Endpoint Protection

  • 1.  SEP 12.1.5 Not scanning PS or cmd line activity

    Posted Jun 11, 2015 09:27 AM

    I was playing around testing SEP's functionality today when I stumbled across the fact that my clients are not protected against commands executed from a CMD shell or from within PowerShell.

    If you drop the following into a command prompt you will see

    powershell -command "& { iwr http://www.eicar.org/download/eicar_com.zip -OutFile c:\users\admin\eicar.zip }"

    Am I missing something from my SEP policy?

    Further details here http://rangler.co.uk/symantec-antivirus-back-door-advisory/



  • 2.  RE: SEP 12.1.5 Not scanning PS or cmd line activity

    Posted Jun 11, 2015 12:06 PM

    Nope, not being detected for whatever reason. If you run a manual scan on the zip after downloading, SEP flags it. Not good....

    Bypasses Download Insight as well. May want to kick this over to Symantec for review. Seems like a pretty standard action here.



  • 3.  RE: SEP 12.1.5 Not scanning PS or cmd line activity

    Posted Jun 11, 2015 12:44 PM

    If I understand your script correctly, it's downloading eicar.zip from the eicar.org website to the Admin folder. If that's true, SEP is working as designed.

    When you download eicar.com (not compressed), it will be detected by Intrusion Prevention (IPS) or (if IPS is off) by Auto-Protect. But the content of compressed files is not inspected by Auto-Protect. It detects Eicar as soon as you decompress eicar.zip, so it's not a security gap. IPS does not detect compressed eicar files either.

    This behavior is the same with all user interfaces, not only shells.



  • 4.  RE: SEP 12.1.5 Not scanning PS or cmd line activity

    Posted Jun 11, 2015 12:51 PM

    ...but MS SCEP detects it?

    Can confirm eicar.com download is blocked by IPS.

    [attached screenshot: Capture_93.JPG]



  • 5.  RE: SEP 12.1.5 Not scanning PS or cmd line activity

    Posted Jun 11, 2015 04:12 PM

    Change the file save path and try it yourself.

    Also, if you download the zip with your browser, SEP blocks it, as does Sophos.

    I'm going to test the PS using a Sophos setup as well to see if it blocks it.




  • 6.  RE: SEP 12.1.5 Not scanning PS or cmd line activity

    Posted Jun 12, 2015 08:33 AM

    This is normal behaviour of SEP.


    Auto-Protect doesn't scan compressed files. Whatever the infection is (not only eicar), if it's in a compressed file, it won't be detected by Auto-Protect. However, if the file is decompressed, it will be immediately detected and acted upon by SEP.


    On the other hand, the scheduled scan or manual scan will detect infections in compressed files as well. The number of levels to be scanned can be set using the option "Change the number of levels to scan compressed files". The default level is 3.
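
    As an added illustration (not code from this thread, from Symantec, or from SEP), the following Python models the archive-depth rule described in posts 3 and 6: a real-time scanner that opens no archive levels (max_levels=0) never sees a test file wrapped in a zip, while a scan allowed to open three levels (the default mentioned in post 6) finds it up to three nested archives deep and misses it at four. The signature string, the nesting helper and the function names are constructed for the example; nothing here talks to SEP.

```python
import io
import zipfile

# Constructed stand-in for a detection signature. The thread uses the EICAR
# test file; any fixed byte pattern is enough to show how scan depth works.
TEST_SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-NOT-A-REAL-DETECTION-STRING"


def build_nested_zip(payload: bytes, levels: int, name: str = "payload.txt") -> bytes:
    """Wrap `payload` in `levels` nested zip archives and return the outermost archive.

    levels=1 is a plain zip containing payload.txt; levels=2 is a zip containing
    that zip, and so on. Constructed helper for the example only.
    """
    data = payload
    inner_name = name
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(inner_name, data)
            # A harmless sibling file, so the scanner has more than one member to walk.
            zf.writestr("readme.txt", b"benign sibling file")
        data = buf.getvalue()
        inner_name = f"inner{i + 1}.zip"
    return data


def scan_bytes(data: bytes, max_levels: int, level: int = 0) -> bool:
    """Return True if TEST_SIGNATURE is found within at most `max_levels` archive levels.

    `level` counts how many archives have already been opened to reach `data`.
    Plain (non-archive) content is signature-matched wherever it is reached;
    an archive is only opened if the depth budget allows it, which is the
    "number of levels to scan compressed files" behaviour the thread describes.
    With max_levels=0 this behaves like the Auto-Protect case: archives are
    never opened, so anything inside one is not seen.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return TEST_SIGNATURE in data
    if level >= max_levels:
        # Depth budget exhausted: the archive is passed through unopened.
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if scan_bytes(zf.read(info), max_levels, level + 1):
                return True
    return False


def depth_table(max_levels: int, up_to: int = 5) -> dict:
    """Map nesting depth -> whether a scan with `max_levels` finds the test file."""
    results = {0: scan_bytes(TEST_SIGNATURE, max_levels)}
    for depth in range(1, up_to + 1):
        results[depth] = scan_bytes(build_nested_zip(TEST_SIGNATURE, depth), max_levels)
    return results


if __name__ == "__main__":
    # Real-time style (no archive levels) versus a scheduled scan with the default of 3.
    print("max_levels=0:", depth_table(0))
    print("max_levels=3:", depth_table(3))
```

    Running it prints that with max_levels=0 only the uncompressed file (depth 0) is detected, and with max_levels=3 depths 0 through 3 are detected while depths 4 and 5 are not. That is the trade-off post 7 goes on to describe: every extra level a real-time scanner is willing to open costs CPU on each file access, so vendors choose different defaults for on-access and scheduled scans.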



  • 7.  RE: SEP 12.1.5 Not scanning PS or cmd line activity

    Posted Jun 12, 2015 04:40 PM

    Also, if you download the zip with your browser, SEP blocks it, as does Sophos.

    In my environment, it's possible to download the eicar.zip file with IE, but Firefox is blocking it. But Firefox does not use SEP for blocking; it uses Google Safe Browsing. If you disable Safe Browsing in the Firefox security settings, eicar.zip will be downloaded as well.

    SEP does not detect zipped (eicar) files with Auto-Protect or IPS.

    Other security products follow other philosophies. If you pass on the real-time Auto-Protect testing of zipped files, it's better for performance, but malware will be detected later. That's Symantec's way. Apparently, Sophos (and others like MS SCEP) prefer early detection of viruses at the expense of performance.