Defender for Endpoint for macOS feedback


Hi MDE humans,

Two points of feedback to MDE on macOS which we are trialing internally. 

Client ran a full scan after being concerned about security on their macOS. The full scan scanned not only the root volume but also the Time Machine mount attached to the Mac. The issue was that the Time Machine device stored terabytes of data and took days to scan.

The interesting behavior out of this is that while MDE detected adware within a DMG, I did not get an alert in M365 Defender until the scan had finished.

So two requests:

1. Is there a way to limit scanning so it does not follow symlinks across the network, similar to how a full scan on Windows will do C: by default but not network-attached drives?

2. Can we be notified through MDE when the threat is found in a full scan, not on completion of the scan?

Thanks

Danny

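The first request above is about scan scope: a scanner that descends into symlinks or crosses onto a separately mounted volume ends up sweeping an entire backup disk. The walker below is an added illustration of the scope rule being asked for and is not MDE's own scan logic or configuration; it refuses to enter symlinked directories and, by default, any directory that lives on a different device than the scan root, while still recording what it skipped so an operator can see what was left out. The directory layout it builds is a constructed sample (a "system" tree with a symlink standing in for an attached backup volume), not anything from the post.

```python
import os
import tempfile
from pathlib import Path


def scan_tree(root, follow_links=False, stay_on_device=True):
    """Walk `root` and return (files, skipped).

    files   : regular files that a scanner would inspect
    skipped : symlinked directories/files and directories on another
              device (mount points) that were deliberately not entered

    Illustrative walker, not MDE's behaviour. With follow_links=False and
    stay_on_device=True the walk stays on the root volume, the way the
    post asks a full scan to behave.
    """
    root = Path(root)
    root_dev = root.stat().st_dev
    files, skipped = [], []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=follow_links):
        keep = []
        for d in dirnames:
            p = Path(dirpath) / d
            if not follow_links and p.is_symlink():
                skipped.append(str(p))
                continue
            # A child on a different st_dev is a mount point (e.g. an
            # attached backup disk); do not descend into it.
            if stay_on_device and p.stat().st_dev != root_dev:
                skipped.append(str(p))
                continue
            keep.append(d)
        dirnames[:] = keep  # os.walk honours in-place pruning
        for f in filenames:
            p = Path(dirpath) / f
            if not follow_links and p.is_symlink():
                skipped.append(str(p))
            elif p.is_file():
                files.append(str(p))
    return sorted(files), sorted(skipped)


def build_demo_tree():
    """Constructed sample layout (not from the post): a 'system' root holding
    one file, plus a symlink that points at a separate 'backup' tree which
    stands in for an attached backup volume. Returns (system, backup)."""
    base = Path(tempfile.mkdtemp(prefix="scanscope-"))
    system = base / "system"
    backup = base / "backup"
    (system / "Applications").mkdir(parents=True)
    backup.mkdir()
    (system / "Applications" / "app.dmg").write_bytes(b"constructed sample")
    (backup / "old.dmg").write_bytes(b"constructed sample")
    os.symlink(backup, system / "Volumes-Backup")  # link into the "backup volume"
    return system, backup


if __name__ == "__main__":
    system_root, _ = build_demo_tree()
    found, left_out = scan_tree(system_root)
    print("scanned:", found)
    print("skipped:", left_out)
```

Run it as a script to see the symlinked "backup" directory listed under skipped rather than scanned; passing `follow_links=True` shows the opposite behaviour, where the walk crosses into the linked tree and every file behind it becomes part of the scan.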