Fighting with Microsoft Defender for Endpoint on Linux

I have been setting up a new Linux server at work to replace our development server that hosts various things such as the source code repositories. Since I need to copy data to the new machine I was setting up passwordless login as one does.

ssh-copy-id root@newmachine

But it didn’t work. No matter what I tried I could not get SSH to work without using a password. I was assuming an sshd setting, but the only settings I found restricted log in via password for root, not by keyfile.

Then I tried copying some scripts I had created for making backups. Simple bash scripts, nothing too fancy. Two copied OK, one did not, even though the scripts were virtually identical. No errors from scp, the file just did not exist in the location it was supposed to be copied to.

Then I realized what was happening: mdatp - Microsoft Defender for Endpoint, which the company mandates gets installed - was just deleting the files. It was also deleting the “authorized_keys” file for SSH, which is why I could not get the passwordless login to work. As soon as ssh-copy-id copied the key to the authorized_keys file, mdatp deleted the file. We have also had this problem before on one of our build machines, with build artifacts just getting randomly deleted.

Setting an exclusion for the ssh directory means I can now ssh without a password. But why is this necessary? If it randomly deletes files that are no threat, then the only way to run a stable server is to set exclusions, which defeats the whole purpose of a tool that is supposed to monitor for malicious files. A program that runs in the background and randomly deletes files seems like a form of malware to me. It is clearly not fit for purpose.
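A defender's way of handling the deletion described above, as an added example that is not part of the original post: check what the agent quarantined, restore the file from quarantine, and scope the exclusion to the one directory rather than to a whole tree. The mdatp subcommands shown (threat list, threat quarantine list/restore, exclusion folder add, exclusion list) are assumed from the CLI's documented shape, so confirm them with `mdatp --help` on your build; the helper names are mine.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumes the mdatp CLI
# subcommands below exist on the installed agent (check `mdatp --help`).

# Pure helper: does PATH fall under one of the excluded folders given as
# the remaining arguments? Exact match or a child path counts; a sibling
# such as /root/.sshx does not.
path_is_excluded() {
  path=$1
  shift
  for dir in "$@"; do
    case "$path" in
      "$dir"|"$dir"/*) return 0 ;;
    esac
  done
  return 1
}

# Triage, restore, then add a narrow exclusion. Only touches the real
# agent when it is installed, so the helper above can be tested anywhere.
mdatp_restore_and_exclude() {
  target=$1
  command -v mdatp >/dev/null 2>&1 || { echo "mdatp not installed" >&2; return 2; }
  # 1. What did the agent detect, and what is sitting in quarantine?
  mdatp threat list
  mdatp threat quarantine list
  # 2. Restore the deleted file by the id printed in the listing above
  #    (placeholder; take the real id from the output):
  #    mdatp threat quarantine restore --id "<threat-id-from-listing>"
  # 3. Exclude only the directory that was hit, e.g. /root/.ssh, never / or /home.
  mdatp exclusion folder add --path "$target"
  # 4. Confirm the exclusion is in place and no broader than intended.
  mdatp exclusion list
}

# Usage: sh this_script.sh /root/.ssh
if [ -n "${1:-}" ]; then
  mdatp_restore_and_exclude "$1"
fi
```

Keeping the exclusion this narrow preserves scanning of the rest of the filesystem, and the quarantine listing tells you which detection fired so the false positive can be reported instead of silently tolerated.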

Oh, and on my Windows machine it consistently runs at 80% CPU for long periods.

David Dibben
Software developer of electromagnetic simulation systems