MacOS Defender Test Cases.

Defender_Test_Case.zsh

#!/bin/zsh
#https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-install-manually?view=o365-worldwide

clear

# Check if real-time protection is enabled
if mdatp health --field real_time_protection_enabled > /dev/null; then
    echo "Real-time protection is Enabled"
    printf "Press Enter to continue..."
    read -r
    clear
else
    echo "Real-time protection is not Enabled"
    exit 1
fi

# Download a file that will trigger if real-time protection is enabled
echo "Downloading a test file that will trigger MDATP Real-time Protection"
curl -o ~/Downloads/eicar.com.txt https://secure.eicar.org/eicar.com.txt > /dev/null

# Check if the file was detected
if mdatp threat list | grep -q "Virus:DOS/EICAR_Test_File" && mdatp threat list | grep -q "Status: \"not_found\""; then
    echo "Test file was detected by MDATP Real-time Protection"
    printf "Press Enter to continue..."
    read -r
    clear
else
    echo "Error: Test file not detected or an error occurred."
    exit 1
fi

# Download, unzip, and execute a file
open https://aka.ms/mdatpmacosdiy

# Wait until the file is available
while [ ! -e ~/Downloads/"MDATP MacOS DIY.app" ]; do
    sleep 1
done

# unzip ~/Downloads/mdatpmacosdiy.zip
chmod -R +x ~/Downloads/"MDATP MacOS DIY.app"
~/Downloads/"MDATP MacOS DIY.app"

# Check Defender portal for alerts
echo "Security Alert: Please be aware that a security event was generated. Security administrators should check for detections at https://security.microsoft.com/alerts."