Microsoft Tech Community

EICAR file is not blocked by Defender for Endpoint


I have enrolled some Mac devices and deployed Defender for Endpoint via Intune.

Defender for Endpoint is properly configured, but when I download the EICAR file it doesn't automatically get blocked / I didn't even receive an alert.


Platform: macOS Version 12.4 (21F79)








7 Replies
best response confirmed by ramal (New Contributor)

Hi @ramal,

In MEM (Intune) I'm assuming that you followed these instructions:

There is a section that showcases how to allow a threat, in case it's a False Positive (FP).

<string>EICAR-Test-File (not a virus)</string>

Needs to be changed to:


Yong Rhee - MSFT
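
The allow-list entry discussed in the reply above can be checked for mechanically. The following is an added example, not part of the original reply or of Microsoft's tooling: it parses a configuration profile and reports every allow-listed threat name, flagging the EICAR entry. The key names `antivirusEngine` and `allowedThreats`, the payload type `com.microsoft.wdav`, and the sample profile are assumptions constructed for illustration; only the `<string>` value comes from the thread.

```python
import plistlib

# Constructed sample: a trimmed configuration profile in the shape of an
# Intune .mobileconfig, with the EICAR test threat on the allow list.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.microsoft.wdav</string>
            <key>antivirusEngine</key>
            <dict>
                <key>allowedThreats</key>
                <array>
                    <string>EICAR-Test-File (not a virus)</string>
                </array>
            </dict>
        </dict>
    </array>
</dict>
</plist>
"""

def find_allowed_threats(node, path=""):
    """Walk a parsed plist and return (path, threat_name) for every allowedThreats entry."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if key == "allowedThreats" and isinstance(value, list):
                hits += [(here, str(name)) for name in value]
            else:
                hits += find_allowed_threats(value, here)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits += find_allowed_threats(item, f"{path}[{index}]")
    return hits

def audit_profile(data):
    """Return (path, name, is_eicar) for each allow-listed threat in the profile bytes."""
    hits = find_allowed_threats(plistlib.loads(data))
    return [(p, name, "eicar" in name.lower()) for p, name in hits]

if __name__ == "__main__":
    for p, name, is_eicar in audit_profile(SAMPLE_PROFILE):
        note = "  <-- allow-listed test file will not be blocked" if is_eicar else ""
        print(f"{p}: {name}{note}")
```
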

Hi ramalabey,

For Microsoft Defender for Endpoint to work properly on a macOS device, you need to make sure that MDE has the proper permissions to the file system on macOS. Please check the settings of your macOS device and this article:

Hi @Yong Rhee


As advised, I have modified the XML file as profile deployed, but it still isn't getting blocked / detected.

Please refer to the screenshot below.







Hi @Tiennes


I have already provided full disk access for MDE.

But it still isn't getting detected.






@ramal, after enabling the setting, you need to make sure that the policy is refreshed.

And regarding Tiennes' recommendation about full disk access, make sure to reboot for the setting to take effect, if you haven't already.

If the symptom persists, since I can't reproduce it in my environment, please open a Microsoft support ticket. Have the following data collected and attached to the case. For more info about the Client Analyzer on macOS, please review

Yong Rhee - MSFT

Hi @Yong Rhee


I think the issue is resolved after making the changes to the Defender profile as advised by you.

But I didn't receive a desktop notification saying that the file is quarantined. They have quarantined the file and it says that it will be removed periodically. Do you have an idea when it will be removed and why I didn't get the desktop notification when they quarantined the file?




Hello @ramal,

We heard from enterprise customers that they don't want to see any sort of notification to their end-users, so that the Sec Admin/SOC take care of the problem behind the scenes.

It could be due to:


Yong Rhee - MSFT