SOLVED

EICAR file is not blocked by Defender for Endpoint

Copper Contributor

I have enrolled some Mac devices and deployed Defender for Endpoint via Intune.

Defender for Endpoint is properly configured, but when I download the EICAR file it doesn't automatically get blocked / I didn't even receive an alert.

Platform: macOS version 12.4 (21F79)


7 Replies
best response confirmed by ramal (Copper Contributor)
Solution

Hi @ramal,

In MEM (Intune) I'm assuming that you followed these instructions:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-preferences?view=o365-...

There is a section that showcases how to allow a threat, in case it's a False Positive (FP).

<key>allowedThreats</key>
<array>
<string>EICAR-Test-File (not a virus)</string>
</array>

Needs to be changed to:

<key>allowedThreats</key>
<array>
<string></string>
</array>

Thanks,
Yong Rhee - MSFT

Hi ramalabey,

For Microsoft Defender for Endpoint to work properly on a macOS device, you need to make sure that MDE has the proper permissions to the file system on macOS. Please check the settings of your macOS; see this article: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-install-manually?view=....

Hi @Yong Rhee

As advised, I have modified the XML file in the deployed profile, but it still isn't getting blocked / detected.

Please refer to the screenshot below.


Hi @Tiennes

I have already provided full disk access for MDE.

But it still isn't getting detected.


@ramal, after enabling the setting, you need to make sure that the policy is refreshed.

And regarding Tiennes' recommendation about full disk access, make sure to reboot for the setting to take effect, if you haven't already.

If the symptom persists, since I can't reproduce it in my environment, please open a Microsoft support ticket. Have the following data collected and attached to the case: aka.ms/xMDEClientAnalyzer. For more info about the Client Analyzer on macOS, please review https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux?v...

Thanks,
Yong Rhee - MSFT

Hi @Yong Rhee

I think the issue is resolved after making the changes to the Defender profile as advised by you.

But I didn't receive a desktop notification saying that the file is quarantined. They have quarantined the file and it says that it will be removed periodically. Do you have an idea when it will be removed, and why I didn't get the desktop notification when they quarantined the file?

Hello @ramal,

We heard from enterprise customers that they don't want to see any sort of notification to their end-users, so that the Sec Admin/SOC take care of the problem behind the scenes.

It could be due to:
<key>CriticalAlertEnabled</key>
<false/>

Reference:
Notifications
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-install-with-intune?vi...

Thanks,
Yong Rhee - MSFT
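Two profile settings explain the whole thread: the EICAR entry left in `allowedThreats` (accepted answer) suppresses the detection, and `CriticalAlertEnabled` set to false (last reply) hides the quarantine notification from the end user. The following is an added example, not Microsoft's code and not posted by anyone in this thread: a small linter that loads an exported preferences plist or `.mobileconfig`, reports both conditions, and strips the EICAR allow-list entry. The sample plists are constructed for the demonstration, the nesting of the keys (`antivirusEngine`, `userInterface`) is illustrative and the linter does not depend on it, and the function names are our own.

```python
"""Lint a Defender for Endpoint (macOS) preferences plist for the two settings
discussed in this thread. Added example, not Microsoft tooling; key names come
from the replies above, function names and sample plists are our own."""
import plistlib
from typing import Any, Iterator

EICAR_THREAT_NAME = "EICAR-Test-File (not a virus)"


def _walk(node: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted_path, value) for every key at any depth, so the checks do
    not depend on where Intune nests the payload (PayloadContent, antivirusEngine...)."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            yield child, value
            yield from _walk(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _walk(item, f"{path}[{i}]")


def allowed_threats(plist_bytes: bytes) -> list[str]:
    """Non-empty entries of every allowedThreats array. The accepted answer's fix
    leaves one empty <string></string>; an empty entry allow-lists nothing, so it
    is filtered out here."""
    names: list[str] = []
    for path, value in _walk(plistlib.loads(plist_bytes)):
        if path.split(".")[-1] == "allowedThreats" and isinstance(value, list):
            names.extend(s.strip() for s in value if isinstance(s, str) and s.strip())
    return names


def lint(plist_bytes: bytes) -> list[str]:
    """Human-readable findings; an empty list means nothing to fix."""
    findings: list[str] = []
    for name in allowed_threats(plist_bytes):
        if name.lower() == EICAR_THREAT_NAME.lower():
            findings.append(f"EICAR is allow-listed in allowedThreats ({name!r}): "
                            "detections of the test file will be suppressed")
        else:
            findings.append(f"allowedThreats contains {name!r}: confirm this is an "
                            "intended false-positive exception")
    for path, value in _walk(plistlib.loads(plist_bytes)):
        if path.split(".")[-1] == "CriticalAlertEnabled" and value is False:
            findings.append(f"{path} is false: end users get no quarantine "
                            "notification (the detection itself still happens)")
    return findings


def remove_eicar_allowlist(plist_bytes: bytes) -> bytes:
    """Return the plist with the EICAR entry dropped from every allowedThreats array."""
    data = plistlib.loads(plist_bytes)

    def scrub(node: Any) -> None:
        if isinstance(node, dict):
            for key, value in node.items():
                if key == "allowedThreats" and isinstance(value, list):
                    node[key] = [s for s in value if not (
                        isinstance(s, str) and s.strip().lower() == EICAR_THREAT_NAME.lower())]
                else:
                    scrub(value)
        elif isinstance(node, list):
            for item in node:
                scrub(item)

    scrub(data)
    return plistlib.dumps(data)


# Constructed sample: the profile as deployed in the question (EICAR allow-listed,
# notifications off). The nesting under antivirusEngine/userInterface is illustrative.
BEFORE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>antivirusEngine</key><dict>
    <key>allowedThreats</key><array><string>EICAR-Test-File (not a virus)</string></array>
  </dict>
  <key>userInterface</key><dict><key>CriticalAlertEnabled</key><false/></dict>
</dict></plist>
"""

# Constructed sample: the corrected profile (empty allowedThreats entry, notifications on).
AFTER = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>antivirusEngine</key><dict>
    <key>allowedThreats</key><array><string></string></array>
  </dict>
  <key>userInterface</key><dict><key>CriticalAlertEnabled</key><true/></dict>
</dict></plist>
"""

if __name__ == "__main__":
    for label, blob in (("deployed profile", BEFORE), ("corrected profile", AFTER)):
        print(label + ":", lint(blob) or ["no findings"])
```

Run it against a real export by replacing the constructed `BEFORE` with the bytes of your `.mobileconfig`; the walk is path-agnostic, so the Intune `PayloadContent` wrapper does not need to be unwrapped first.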