Endpoint Detection & Response - Testing Behavioral Detections

  • Ensure that the Avert Library Item has behavioral detections enabled and has been successfully applied to the device by confirming that a green dot is visible next to the Avert Library Item located within the Status tab of a Device Record.

  1. Open Terminal.

  2. Run the following command to trigger a behavioral event.

    cp 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

When the Behavior Posture Mode in the Avert Library Item is set to Detect mode:

  • EDR identifies the test as malicious behavioral activity and reports it without blocking it. The event appears with a status of Detected in both the Threats module (left-hand navigation bar) and the Threats tab of the Device Record.

When the Behavior Posture Mode in the Avert Library Item is set to Protect mode:

  • EDR identifies the test as malicious behavioral activity and blocks it. The event appears with a status of Blocked in both the Threats module (left-hand navigation bar) and the Threats tab of the Device Record.
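The following is an added example, not part of the Kandji documentation and not Kandji tooling: a POSIX shell wrapper for the test procedure above. It checks that the EICAR string was pasted intact (a smart quote or a stripped backslash silently turns the test into a harmless file), runs a trigger command, and reports from the local side whether the action completed or was blocked, which is the difference you then expect to see as Detected versus Protect-mode Blocked in the Threats module. The default trigger (writing the EICAR string into a temporary file) is an assumption made for this example; the page's own trigger command can be passed to run_trigger instead.

```shell
#!/bin/sh
# Added example (not Kandji's code). Assumes only a POSIX shell with
# printf, wc, tr, mktemp and rm.

# Canonical 68-byte EICAR test string. Single quotes matter: in double
# quotes the shell would expand $EICAR and $H and corrupt the string.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# Returns 0 if the string still has its expected length and prefix/suffix.
eicar_ok() {
  len=$(printf '%s' "$EICAR" | wc -c | tr -d ' ')
  [ "$len" -eq 68 ] || return 1
  case $EICAR in
    'X5O!P%@AP'*'!$H+H*') return 0 ;;
    *) return 1 ;;
  esac
}

# Run a trigger command and classify the local outcome:
#   completed - command succeeded and its artifact exists afterward
#               (expect "Detected" in Detect mode, nothing if no EDR is present)
#   blocked   - command failed or its artifact is gone
#               (expect "Blocked" in Protect mode)
# Usage: run_trigger <artifact-path> <command> [args...]
run_trigger() {
  artifact=$1; shift
  if "$@" 2>/dev/null && [ -e "$artifact" ]; then
    echo completed
  else
    echo blocked
  fi
}

# Default trigger (assumption for this example): write the EICAR string to a
# file in a fresh temp dir, then clean up. Protect mode may quarantine the file
# or alter it after the write, so a content mismatch also counts as blocked.
eicar_file_test() {
  dir=$(mktemp -d)
  target="$dir/eicar.com"
  result=$(run_trigger "$target" sh -c 'printf "%s" "$1" > "$2"' _ "$EICAR" "$target")
  if [ "$result" = completed ] && [ "$(cat "$target" 2>/dev/null)" != "$EICAR" ]; then
    result=blocked
  fi
  rm -rf "$dir"
  echo "$result"
}

# Stand-alone use: validate the string, run the default trigger, print the result.
if [ "${0##*/}" != sh ] && [ -z "$EDR_TEST_NO_MAIN" ]; then
  eicar_ok || { echo "EICAR string is corrupted; re-paste it" >&2; exit 2; }
  echo "local outcome: $(eicar_file_test)"
fi
```

Compare the printed outcome with the console: a "completed" result on a device whose Avert Library Item is set to Protect means the behavior was not blocked and is worth investigating, even if the Threats module shows an entry.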