
Real-Time Scanning Issue With Eicar File

real-time scanning eicar

6 replies to this topic

#1 jman177


Posted 21 November 2013 - 12:50 AM

I had an issue with an EICAR detection.

1. Installed Immunet 3 on Windows 2008 R2 (Test also on Windows 7 Home Edition)
2. Left everything as default but turned "ON"

Cloud Detection Engines
ETHOS
SPERO

ClamAV Detection Engine
Enable ClamAV Engine
Allow Definition Updates

3. Checked for updates

4. Started Downloading the file

http://www.eicar.org...d/eicar.com.txt

It gives a "Warning!" message: Threat Quarantined

B48B.tmp has been detected as EICAR:EICAR_Test_file_not_a_virus-tpd. Quarantine was successful

So my real-time detection is working, but if I stop the "Immunet 3" Windows service & download the file

http://www.eicar.org...d/eicar.com.txt

After I download the file to my desktop, I start the Immunet 3 service & wait for it to fully start.

I then try to open "eicar.com.txt" from my desktop. It will open the file without any issues. If I right click on the file & select "Immunet Protection" - "Scan Now", it will detect the file as a virus.

(I did confirm that the real-time detection is working after restarting the service by trying to re-download the link again, but it will be blocked by Immunet.)

Also, when I try to delete the file, the real-time scanning seems to detect it.

I just find it odd that the real-time scanner would not be triggered by me opening the txt file.

Just kinda getting a bit worried using this anti-virus solution, as in a scenario where someone brings a virus on a USB drive I could get infected, as real-time scanning may not scan it.

Edited by jman177, 21 November 2013 - 01:08 AM.


#2 jman177


Posted 21 November 2013 - 01:20 AM

As a further test I used a system with no antivirus running to download & then add all the EICAR virus files to a USB key.

I then plugged the USB key into a system with Immunet 3.0 & tried to open the files to see if it would trigger your real-time scanner into action. Here are the results:

eicar.exe (Opened OK, but since it was a Windows 7 x64 system the exe would not run, saying "The version of this file is not compatible with the version of Windows you're running")
eicar.com.txt (Opened OK)
eicar_com.zip (Opening zip worked but when trying to extract the eicar.exe file to desktop got detected via Immunet)
eicarcom2.zip (Opening zip worked but when trying to extract the eicar.exe file to desktop got detected via Immunet)

I would have assumed that trying to access/open the eicar.exe file would have triggered Immunet 3.0, + the same goes for the eicar.com.txt.

With this small test it looks like if a USB key containing an .exe or .txt is run, it may not be stopped/detected by the real-time scanner.

Please let me know your thoughts on this issue.

I do really like your program since it uses a combination of ClamAV + cloud definitions + it's the only free anti-virus solution for Windows Server :)

========================================================================================================================
Also, to be fair, I repeated the test with "Microsoft Security Essentials" on the same Windows 7 x64 system. Here are the results:

eicar.exe (Quarantined)
eicar.com.txt (Quarantined)
eicar_com.zip (Quarantined)
eicarcom2.zip (Quarantined)

Summary

As soon as I double clicked to open any of the above files it would immediately quarantine the file, but with the zip files it says access denied, then quarantines them.

(Immunet only stopped me from extracting the zip file while still allowing me to keep the zip file with the virus file inside, but Security Essentials quarantined the entire zip file.)
=========================================================================================================================

Edited by jman177, 21 November 2013 - 01:54 AM.


#3 Jose


Posted 21 November 2013 - 06:09 PM

Hi jman177,

EICAR is treated specially. It is not detected 'On Execute', but should be detected in all other cases (move, creation, scan...).

And files going into the computer (from USB or other sources) should be scanned correctly (I have been part of the testing myself, from time to time).

Awesome that you are genuinely interested in keeping your computer safe, but this is the only test that you could've run that gave you this result (tester's luck).

Let me know if you have more questions. Thanks,

-Jose

#4 jman177


Posted 25 November 2013 - 12:23 AM

Thanks Jose for the fast reply & for putting my mind at ease.

Just tested copying those virus files from USB to the local disk &, like you said, they were detected instantly :)

I did notice that if you have two administrator users logged into the same server via RDP, the 2nd user that logged in cannot scan files & the options "Scan Now" & "Settings" are greyed out. It actually tells you that the service is not running if you click "Scan Now", which is a little confusing, but the real-time scanning still works if the 2nd user copies a virus across from USB to the local disk. Only the 1st user gets the quarantine messages + can modify settings & manually scan items.

One last question: is there any other site that has test viruses similar to "Eicar" which will not spread or kill my computer :P, as I would like to test how Immunet scans the non-special cases? If not, don't worry about it.

(I do find these virus test sites very handy to make sure the anti-virus software is installed & working/configured properly)

Edited by jman177, 25 November 2013 - 01:14 AM.


#5 ritchie58


Posted 25 November 2013 - 05:36 AM

Hi jman177, Fast User Switching is not supported with Immunet, so I believe that's the cause of the GUI for the 2nd logged in account displaying odd behavior: two instances of iptray.exe have been launched. Only one instance of iptray.exe (the GUI) can properly interact with agent.exe (the main process). If you want to switch users, it's important to either do a reboot after switching accounts or use Task Manager and kill iptray.exe for the account that's not being used.

I know of one other test virus besides the EICAR string. It's a dummy virus that comes compressed in a zip file by IKARUS Security Software. Here is a link: http://www.ikarussec...o/test-viruses/

P.S. - I enjoyed your and Jose's posts, your tests made for some interesting reading! :-)

Cheers, Ritchie...

* Immunet Global Forum Moderator *


#6 ritchie58


Posted 25 November 2013 - 11:07 PM

Just to confirm things, the ClamAV module does include in its definition signatures the file for the IKARUS test virus, using the Detection Name: Clam.Testfile.IKARUS

* Immunet Global Forum Moderator *


#7 jman177


Posted 26 November 2013 - 12:31 AM

Thanks for letting me know, will use the virus test site wisely :D

I had always thought that "Fast User Switching" was different from multiple users being logged in via "Remote Desktop" to a single server, but guessing it uses the same/similar concept.

I think these conversations have now covered everything & when I get time will check that other virus from IKARUS you mentioned.

Thanks again Jose & ritchie58 for your help & the amazing anti-virus software.

Edited by jman177, 26 November 2013 - 12:39 AM.
