Forum Discussion
EICAR file is not blocked by Defender for Endpoint
- Jul 28, 2022
Hi ramal,
In MEM (Intune) I'm assuming that you followed these instructions:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-preferences?view=o365-worldwide#intune-full-profile
There is a section that shows how to allow a threat in case it's a false positive (FP).
<key>allowedThreats</key>
<array>
<string>EICAR-Test-File (not a virus)</string>
</array>
Needs to be changed to:
<key>allowedThreats</key>
<array>
<string></string>
</array>
Thanks,
Yong Rhee - MSFT
And regarding Tienne's recommendation about full disk access, make sure to reboot for the setting to take effect, if you haven't already.
If the symptom persists, since I can't reproduce it in my environment, please open a Microsoft support ticket. Have the following data collected and attached to the case. aka.ms/xMDEClientAnalyzer . For more info about the Client Analyzer on macOS, please review https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux?view=o365-worldwide
Thanks,
Yong Rhee - MSFT
- ramal, Jul 30, 2022, Copper Contributor
Hi yongrheemsft,
I think the issue is resolved after making the changes to the Defender profile as advised by you.
But I didn't receive a desktop notification saying that the file was quarantined. They have quarantined the file, and it says that it will be removed periodically. Do you have an idea when it will be removed, and why I didn't get the desktop notification when they quarantined the file?
- yongrheemsft, Aug 01, 2022, Microsoft
Hello ramal,
We have heard from enterprise customers that they don't want their end users to see any sort of notification, so that the Sec Admin/SOC can take care of the problem behind the scenes.
It could be due to:
<key>CriticalAlertEnabled</key>
<false/>
Reference:
Notifications
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-install-with-intune?view=o365-worldwide#notifications
Thanks,
Yong Rhee - MSFT
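The following is an added example, not code from the thread above or from Microsoft. It turns the two causes discussed in the replies (an EICAR entry under allowedThreats, and missing Full Disk Access) into pre-flight checks, then drops an EICAR file and lists detections and quarantine from the command line, which is how you see the result when end-user notifications are disabled via CriticalAlertEnabled. It assumes the mdatp command-line tool installed with Defender for Endpoint on macOS is on PATH; the exact output format of `mdatp threat allowed list` and of `mdatp health --field full_disk_access_enabled` that the parsing helpers expect is an assumption, and the sample outputs used in the checks are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread). Pre-flight checks and a
# local EICAR detection test for Defender for Endpoint on macOS.
# Assumes: the `mdatp` CLI is on PATH when run on a real endpoint, and that
# `mdatp health --field full_disk_access_enabled` prints true/false.

# The EICAR test string is kept in two halves so this script file is not
# itself detected as the test file; it is only joined when written out.
EICAR_HEAD='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR'
EICAR_TAIL='-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# Print the full 68-byte EICAR test string.
eicar_string() {
  printf '%s%s' "$EICAR_HEAD" "$EICAR_TAIL"
}

# Given the text of `mdatp threat allowed list`, succeed (return 0) if an
# EICAR entry is present. That entry corresponds to the allowedThreats
# profile setting the thread identifies as the reason EICAR is not blocked.
eicar_is_allowed() {
  printf '%s\n' "$1" | grep -qi 'eicar'
}

# Given the value printed by `mdatp health --field full_disk_access_enabled`,
# succeed (return 0) if Full Disk Access is NOT granted. Without it,
# real-time protection cannot read the file it is supposed to scan.
fda_missing() {
  case "$(printf '%s' "$1" | tr -d '[:space:]"')" in
    true) return 1 ;;
    *)    return 0 ;;
  esac
}

# Write an EICAR file to a scratch directory, give real-time protection a
# few seconds, then show detections and quarantine contents. This is the
# admin-side view of the result when desktop notifications are suppressed.
run_eicar_test() {
  dir=$(mktemp -d)
  eicar_string > "$dir/eicar.com"
  sleep 5
  echo "--- threats detected ---"
  mdatp threat list
  echo "--- quarantined items ---"
  mdatp threat quarantine list
  rm -rf "$dir"
}

main() {
  if ! command -v mdatp >/dev/null 2>&1; then
    echo "mdatp not found; run this on a Mac with Defender installed" >&2
    return 1
  fi
  if eicar_is_allowed "$(mdatp threat allowed list)"; then
    echo "EICAR is on the allowed-threat list; remove it from allowedThreats in the profile" >&2
    return 1
  fi
  if fda_missing "$(mdatp health --field full_disk_access_enabled)"; then
    echo "Full Disk Access is not granted; grant it and reboot" >&2
    return 1
  fi
  run_eicar_test
}

# Only attempt the live test when Defender's CLI is actually present, so the
# helper functions can still be exercised on any machine.
if command -v mdatp >/dev/null 2>&1; then
  main
fi
```

If the allowed-list check trips, the fix is the one in the first reply: empty the allowedThreats array in the Intune profile (or remove the entry locally with `mdatp threat allowed remove --name`) and re-run. If quarantine lists the file but no desktop notification appeared, that is the CriticalAlertEnabled behaviour described in the last reply, not a detection failure.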