a week ago
Hello,
I've been looking through the documentation to determine if Jamf Protect scans downloaded files for viruses before allowing them to open and I can't seem to find a definitive answer.
I know Jamf Protect focuses on providing comprehensive security for macOS devices, including real-time monitoring and threat detection. However, specific features like scanning downloaded files for viruses before allowing them to open are typically associated with traditional or next-generation antivirus solutions.
Does anyone know the answer to this?
Thanks!
Matt
Monday - last edited Monday
Hi MattTHL, unlike traditional AV, Jamf Protect is basically an EDR (Endpoint Detection & Response) that leverages the Mac's built-in security (Gatekeeper, XProtect, MRT, etc.) to handle all the AV/malware detection and reports it back to the Jamf Protect web console. So, it doesn't scan anything. It watches what process is executing and whether the application, script, or executable file is legitimate, digitally signed, or notarized. Then it will act on it.
a week ago
I ran a test (Case CS1169047: "Can not block Crisis Malware in https://objective-see.org/malware.html").
Here is the feedback from the Support Team:
"In those cases, where the executable doesn't actually execute, Jamf Protect has nothing to scan, match and prevent because nothing is actually launching / spawning a process.
This is a 32-bit executable which most computers don't know how to run. Since we scan at runtime, no scan would actually occur since the computer doesn't know how to run it. Basically, the operating system itself didn't know how to, or didn't allow, this to execute correctly; a process wasn't created and no threat was presented, and hence, since no process was created, Protect didn't need to intervene, scan, match and prevent a threat. I would say you might have seen some sort of error or message inside Terminal when trying to launch one of those older samples."
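The two explanations above (Jamf Protect leans on Gatekeeper/XProtect and only evaluates a file once a process is spawned; a 32-bit-only sample never spawns one) suggest a simple pre-execution triage a defender can run on a downloaded file. The script below is an added example for this thread, not Jamf's or Apple's code: it checks whether the file still carries the com.apple.quarantine attribute (so Gatekeeper will assess it on first launch) and reads the Mach-O header to tell a 32-bit-only image from one the current loader can actually run. The sample headers and quarantine string are constructed with struct.pack for illustration, not taken from real binaries; `triage()` shells out to xattr(1) and therefore only works on macOS, while the pure parsing functions run anywhere.

```python
"""Pre-execution triage for a downloaded Mach-O file.

Added example for this thread; not Jamf's code. Sample headers below are
constructed, not taken from real binaries.
"""
import struct
import subprocess
from datetime import datetime, timezone

# Mach-O magic numbers as read from the first four bytes little-endian.
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE          # 32-bit image
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE    # 64-bit image
FAT_MAGIC = 0xCAFEBABE                               # universal wrapper, big-endian on disk

CPU_ARCH_ABI64 = 0x01000000
CPU_NAMES = {
    7: "i386", 7 | CPU_ARCH_ABI64: "x86_64",
    12: "arm", 12 | CPU_ARCH_ABI64: "arm64",
    18: "ppc", 18 | CPU_ARCH_ABI64: "ppc64",
}

NOT_MACHO = {"kind": "not-macho", "arches": [], "runnable_on_modern_macos": False}


def _arch_name(cputype):
    return CPU_NAMES.get(cputype, "cputype=0x%x" % cputype)


def classify_macho(data):
    """Classify a file's leading bytes as macho32 / macho64 / fat / not-macho.

    runnable_on_modern_macos is True only when at least one 64-bit slice is
    present: macOS 10.15 and later have no 32-bit Intel loader, so an i386-only
    sample never becomes a process (the case Support describes above)."""
    if len(data) < 8:
        return dict(NOT_MACHO)
    magic_le = struct.unpack("<I", data[:4])[0]
    magic_be = struct.unpack(">I", data[:4])[0]
    arches = []
    if magic_le in (MH_MAGIC, MH_MAGIC_64, MH_CIGAM, MH_CIGAM_64):
        # Thin image: cputype follows the magic, in the image's own byte order.
        endian = "<" if magic_le in (MH_MAGIC, MH_MAGIC_64) else ">"
        cputype = struct.unpack(endian + "I", data[4:8])[0]
        kind = "macho64" if magic_le in (MH_MAGIC_64, MH_CIGAM_64) else "macho32"
        arches = [_arch_name(cputype)]
    elif magic_be == FAT_MAGIC:
        # Fat header and its fat_arch table (20 bytes per slice) are big-endian.
        nfat = struct.unpack(">I", data[4:8])[0]
        # Java class files share the CAFEBABE magic; a real fat binary has few slices.
        if nfat == 0 or nfat > 32 or len(data) < 8 + 20 * nfat:
            return dict(NOT_MACHO)
        kind = "fat"
        for i in range(nfat):
            cputype = struct.unpack(">I", data[8 + 20 * i: 12 + 20 * i])[0]
            arches.append(_arch_name(cputype))
    else:
        return dict(NOT_MACHO)
    runnable = any(a in ("x86_64", "arm64") for a in arches)
    return {"kind": kind, "arches": arches, "runnable_on_modern_macos": runnable}


def parse_quarantine(raw):
    """Parse a com.apple.quarantine value: 'hexflags;hextime;agent;event-uuid'.
    The time is Unix seconds in hex; agent is the app that wrote the file."""
    parts = raw.strip().split(";")
    if len(parts) < 2:
        raise ValueError("unexpected quarantine attribute: %r" % raw)
    return {
        "flags": int(parts[0], 16),
        "downloaded_at": datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc),
        "agent": parts[2] if len(parts) > 2 else "",
        "event_uuid": parts[3] if len(parts) > 3 else "",
    }


def read_quarantine(path):
    """macOS only: raw quarantine attribute via xattr(1), or None if absent."""
    r = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                       capture_output=True, text=True)
    return r.stdout.strip() if r.returncode == 0 and r.stdout.strip() else None


def triage(path):
    """Combine both checks for a file on disk (needs macOS for the xattr part)."""
    with open(path, "rb") as f:
        head = f.read(8 + 20 * 32)          # enough for a 32-slice fat header
    raw = read_quarantine(path)
    return {"path": path, "macho": classify_macho(head),
            "quarantine": parse_quarantine(raw) if raw else None}


# Constructed samples: minimal mach_header / fat_header bytes, no load commands.
SAMPLE_I386 = struct.pack("<IIIIIII", MH_MAGIC, 7, 3, 2, 0, 0, 0)
SAMPLE_X86_64 = struct.pack("<IIIIIIII", MH_MAGIC_64, 7 | CPU_ARCH_ABI64, 3, 2, 0, 0, 0, 0)
SAMPLE_FAT = (struct.pack(">II", FAT_MAGIC, 2)
              + struct.pack(">IIIII", 7, 3, 4096, 100, 12)
              + struct.pack(">IIIII", 12 | CPU_ARCH_ABI64, 0, 8192, 100, 14))
SAMPLE_QUARANTINE = "0083;63f2a1c4;Safari;12345678-ABCD-4EF0-9876-0123456789AB"  # constructed

if __name__ == "__main__":
    for name, blob in (("i386", SAMPLE_I386), ("x86_64", SAMPLE_X86_64), ("fat", SAMPLE_FAT)):
        print(name, classify_macho(blob))
    print(parse_quarantine(SAMPLE_QUARANTINE))
```

An i386-only result is the situation Support describes: the OS refuses to load it, no process appears, and a runtime-only EDR has nothing to evaluate. A missing quarantine attribute on a fresh download is the other case worth flagging, because Gatekeeper's first-launch assessment keys off that attribute.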
a week ago
Thanks @JL85, it seems then that Jamf Protect does not scan downloaded files and instead waits to see what happens if they are executed successfully... is that your takeaway as well?
a week ago
Yes, that's the way Jamf Protect does it.
Monday
@junjishimazaki thank you for that explanation. Do you see this as a weakness since it doesn't individually scan files before execution? I.e., wouldn't it be safer to scan them before they're trying to do something malicious?
Monday
Just like any other AV out there, it's never going to be 100% secure. I have yet to encounter any malware/virus that has circumvented the Mac's built-in security. Plus, a benefit of Jamf Protect is that it uses little system resources, since it relies on the Mac's built-in security. So, at the end of this, it's going to be what your organization wants.
Monday
Thanks again, I appreciate that perspective!
Monday
Just keep in mind, if you do encounter a Mac that has some sort of malware/virus, you can't force Jamf Protect to scan, since it has no scanning feature, so you will have to rely on another third-party AV product for that.