This blog is about “Microsoft Defender for Endpoint” for Linux, hereafter referred to as MDE. The term “Defender” is used across multiple products and technologies.
An overview of Microsoft 365 Defender is illustrated here: What is Microsoft 365 Defender? | Microsoft Learn
The typical audience for this blog is SAP Basis administrators and consultants. Enterprise Security is a specialist role and the activities described in this blog should be planned in conjunction with the Security Administrators. The objective of this blog is to provide a basic understanding of MDE on Linux and how to operate, check and troubleshoot problems on SAP VMs running MDE. It is generally recommended that the Enterprise Security Team coordinate with the SAP team and jointly design the MDE configuration, exclusions and scheduling.
Before continuing it is strongly recommended to watch the video in the link below. Microsoft Defender for Endpoint (MDE) is one component in the set of Defender solutions and in turn has multiple subcomponents: Microsoft Defender for Endpoint | Microsoft Docs
This blog is focusing on two subcomponents: Next-generation protection (AntiVirus) and Endpoint detection and response (EDR). Next-generation protection is an AntiVirus (AV) product similar to AV solutions for Windows environments. Endpoint detection and response (EDR) detects and can block suspicious activity and system calls.
Microsoft Defender for Endpoint Subcomponents
MDE for Linux may be deployed to VMs running SAP applications automatically in a subscription if Microsoft Defender for Cloud is activated. The SAP administrators and/or infrastructure team may not be aware MDE for Linux will be automatically deployed as a VM Extension. SAP administrators may observe that MDE is not installed when a new VM is first created, but after some time the following extension can be seen in the “Extensions + applications” blade in the Azure Portal.
Microsoft Defender for Cloud may be activated for the subscription containing SAP resources and MDE for Windows and Linux may be deployed by default. Further information can be found here: Using Microsoft Defender for Endpoint in Microsoft Defender for Cloud to protect native, on-premises...
MDE for Linux can also be deployed manually via tools such as yum and zypper, or via Ansible, Chef and Puppet.
SAP administrators and consultants should check with the Enterprise Security team for details about which deployment mode is used for the Azure subscription running SAP VMs.
Prerequisites for deploying MDE for Linux on SAP VMs:
Internet connectivity can be confirmed with the command below
In the Azure Extension deployment the AV component of MDE does not intercept IO calls. There is no IO interception and no scheduled AV scanning, therefore MDE for Linux will not cause IO performance degradation on SAP DBMS or Application servers.
Note: if MDE for Linux is deployed by methods other than the Azure Extension, the AntiVirus functionality may be enabled.
The command mdatp health will output the value for real_time_protection_enabled when MDE is deployed as an Azure Extension.
The Linux crontab is typically used to schedule MDE AV scan and log rotation tasks.
EDR functionality will be Active whenever MDE for Linux is installed. There is no way to disable EDR functionality through command line or configuration.
See the section “Checklist for Troubleshooting Problems on SAP VMs Running MDE on Linux” for more information on troubleshooting EDR.
It is recommended to check the installation and configuration of MDE with the command mdatp health.
The MDE configuration of SAP Application and DBMS servers should be similar to the screenshot below. The key parameters are:
This article has some useful hints on troubleshooting installation issues for MDE:
It is generally recommended to enable real_time_protection_enabled = true after identifying the relevant DBMS and SAP exclusions. This provides the optimal protection while at the same time avoiding performance problems.
This article details how to configure AV exclusions for processes, files and folders per individual VM.
SAP administrators should contact the Enterprise Security Team to discuss how to configure AV exclusions for all SAP VMs in an Azure Resource Group or Subscription.
Warning: If real time scanning is enabled on MDE releases lower than 101.88.48 sudo may be blocked. It is strongly recommended to update to the latest version of MDE and verify the MDE release before enabling real time scanning.
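As an added example (not code from the blog), the checks recommended above can be scripted: parse the output of mdatp health, confirm the agent is healthy with current definitions, and flag real-time protection on a release below 101.88.48. It assumes the "key : value" output format of mdatp health; the sample output is constructed.

```shell
#!/bin/sh
# Added example: validate the state an SAP VM should report in `mdatp health`.
# Assumes the "key : value" output format (strings quoted) and the minimum
# release 101.88.48 from the warning above.
MIN_RTP_VERSION="101.88.48"

# version_ge A B: succeed when dotted release A is >= B (numeric per component).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i"); y=$(printf '%s' "$2" | cut -d. -f"$i")
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# health_field KEY: print the value of KEY from `mdatp health` text on stdin.
health_field() {
    awk -F' : ' -v k="$1" '$1 ~ ("^" k " *$") { gsub(/"/, "", $2); print $2; exit }'
}

# check_health: read `mdatp health` output on stdin and print one PROBLEM line
# per finding, or an OK line when the VM matches the recommended state.
check_health() {
    out=$(cat); n=0
    healthy=$(printf '%s\n' "$out" | health_field healthy)
    rtp=$(printf '%s\n' "$out" | health_field real_time_protection_enabled)
    ver=$(printf '%s\n' "$out" | health_field app_version)
    defs=$(printf '%s\n' "$out" | health_field definitions_status)
    if [ "$healthy" != "true" ]; then
        echo "PROBLEM: healthy=$healthy (collect 'sudo mdatp diagnostic create')"; n=$((n + 1))
    fi
    if [ "$defs" != "up_to_date" ]; then
        echo "PROBLEM: definitions_status=$defs (run 'mdatp definitions update')"; n=$((n + 1))
    fi
    if [ "$rtp" = "true" ] && ! version_ge "$ver" "$MIN_RTP_VERSION"; then
        echo "PROBLEM: real-time protection enabled on release $ver < $MIN_RTP_VERSION: sudo may be blocked, update mdatp first"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ] && echo "OK: release $ver, real_time_protection_enabled=$rtp, definitions $defs"
    return 0
}

# Constructed sample of `mdatp health` output (not captured from a real VM).
SAMPLE_HEALTH='healthy                                     : true
app_version                                 : "101.98.05"
real_time_protection_enabled                : true
definitions_status                          : "up_to_date"'

# On a real VM run: mdatp health | check_health
printf '%s\n' "$SAMPLE_HEALTH" | check_health
```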
It is recommended to exclude:
Note: It is recommended to keep database files on a separate mountpoint with read and write permissions only (no exec permission on the mount point).
Hana systems should exclude /hana/data, /hana/log and /hana/shared – see Note 1730930.
Oracle ASM systems do not need exclusions as MDE cannot read ASM disks.
Recommended SAP OSS Notes
Note: MDE for Linux folder exclusions are not recursive, meaning a “/usr/sap/trans” exclusion does not include subfolders such as the “cofiles” or “data” subdirectories under “/usr/sap/trans”. Subfolders need to be specifically added.
After configuring exclusions it is possible to test with the EICAR test file. The EICAR test file can be placed in a temporary location to confirm MDE AV is functioning correctly.
In the example below the standard EICAR test file is downloaded with wget and a scan is run manually.
Threats can be listed with the command mdatp threat list and then the file(s) removed with the command below.
If there are performance, stability or installation problems on an SAP VM running MDE for Linux it is recommended to follow the checklist below:
This file can be configured with additional debugging/support options.
Restart the mdatp service with the command sudo service mdatp restart.
After completing the above checklist try to reproduce the problem. If the problem reproduces and MDE is a possible cause then follow the procedure below to open a support case.
In rare cases MDE for Linux may impact performance or stability of an SAP VM. If this is suspected follow this checklist:
MDE for Linux support cases should be opened by the Enterprise Security Team via the Defender 365 Portal and not via the typical Azure Portal page. The support message should mention “Defender on Linux performance issues”.
In rare cases it may be necessary to uninstall MDE to isolate a problem. SAP support may also occasionally request that a problem is reproduced without any AntiVirus or security software installed.
MDE for Linux can be uninstalled using yum, zypper or dnf: Microsoft Defender for Endpoint on Linux resources | Microsoft Learn
Another option is to use the installer script: Deploy Microsoft Defender for Endpoint on Linux manually | Microsoft Learn
The complete list of log and config files for MDE is:
AV or EDR events such as finding a Virus are logged into the Defender 365 Portal.
The deployment and health status of a subscription is also visible within the Defender 365 Portal, an example is illustrated below
It is generally recommended to install nmon and activate sysstat (SAR) on SAP servers. These tools are useful for determining if MDE for Linux or other processes are causing high CPU or disk utilization.
If sysstat needs to be installed follow the steps below:
# sudo yum install sysstat
# sudo service sysstat restart
Redirecting to /bin/systemctl restart sysstat.service
The /var/log/sa/sarXX files can be copied onto a Windows PC with sftp:
sftp -i <keyfilename>.pem azureuser@<xx.xx.xx.xx>
On a Windows PC run this command and open the SAR file: java -jar C:\sap_media\ksar.jar
KSAR shows long term trends and NMON is a realtime tool.
When reviewing KSAR graphs problems with AV software may be indicated by high “Waiting I/O” times.
Example of NMON logging with analysis in Excel via Nmon-Analyzer macros. CPU shown in blue line and IOPS in pink.
During manual zypper installation on Suse an error “Nothing provides ‘policycoreutils’”
There are several command-line commands that can control the operation of mdatp. To turn off real-time protection, you can use the command:
mdatp config real-time-protection --value disabled
This command will tell mdatp to retrieve the latest definitions from the cloud:
mdatp definitions update
This command will test whether mdatp can connect to the cloud-based endpoints via the network:
mdatp connectivity test
These commands will update the mdatp software if needed:
yum update mdatp
zypper update mdatp
Since mdatp runs as a Linux system service, you can control mdatp using the service command, e.g.:
service mdatp status
sudo mdatp diagnostic create (this command creates a diagnostic file that can be uploaded to Microsoft support)
In /hana/shared there are a very large number of binaries. These binaries should be excluded from Real Time Scanning. A loop like the one below can be used:
for f in /hana/shared/<put in full path here>/exe/hdb*; do
    # add one process exclusion per HANA binary (ASCII double dashes, not a typographic dash)
    sudo mdatp exclusion process add --name "$f"
done
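Because folder exclusions are not recursive (see the note in the exclusions section) and the hdb* binaries need one process exclusion each, the added script below (not the blog's own code) generates the full list of mdatp exclusion commands for review before they are applied. It assumes the mdatp exclusion folder add --path and mdatp exclusion process add --name subcommands; the directory layout it builds is constructed for demonstration.

```shell
#!/bin/sh
# Added example: emit one `mdatp exclusion folder add` per directory under an
# SAP path (folder exclusions are not recursive) and one
# `mdatp exclusion process add` per HANA hdb* binary. Paths are constructed.

# folder_exclusions ROOT: one command per directory under ROOT, ROOT included.
folder_exclusions() {
    find "$1" -type d | sort | while IFS= read -r d; do
        printf 'mdatp exclusion folder add --path "%s"\n' "$d"
    done
}

# process_exclusions EXEDIR: one process exclusion per hdb* binary in EXEDIR.
process_exclusions() {
    for f in "$1"/hdb*; do
        [ -f "$f" ] && printf 'mdatp exclusion process add --name "%s"\n' "$f"
    done
    return 0
}

# make_sample_tree: build a constructed SAP/HANA layout in a temp dir and print its path.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/sap/trans/cofiles" "$t/usr/sap/trans/data" "$t/usr/sap/trans/log" \
             "$t/hana/shared/HDB/exe/linuxx86_64/hdb"
    for b in hdbindexserver hdbnameserver hdbdaemon; do
        : > "$t/hana/shared/HDB/exe/linuxx86_64/hdb/$b"
    done
    printf '%s\n' "$t"
}

# count_lines: number of generated commands on stdin.
count_lines() { wc -l | tr -d ' '; }

ROOT=$(make_sample_tree)
folder_exclusions "$ROOT/usr/sap/trans"                          # trans, cofiles, data, log
process_exclusions "$ROOT/hana/shared/HDB/exe/linuxx86_64/hdb"   # three hdb* binaries
# On a real VM: review the generated list, then pipe it through `sudo sh` to apply it.
rm -rf "$ROOT"
```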
Microsoft Endpoint Manager does not support Linux at this time: Manage Microsoft Defender for Endpoint configuration settings on devices with Microsoft Endpoint Man...
Thanks to Anjan Banerjee, Rahul Tibdewal and Ankit Garg