Hi all,
Please bear with me and I will fully explain the behaviour we are seeing.
In a nutshell, we are confident our IIS server's SEP client is deleting the EIRCAR file within an attachment when copied to another location, but client logs do not show anything. However, if I manually double-click the eircar.exe, it shows up in quarantine and all logs fine.
SEPM = 11.0.5
Test VM = 2008 R2
Test Files = eircar.exe and mixture of test .zip files within
There are no other services/servers between the test VM and NAS that could intercept the files.
Test 1 - File Copy - Cleans, but no log file entry?
- I copy Eircar files to local Windows server - SEP/real time scanning leaves files alone as not being accessed or modified.
- From this server, I then copy a test zip file (containing eircar.exe) to a file share (we currently have no CIF scanning - nor is SEP configured to scan mapped drives), usually via Explorer and copy/paste.
- When I browse to the share from either this computer or any other - the contents of the zip have been replaced by a txt file saying DELETED
- Client debug and client Risks logs and quarantine are all empty, nor can I see any indication of what cleaned the file.
Test 2 - Manual Execution - Cleans files and shows pop up and log files
- I repeat the steps in test one (copy files to server), but instead of copying to NAS, locally double-click on one of the eircar.exe files
- Immediately the SEP pop up appears stating test virus file detected
- Quarantine automatically cleans and then deletes the file
- client Risk log shows full details, SEP debug and Windows application event log register the fact
2 Questions:
1. What is cleaning the file?
2. Why are items not appearing in the logs to show it has cleared it on a copy?
Many, many thanks in advance. If you need any more info, please reply.