Behavior monitoring in Microsoft Defender Antivirus on macOS
Applies to:
- Microsoft Defender for XDR
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Business
- Microsoft Defender for Individuals
- Microsoft Defender Antivirus
- Supported versions of macOS
Important
Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Overview of behavior monitoring
Behavior monitoring monitors process behavior to detect and analyze potential threats based on the behavior of the applications, daemons, and files within the system. As behavior monitoring observes how the software behaves in real-time, it can adapt quickly to new and evolving threats and block them.
Prerequisites
- The device must be onboarded to Microsoft Defender for Endpoint.
- Preview features must be enabled in the Microsoft Defender portal.
- The device must be in the Beta channel (formerly InsiderFast).
- The minimum Microsoft Defender for Endpoint version number must be Beta (Insiders-Fast): 101.24042.0002 or newer. The version number refers to the app_version (also known as Platform update).
- Real-time protection (RTP) must be enabled.
- Cloud-delivered protection must be enabled.
- The device must be explicitly enrolled in the preview program.
Deployment instructions for behavior monitoring
To deploy behavior monitoring in Microsoft Defender for Endpoint on macOS, you must change the behavior monitoring policy using one of the following methods: Intune, Jamf, or a manual change from the Terminal. The following sections describe each of these methods in detail.
Intune deployment
Copy the following XML to create a .plist file and save it as BehaviorMonitoring_for_MDE_on_macOS.mobileconfig
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadUUID</key>
    <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadOrganization</key>
    <string>Microsoft</string>
    <key>PayloadIdentifier</key>
    <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
    <key>PayloadDisplayName</key>
    <string>Microsoft Defender for Endpoint settings</string>
    <key>PayloadDescription</key>
    <string>Microsoft Defender for Endpoint configuration settings</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadEnabled</key>
    <true/>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadUUID</key>
            <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
            <key>PayloadType</key>
            <string>com.microsoft.wdav</string>
            <key>PayloadOrganization</key>
            <string>Microsoft</string>
            <key>PayloadIdentifier</key>
            <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
            <key>PayloadDisplayName</key>
            <string>Microsoft Defender for Endpoint configuration settings</string>
            <key>PayloadDescription</key>
            <string/>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadEnabled</key>
            <true/>
            <key>antivirusEngine</key>
            <dict>
                <key>behaviorMonitoring</key>
                <string>enabled</string>
            </dict>
            <key>features</key>
            <dict>
                <key>behaviorMonitoring</key>
                <string>enabled</string>
                <key>behaviorMonitoringConfigurations</key>
                <dict>
                    <key>blockExecution</key>
                    <string>enabled</string>
                    <key>notifyForks</key>
                    <string>enabled</string>
                    <key>forwardRtpToBm</key>
                    <string>enabled</string>
                    <key>avoidOpenCache</key>
                    <string>enabled</string>
                </dict>
            </dict>
        </dict>
    </array>
</dict>
</plist>
- Open Devices > Configuration profiles.
- Select Create profile and select New Policy.
- Give the profile a name. Set Platform to macOS and Profile type to Templates, then choose Custom in the template name section. Select Configure.
- Go to the plist file you saved earlier and save it as com.microsoft.wdav.xml.
- Enter com.microsoft.wdav as the custom configuration profile name.
- Open the configuration profile, upload the com.microsoft.wdav.xml file, and select OK.
- Select Manage > Assignments. In the Include tab, select Assign to All Users & All devices or to a Device Group or User Group.
JamF deployment
Copy the following XML to create a .plist file and save it as BehaviorMonitoring_for_MDE_on_macOS.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>antivirusEngine</key>
    <dict>
        <key>behaviorMonitoring</key>
        <string>enabled</string>
    </dict>
    <key>features</key>
    <dict>
        <key>behaviorMonitoring</key>
        <string>enabled</string>
        <key>behaviorMonitoringConfigurations</key>
        <dict>
            <key>blockExecution</key>
            <string>enabled</string>
            <key>notifyForks</key>
            <string>enabled</string>
            <key>forwardRtpToBm</key>
            <string>enabled</string>
            <key>avoidOpenCache</key>
            <string>enabled</string>
        </dict>
    </dict>
</dict>
</plist>
- In Computers > Configuration Profiles, select Options > Applications & Custom Settings.
- Select Upload File (.plist file).
- Set the preference domain to com.microsoft.wdav.
- Upload the plist file saved earlier.
For more information, see: Set preferences for Microsoft Defender for Endpoint on macOS.
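Both profiles above (the Intune .mobileconfig and the Jamf .plist) carry the same com.microsoft.wdav dictionary, and a profile with one key mistyped or one value left at "disabled" uploads without complaint. The following Python script is an added example, not Microsoft's code, that validates such a profile before upload: it parses the file with plistlib, unwraps the PayloadContent entry of type com.microsoft.wdav when given a .mobileconfig, and reports every key whose value differs from the settings shown on this page. The sample profiles embedded in it are constructed for a stand-alone run, and the UUID in the constructed mobileconfig is a placeholder.

```python
"""Validate a behavior-monitoring profile for Defender for Endpoint on macOS.

Added example (not Microsoft's code). Works on the bare Jamf .plist for the
com.microsoft.wdav preference domain and on the Intune .mobileconfig, where the
same dictionary is wrapped in a PayloadContent entry of type com.microsoft.wdav.
"""
import copy
import plistlib
import sys

# Key paths the page's profiles set, with the value the page expects for each.
EXPECTED = {
    ("antivirusEngine", "behaviorMonitoring"): "enabled",
    ("features", "behaviorMonitoring"): "enabled",
    ("features", "behaviorMonitoringConfigurations", "blockExecution"): "enabled",
    ("features", "behaviorMonitoringConfigurations", "notifyForks"): "enabled",
    ("features", "behaviorMonitoringConfigurations", "forwardRtpToBm"): "enabled",
    ("features", "behaviorMonitoringConfigurations", "avoidOpenCache"): "enabled",
}


def wdav_settings(profile: dict) -> dict:
    """Return the com.microsoft.wdav settings dict from a bare plist or a mobileconfig."""
    if profile.get("PayloadType") != "Configuration":
        return profile  # bare Jamf-style plist: the settings are the top-level dict
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.microsoft.wdav"]
    if len(payloads) != 1:
        raise ValueError(f"expected one com.microsoft.wdav payload, found {len(payloads)}")
    return payloads[0]


def lookup(settings: dict, path: tuple):
    """Walk nested dicts along path; None if any key on the way is missing."""
    node = settings
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def check_profile(data: bytes) -> list:
    """Return a list of mismatches; an empty list means the profile matches the page."""
    settings = wdav_settings(plistlib.loads(data))
    problems = []
    for path, want in EXPECTED.items():
        got = lookup(settings, path)
        if got != want:
            problems.append(f"{'.'.join(path)}: expected {want!r}, got {got!r}")
    return problems


# Constructed sample profiles for a stand-alone run (not from a real tenant).
_WDAV = {
    "antivirusEngine": {"behaviorMonitoring": "enabled"},
    "features": {
        "behaviorMonitoring": "enabled",
        "behaviorMonitoringConfigurations": {
            "blockExecution": "enabled",
            "notifyForks": "enabled",
            "forwardRtpToBm": "enabled",
            "avoidOpenCache": "enabled",
        },
    },
}
GOOD_JAMF = plistlib.dumps(_WDAV)
GOOD_MOBILECONFIG = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadUUID": "00000000-0000-0000-0000-000000000000",  # placeholder UUID
    "PayloadContent": [dict(_WDAV, PayloadType="com.microsoft.wdav")],
})
_bad = copy.deepcopy(_WDAV)
_bad["features"]["behaviorMonitoringConfigurations"]["blockExecution"] = "disabled"
BAD_JAMF = plistlib.dumps(_bad)  # one setting turned off: the check must flag it

if __name__ == "__main__":
    # Usage: python check_bm_profile.py BehaviorMonitoring_for_MDE_on_macOS.plist
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else BAD_JAMF
    for line in check_profile(data) or ["profile matches the documented settings"]:
        print(line)
```

Run it against the file you are about to upload; a non-empty report means a setting in the profile differs from the ones this page enables, and a ValueError means the mobileconfig does not carry exactly one com.microsoft.wdav payload.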
Manual deployment
You can enable Behavior Monitoring on Microsoft Defender for Endpoint on macOS by running the following command from the Terminal:
sudo mdatp config behavior-monitoring --value enabled
To disable:
sudo mdatp config behavior-monitoring --value disabled
For more information, see: Resources for Microsoft Defender for Endpoint on macOS.
To test behavior monitoring (prevention/block) detection
See Behavior Monitoring demonstration.
Verifying behavior monitoring detections
The existing Microsoft Defender for Endpoint on macOS command line interface can be used to review behavior monitoring details and artifacts.
sudo mdatp threat list
Frequently Asked Questions (FAQ)
What if I see an increase in CPU utilization or memory utilization?
Disable behavior monitoring and see if the issue goes away.
- If the issue doesn't go away, it isn't related to behavior monitoring.
- If the issue goes away, download the XMDE Client Analyzer, and then contact Microsoft support.
Network real-time inspection for macOS
Important
Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The network real-time inspection (NRI) for macOS feature enhances real-time protection (RTP) by using behavior monitoring in concert with file, process, and other events to detect suspicious activity. Behavior monitoring triggers both telemetry and sample submissions for suspicious files; the cloud protection backend analyzes them and delivers the result to the client device, which then removes the threat.
Is there an impact on performance?
NRI should have a low impact on network performance. Instead of holding the connection and blocking, NRI makes a copy of the packet as it crosses the network, and NRI performs an asynchronous inspection.
Note
When network real-time inspection (NRI) for macOS is enabled, you might see a slight increase in memory utilization.
Requirements for NRI for macOS
- The device must be onboarded to Microsoft Defender for Endpoint.
- Preview features must be turned on in the Microsoft Defender portal.
- The device must be in the Beta channel (formerly InsiderFast).
- The minimum Defender for Endpoint version number must be Beta (Insiders-Fast): 101.24092.0004 or newer. The version number refers to the app version (also known as Platform update).
- Real-time protection must be enabled.
- Behavior monitoring must be enabled.
- Cloud-delivered protection must be enabled.
- The device must be explicitly enrolled into the preview.
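Both prerequisite lists on this page (behavior monitoring needs platform version 101.24042.0002 or newer; NRI needs 101.24092.0004 or newer) hinge on the client's app_version. The following Python script is an added example, not Microsoft's code, that compares a version string against both minimums component by component, so that the zero-padded fourth component ("0004" versus "0010") and a version with a missing trailing component compare correctly rather than as strings. Reading the installed version with `mdatp health --field app_version` is an assumption about the client CLI; the fallback version used when mdatp is not present is a constructed value.

```python
"""Check a Defender for Endpoint on macOS app_version against the preview minimums.

Added example (not Microsoft's code). Version strings look like 101.24092.0004,
as on this page; components are compared as integers, so "0004" < "0010" and a
newer platform update such as 101.24100.0001 passes both minimums.
"""
import subprocess

# Minimum Beta (Insiders-Fast) versions stated on this page.
MIN_BEHAVIOR_MONITORING = "101.24042.0002"
MIN_NRI = "101.24092.0004"


def parse_version(version: str) -> tuple:
    """Split a dotted numeric version into a tuple of ints; reject anything else."""
    parts = version.strip().strip('"').split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def meets_minimum(version: str, minimum: str) -> bool:
    """True if version >= minimum, padding the shorter tuple with zeros."""
    v, m = parse_version(version), parse_version(minimum)
    width = max(len(v), len(m))
    return v + (0,) * (width - len(v)) >= m + (0,) * (width - len(m))


def preview_readiness(version: str) -> dict:
    """Which of the two preview features the given platform version is new enough for."""
    return {
        "behavior_monitoring": meets_minimum(version, MIN_BEHAVIOR_MONITORING),
        "nri": meets_minimum(version, MIN_NRI),
    }


def installed_app_version() -> str:
    """Read app_version from the local client.

    Assumes `mdatp health --field app_version` is available on the device. The
    value may be printed quoted; parse_version strips the quotes either way.
    """
    result = subprocess.run(
        ["mdatp", "health", "--field", "app_version"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    try:
        version = installed_app_version()
    except (FileNotFoundError, subprocess.CalledProcessError):
        version = "101.24050.0001"  # constructed value for a run without mdatp installed
    print(version, preview_readiness(version))
```

A device reporting, say, 101.24050.0001 meets the behavior-monitoring minimum but not the NRI minimum, which is exactly the case a string comparison would get wrong once the fourth component grows past one digit.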
Deployment instructions for NRI for macOS
E-mail us at NRIonMacOS@microsoft.com with information about your Microsoft Defender for Endpoint OrgID where you would like to have network real-time inspection (NRI) for macOS enabled.
Important
In order to evaluate NRI for macOS, send email to NRIonMacOS@microsoft.com. Include your Defender for Endpoint Org ID. We're enabling this feature on a per-request basis for each tenant.
Enable behavior monitoring if it's not already enabled:
sudo mdatp config behavior-monitoring --value enabled
Enable network protection in block mode:
sudo mdatp config network-protection enforcement-level --value block
Enable network real-time inspection (NRI):
sudo mdatp network-protection remote-settings-override set --value "{\"enableNriMpengineMetadata\" : true}"
Note
While this feature is in preview, and because the setting is set by using command line, network real-time inspection (NRI) doesn't persist following reboots. You must re-enable it.