Jul 28 2022 01:53 PM
I have enrolled some Mac Devices and deployed Defender for Endpoint via Intune
Defender for Endpoint is properly configured, but when I download the EICAR file it doesn't automatically get blocked / I didn't even receive an alert.
Platform: macOS Version 12.4 (21F79)
Jul 28 2022 03:44 PM - edited Jul 28 2022 03:45 PM
Solution
Hi @ramal,
In MEM (Intune) I'm assuming that you followed these instructions:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-preferences?view=o365-...
There is a section that showcases how to allow a threat, in case it's a False Positive (FP).
<key>allowedThreats</key>
<array>
<string>EICAR-Test-File (not a virus)</string>
</array>
Needs to be changed to:
<key>allowedThreats</key>
<array>
<string></string>
</array>
Thanks,
Yong Rhee - MSFT
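An added example, not part of the thread or of Microsoft's documentation: a small audit that parses a Defender preferences profile and reports every threat name listed under allowedThreats, so an allow-listed EICAR entry shows up before the profile is deployed. The sample plists are constructed from the snippet above; the antivirusEngine wrapper and the function names are assumptions, and the search finds the key at any nesting depth.

```python
import plistlib

# Constructed sample: the "before" state from the answer above, wrapped in a
# minimal plist. The antivirusEngine wrapper is an assumption about the
# surrounding profile; the search below does not depend on it.
SAMPLE_BEFORE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>antivirusEngine</key>
  <dict>
    <key>allowedThreats</key>
    <array>
      <string>EICAR-Test-File (not a virus)</string>
    </array>
  </dict>
</dict>
</plist>"""

# Constructed sample: the "after" state, with the entry emptied as advised.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(b"EICAR-Test-File (not a virus)", b"")


def find_allowed_threats(node, path=""):
    """Yield (path, entry) for every allowedThreats entry in a parsed plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if key == "allowedThreats" and isinstance(value, list):
                for name in value:
                    yield here, name
            else:
                yield from find_allowed_threats(value, here)
    elif isinstance(node, list):
        # Covers .mobileconfig files, where settings sit inside payload arrays.
        for i, item in enumerate(node):
            yield from find_allowed_threats(item, f"{path}[{i}]")


def audit_profile(plist_bytes):
    """Return (path, threat_name) pairs the profile allows, skipping empty strings."""
    hits = find_allowed_threats(plistlib.loads(plist_bytes))
    return [(p, n) for p, n in hits if isinstance(n, str) and n.strip()]


if __name__ == "__main__":
    for label, data in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, "->", audit_profile(data) or "no threats allowed")
```

Any non-empty result means the named threat will not be blocked on devices that receive the profile.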
Jul 29 2022 01:08 AM
Jul 29 2022 01:30 AM
Hi @Yong Rhee
As advised, I have modified the XML file as profile deployed, but it still isn't getting blocked / detected.
Please refer to the screenshot below.
Jul 29 2022 01:35 AM
Jul 29 2022 06:39 AM
Jul 30 2022 03:02 AM
Hi @Yong Rhee
I think the issue is resolved after making the changes to the Defender profile as advised by you.
But I didn't receive a desktop notification saying that the file is quarantined. They have quarantined the file and it says that it will be removed periodically. Do you have an idea when it will be removed, and why I didn't get the desktop notification when they quarantined the file?
Aug 01 2022 07:34 AM