Skip to main content
Question

"eicar" test file detection

  • August 17, 2021
  • 4 replies
  • 101 views
francktournant
Forum|alt.badge.img+3

Hello everyone.

We got a customer who ran â€˜eicar’ test on his Mac and found that Jamf Protect doesn’t actually flag it up at all.

How can we put such a detection in place for that ?

Thanks

    4 replies

    ThijsX
    Forum|alt.badge.img+20
    • ThijsX
    • Employee
    • August 18, 2021

    Hi @francktournant 

    The requirements for Threat Prevention are the following;

    • macOS 10.15.0 or later

    • Version 1.1.0.124 or later of the Jamf Protect agent

    • A plan with the Built-in Threat Prevention Options setting set to Block & Report  or Report Only.

    Can you confirm the Macs of the customer are meeting the requirements from above?
    Herewith also some documentation where you can test Jamf Protect Threat Prevention with the EICAR file.
    https://docs.jamf.com/jamf-protect/evaluation-guide/Threat_Detection_Tests.html?hl=eicar

    Cheers,
    Thijs

    francktournant
    Forum|alt.badge.img+3
    • francktournant
    • Author
    • New Contributor
    • August 26, 2021

    Hi @francktournant 

    The requirements for Threat Prevention are the following;

    • macOS 10.15.0 or later

    • Version 1.1.0.124 or later of the Jamf Protect agent

    • A plan with the Built-in Threat Prevention Options setting set to Block & Report  or Report Only.

    Can you confirm the Macs of the customer are meeting the requirements from above?
    Herewith also some documentation where you can test Jamf Protect Threat Prevention with the EICAR file.
    https://docs.jamf.com/jamf-protect/evaluation-guide/Threat_Detection_Tests.html?hl=eicar

    Cheers,
    Thijs


    Thanks ThijsX for the answer.
    It took some time but we finally have the answers : all requirements are endorsed.
    The customer made another test and was able to open the eicar file without any blockage or alert.
    Additionally, no log was sent to Splunk.
    Thanks,

    ThijsX
    Forum|alt.badge.img+20
    • ThijsX
    • Employee
    • August 31, 2021

    Thanks ThijsX for the answer.
    It took some time but we finally have the answers : all requirements are endorsed.
    The customer made another test and was able to open the eicar file without any blockage or alert.
    Additionally, no log was sent to Splunk.
    Thanks,


    @francktournant Are there any events / alerts reported at all, for instance a GateKeeper event or even better any other threat detected by Threat Prevention? Do we got the PPPC profiles in place? I suggest to submit a ticket at Jamf support regarding this subject!

    Cheers,
    Thijs

      francktournant
      Forum|alt.badge.img+3
      • francktournant
      • Author
      • New Contributor
      • August 31, 2021

      Hi ThijsX,

      The problem is resolved. It  was a question of update. We remove the computer from the scope the put it back and it works. Another problem was also that our customer tried to open the document, not run it.

      Thanks for your advize.

      Franck

      Terms & ConditionsCookie settingsAccessibility statement