Posted on 08-17-2021 01:00 AM
We got a customer who ran ‘eicar’ test on his Mac and found that Jamf Protect doesn’t actually flag it up at all.
How can we put such a detection in place for that ?
Posted on 08-18-2021 05:21 AM
The requirements for Threat Prevention are the following;
macOS 10.15.0 or later
Version 126.96.36.199 or later of the Jamf Protect agent
A plan with the Built-in Threat Prevention Options setting set to Block & Report or Report Only.
Can you confirm the Macs of the customer are meeting the requirements from above?
Herewith also some documentation where you can test Jamf Protect Threat Prevention with the EICAR file.
Posted on 08-26-2021 08:21 AM
Thanks ThijsX for the answer.
It took some time but we finally have the answers : all requirements are endorsed.
The customer made another test and was able to open the eicar file without any blockage or alert.
Additionally, no log was sent to Splunk.
08-30-2021 11:41 PM - edited 08-30-2021 11:42 PM
@francktournant Are there any events / alerts reported at all, for instance a GateKeeper event or even better any other threat detected by Threat Prevention? Do we got the PPPC profiles in place? I suggest to submit a ticket at Jamf support regarding this subject!
Posted on 08-31-2021 12:02 AM
The problem is resolved. It was a question of update. We remove the computer from the scope the put it back and it works. Another problem was also that our customer tried to open the document, not run it.
Thanks for your advize.