SOLVED

EICAR file is not blocked by Defender for Endpoint

Occasional Contributor

I have enrolled some Mac Devices and deployed Defender for Endpoint via Intune 

Defender for Endpoint is properly configured, but when i download the EICAR file it doesn't automatically get blocked / I didn't even receive an alert 

 

Platform : MacOS Version 12.4 (21F79)

 

ramalabey_0-1659041321369.png

ramalabey_1-1659041373959.png

ramalabey_2-1659041461743.png

 

 

 

7 Replies
best response confirmed by ramalabey (Occasional Contributor)
Solution

Hi @ramalabey,

In MEM (Intune) I'm assuming that you followed these instructions:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-preferences?view=o365-...

There is a section, that showcases, how to allow a treat, in case if it's a False Positive (FP).

<key>allowedThreats</key>
<array>
<string>EICAR-Test-File (not a virus)</string>
</array>

Needs to be changed to:

<key>allowedThreats</key>
<array>
<string></string>
</array>

Thanks,
Yong Rhee - MSFT

Hi ramalabey,

For Microsoft Defender for Endpoint to work properly on a macOS device, you need to make sure that MDE has the proper permissions to the file system on a macOS. Please check in the settings of your macOS, please check this article: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-install-manually?view=....

Hi @Yong Rhee

 

As advised i have modified the xml file as profile deployed, but it still isn't getting blocked / detected 

Please refer below screenshot

 

ramalabey_0-1659083255029.png

ramalabey_1-1659083424149.png

 

 

 

Hi @Tiennes

 

I have already provided full disk access for MDE

But it still isn't getting detected 

 

ramalabey_0-1659083658293.png

 

 

 

@ramalabey, after enabling the setting, you need to make sure that the policy is refreshed.

And regarding Tiennes recommendation about full disk access, make sure to reboot for the setting to take effect, if you already haven't.

If the symptom persists, since I can't reproduce it in my environment, please open a Microsoft support ticket. Have the following data collected and attached to the case. aka.ms/xMDEClientAnalyzer . For more info about the Client Analyzer on macOS, please review https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux?v...

Thanks,
Yong Rhee - MSFT

Hi @Yong Rhee

 

I think the issue is resolved after making the changes to the defender profile as advised by you 

But i didn't receive a desktop notification saying that the file is quarantined, they have quarantined the file and it says that it will be removed periodically, do you have an idea when it will be removed and why i didn't get the desktop notification when they quarantined the file ?  

 

ramalabey_0-1659175342094.png

 

Hello @ramalabey,

We heard from enterprise customers that they don't want to see any sort of notification to their end-users, so that the Sec Admin/SOC take care of the problem behind the scene.

It could be due to:
<key>CriticalAlertEnabled</key>
<false/>

Reference:
Notifications
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-install-with-intune?vi...

Thanks,
Yong Rhee - MSFT