SEP - EICAR Testing using file moved by IIS virtual directory
Please bear with me and I will fully explain the behaviour we are seeing.
In a nutshell, we are confident our IIS server's SEP client is deleting the EICAR file within an attachment when copied to another location, but client logs do not show anything. However, if I manually double click the eircar.exe, it shows up in quarantine and all logs are fine.
SEPM = 11.0.5
Test VM = 2008 R2
Test Files = eircar.exe and mixture of test .zip files within
There are no other services/servers between the test VM and NAS that could intercept the files.
Test 1 - File Copy - Cleans, but no log file entry?
- I copy EICAR files to local Windows server - SEP/real time scanning leaves files alone as not being accessed or modified.
- From this server, I then copy a test zip file (containing eircar.exe) to a file share (we currently have no CIF scanning - nor is SEP configured to scan mapped drives), usually via Explorer and copy/paste.
- When I browse to the share from either this computer or any other - the contents of the zip have been replaced by a txt file saying DELETED
- Client debug and client Risks logs and quarantine are all empty, nor can I see any indication of what cleaned the file.
Test 2 - Manual Execution - Cleans files and shows pop up and log files
- I repeat the steps in test one (copy files to server), but instead of copying to the NAS, I locally double click on one of the eircar.exe files
- Immediately the SEP pop up appears stating test virus file detected
- Quarantine automatically cleans and then deletes the file
- client Risk log shows full details, SEP debug and Windows application event log register the fact
1. What is cleaning the file?
2. Why are items not appearing in the logs to show it has cleared it on a copy?
Many, many thanks in advance. If you need any more info - please reply.