Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Symantec Scan Engine doesn't receive EICAR test file as it is intercepted by Symantec End Point Protection

Created: 18 Mar 2013 • Updated: 06 May 2013 | 2 comments

 

I have tried to summarize my question with the above picture. Our application requires anti-virus scanning of all uploaded files using Symantec Scan Engine. We are using the EICAR test virus file to validate this feature. We do get an error message "FILE_ACCESS_FAILED" on the UI. But we don't see any report of an infection/risk on the Symantec Scan Engine console. In fact, the file doesn't get dropped in the directory where the Scan Engine picks it up.

After some investigation, our guess is that the Symantec End Point Protection installed on our servers is probably throwing the error. However, when we check the Symantec End Point Protection Manager console, we don't see any risks/infections either. This is a little bewildering.

The uploaded files are being reported in the server logs with an appropriate POST/GET.

Can someone help us out in this investigation?

Thanks,

InfoImage-PD

Operating Systems:

Comments 2 CommentsJump to latest comment

Beppe's picture

Hello,

it is expected that the SEP agent detects the EICAR file. Once the file is detected and removed by SEP, you get the access error. Did you check the risk logs in the involved SEP client itself? Did you try to disable the AV component of that SEP client from its interface? Did you try to add an exception for the EICAR file in SEP? If I remember well, the EICAR-related events logging in the SEPM is disabled by default.

Regards,

Giuseppe

Rafeeq's picture

Have you checked if Eicar events are appearing in SEPM.

have you unchecked delete eicar events in SEPM.

Symantec Endpoint Protection Manager: EICAR events don't send Email Notifications

 
for each new test you have to download the file again from internet coz the moment you drop it, SEP will detect and delte it.