Running the analyzer through GUI scenario
- Download the XMDE Client Analyzer tool to the macOS or Linux machine you need to investigate.
The current SHA256 hash of ‘XMDEClientAnalyzer.zip’ that is downloaded from the above link is: ’34C7F043211575544BB2C9CE30AB0998172066E44CD51E1CA018EDE9C96AB834′.
- Extract the contents of XMDEClientAnalyzer.zip on the machine.
- Open a terminal session, change directory to the extracted location and run:
On Linux, if the script does not have permissions to execute, then you’ll need to first run:
chmod a+x mde_support_tool.sh
Running the analyzer using a terminal or SSH scenario
Open a terminal or SSH into the relevant machine and run the following commands:
wget --quiet -O XMDEClientAnalyzer.zip https://aka.ms/XMDEClientAnalyzer
unzip -q XMDEClientAnalyzer.zip
chmod +x mde_support_tool.sh
- Run as non-root use to install required pip and lxml which components:
- To collect actual diagnostic package and generate the result archive file run again as root:
- For Linux, the analyzer requires ‘lxml’ to produce the result output. If not installed, the analyzer will try to fetch it from the official repository for python packages below: https://files.pythonhosted.org/packages/\*/lxml\*.whl
- In addition, the tool currently requires Python version 3 or later to be installed.
- If you are running on a machine that cannot use Python 3 or fetch the lxml component, then you can download a binary based version of the analyzer that does not have any of the requirements: XMDE Client Analyzer Binary
- If your device is behind a proxy, then you can simply pass the proxy server as an environment variable to the mde_support_tool.sh script. For example:
Additional syntax help:
-h # Help
# Show help message
performance # Performance
# Collects extensive tracing for analysis of a performance issue that can be reproduced on demand. Using
--length=<seconds> to specify the duration of the benchmark.
-o # Output
# Specify the destination path for the result file
-nz # No-Zip
# If set, a directory will be created instead of a resulting archive file
-f # Force
# Overwrite if output already exists in destination path
Result package contents on macOS and Linux
Description: The main HTML output file that will contain the findings and guidance that the analyzer script run on the machine can produce.
Description: Same diagnostic output that gets generated when running mdatp diagnostic create on either macOS
Description: XML output that is generated while running and is used to build the html report file.
Description: contains the details of the running Microsoft Defender for Endpoint related processes on the system.
Description: contains the same log messages written on screen during the data collection.
Description: The same basic health output that is shown when running mdatp health command.
Description: Additional XML file used by the analyzer when building the HTML report.
Description: details on auditd service and related components for Linux OS
Description: The performance test reports. You will see this only if you are using the performance parameter.