
SEP - EICAR testing using file moved by IIS virtual directory

Created: 13 Mar 2012 | 6 comments

Hi all,


Please bear with me and I will fully explain the behaviour we are seeing. 

In a nutshell, we are confident our IIS server's SEP client is deleting the EICAR file within an attachment when copied to another location, but client logs do not show anything. However, if I manually double click the eircar.exe it shows up in quarantine and all logs fine.


SEPM = 11.0.5

Test VM = 2008 R2

Test Files = eircar.exe and a mixture of test .zip files within

There are no other services/servers between the test VM and NAS that could intercept the files.


Test 1 - File Copy - Cleans, but no log file entry?

- I copy EICAR files to local Windows server - SEP/real time scanning leaves files alone as they are not being accessed or modified.

- From this server, I then copy a test zip file (containing eircar.exe) to a file share (we currently have no CIFS scanning - nor is SEP configured to scan mapped drives), usually via Explorer and copy/paste.

- When I browse to the share from either this computer or any other - the contents of the zip have been replaced by a txt file saying DELETED

- Client debug and client Risks logs and quarantine are all empty, nor can I see any indication of what cleaned the file.


Test 2 - Manual Execution - Cleans files and shows pop up and log files

- I repeat the steps in test one (copy files to server), but instead of copying to the NAS, I locally double click on one of the eircar.exe files

- Immediately the SEP pop up appears stating test virus file detected

- Quarantine automatically cleans and then deletes the file

- client Risk log shows full details; SEP debug and Windows application event log register the fact


2 Questions:

1. What is cleaning the file?

2. Why are items not appearing in the logs to show it has cleared it on a copy?


Many, many thanks in advance. If you need any more info - please reply.
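The copy test described above, as an added example that is not part of the original post: it stages the standard EICAR test string locally, copies it to a share, records whether the remote copy survives, and lists any Symantec events the local Windows Application log recorded during the test window, so a missing file with an empty event list points at a scanner on another host. The share path is a placeholder and the "Symantec" provider-name match is an assumption about how SEP 11.x writes Application-log events.

```powershell
# Added example (not from the thread). Reproduces Test 1 with the EICAR test
# file and correlates the result with local SEP Application-log events.
# Assumptions: placeholder UNC path; SEP 11.x logs to the Application log
# under a provider name starting with "Symantec" (assumed, adjust if needed).
param(
    [string]$SharePath   = '\\NAS-PLACEHOLDER\testshare',   # placeholder UNC path
    [int]$WaitSeconds    = 30
)

# EICAR standard test string (68 bytes), split in two so the script itself
# is not detected while being edited; joined at run time before being written.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

$local  = Join-Path $env:TEMP 'eicar_test.com'
$remote = Join-Path $SharePath 'eicar_test.com'
$start  = Get-Date

# 1. Stage the file locally without executing it (as in Test 1, no access,
#    so no on-access detection is expected at this point).
[IO.File]::WriteAllText($local, $eicar, [Text.Encoding]::ASCII)
Write-Host "Local file present after write: $(Test-Path $local)"

# 2. Copy to the share, then give any on-access scanner time to react.
Copy-Item -Path $local -Destination $remote -ErrorAction SilentlyContinue
Start-Sleep -Seconds $WaitSeconds

# 3. Record what survived: a missing or altered file means something acted
#    on the write; an intact file means nothing scanned it.
$state = if (-not (Test-Path $remote)) { 'missing' }
         elseif ([IO.File]::ReadAllText($remote) -eq $eicar) { 'intact' }
         else { 'modified' }
Write-Host "Remote file state after ${WaitSeconds}s: $state"

# 4. List local SEP events logged since the test started. If the file changed
#    but this list is empty, the acting scanner is not on this host (or the
#    event was suppressed, as discussed in the replies).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $start } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like 'Symantec*' } |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Format-List

# Clean up the local staging copy.
Remove-Item $local -ErrorAction SilentlyContinue
```

Run it on the host doing the copy and again on the NAS-facing server if one exists; the host whose event list is non-empty is the one that cleaned the file.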



P_K_:

Hope this helps. The EICAR event may be getting deleted by database maintenance before the notification task can process it.
To prevent this: In the SEPM, go to Admin > Servers > Local Site > Properties > Database tab, and uncheck "Delete EICAR events".

http://www.symantec.com/business/support/index?page=content&id=TECH104580

MCT MCSE-2012 Symantec Technical Specialist (SCTS)

Davinci_uk:

That may just help! Would this affect the client logs/client behaviour as well?

P_K_:

In respect to EICAR, yes.


Simpson Homer:

Cause

This is by design and expected. Depending on the options and settings that have been configured there can be different results. Be aware that "Scan Actions" settings and the "Security Risk" types detected will determine whether or not a file will be Quarantined locally and/or be forwarded to the Central Quarantine Server.

A Cleaned risk, which is a configurable "Scan Action", won't be Quarantined either locally or forwarded to the Central Quarantine Server.
EICAR is detected as a Non-macro virus; by default, the "First action" for a detected Non-macro virus is "Clean risk" and the Second action (if the first action fails) is "Quarantine risk".

If EICAR is detected it won't be Quarantined locally or be forwarded to the Central Quarantine Server unless you change the default "Scan Actions", or a condition causes the first action to fail so that the second action, "Quarantine risk", is taken.

Solution

Change the default action taken on an EICAR detection in order for it to generate an event.
Change the "First action" for Non-macro virus to "Quarantine risk" for EICAR to be Quarantined locally and forwarded to the Central Quarantine Server.

For example in the SEP Client User Interface (UI):

For example in the Symantec Endpoint Protection Manager (SEPM) Console, Antivirus and Antispyware Policy, File System Auto-Protect, Actions tab:

Then verify the SEP Clients are forwarding their Quarantine Items to the Central Quarantine Server by checking the SEP Clients Antivirus and Antispyware, System Log, for example:


Davinci_uk:

Wow, great posts everyone and I'll be sure to check it out (the policy is default for this server, so it will try and clean and delete). My question is more related to:

- If I try and execute the eircar.exe it gets caught in logs

- If I copy to a NAS share, it is cleaned somehow, but no logs or actions are noted anywhere, so it is hard to check which client is cleaning it.

Simpson Homer:

You should be able to see the logs in the AV and AS Risk logs.