macOS Defender ATP health check scripts & commands

As mentioned in the article Troubleshooting Defender ATP installation on macOS Catalina (10.15.1), there are a number of health scripts and commands that can be run to identify issues with the Defender ATP install. The output below is from a kernel-extension-based build (engine 100.72.15); on newer builds the same check is `mdatp health`.

mdatp --health

cloudAutomaticSampleSubmission          : true
cloudDiagnosticEnabled                  : true
cloudEnabled                            : true
definitionsUpdated                      : "1572580603073"
definitionsUpdatedMinutesAgo            : 6
definitionsVersion                      : 78727
edrDeviceTags                           : []
edrEarlyPreviewEnabled                  : "disabled"
edrMachineId                            : "e576.......9d6"
healthy                                 : true
licensed                                : true
logLevel                                : "info"
machineGuid                             : "10000002-0000-0000-0000-3000000004"
orgId                                   : "7000000b-0000-0000-0000-4000000002"
realTimeProtectionAvailable             : true
realTimeProtectionEnabled               : true
releaseRing                             : "Production"
versionEngine                           : "100.72.15"

There are also a number of scripts located inside the kernel extension package (/Library/Extensions/wdavkext.kext/Contents/Resources/Tools):

  • check_state.sh
  • load.sh
  • wdavconfig.py
  • installlib.sh
  • uninstall
  • wdavstate.py

check_state.sh

Reports whether the wdavkext kext is loaded and whether the wdavdaemon and Microsoft Defender processes are running, printing the pids it finds:

  /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/check_state.sh
  KEXT wdavkext is loaded
  DAEMON wdavdaemon is running, pid=3311
  3312
  3313
  PROCESS Microsoft Defender is running, pid=2665
  3321
  PROCESS wdavdaemon is running, pid=3311
  3312
  3313

load.sh

Loads, unloads or reports the status of the kernel extension; it takes one of the switches load, unload or status. With status it prints the kextstat row for com.microsoft.wdavkext (the version in parentheses should match versionEngine from mdatp --health):

daniil@Daniils-MBP ~ % cd /Library/Extensions 
daniil@Daniils-MBP Extensions % /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/load.sh status
Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
  191    0 0xffffff7f846ad000 0xd000     0xd000     com.microsoft.wdavkext (100.72.15) F612EC7B-C9EC-3AD0-BC2C-4399BB0DF259 <8 6 5 1>
Ok.
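As an added example (not code from the article or from the Defender ATP package), the following script turns the two checks above into a single pass/fail gate: it parses the fields of `mdatp --health` that a healthy install should report and the kextstat row printed by `load.sh status`, and cross-checks the loaded kext version against versionEngine. The sample inputs are constructed from the output shown on this page; the names `health_get`, `kext_version`, `health_check` and `MAX_DEF_AGE` are chosen here, and the 1440-minute definition age threshold is an assumed value.

```shell
#!/bin/sh
# Added example, not part of the original article or the Defender package:
# a health gate that parses `mdatp --health` and `load.sh status` (kextstat)
# output and exits non-zero when the install does not look healthy.
# Run with --live on a kext-based Defender install; without it the script
# checks the constructed samples below, which are copied from the article.

# Constructed sample of `mdatp --health` output (values as shown in the article).
SAMPLE_HEALTH='cloudEnabled                            : true
definitionsUpdatedMinutesAgo            : 6
healthy                                 : true
licensed                                : true
realTimeProtectionAvailable             : true
realTimeProtectionEnabled               : true
releaseRing                             : "Production"
versionEngine                           : "100.72.15"'

# Constructed sample of `load.sh status` output (a kextstat row).
SAMPLE_KEXTSTAT='Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
  191    0 0xffffff7f846ad000 0xd000     0xd000     com.microsoft.wdavkext (100.72.15) F612EC7B-C9EC-3AD0-BC2C-4399BB0DF259 <8 6 5 1>'

# Hypothetical staleness threshold for definitions, in minutes (override via env).
MAX_DEF_AGE=${MAX_DEF_AGE:-1440}

# health_get KEY TEXT: print the value of KEY from mdatp health output, quotes stripped.
health_get() {
    printf '%s\n' "$2" | awk -v key="$1" -F' *: *' \
        '$1 == key { v = $2; gsub(/"/, "", v); print v; exit }'
}

# kext_version BUNDLE_ID TEXT: print the loaded version of BUNDLE_ID from kextstat
# output (column 6 is Name, column 7 is "(Version)"); return 1 if it is not loaded.
kext_version() {
    printf '%s\n' "$2" | awk -v id="$1" \
        '$6 == id { v = $7; gsub(/[()]/, "", v); print v; found = 1; exit }
         END { exit !found }'
}

# health_check HEALTH_TEXT KEXTSTAT_TEXT: report every failing condition,
# return 0 only when all pass.
health_check() {
    rc=0
    for key in healthy licensed cloudEnabled \
               realTimeProtectionAvailable realTimeProtectionEnabled; do
        val=$(health_get "$key" "$1")
        [ "$val" = "true" ] || { echo "FAIL: $key = ${val:-<missing>}"; rc=1; }
    done
    age=$(health_get definitionsUpdatedMinutesAgo "$1")
    case $age in
        ''|*[!0-9]*) echo "FAIL: definitionsUpdatedMinutesAgo = ${age:-<missing>}"; rc=1 ;;
        *) [ "$age" -le "$MAX_DEF_AGE" ] || { echo "FAIL: definitions are $age min old"; rc=1; } ;;
    esac
    if kv=$(kext_version com.microsoft.wdavkext "$2"); then
        # The loaded kext version should match the engine the daemon reports.
        ev=$(health_get versionEngine "$1")
        [ "$kv" = "$ev" ] || { echo "FAIL: kext $kv != engine $ev"; rc=1; }
    else
        echo "FAIL: com.microsoft.wdavkext is not loaded"; rc=1
    fi
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    TOOLS=/Library/Extensions/wdavkext.kext/Contents/Resources/Tools
    health_check "$(mdatp --health)" "$("$TOOLS/load.sh" status)"
else
    health_check "$SAMPLE_HEALTH" "$SAMPLE_KEXTSTAT" && echo "OK: sample install is healthy"
fi
```

The functions take the command output as text rather than running the commands themselves, so the same parsing can be pointed at output collected from another machine (for example pasted into a support ticket) or used as a periodic check from a management agent, where the exit status is what matters.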

wdavstate.py & wdavconfig.py

These two scripts are identical and must be run as root. They print the device uuid, the orgid, the managed orgid and the effective orgid:

daniil@Daniils-MBP Extensions % sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavstate.py
uuid            : 10000002-0000-0000-0000-3000000004
orgid           : 10000002-0000-0000-0000-3000000004
orgid managed   : 10000002-0000-0000-0000-3000000004
orgid effective : 

installlib.sh

Installs the kernel extension.