Merge pull request #3517 from joshgingras/docs-editor/validate-antimalware-1744984849

Fixed multiple issues -- real_time_protection_enabled return value, Linux command line, bad assumption about existence of ~/tmp directory, numbering issue

Author: denisebmsft

defender-endpoint/validate-antimalware.md

@@ -1,6 +1,6 @@
 ---
-title: AV detection test for verifying device's onboarding and reporting services
-description: AV detection test to verify the device's proper onboarding and reporting to the service.
+title: Antivirus detection test for verifying device's onboarding and reporting services
+description: Run an antivirus detection test to verify the device's proper onboarding and reporting to the service.
 ms.service: defender-endpoint
 ms.subservice: reference
 ms.author: ewalsh
@@ -15,10 +15,10 @@ ms.collection:
 ms.custom: admindeeplinkDEFENDER
 ms.topic: conceptual
 search.appverid: met150
-ms.date: 03/04/2025
+ms.date: 04/18/2025
 ---
 
-# AV detection test for verifying device's onboarding and reporting services
+# Antivirus detection test for verifying device's onboarding and reporting services
 
 **Applies to:**
 
@@ -30,60 +30,58 @@ ms.date: 03/04/2025
 Scenario requirements and setup
 
 - Windows 11, Windows 10, Windows 8.1, Windows 7 SP1
-
 - Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012, and Windows Server 2008 R2
-
 - Linux
-
 - macOS
-
-- Microsoft Defender Real-time protection is enabled
+- [Real-time protection](/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus) is enabled
 
 ## EICAR test file to simulate malware
 
-After you enable Microsoft Defender for Endpoint or Microsoft Defender for Business or Microsoft Defender Antivirus, you can test the service and run a proof of concept to familiarize yourself with its feature and validate the advanced security capabilities effectively protect your device by generating real security alerts.
+After you enable Defender for Endpoint, Microsoft Defender for Business, or Microsoft Defender Antivirus, you can test the service by using an EICAR test file. Running a proof of concept like this can help you get familiar with the features, and validate the advanced security capabilities that protect your device by generating real security alerts.
 
-Run an AV detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:
+You can run an antivirus detection test to verify that the device is properly onboarded and reporting to the service. 
 
 ### Windows
 
-1. Prepare for the EICAR test file:
-
-   1. Use an EICAR test file instead of real malware to avoid causing damage. Microsoft Defender Antivirus treats EICAR test files as malware.
-
-1. Create the EICAR test file:
-
-   1. Copy the following string: `X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*`
-
-      1. Paste the string into a .TXT file and save it as EICAR.txt
+1. Prepare for the EICAR test file. Use an EICAR test file instead of real malware to avoid causing damage. Microsoft Defender Antivirus treats EICAR test files as malware.
+      
+2. Create the EICAR test file by following these steps:
 
+   1. Copy the following string: `X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*`.
+   
+   2. Paste the string into a `.TXT` file and save it as `EICAR.txt`.
+            
 ### Linux/macOS
 
-1. Ensure that real-time protection is enabled (denoted by a result of 1 from running the following command):
-
-```bash
-mdatp health --field real_time_protection_enabled
-```
-
-1. Open a Terminal window. Copy and execute the following command:
-
-  
-Linux
+1. Ensure that real-time protection is enabled. Run the following command and confirm the output is `"true"`:
 
+   ```
+   mdatp health --field real_time_protection_enabled
+   ```
 
-```bash
-curl -o ~/tmp/eicar.com.txt https://secure.eicar.org/eicar.com.txt
-```
+2. Download the EICAR test file. Open a Terminal window and execute the appropriate command for your operating system:
 
-macOS
+   Linux:
+   
+   ```
+   curl -o eicar.com.txt https://secure.eicar.org/eicar.com.txt
+   ```
+   
+   macOS:
+   
+   ```
+   curl -o ~/Downloads/eicar.com.txt https://secure.eicar.org/eicar.com.txt
+   ```
 
+3. Verify that the file is quarantined. Run the following command to list all detected threats:
 
-```bash
-curl -o ~/Downloads/eicar.com.txt https://secure.eicar.org/eicar.com.txt
-```
+   ```
+   mdatp threat list
+   ```
 
-3. The file has been quarantined by Defender for Endpoint on Mac. Use the following command to list all the detected threats:
+## See also
 
-```bash
-mdatp threat list
-```
+- [Microsoft Defender for Endpoint - demonstration scenarios](defender-endpoint-demonstrations.md)  
+- [Microsoft Defender Antivirus in Windows Overview](microsoft-defender-antivirus-windows.md)  
+- [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)  
+- [Microsoft Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md)