. However, we intend to switch to active mode for virus scanning. Our current goal is to develop a Bash script that uploads files to Azure Blob Storage after the Microsoft Defender scan is performed and confirms that no threats are identified.
The files are received on a Linux VM from a third-party application (LiquidFiles), and we assume that the scan will run as soon as a file lands on the Linux VM, with any identified threats resulting in the file being deleted.
We have a couple of questions regarding this process:
Threat Identification: How can we identify if there was a threat identified in a specific file and decide whether to continue with further steps?
File Access During Scan: If we attempt to access the incoming file through a Bash script that runs immediately, will Microsoft Defender lock the file until the scan is complete and it is deemed safe for further processing?
Any thoughts, advice, or insights on the above would be greatly appreciated.
Best regards,
Marc
- AdelAlDabbasMicrosoft
Hello marc190511 ,
When MDATP is active, and real time protection is enabled, there will be no need for the custom scan as files will be scanned as soon as the files land.
For Threat Identification, Defender for Endpoint notifies you of possible malicious events, attributes, and contextual information through alerts in the security portal (security.microsoft.com).
If you want something local on the device, you can use "mdatp threat list". For configuration/quarantine management, please refer to the supported commands: Microsoft Defender for Endpoint on Linux resources - Microsoft Defender for Endpoint | Microsoft Learn
If the bash script runs immediately, you might run into file access issues as it will be locked. Best approach is to test this first - you might have to slightly delay the bash script.
Best regards,
Adel