ramal
Copper Contributor
Jul 28, 2022
Solved

EICAR file is not blocked by Defender for Endpoint

I have enrolled some Mac devices and deployed Defender for Endpoint via Intune.

Defender for Endpoint is properly configured, but when I download the EICAR file it doesn't automatically get blocked / I didn't even receive an alert.

Platform: macOS Version 12.4 (21F79)

7 Replies

  • Tiennes
    Brass Contributor
    Hi ramalabey,

    For Microsoft Defender for Endpoint to work properly on a macOS device, you need to make sure that MDE has the proper permissions to the file system on macOS. Please check this in the settings of your macOS device, and please check this article: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-install-manually?view=o365-worldwide.
  • Hi ramal,

    In MEM (Intune) I'm assuming that you followed these instructions:
    https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-preferences?view=o365-worldwide#intune-full-profile

    There is a section that showcases how to allow a threat in case it's a False Positive (FP).

    <key>allowedThreats</key>
    <array>
    <string>EICAR-Test-File (not a virus)</string>
    </array>

    Needs to be changed to:

    <key>allowedThreats</key>
    <array>
    <string></string>
    </array>

    Thanks,
    Yong Rhee - MSFT
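One way to check a profile file for leftover allowedThreats entries before deploying it, as an added example that is not part of the original thread or of Microsoft's tooling. The function names and the simplified sample profile are constructed for illustration; it assumes the profile is an XML property list.

```python
import plistlib

# Threat name exactly as it appears in the reply above.
EICAR_NAME = "EICAR-Test-File (not a virus)"

# Constructed, simplified sample profile (not a full Intune payload).
SAMPLE_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>antivirusEngine</key>
      <dict>
        <key>allowedThreats</key>
        <array>
          <string>{threat}</string>
        </array>
      </dict>
    </dict>
  </array>
</dict>
</plist>"""


def find_allowed_threats(node):
    """Recursively collect every string under any allowedThreats key."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "allowedThreats" and isinstance(value, list):
                found.extend(v for v in value if isinstance(v, str))
            else:
                found.extend(find_allowed_threats(value))
    elif isinstance(node, list):
        for item in node:
            found.extend(find_allowed_threats(item))
    return found


def audit_profile(data: bytes):
    """Return the non-empty threat names the profile tells Defender to allow."""
    return [n for n in find_allowed_threats(plistlib.loads(data)) if n.strip()]


if __name__ == "__main__":
    for threat in (EICAR_NAME, ""):
        allowed = audit_profile(SAMPLE_TEMPLATE.format(threat=threat).encode())
        print("allowed threats:", allowed or "none")
```

A profile that still lists the EICAR name will suppress the test detection, while an empty `<string></string>` entry allows no named threat.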

    • ramal
      Copper Contributor

      Hi yongrheemsft

      As advised, I have modified the XML file as profile deployed, but it still isn't getting blocked / detected.

      Please refer to the screenshot below.
