EICAR file is not blocked by Defender for Endpoint
- Jul 28, 2022
Hi ramal,
In MEM (Intune) I'm assuming that you followed these instructions:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-preferences?view=o365-worldwide#intune-full-profile
There is a section that showcases how to allow a threat in case it's a False Positive (FP).
<key>allowedThreats</key>
<array>
<string>EICAR-Test-File (not a virus)</string>
</array>
Needs to be changed to:
<key>allowedThreats</key>
<array>
<string></string>
</array>
Thanks,
Yong Rhee - MSFT
Hi yongrheemsft
I think the issue is resolved after making the changes to the Defender profile as advised by you.
But I didn't receive a desktop notification saying that the file is quarantined. They have quarantined the file and it says that it will be removed periodically. Do you have an idea when it will be removed, and why I didn't get the desktop notification when they quarantined the file?
We heard from enterprise customers that they don't want to see any sort of notification to their end-users, so that the Sec Admin/SOC takes care of the problem behind the scenes.
It could be due to:
<key>CriticalAlertEnabled</key>
<false/>
Reference:
Notifications
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-install-with-intune?view=o365-worldwide#notifications
Thanks,
Yong Rhee - MSFT
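An added example, not part of the thread and not Microsoft's code: a small audit that walks a Defender preferences profile and reports the two settings discussed above, non-empty `allowedThreats` entries and `CriticalAlertEnabled` set to false. The sample plist is constructed and simplified, and its nesting under `PayloadContent` and `antivirusEngine` is an assumption; the walker matches the keys wherever they appear.

```python
import plistlib

# Constructed sample: a simplified fragment, not the full Intune profile.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>antivirusEngine</key>
      <dict>
        <key>allowedThreats</key>
        <array>
          <string>EICAR-Test-File (not a virus)</string>
          <string></string>
        </array>
      </dict>
    </dict>
    <dict>
      <key>CriticalAlertEnabled</key>
      <false/>
    </dict>
  </array>
</dict>
</plist>"""


def audit_profile(data: bytes) -> list[str]:
    """Return findings for allow-listed threats and disabled critical alerts."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}/{key}"
                if key == "allowedThreats" and isinstance(value, list):
                    # An empty <string></string> (the corrected profile) allows nothing.
                    for name in value:
                        if isinstance(name, str) and name.strip():
                            findings.append(f"{here}: detection suppressed for '{name}'")
                elif key == "CriticalAlertEnabled" and value is False:
                    findings.append(f"{here}: critical alerts disabled")
                else:
                    walk(value, here)
        elif isinstance(node, list):
            for index, item in enumerate(node):
                walk(item, f"{path}[{index}]")

    walk(plistlib.loads(data), "")
    return findings
```

Calling `audit_profile(SAMPLE_PROFILE)` returns one finding per setting; running it over a profile exported from MEM before deployment catches a copied documentation sample that still allow-lists the EICAR test file.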