As mentioned in the article Troubleshooting Defender ATP installation on macOS Catalina (10.15.1), there are a number of health scripts and commands that can be run to identify issues with the Defender ATP install.
mdatp --health
cloudAutomaticSampleSubmission : true
cloudDiagnosticEnabled : true
cloudEnabled : true
definitionsUpdated : "1572580603073"
definitionsUpdatedMinutesAgo : 6
definitionsVersion : 78727
edrDeviceTags : []
edrEarlyPreviewEnabled : "disabled"
edrMachineId : "e576.......9d6"
healthy : true
licensed : true
logLevel : "info"
machineGuid : "10000002-0000-0000-0000-3000000004"
orgId : "7000000b-0000-0000-0000-4000000002"
realTimeProtectionAvailable : true
realTimeProtectionEnabled : true
releaseRing : "Production"
versionEngine : "100.72.15"
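As an added example (not part of the original post), a small shell script that parses `mdatp --health` output in the key : value format shown above and flags the fields that indicate a broken or unprotected install. The sample output embedded below is constructed, and the 1440-minute definition-age threshold is an assumption; on a real host replace the sample with the live command output.

```shell
#!/bin/sh
# Added example: check the fields in `mdatp --health` output that matter for
# a working install. Runs offline against constructed sample output; on a
# real Mac use:  SAMPLE="$(mdatp --health)"

# Constructed sample, same shape as the real output (not captured from a host).
SAMPLE='cloudEnabled : true
definitionsUpdatedMinutesAgo : 6
healthy : true
licensed : true
realTimeProtectionAvailable : true
realTimeProtectionEnabled : true
releaseRing : "Production"
versionEngine : "100.72.15"'

# health_value KEY OUTPUT -> prints the value of KEY with surrounding quotes removed
health_value() {
    printf '%s\n' "$2" | awk -v k="$1" -F' : ' '$1 == k { gsub(/"/, "", $2); print $2; exit }'
}

# check_health OUTPUT -> prints one line per problem found, returns 0 if none
check_health() {
    out=$1
    problems=0
    # Each of these must be true or the machine is effectively unprotected / unmanaged.
    for key in healthy licensed realTimeProtectionEnabled cloudEnabled; do
        if [ "$(health_value "$key" "$out")" != "true" ]; then
            echo "PROBLEM: $key is not true"
            problems=$((problems + 1))
        fi
    done
    age=$(health_value definitionsUpdatedMinutesAgo "$out")
    # Assumed threshold: definitions older than one day (1440 minutes) need a look.
    if [ -z "$age" ] || [ "$age" -gt 1440 ]; then
        echo "PROBLEM: definitions stale or age unknown (${age:-?} minutes)"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

check_health "$SAMPLE" && echo "Defender health OK"
```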
There are also a number of scripts located inside the kernel extension package (/Library/Extensions/wdavkext.kext/Contents/Resources/Tools):
- check_state.sh
- load.sh
- wdavconfig.py
- installlib.sh
- uninstall
- wdavstate.py
check_state.sh
/Library/Extensions/wdavkext.kext/Contents/Resources/Tools/check_state.sh
KEXT wdavkext is loaded
DAEMON wdavdaemon is running, pid=3311
3312
3313
PROCESS Microsoft Defender is running, pid=2665
3321
PROCESS wdavdaemon is running, pid=3311
3312
3313
load.sh
Provides the ability to load, unload or check the status of the extension (it takes one of the switches load, unload or status).
daniil@Daniils-MBP ~ % cd /Library/Extensions
daniil@Daniils-MBP Extensions % /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/load.sh status
Index Refs Address Size Wired Name (Version) UUID <Linked Against>
191 0 0xffffff7f846ad000 0xd000 0xd000 com.microsoft.wdavkext (100.72.15) F612EC7B-C9EC-3AD0-BC2C-4399BB0DF259 <8 6 5 1>
Ok.
wdavstate.py & wdavconfig.py
These scripts are identical and must be run as root. They report the uuid, orgid and managed orgid.
daniil@Daniils-MBP Extensions % sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavstate.py
uuid : 10000002-0000-0000-0000-3000000004
orgid : 10000002-0000-0000-0000-3000000004
orgid managed : 10000002-0000-0000-0000-3000000004
orgid effective :
installlib.sh
Installs the kernel extension.