Endpoint Protection


SEPM 11.0.5002.333 reinstallation issues

  • 1.  SEPM 11.0.5002.333 reinstallation issues

    Posted Sep 16, 2010 11:25 AM

    I had to reinstall SEPM the other day. I ran the migration and deployment wizard using the SYLINKREMOTE_ENG batch that redirects the clients to the new SEPM server. The clients are now being managed by the SEPM.

    When I tried to test what a client will do when a virus (using eicar.zip) is found, nothing happens.

    When I copy the eicar.zip file from a CD onto a test client, the auto-protect feature does not work. The file copies with no message or action. Shouldn't the file be scanned as it is copied onto the file system and quarantined?

    After the copy, if I open the file by unzipping it, that does work: a message is displayed and the file is quarantined.

    The Antivirus and Antispyware policy has all the auto-protect features enabled and set to scan all files.

    Any advice on what this could be?



  • 2.  RE: SEPM 11.0.5002.333 reinstallation issues

    Posted Sep 16, 2010 11:30 AM

    As long as the infected file is in the zip it won't infect your computer; as soon as it is unzipped, Antivirus Auto-Protect will capture it and take the necessary action.



  • 3.  RE: SEPM 11.0.5002.333 reinstallation issues

    Posted Sep 16, 2010 11:39 AM

    Try copying the code for the eicar file into a basic text editor (Notepad), save it as an exe file and see what happens.

    Eicar test string:

    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
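
An added example (not from the thread or from Symantec) for the "save the test string as a file" step above: a short Python script that writes the EICAR test file in binary mode and checks that a candidate file actually satisfies the EICAR definition (the 68-byte string first, optionally followed only by whitespace, total length at most 128 bytes). Editors that add a UTF-8 BOM or a stray character produce a file that scanners are not required to detect, so validating the bytes before blaming auto-protect removes one variable. The `.com` extension, the temp-directory path and the function names are this example's own choices; the thread uses `.exe`.

```python
"""Generate an EICAR test file and check that its bytes satisfy the EICAR
definition, so a missed on-access detection can be attributed to scanner
configuration rather than to a malformed test file (added example)."""
import os
import tempfile
from typing import Tuple

# The standard 68-byte EICAR string. It is written as two concatenated literals
# so that this script's own source file does not contain the contiguous
# signature and get quarantined while it is being edited.
EICAR_STRING = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)
EICAR_BYTES = EICAR_STRING.encode("ascii")
assert len(EICAR_BYTES) == 68

# Per the EICAR definition, the 68-byte string may be followed only by these
# whitespace bytes (space, tab, LF, CR, CTRL-Z), and the whole file must not
# exceed 128 bytes.
ALLOWED_TRAILER = {0x20, 0x09, 0x0A, 0x0D, 0x1A}
MAX_LENGTH = 128
UTF8_BOM = b"\xef\xbb\xbf"


def validate_eicar(data: bytes) -> Tuple[bool, str]:
    """Return (is_valid, reason) for the raw bytes of a candidate test file."""
    if data.startswith(UTF8_BOM):
        return False, "file starts with a UTF-8 BOM (editor saved it as UTF-8 with BOM)"
    if not data.startswith(EICAR_BYTES):
        prefix = data[: len(EICAR_BYTES)]
        return False, f"first 68 bytes do not match the EICAR string: {prefix!r}"
    if len(data) > MAX_LENGTH:
        return False, f"file is {len(data)} bytes, maximum is {MAX_LENGTH}"
    trailer = data[len(EICAR_BYTES):]
    bad = sorted({b for b in trailer if b not in ALLOWED_TRAILER})
    if bad:
        return False, f"non-whitespace bytes after the signature: {bad}"
    return True, "valid EICAR test file"


def write_eicar_file(path: str, trailer: bytes = b"") -> str:
    """Write the test file in binary mode (no newline translation, no BOM)."""
    with open(path, "wb") as fh:
        fh.write(EICAR_BYTES + trailer)
    return path


def check_file(path: str) -> Tuple[bool, str]:
    """Validate an existing file on disk, e.g. one produced by a text editor."""
    with open(path, "rb") as fh:
        return validate_eicar(fh.read())


if __name__ == "__main__":
    # Hypothetical location; an on-access scanner is expected to react to this write.
    target = os.path.join(tempfile.gettempdir(), "eicar.com")
    write_eicar_file(target, b"\r\n")
    print(target, check_file(target))
```

Running the script is itself the auto-protect test: the write into the temp directory is the moment an on-access scanner should react. If the file survives, run `check_file` on whatever the editor produced to confirm the bytes are a legitimate EICAR file before concluding that the scanner did not act.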



  • 4.  RE: SEPM 11.0.5002.333 reinstallation issues

    Posted Sep 16, 2010 12:48 PM

    Shouldn't the file be scanned as copied onto the file system and quarantined?

    Answer:

    No, it should not. SEP Auto-Protect would only scan a .zip file when trying to unzip it. It would scan any file only when the file is trying to execute.



  • 5.  RE: SEPM 11.0.5002.333 reinstallation issues

    Posted Sep 16, 2010 01:09 PM

    Whenever I access/open a folder containing a virus it gets deleted. But I can copy said folder without getting detected. So I guess SEP scans a folder including zip files when they are opened. I don't think an executable would attempt to run simply by opening the folder where it is located.



  • 6.  RE: SEPM 11.0.5002.333 reinstallation issues

    Posted Sep 16, 2010 01:32 PM

    I seem to remember that when I tried this about a year ago, trying to copy the zip file, auto-protect caught it in the copying process.

    It seems pretty ridiculous to me that a zip file containing a virus gets dumped onto a file system and nothing happens (until it's unzipped). That could be hours or days away.

    Copying the Eicar test string into a text file and saving it as an exe file does get blocked, so I guess auto-protect is most likely working.

    This leads to my next question.

    In the Home section of the SEPM the action summary is not showing any indication of the action or virus. The preferences were set as default settings. Right now I have them set to:

    Time Range: 12 hours

    Auto-refresh rate: Every 5 minutes

    Notifications: Show all notifications

    Action Summary display: By number of computers (also changed to "By detection count on computers")



  • 7.  RE: SEPM 11.0.5002.333 reinstallation issues

    Broadcom Employee
    Posted Sep 16, 2010 07:32 PM

    By default, I believe that the option to "Delete EICAR events" is selected. It is probably being removed from the database before it ever has a chance to show up on the home page.

    You can modify this setting by:

    1. Log into the SEPM
    2. Go to Admin
    3. Click on Servers
    4. Click on Local Site
    5. Edit Site Properties
    6. Database tab
    7. Check or uncheck "Delete EICAR events"


  • 8.  RE: SEPM 11.0.5002.333 reinstallation issues

    Posted Sep 17, 2010 08:04 AM

    Yes, I did see that and had it unchecked. The action summary is still not indicating there was an issue.



  • 9.  RE: SEPM 11.0.5002.333 reinstallation issues

    Posted Sep 17, 2010 08:27 AM

    In the home page you should see it under

    Blocked

    Do you see any count?



  • 10.  RE: SEPM 11.0.5002.333 reinstallation issues

    Posted Sep 17, 2010 10:10 AM

    Yes, that's where I have been looking and wondering why it's not being indicated there. When the client tries to open the eicar.zip file there is a Symantec Endpoint Protection Notification, Auto-protect scan type pop-up on the client. On the client, if I open the View Quarantine it is listed there with an infected status. Not sure why the SEPM is always indicating a security status of good.



  • 11.  RE: SEPM 11.0.5002.333 reinstallation issues

    Posted Sep 17, 2010 10:16 AM

    I tested it on my box; it immediately populated it on the home page.

    It was listed under Blocked with count 1 and under the Newly Infected tab too.

    What is the communication mode set for your clients? Pull or push mode?

    Try updating the policy on the client; it should send the log to the manager.



  • 12.  RE: SEPM 11.0.5002.333 reinstallation issues

    Posted Sep 17, 2010 11:42 AM

    I'm checking the communication mode at the top level "My Company", Policies tab, Location-specific Settings, Communications Settings. They are set to Push mode, Heartbeat Interval 5 minutes, Download Randomization enabled and set to 5 minutes.

    What's strange is the clients do have the green dot and show as being managed by the SEPM.

    "try updating the policy on client it should send the log to the manager." is that done by opening the SEP client, Help and Support, troubleshooting and click the Profile Policy Update button?

    If so, I tried and ten minutes later it is still not updated.



  • 13.  RE: SEPM 11.0.5002.333 reinstallation issues

    Posted Sep 20, 2010 03:56 AM

    Test it out on a client you have physical access to. Do the Eicar test again. When SEP has acted on it, check the logs: what SEP did and where it went. And you can try to get that report on the SEPM console, via Monitors > Logs or Reports.

    If you can monitor the network traffic, do so. Make sure that there is actual data transfer and not just a basic heartbeat telling the server that the client is turned on.



  • 14.  RE: SEPM 11.0.5002.333 reinstallation issues

    Posted Sep 21, 2010 08:47 AM

    I've tried running the eicar test several times.

    On the client itself the event is being logged. In the "View Log", the "Eicar test string" has been cleaned by deletion every time except for the zip file, which is log only. In the "View Quarantine" it shows the "Eicar Test String" and a status of infected.

    On the SEPM this is still not showing up in the home page "Action Summary by Number of Computers".

    Going through the SEPM Monitors - Logs tab, the Scan log type does show when the clients have been scanned. The Risk log type shows nothing. The Computer Status log type, with compliance options selected and "infected only" checked, shows nothing.

    I have two notifications configured: Single Risk Events and Unmanaged Computers. I am receiving unmanaged computer notifications but no single risk events. Prior to the SEPM reinstall last week, both notifications worked, so nothing has changed network related. I can run a sniffer but will need approval first.



  • 15.  RE: SEPM 11.0.5002.333 reinstallation issues

    Posted Sep 21, 2010 09:11 AM

    Edit your AV/AS policy, go to Miscellaneous ---> Log Handling and make sure that you selected the required types of logs.



  • 16.  RE: SEPM 11.0.5002.333 reinstallation issues

    Posted Sep 21, 2010 09:41 AM

    Check the damper settings.

    Symantec Endpoint Protection Manager: EICAR events don't send Email Notifications