Hi kulhand,
A question and a couple of points:
Sheriff's Office Forensics department..... an Android mounted image
What kind of an image is this? I know very little about images created by FTK, EnCase, DD etc. If those require special proporietary tools to view and work with, SEP (and other software on a typical computer) may not be able to open, access and scan those image files without help from that prorietary tool.
A good example is a VMWare image: the regular SEP client cannot scan a .vmdk or .vmx file and identify all of the suspicious/malicious files within. (If that image is launched in VMWare, though, and its hard drive is mapped to the host machine then SEP can work that way.)
It is possible to scan the mounted drive of an Android device that is connected to a Win7 computer protected by SEP 12.1 RU2. (Note that what gets mounted is the SD Card for the Android, not the phone's internal memory/OS/etc.) The file system o fthe SD Card I just tested is FAT, which SEP can read and work with.
Eicar is definitely the best test file to use: don't go hunting around for an infected .apk file to test with (as that might get loose). I can 100% confirm that SEP definitions cover all known Android threats, so anyone who unwittingly tries to copy an infected .apk onto their device from their Windows/Mac/Linux desktop machine will be kept safe.
Mounting the Android's drive an scanning it with SEP is a very poor security measure. Symantec has two products which are designed to protect Android devices: here is an article which describes them:
Comparing Symantec Mobile Security 7.2 and Norton Mobile Security
Article URL http://www.symantec.com/docs/TECH202054
I very strongly recommend that all Androids are protected by SMS 7.2 or NMS. Every daty new Android malware is discovered. There are whole botnets of infected Android devices, numbering in the millions.
MDK: The Largest Mobile Botnet in China
https://www-secure.symantec.com/connect/blogs/mdk-largest-mobile-botnet-china
Android.Exprespam Potentially Infects Thousands of Devices
https://www-secure.symantec.com/connect/blogs/androidexprespam-potentially-infects-thousands-devices
Another good site that I recommend is http://www.mobilesecurity.com/
Hope this helps!! Please do update the thread with additional details about what type of forensic tool and image is in use and how it works. With that information at hand members of the forum might be able to give absolute confirmation.
With thanks and best regards,
Mick