how to exclude eicar?
Running SEP 11.0.3001.2224
How do I configure a centralized exception for eicar so that it is logged but not quarantined/deleted/cleaned, etc?
Why is this not in the list of known risks?
Brent Gardner
In the SEPM go to: admin > servers > local site > properties > database tab, then uncheck "delete Eicar events" at the bottom of this list.
Prachand Kumar
MCSE-2003 Symantec Technical Specialist (SCTS)
This solves the issue of SEP not sending email notifications for eicar detection events, but that is not my issue.
For other known viruses it is possible to configure an exception such that the virus is detected but not deleted or moved or processed in any other way.
How do I do this for eicar?
Eicar is for Test purpose so it is not in the list of known risks
Prachand Kumar
MCSE-2003 Symantec Technical Specialist (SCTS)
It's hard to use eicar for testing if the system keeps deleting or quarantining it.
I need to see that eicar is detected, but I don't want the system to delete or quarantine the file after that.
Hi Brent,
Part of the testing process is to make sure we can do something about the detection, i.e. if we can detect but not delete, then there is something wrong. If you want to stop it from continually deleting it so that you have to keep redownloading it, I would say download the 'eicar_com.zip' file, so you have to extract the file in order for it to be detected...
Zoidberg-
I understand what you're saying about the need for testing your product. If you can detect something bad but can't act on that item further (when you're -trying- to act on it) then that would understandably be a bad thing.
I hope you have read my later post that mentions logic.
I currently have in place some exceptions that prevent certain IT tools from being deleted when they are detected. I mention this to show that I am familiar enough with the exception tool to know that you -can- configure it to 'detect but not delete.'
Eicar is a data object that is designed to be detected as a threat. It is well known in the industry. In my opinion it should be in the list of known threats.
It is benign. It is impossible for eicar to cause any kind of harm. But the current SEP interface allows for items that are known to be harmful to be ignored.
Can you agree with me that this would confuse Mr. Spock?
Ultimately, here's what I'm trying to do:
My company makes software that forensically scans data. The input data can be nearly any kind of data that can be found on a PC. In fact, it is not uncommon for a whole hard drive to be hooked up to the system for scanning. We do not provide antivirus or any other kind of threat detection in our software; that is left to the end user. Our products only run on Windows, so it is necessary for antivirus software to be used. We are trying to test how our software works when data is displaced in the middle of processing, such as when an antivirus product would detect and remove a file containing a virus.
It would of course be foolish to use actual viruses in testing, so we are trying to use eicar.
I would place eicar in a zip as you have suggested, but of course that would have to be a password-protected zip file or SEP would simply detect it and delete it. However, just as using a password-protected zip file prevents SEP from scanning the contents of the file, so would it prevent our software from scanning the contents of the file.
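The scenario Brent describes above, a file being removed or quarantined while a scanner is still reading it, can be driven from a script. What follows is an added example, not code from Brent, from Symantec, or from anywhere else in this thread. It is a Python read loop that reports whether a file was read completely, was already gone when processing started, or was displaced underneath the reader, plus a hook that deletes the file after a chosen chunk so the displacement path can be exercised on a machine with no antivirus installed. The EICAR string is the standard public one; the file names, the chunk size and the `after_chunk` hook are illustrative assumptions. Only `main` writes EICAR to disk, because on a host with on-access scanning that write is exactly what triggers the detection being discussed.

```python
"""Exercise a file-processing loop against a file that disappears mid-read."""
import os
import tempfile
import time
from pathlib import Path

# Standard EICAR test string (68 bytes, publicly documented). Kept in memory
# here; written to disk only by main(), where triggering the AV is the point.
EICAR = (
    r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
    r"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)

# Deliberately tiny chunk size (assumption) so a small file is read in several
# steps and there are several points at which a displacement can land.
CHUNK_SIZE = 16


def process_file(path, after_chunk=None):
    """Read `path` in chunks and report how far processing got and how it ended.

    status: 'complete'  - every byte read and the file still present afterwards
            'missing'   - the file was already gone before the first read
            'displaced' - the file vanished or became unreadable mid-read,
                          which is what an AV quarantine/delete looks like
    `after_chunk(path, n)` is an optional hook run after chunk n; the test
    uses it to delete the file at a chosen point, standing in for the AV.
    """
    path = Path(path)
    result = {"path": str(path), "status": "complete", "bytes": 0, "chunks": 0}
    try:
        fh = path.open("rb")
    except FileNotFoundError:
        result["status"] = "missing"
        return result
    except PermissionError:
        # On Windows a quarantine in progress can surface as a sharing violation.
        result["status"] = "displaced"
        return result

    with fh:
        while True:
            try:
                data = fh.read(CHUNK_SIZE)
            except OSError:
                result["status"] = "displaced"
                return result
            if not data:
                break
            result["bytes"] += len(data)
            result["chunks"] += 1
            if after_chunk is not None:
                after_chunk(path, result["chunks"])
            # On POSIX an unlinked file stays readable through the open handle,
            # so a read loop alone never notices the displacement: re-check the
            # directory entry explicitly after every chunk.
            if not path.exists():
                result["status"] = "displaced"
                return result
    return result


def delete_after(n):
    """Hook factory: remove the file once chunk `n` has been read (simulated AV)."""
    def hook(path, chunk_no):
        if chunk_no == n:
            os.remove(path)
    return hook


def run_simulation(payload, displace_at=None):
    """Write a constructed `payload` to a temp file, process it, return the result."""
    with tempfile.TemporaryDirectory() as d:
        sample = Path(d) / "sample.bin"
        sample.write_bytes(payload)
        hook = delete_after(displace_at) if displace_at else None
        return process_file(sample, after_chunk=hook)


if __name__ == "__main__":
    # Live run on a host with SEP (or any on-access AV): drop the EICAR file and
    # see whether it is taken away before or during processing. With default
    # settings expect 'missing' or 'displaced'; with a log-only exception in
    # place the result should be 'complete'.
    with tempfile.TemporaryDirectory() as d:
        eicar_path = Path(d) / "eicar.com"
        eicar_path.write_bytes(EICAR.encode("ascii"))
        time.sleep(2)  # give on-access scanning a moment to react
        print(process_file(eicar_path))
```

Run it as a module on the SEP host to see the real behaviour, or import it and call `run_simulation` with a benign payload to exercise the displacement handling without any AV present. A real scanner would record the 'displaced' result against the item rather than aborting the whole run, which is the behaviour Brent says he wants to verify.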
Why do you want to keep EICAR in an exception? It is not in the known risk list. It is just a virus test file.
Regards,
Ajit Jha
TechSupport Engineer
STS
It is possible to configure an exception for a known threat, a -threat-, that can do all kinds of bad stuff to my machines or network, but it is not possible to configure an exception for a piece of data that is designed to be detected as a threat, yet cannot in any possible way harm my machines, my data, or my network?
This defies logic.
Hi,
you can create a centralized or local exception just based on the name of the EICAR files (they are known). Open the administration_guide.pdf in CD1\documentation for further details.
Regards,
Giuseppe
Giuseppe-
Thanks for your reply. Will you please provide a page number for what you are referring to in the admin guide? I just ran through it myself. I searched for eicar and found a few hits, but none that seem to be related to what you're describing.
Thanks.
You will get this on page 542 of the Admin guide:
"Note: For antivirus and antispyware scans or Tamper Protection, you use centralized exceptions to specify particular items to exclude from scans. For proactive threat scans, however, you use centralized exceptions to specify actions for detected processes or to force a detection."
I think in your case Auto protect is detecting Eicar hence you will need to create an exception for the folder.
If TruScan is detecting the threat then you can choose the option of log only.
I think this answers your question