It has become the norm for organizations of all sizes to operate environments with multiplatform endpoints. That’s why Microsoft Defender for Endpoint provides comprehensive endpoint security and detection and response capabilities across operating systems including Windows, macOS, Linux, iOS, and Android. Our team is focused on delivering critical capabilities across ecosystems, while also tailoring detections and more to the respective OS and its unique requirements.

Today we are excited to announce a new set of investigation and response capabilities across macOS and Linux operating systems. These include file and investigation package collection for macOS and Linux and troubleshooting mode for macOS.

File and investigation package collection for macOS and Linux

When conducting a comprehensive investigation, security analysts must gain visibility and context from compromised devices to better understand malicious behaviors that may have occurred during an attack. This often requires the analyst to gather malicious files and device telemetry to aid in identifying the root cause of the attack, addressing concerns about compromising other devices and adhering to data compliance policies.  

To assist security teams in obtaining the necessary information for immediate response or enhancing organizational protection against future campaigns, file collection and investigation package collection response actions are now available in public preview for macOS and Linux platforms. 

Analysts with the relevant permissions will be able to download files identified on the device and .zip packages that provide additional context about the device's current state for further analysis of the affected device and a better understanding of the tools and techniques employed by the attacker. 

File Collection 

In the event of detecting suspicious activity or a security breach, file collection enables analysts to gather any suspected or malicious files, to assist in the investigation and response process. 

It all begins with the "Collect File" step, and only after that does the Download button become active. 

Note: In scenarios where files are automatically quarantined by Microsoft Defender for Endpoint, you will be able to download those files immediately. 

After navigating to your list of response actions, select "Download file" to initiate the download of a local, password-protected .zip archive containing your desired file. This efficient and secure method helps preserve data confidentiality without impeding your ongoing investigation or response. 

Image 1: File collection

Investigation Package Collection 

The investigation package is a comprehensive collection of forensic data that can be extracted from devices as part of the response process. This package allows us to delve deep into the details of security incidents, better understand their nature and scope, and provide valuable evidence for threat research, and legal, and regulatory purposes.  

The investigation package includes a range of critical information, such as system logs, network activity data, process histories, and other relevant artifacts. 

To download an investigation package and investigate the events that occurred on a device, select "Collect investigation package" from the row of response actions at the top of the device page. Then, the zip file downloads. 

Image 2: Investigation package collection

Troubleshooting mode for macOS

A year and a half ago we released tamper protection for macOS devices to help secure these devices against advanced malware where it would disable antimalware settings. Now we are extending troubleshooting mode to macOS, allowing SecOps, security administrators, helpdesk and other roles to investigate issues seen on macOS such as high CPU, high memory consumption, application compatibility, or even eliminate antimalware, so you can focus on the actual issue. This mode will enable the local admin on the devices to override antivirus security policy configurations on the device.

Troubleshooting mode is initiated on the device page and is time bound for up to 4 hours.  Once troubleshooting mode has expired, the security settings that were configured on the device prior to troubleshooting mode will be restored, and any new policies that were created by your security or IT admin during troubleshooting mode will be applied.

Additional diagnostic files will be available for collection after troubleshooting mode. Your security admin can collect the diagnostic files by using the xMDEClientAnalyzer feature.

What is the troubleshooting mode scope?

• Real-Time Protection/ Passive mode / On-Demand
  • Change the enforcement modes such as Disable Real-Time Protection temporarily
• Network Protection
  • Disable Network Protection temporarily
• realTimeProtectionStatistics
• Ability to capture it even with Tamper Protection enabled.
• tags
  • Ability to set or update the device tag
• groupIds
  • Ability to set or update the Group Id
• Endpoint DLP
  • Ability to disable Endpoint DLP temporarily.

Troubleshooting mode pre-requisites

• Access to the Microsoft Defender XDR portal (https://security.microsoft.com)
• Turn on the previews features in the Microsoft Defender XDR portal
• Manage security settings in Security Center permissions
• Meet the minimum macOS system requirements for Microsoft Defender for Endpoint on macOS
• Minimum required Platform Update version for Microsoft Defender for Endpoint on macOS: 101.23092.0007 or newer

Enable troubleshooting mode for macOS

Logon to Microsoft Defender XDR portal (https://security.microsoft.com)

Search for the device that you want to enable troubleshooting mode.

On the device page, search for the device on which you would like to turn on troubleshooting mode, then select Turn on troubleshooting mode.

On a macOS device, if you run mdatp health, you will see the “troubleshooting_mode” setting as indicated below. 

Where do I see Troubleshooting Mode signals?

Troubleshooting mode signals can be seen in Microsoft Defender XDR portal, via advanced hunting, and in local device logs.

In the device timeline:

Search for troubleshooting, and you will see “Event of type [AntivirusTroubleshootModeEvent] observed on device”

Via Advanced Hunting:

In the device log:

The logs can also be found locally on the device. Troubleshooting mode events are logged in the following area: “/Library/Logs/Microsoft/mdatp/microsoft_defender_core.log”

Based on the logs, you can check the status of Troubleshooting mode using this command:

sudo cat /Library/Logs/Microsoft/mdatp/microsoft_defender_core.log | grep troubleshootingMode

Having the right security capabilities in place for each OS in your environment is critical and Defender for Endpoint continues to innovate its multiplatform support for the best possible device protection – no matter the OS.

More information  

• Check out our documentation for more details on how to use response actions in Microsoft Defender for Endpoint 
• To learn more about collecting a file, click here  
• To learn more about collecting an investigation package, click here

• Microsoft Defender for Endpoint on Mac documentation 
• Troubleshoot performance issues for Microsoft Defender for Endpoint on macOS