Threat Prevention

Threat Prevention is Jamf Protect's built-in feature that detects, blocks, and quarantines malicious processes on the Mac. Threat Prevention uses the Jamf Protect threat database, an extensive repository of signatures and certificate information associated with known macOS malware, to monitor computers for processes that match the database. When matches occur, Jamf Protect can automatically block the matching process and quarantine the associated file.

Important:

To use Threat Prevention, you need the following:

  • Computers with macOS 10.15.0 or later

  • Computers with version 1.1.0.124 or later of the Jamf Protect agent

Threat Prevention Information

You can click Threat Prevention in the Jamf Protect sidebar for an overview of threat prevention capabilities with Jamf Protect. The Overview pane includes the following:

  • The version history of the Jamf Protect threat database, which is regularly updated by Jamf

  • Which computers are on the latest and previous versions of the database

    Note:

    Updates are automatically sent to computers the next time they check in with Jamf Protect.

  • Any custom prevent lists you have configured

Threat Database Matches and Prevention

When the Jamf Protect agent detects a process that matches the database, the following Threat Prevention measures occur:

  • By default, the process is blocked.

    Note:

    Plans created before the general availability of 1.1.0.124 of the Jamf Protect agent will not block processes by default and are configured to Report Only. Use the Built-in Threat Prevention Options setting in a plan to change the response to a database match.

  • A prompt about the blocked process similar to the following is displayed to end users:

  • The associated file is assigned a unique event identifier and quarantined in the following location:

    Library/Application Support/JamfProtect/Quarantine/<EVENT_UUID>/<ITEM>
  • An entry is created in the Alerts page in the Jamf Protect web app. Alerts caused by a threat database match are in red text and look similar to the following:

    Click on any entry in the Alerts pane to view additional information about a database match.

Threat Prevention Options

You can use the Built-in Threat Prevention Options setting in a plan to do any of the following in response to a database match:

  • Block & Report

    Block and quarantine any process that matches the threat database. This setting is enabled by default for new plans.

  • Report Only

    Disable process blocking and file quarantine but report database matches as an alert in the Jamf Protect web app. This setting is enabled by default for any plans that were created before general availability of 1.1.0.124 of the Jamf Protect

  • Disable

    Disable all process blocking, file quarantines, and reporting in response to a threat database match

Known Limitations of Threat Prevention

The following are known limitations of the Threat Prevention feature that will not be blocked by Jamf Protect:

  • DMG quarantine

  • AppTranslocation quarantine
    Note:

    Threat Prevention may not block or report detected malware before Gatekeeper removes app from the AppTranslocation folder.

  • Malicious script detection prior to macOS 10.15.5

  • Primary zip detection, DMG detection, PKG detection, Safari plug-ins