AV detection test for verifying device's onboarding and reporting services
Applies to:
Scenario requirements and setup
- Windows 11, Windows 10, Windows 8.1, Windows 7 SP1
- Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012, and Windows Server 2008 R2
- Linux
- macOS
- Microsoft Defender Real-time protection is enabled
EICAR test file to simulate malware
After you enable Microsoft Defender for Endpoint, Microsoft Defender for Business, or Microsoft Defender Antivirus, you can test the service and run a proof of concept to familiarize yourself with its features and validate that the advanced security capabilities effectively protect your device by generating real security alerts.
Run an AV detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:
Windows
Prepare for the EICAR test file:
- Use an EICAR test file instead of real malware to avoid causing damage. Microsoft Defender Antivirus treats EICAR test files as malware.
Create the EICAR test file:
- Copy the following string:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
- Paste the string into a .TXT file and save it as EICAR.txt
Linux/macOS
- Ensure that real-time protection is enabled (denoted by a result of 1 from running the following command):
mdatp health --field real_time_protection_enabled
- Open a Terminal window. Copy and execute the following command:
Linux
curl --create-dirs -o ~/tmp/eicar.com.txt https://secure.eicar.org/eicar.com.txt
macOS
curl -o ~/Downloads/eicar.com.txt https://secure.eicar.org/eicar.com.txt
- The file has been quarantined by Defender for Endpoint on Mac. Use the following command to list all the detected threats:
mdatp threat list
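
The Linux/macOS steps above combined into one script, added here as an example and not taken from Microsoft's documentation: it checks the health field, downloads the test file, and polls `mdatp threat list` for the detection. The function names, exit codes, the `EICAR_TRIES` and `EICAR_WAIT_SECS` variables, and the acceptance of `true` alongside `1` are assumptions of this example.

```sh
#!/bin/sh
# Added example; helper names and exit codes are this example's own.
# Only the mdatp and curl invocations come from the page.
EICAR_URL="https://secure.eicar.org/eicar.com.txt"

# Succeeds when real-time protection is reported on. The page documents "1";
# accepting "true" is an assumption about other mdatp versions.
rtp_enabled() {
    case "$(mdatp health --field real_time_protection_enabled 2>/dev/null)" in
        1|true) return 0 ;;
        *)      return 1 ;;
    esac
}

# Reads `mdatp threat list` output on stdin; succeeds if a line names EICAR.
eicar_listed() {
    grep -qi 'eicar'
}

# Returns 0 = detected, 2 = real-time protection off, 3 = no detection seen.
run_check() {
    dest="${1:-${TMPDIR:-/tmp}/eicar.com.txt}"
    tries="${EICAR_TRIES:-6}"
    wait_secs="${EICAR_WAIT_SECS:-5}"

    rtp_enabled || { echo "real-time protection is not enabled" >&2; return 2; }

    # curl's exit status is not the signal: the file can be quarantined as
    # soon as it is written. The threat list decides.
    curl -sS -o "$dest" "$EICAR_URL" || true

    while [ "$tries" -gt 0 ]; do
        if mdatp threat list | eicar_listed; then
            echo "EICAR detection reported by mdatp"
            return 0
        fi
        tries=$((tries - 1))
        if [ "$tries" -gt 0 ]; then sleep "$wait_secs"; fi
    done
    echo "no EICAR detection in 'mdatp threat list'" >&2
    rm -f "$dest"   # nothing removed the test file, so clean it up
    return 3
}

# Run only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    run_check "${2:-}"
fi
```

The check matches any EICAR entry in the threat list, so a detection left over from an earlier test run also satisfies it.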