We got a customer who ran an ‘eicar’ test on his Mac and found that Jamf Protect doesn’t actually flag it up at all.
How can we put such a detection in place for that?
The requirements for Threat Prevention are the following:
macOS 10.15.0 or later
Version 18.104.22.168 or later of the Jamf Protect agent
A plan with the Built-in Threat Prevention Options setting set to Block & Report or Report Only.
Can you confirm the Macs of the customer are meeting the requirements from above?
Herewith also some documentation where you can test Jamf Protect Threat Prevention with the EICAR file.
Thanks ThijsX for the answer.
It took some time but we finally have the answers: all requirements are endorsed.
The customer made another test and was able to open the eicar file without any blockage or alert.
Additionally, no log was sent to Splunk.
The problem is resolved. It was a question of update. We removed the computer from the scope, then put it back, and it works. Another problem was also that our customer tried to open the document, not run it.
Thanks for your advice.