I'm working with mdatp (Microsoft Defender Advanced Threat Protection) for Linux. The idea is to detect any malicious file in a specific folder, using a command like:

mdatp scan custom --path /tmp/

The problem is that mdatp is automatically removing, without asking, any detected files and putting them in the quarantine folder. My question is: is there any way to prevent this behavior? I checked in the settings but I found nothing useful.

Mitch On

Microsoft provided a document that provides the steps for excluding the directory entirely using the following from the command line on the Linux server:

Add an antivirus exclusion for a directory: mdatp exclusion folder add --path [path-to-directory]

Unfortunately, I'm not aware of anything that allows you to set the behavior to NOT quarantine files other than setting Defender in 'Passive' mode and I'm not sure that will do you any good.

Enable/Disable passive mode in MDE (aka mdatp, Defender): mdatp config passive-mode --value [enabled|disabled]

Reference: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/microsoft-defender-for-endpoint-linux-configuration-and/ba-p/1577902
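The two options in the answer, a folder exclusion or passive mode, change what happens to a detection in the scanned folder, and it is worth confirming the host's actual state before running a custom scan. The script below is an added example, not part of the question or of Mitch On's answer and not Microsoft's code: it parses the health and exclusion listings and reports whether a detection under a given path would be skipped (folder excluded), only reported (passive mode) or quarantined (active mode). The output layouts of `mdatp health` and `mdatp exclusion list` are approximated by constructed samples and are an assumption; on a real host, feed the live command output to the same functions.

```shell
#!/bin/sh
# Added example (not from the page). Assumption: the `key : value` layout of
# `mdatp health` and the section layout of `mdatp exclusion list` below are
# constructed approximations; replace them with real output on a host, e.g.
#   HEALTH=$(mdatp health); EXCL=$(mdatp exclusion list)

# Constructed sample of `mdatp health` output.
SAMPLE_HEALTH='healthy                          : true
real_time_protection_enabled     : true
passive_mode_enabled             : false
definitions_status               : up_to_date'

# Constructed sample of `mdatp exclusion list` output.
SAMPLE_EXCLUSIONS='Folder exclusion(s):
    /var/lib/build
File exclusion(s):
    /opt/app/allowlisted.bin'

# health_field NAME TEXT -> prints the value of NAME from health-style output.
health_field() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $3; exit }'
}

# passive_mode TEXT -> succeeds if passive mode is enabled in the health output.
passive_mode() {
    [ "$(health_field passive_mode_enabled "$1")" = "true" ]
}

# folder_excluded PATH TEXT -> succeeds if PATH equals or lies under a listed
# folder exclusion (file exclusions are ignored on purpose).
folder_excluded() {
    target=${1%/}
    printf '%s\n' "$2" | awk -v t="$target" '
        /^Folder exclusion/ { in_folders = 1; next }
        /^[A-Za-z]/          { in_folders = 0 }
        in_folders {
            sub(/^[ \t]+/, ""); sub(/\/$/, "")
            if ($0 == t || index(t, $0 "/") == 1) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# scan_outcome PATH HEALTH EXCLUSIONS -> one word for what a detection under
# PATH leads to: skipped, reported or quarantined.
scan_outcome() {
    if folder_excluded "$1" "$3"; then
        echo "skipped"        # excluded folders are not scanned at all
    elif passive_mode "$2"; then
        echo "reported"       # passive mode: detection logged, no automatic remediation
    else
        echo "quarantined"    # active mode: detected file moved to quarantine
    fi
}

# With the constructed samples, /tmp is neither excluded nor in passive mode.
scan_outcome /tmp "$SAMPLE_HEALTH" "$SAMPLE_EXCLUSIONS"
```

Run it against live output by replacing the two sample variables; a result of `quarantined` for the folder you intend to scan is the signal that the scan will remove detected files, which is exactly the behaviour the question describes.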