The antivirus test file eicar.com can be executed with File System Auto-Protect enabled

Article ID: 152309


Products

Endpoint Protection

Issue/Introduction

You want to know why the antivirus test file eicar.com can be executed while real-time scanning (File System Auto-Protect) in Symantec Endpoint Protection is enabled.

Symptoms
Double-clicking the eicar.com file does not trigger a virus detection: no event is written to the SEP log, and no Symantec Endpoint Protection notification window pops up.
  • Via the command line (in a DOS box) you can run the eicar.com test virus by typing at the prompt:
      eicar.com
  • If the file can be executed, the reply is:
      EICAR-STANDARD-ANTIVIRUS-TEST-FILE!
  • If the file is removed by Symantec Endpoint Protection, the reply on the command line will be:
      The system cannot find the file \eicar.com.


Cause

This is working as designed if the Symantec Endpoint Protection client is configured to scan files on modification only.

Resolution

To find out whether the local SEP client scans on modification only, or whenever a file is accessed or modified, do the following:
  1. Go to File System Auto-Protect
  2. Go to Advanced
  3. In the section Scan files when you will find the following options:
     • Scan when a file is accessed or modified
     • Scan when a file is modified
     • (Scan when a file is backed up)

If you have enabled Scan when a file is modified, the SEP client does exactly what the setting says: it scans the file only when it is modified.

If you want to change this behaviour, change the setting to Scan when a file is accessed or modified.

___________________________________________________________________
NOTE: the safer setting is to Scan when a file is accessed or modified!



Technical Information
Executing (running) a file (e.g. the antivirus test file) counts as accessing the file, so when Scan when a file is modified is enabled, eicar.com can be executed without being detected.

A copy is considered a modification. Therefore copying an antivirus test file is never possible with Auto-Protect enabled, regardless of the accessed/modified option.
(The DOS box nevertheless shows “1 file(s) copied.”, which can be confusing.)

A Scheduled Scan or a Manual Scan will find the antivirus test file regardless of your accessed/modified setting.
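To verify from the endpoint itself which of the two Auto-Protect modes is in effect, rather than reading the settings dialog, here is an added PowerShell check that is not part of the Symantec article. It assumes an eicar.com is already present on disk (obtained separately, e.g. from eicar.org; the path is passed as -TestFile) and that opening the file for read counts as an "access" in the same way execution does.

```powershell
# Added example, not from the Symantec article. Observes what Auto-Protect
# does to an eicar.com that is already on disk: a copy is a modification and
# should vanish in either mode; a read is an access and should only vanish
# under "Scan when a file is accessed or modified" (assumption: a read open
# is treated like execution).
param(
    [Parameter(Mandatory = $true)][string]$TestFile,   # path to existing eicar.com
    [int]$WaitSeconds = 5                               # time allowed for Auto-Protect to act
)

function Test-AutoProtectMode {
    param([string]$Path, [int]$Wait)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Test file not found: $Path"
    }

    # 1. Copy = modification. Expect the copy to be removed in both modes.
    $copy = Join-Path $env:TEMP 'eicar-copy.com'
    Copy-Item -LiteralPath $Path -Destination $copy -ErrorAction SilentlyContinue
    Start-Sleep -Seconds $Wait
    $copySurvived = Test-Path -LiteralPath $copy
    if ($copySurvived) { Remove-Item -LiteralPath $copy -Force -ErrorAction SilentlyContinue }

    # 2. Read = access. Only "accessed or modified" is expected to react here.
    try {
        $stream = [System.IO.File]::OpenRead($Path)
        $null = $stream.ReadByte()
        $stream.Close()
    } catch { }   # an error opening the file can itself mean Auto-Protect intervened
    Start-Sleep -Seconds $Wait
    $originalSurvived = Test-Path -LiteralPath $Path

    [pscustomobject]@{
        CopyRemovedOnModify   = -not $copySurvived
        OriginalRemovedOnRead = -not $originalSurvived
        LikelyMode            = $(
            if ($copySurvived)         { 'Auto-Protect not active' }
            elseif ($originalSurvived) { 'Scan when a file is modified' }
            else                       { 'Scan when a file is accessed or modified' }
        )
    }
}

Test-AutoProtectMode -Path $TestFile -Wait $WaitSeconds
```

If the original survives the read but the copy is removed, the client is in "modified only" mode, which is exactly the situation this article describes; switch the setting as shown under Resolution and rerun.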