[Enter feedback here]

Symptom:

While you are going thru Client configuration

1. Run a detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:

curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt

Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually#client-configuration

You might wait and not get any notifications in the MDE portal.

Cause:

In the "Set preferences" section, you might have the sample "Full configuration profile example" deployed to /etc/opt/microsoft/mdatp/managed/mdatp_managed.json via Ainsible, or Puppet.

You will see that it has this allowed threat in the example:

  "allowedThreats":[
     "EICAR-Test-File (not a virus)"
  ],

You will want to remove that portion if you want to

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/linux-preferences#full-profile

Resolution:

In Ansible or Puppet, remove the following:
"allowedThreats":[
"EICAR-Test-File (not a virus)"
],

for testing, you could edit /etc/opt/microsoft/mdatp/managed/mdatp_managed.json with VI or Nano.

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: e2197cba-30ac-1749-e25a-6f39c9ee9d20
• Version Independent ID: bcd14f13-ab59-8e69-5c83-42fee6e51f87
• Content: Deploy Microsoft Defender ATP for Linux manually - Windows security
• Content Source: windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
• Product: w10
• GitHub Login: @Dansimp
• Microsoft Alias: dansimp