"eicar" test file detection

francktournant
New Contributor II

Hello everyone.

We got a customer who ran the ‘eicar’ test on his Mac and found that Jamf Protect doesn’t actually flag it up at all.

How can we put such a detection in place for that?

Thanks


ThijsX
Valued Contributor

Hi @francktournant 

The requirements for Threat Prevention are the following:

  • macOS 10.15.0 or later

  • Version 1.1.0.124 or later of the Jamf Protect agent

  • A plan with the Built-in Threat Prevention Options setting set to Block & Report or Report Only.

Can you confirm the Macs of the customer are meeting the requirements from above?
Herewith also some documentation where you can test Jamf Protect Threat Prevention with the EICAR file.
https://docs.jamf.com/jamf-protect/evaluation-guide/Threat_Detection_Tests.html?hl=eicar

Cheers,
Thijs
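An added example, not code from this thread or from Jamf, that checks the three Threat Prevention requirements listed above before you run the EICAR test. The macOS version can come from `sw_vers -productVersion`; how you read the agent version and the plan setting on a given Mac is left to the admin, so both are passed in as arguments (an assumption of this script), and the sample values below are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from Jamf): verifies the Threat Prevention
# prerequisites with a pure POSIX sh dotted-version comparison (no sort -V needed).

# version_ge A B -> returns 0 if version A >= version B; missing fields count as 0
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"          # leading field of each version
    if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi   # drop consumed field
    if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
    ai="${ai:-0}"; bi="${bi:-0}"
    if [ "$ai" -gt "$bi" ]; then return 0; fi
    if [ "$ai" -lt "$bi" ]; then return 1; fi
  done
  return 0                                # all fields equal
}

# check_prereqs MACOS_VERSION AGENT_VERSION PREVENTION_SETTING
# Prints each unmet requirement; returns the number of failures (0 = ready to test).
check_prereqs() {
  fails=0
  if ! version_ge "$1" "10.15.0"; then
    echo "FAIL: macOS $1 is older than 10.15.0"; fails=$((fails+1))
  fi
  if ! version_ge "$2" "1.1.0.124"; then
    echo "FAIL: Jamf Protect agent $2 is older than 1.1.0.124"; fails=$((fails+1))
  fi
  case "$3" in
    "Block & Report"|"Report Only") ;;
    *) echo "FAIL: Built-in Threat Prevention Options is '$3' (need Block & Report or Report Only)"
       fails=$((fails+1)) ;;
  esac
  return "$fails"
}

# Constructed sample values; on a real Mac replace the first with "$(sw_vers -productVersion)"
# and supply the agent version and plan setting from your Jamf Protect console.
check_prereqs "13.4.1" "1.1.0.124" "Report Only" && echo "All Threat Prevention requirements met"
```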

Thanks ThijsX for the answer.
It took some time but we finally have the answers: all requirements are endorsed.
The customer made another test and was able to open the eicar file without any blockage or alert.
Additionally, no log was sent to Splunk.
Thanks,

@francktournant Are there any events / alerts reported at all, for instance a GateKeeper event or, even better, any other threat detected by Threat Prevention? Do we have the PPPC profiles in place? I suggest submitting a ticket to Jamf support regarding this subject!

Cheers,
Thijs

francktournant
New Contributor II

Hi ThijsX,

The problem is resolved. It was a question of update. We removed the computer from the scope, then put it back, and it works. Another problem was also that our customer tried to open the document, not run it.

Thanks for your advice.

Franck