Posted on 08-17-2021 01:00 AM
Hello everyone.
We have a customer who ran the 'eicar' test on his Mac and found that Jamf Protect doesn't actually flag it at all.
How can we put such a detection in place for that?
Thanks
Posted on 08-18-2021 05:21 AM
Hi @francktournant
The requirements for Threat Prevention are the following:
macOS 10.15.0 or later
Version 1.1.0.124 or later of the Jamf Protect agent
A plan with the Built-in Threat Prevention Options setting set to Block & Report or Report Only.
Can you confirm the Macs of the customer are meeting the requirements from above?
Here is also some documentation on testing Jamf Protect Threat Prevention with the EICAR file:
https://docs.jamf.com/jamf-protect/evaluation-guide/Threat_Detection_Tests.html?hl=eicar
Cheers,
Thijs
Posted on 08-26-2021 08:21 AM
Thanks, ThijsX, for the answer.
It took some time, but we finally have the answers: all requirements are met.
The customer made another test and was able to open the eicar file without any blockage or alert.
Additionally, no log was sent to Splunk.
Thanks,
Posted on 08-30-2021 11:41 PM - edited 08-30-2021 11:42 PM
@francktournant Are there any events / alerts reported at all, for instance a GateKeeper event or, even better, any other threat detected by Threat Prevention? Do we have the PPPC profiles in place? I suggest submitting a ticket to Jamf Support regarding this subject!
Cheers,
Thijs
Posted on 08-31-2021 12:02 AM
Hi ThijsX,
The problem is resolved. It was a matter of an update. We removed the computer from the scope, then put it back, and it works. Another problem was that our customer tried to open the document, not run it.
Thanks for your advice.
Franck
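The two points the thread turns on are the version requirements Thijs lists (macOS 10.15.0 or later, agent 1.1.0.124 or later) and Franck's closing remark that the EICAR file has to be run, not merely opened. The script below is an added example, not Jamf's code or anything from the thread: it checks the two local requirements, writes the EICAR test file with the execute bit set, and executes it. It assumes that `protectctl` is in PATH and that its `version` subcommand prints something containing a dotted agent version (both assumptions; the output format is not documented in the thread), and it uses `eicar.com` as a hypothetical output file name. The plan setting (Block & Report or Report Only) cannot be read locally and still has to be confirmed in the Jamf Protect console.

```shell
#!/bin/sh
# Added example (not Jamf's code): stage the EICAR test file the way the
# thread says Threat Prevention expects it, i.e. executed, not opened.
# Assumptions (not from the thread): protectctl is in PATH and its
# "version" subcommand prints a dotted agent version; file name eicar.com.

MIN_MACOS="10.15.0"      # requirement from the thread
MIN_AGENT="1.1.0.124"    # requirement from the thread

# The 68-byte EICAR string is assembled from two halves so that this
# script itself is not flagged by a scanner that reads it from disk.
EICAR_HEAD='X5O!P%@AP[4\PZX54(P^)7CC)7}$'
EICAR_TAIL='EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

eicar_string() {
  printf '%s%s' "$EICAR_HEAD" "$EICAR_TAIL"
}

# version_ge A B: succeed when dotted version A >= B, compared numerically
# component by component; missing components count as 0, so
# 11.6 >= 10.15.0 and 1.2 >= 1.1.0.124 both hold.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# write_eicar_file PATH: write the test file, mark it executable, print PATH.
write_eicar_file() {
  path="$1"
  eicar_string > "$path"
  chmod +x "$path"
  printf '%s\n' "$path"
}

# check_requirements: the two version requirements that can be checked on
# the Mac itself. Fails (non-zero) on the first unmet requirement.
check_requirements() {
  os=$(sw_vers -productVersion 2>/dev/null) || { echo "sw_vers not available: not macOS"; return 1; }
  if version_ge "$os" "$MIN_MACOS"; then
    echo "macOS $os >= $MIN_MACOS: ok"
  else
    echo "macOS $os < $MIN_MACOS: Threat Prevention not supported"; return 1
  fi
  # Assumption: 'protectctl version' prints a dotted version somewhere in its output.
  agent=$(protectctl version 2>/dev/null | grep -oE '[0-9]+(\.[0-9]+){2,3}' | head -n 1)
  if [ -z "$agent" ]; then
    echo "could not read the Jamf Protect agent version (is protectctl installed?)"; return 1
  fi
  if version_ge "$agent" "$MIN_AGENT"; then
    echo "agent $agent >= $MIN_AGENT: ok"
  else
    echo "agent $agent < $MIN_AGENT: update the agent"; return 1
  fi
}

# Only the --run path touches the real system; the functions above are inert
# until called, so the script can be sourced or tested without side effects.
case "${1:-}" in
  --run)
    check_requirements || exit 1
    f=$(write_eicar_file "${TMPDIR:-/tmp}/eicar.com")
    echo "executing $f; Threat Prevention should block or report this"
    # Opening the file in an editor only reads it; executing it is the test.
    "$f"
    echo "execution finished with status $?; now check the Jamf Protect console and your SIEM"
    ;;
esac
```

Run it as `sh eicar_check.sh --run` on the Mac under test. A successful block normally leaves the file unexecuted and an alert in the console; if the version checks pass and nothing is reported, the remaining variables are the plan setting, the PPPC profiles, and the scoping issue Franck hit, which are console-side and not something this script can see.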