Help understanding MDE Linux threat policies - MDE doesn't delete/quarantine rookits?

Hello. Hoping someone can help me understand how to confirm (and possibly modify) the behavior of MDE for Linux regarding threat policies.

 

Here's a folder containing EICAR:

 

$ ls test_me/
eicar.txt

 

It is properly detected as EICAR:

 

$ mdatp scan custom --path /home/analyst/test_me 
Scan has finished
	1 file(s) scanned
	1 threat(s) detected

Threat(s) found

Id: "20a180da-feef-49a3-bec0-c23c9947d138"
Name: Virus:DOS/EICAR_Test_File
Type: "virus"
Status: "infected"

 

However, the file is not deleted or quarantined, because the status is "allowed":

 

$ sudo mdatp threat get --id "20a180da-feef-49a3-bec0-c23c9947d138"
Id: "20a180da-feef-49a3-bec0-c23c9947d138"
Name: Virus:DOS/EICAR_Test_File
Type: "virus"
Detection time: Fri Apr 26 15:02:09 2024
Status: "allowed"
Path: "/home/analyst/test_me/eicar.txt"
File size: 69
Sha256 hash: 131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267

 

How does MDE know to allow this? There are no threat families allowed:

 

$ mdatp threat allowed list
No threat families.

 

There are no policies defined by default (at least it doesn't seem like it...the output is just two rows of equal signs):

 

$ mdatp threat policy list
=====================================
=====================================

 

I looked into how to set threat policies, thinking maybe the default is to allow everything. It appears there are only two types of threat policies: archive bombs and potentially unwanted applications (PUA):

 

$ mdatp threat policy set 
Configure a threat handling policy:
  --type arg            Threat type. Accepted values: archive_bomb, 
                        potentially_unwanted_application
  --action arg          Action to take when a threat is encountered. Accepted 
                        values: off, audit, block

 

Eicar is definitely not an archive bomb. Maybe it is a PUA, so I set the policy to block:

 

$ sudo mdatp threat policy set --type potentially_unwanted_application --action block
Threat policy modified successfully

$ mdatp threat policy list
=====================================
Threat type: potentially_unwanted_application
Action: block
=====================================

 

I scanned the file again and no change in behavior - it is still "allowed."

 

Thinking MDE only allows EICAR because it knows it's just for testing, I went ahead and threw a Stuxnet rootkit driver into the folder and scanned again. It was properly detected as Stuxnet, but still was just "allowed".

 

$ mdatp scan custom --path /home/analyst/test_me 
Scan has finished
	2 file(s) scanned
	2 threat(s) detected

Threat(s) found

Id: "0ac534db-024d-4497-8509-3b2b5e218a6d"
Name: Trojan:WinNT/Stuxnet.B
Type: "trojan"
Status: "infected"

Id: "a633de95-628a-4c89-8b29-693b7be32f1e"
Name: Virus:DOS/EICAR_Test_File
Type: "virus"
Status: "infected"

 

How does one configure MDE to actually delete or quarantine threats? Is this only possible with full system scans and not on-demand/custom scans?

 

 

1 Reply
Update: This appears to be due to passive mode being enabled. By disabling passive mode, the threats are quarantined. Thanks
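As an added example (not part of the thread, and not Microsoft's own tooling), here is a small shell audit helper for the situation the update describes: it reads `mdatp health` output and a threat listing and reports whether passive mode is the reason detections stay in the "allowed" state. It assumes that `mdatp health` prints `passive_mode_enabled` and `real_time_protection_enabled` as `key : value` lines and that `mdatp threat list` uses the same `Status: "..."` lines shown in the thread; the sample output embedded below is constructed from the thread's values, and the script falls back to it when `mdatp` is not installed.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: audit whether passive mode explains
# threats being reported as "allowed" instead of quarantined.
# Assumptions: `mdatp health` emits "passive_mode_enabled : <bool>" and
# "real_time_protection_enabled : <bool>"; threat listings use 'Status: "..."'.

# Read one "key : value" field from `mdatp health` text on stdin.
# Accepts both "key : value" and "key: value" spacing; strips quotes.
health_field() {
  awk -v f="$1" '{
    key = $1; sub(/:$/, "", key)
    if (key == f) {
      v = $NF; gsub(/"/, "", v)
      if (v == ":") v = ""        # field present but empty
      print v; exit
    }
  }'
}

# Count threat records on stdin whose Status equals $1 (e.g. allowed, infected).
count_status() {
  grep -c "^Status: \"$1\"" || true   # grep exits 1 on zero matches; keep the 0
}

# Verdict: returns 0 when passive mode is on and detections are sitting in
# the "allowed" state (reported, not remediated); returns 1 otherwise.
passive_mode_explains_allowed() {
  health="$1"; threats="$2"
  passive=$(printf '%s\n' "$health" | health_field passive_mode_enabled)
  rtp=$(printf '%s\n' "$health" | health_field real_time_protection_enabled)
  allowed=$(printf '%s\n' "$threats" | count_status allowed)
  if [ "$passive" = "true" ] && [ "$allowed" -gt 0 ]; then
    echo "passive mode ON (real_time_protection_enabled=$rtp): $allowed detection(s) reported but not remediated"
    return 0
  fi
  echo "passive mode OFF (real_time_protection_enabled=$rtp): $allowed detection(s) in allowed state"
  return 1
}

# Constructed sample output mirroring the thread's state before the fix.
SAMPLE_HEALTH='healthy                                     : true
passive_mode_enabled                        : true
real_time_protection_enabled                : false'

SAMPLE_THREATS='Id: "20a180da-feef-49a3-bec0-c23c9947d138"
Name: Virus:DOS/EICAR_Test_File
Type: "virus"
Status: "allowed"
Path: "/home/analyst/test_me/eicar.txt"'

# Use live output when mdatp is installed, otherwise the constructed samples.
if command -v mdatp >/dev/null 2>&1; then
  HEALTH=$(mdatp health); THREATS=$(mdatp threat list)
else
  HEALTH=$SAMPLE_HEALTH; THREATS=$SAMPLE_THREATS
fi
passive_mode_explains_allowed "$HEALTH" "$THREATS" || true
```

Run it on a host where the quarantine behaviour looks wrong before changing any policy: if it reports passive mode ON, the threat policy settings shown earlier in the thread are not what is holding back remediation, and the passive-mode setting is the thing to review.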