Reliable Contributor haaris
Message 1 of 6

EICAR file detected in .txt but not in .doc/.docx

Hi,

Can anyone tell me whether it is OK that the EICAR file is detected by McAfee ENS but is not detected when saved in .doc/.docx format?

Any idea why it is like that? Is it OK?

5 Replies
McAfee Employee jess_arman
Message 2 of 6

Re: EICAR file detected in .txt but not in .doc/.docx

@haaris In order to be able to give you an accurate assessment of what could be causing this, Support would need to review the logs from your system and the applied policy configuration. At a base level, I would assume that this is occurring due to some gap in your OAS policy created by exclusions--especially if you are seeing it correctly detected in other formats or locations on your system.

I would recommend ensuring that you are scanning .doc/.docx files, that the folder you're saving in is not excluded somehow, and that the process touching it is not low-risked.

 

Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

Reliable Contributor haaris
Message 3 of 6

Re: EICAR file detected in .txt but not in .doc/.docx

Hi @jess_arman,

That's not the case. Actually, in general, when you test the EICAR file with .txt and .com it gets detected, but not the .doc/.docx file. So I wanted to know if there is any specific reason for that? There is no exclusion for the path or the file I tested.

Have you checked the same thing in your test environment? 

McAfee Employee jess_arman
Message 4 of 6

Re: EICAR file detected in .txt but not in .doc/.docx

@haaris After diving deeper, I have found that this behavior is to be expected due to the nature of an EICAR detection and the way that Microsoft formats .doc and .docx files.

By definition, EICAR detection is based on the following: "Any anti-virus product that supports the EICAR test file should detect it in any file providing that the file starts with the following 68 characters, and is exactly 68 bytes long..."*

When you have this in a .doc(x) file, the file doesn't begin with this; see the following comparison:

[Image: MicrosoftTeams-image.png]

If you take the same .doc(x) file and rename it to a .txt, you'll see it is immediately detected due to its ability to now meet the defined criteria for an EICAR detection by design.

Hope this sufficiently clarifies for you.

*http://www.eicar.org/86-0-Intended-use.html 

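The definition quoted in message 4, as an added example that is not part of the original thread and not McAfee's code: a Python check of whether a file's bytes meet the EICAR criteria, run on constructed samples. The whitespace-padding allowance (total length up to 128 bytes) comes from the same EICAR definition beyond the part quoted above; the function names and the sample builders are assumptions made for illustration.

```python
import io
import zipfile

# Assembled from two pieces so this script does not itself match the test signature on disk.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
ALLOWED_PADDING = b" \t\n\r\x1a"  # space, tab, LF, CR, Ctrl-Z
MAGIC = {b"PK\x03\x04": "ZIP container (.docx)",
         b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound file (.doc)"}


def meets_eicar_definition(data: bytes) -> bool:
    """True if data starts with the 68-byte string and is 68 bytes long,
    or at most 128 bytes with only whitespace padding after the string."""
    if not data.startswith(EICAR) or len(data) > 128:
        return False
    return all(b in ALLOWED_PADDING for b in data[len(EICAR):])


def describe(data: bytes) -> dict:
    """Summarise why a buffer does or does not meet the definition."""
    container = next((name for magic, name in MAGIC.items()
                      if data.startswith(magic)), "none")
    return {"matches": meets_eicar_definition(data),
            "container": container,
            "string_offset": data.find(EICAR),  # -1 if absent (e.g. compressed)
            "size": len(data)}


def constructed_docx() -> bytes:
    """Constructed sample: a ZIP with the string stored uncompressed in word/document.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("word/document.xml", b"<w:t>" + EICAR + b"</w:t>")
    return buf.getvalue()


def constructed_doc() -> bytes:
    """Constructed sample: OLE2 magic, zero padding to the 512-byte header size, then the string."""
    return b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504 + EICAR


if __name__ == "__main__":
    samples = {"eicar.txt": EICAR, "eicar_crlf.txt": EICAR + b"\r\n",
               "eicar.docx": constructed_docx(), "eicar.doc": constructed_doc()}
    for name, data in samples.items():
        print(name, describe(data))
```

In both container samples the string is present in the file but not at offset 0, so the definition's "starts with" condition fails; a scanner would have to parse the container to reach the embedded text.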

 

Reliable Contributor haaris
Message 5 of 6

Re: EICAR file detected in .txt but not in .doc/.docx

Hi,

Thanks for the explanation.

That's actually what I was expecting.

Have you converted the characters to ASCII?

McAfee Employee johma
Message 6 of 6

Re: EICAR file detected in .txt but not in .doc/.docx

Hi, 

To add to what Jess said, this is also part of the "smart scan" technology that is built into ENS.

You will see the same behavior when saving either EICAR or Tryguard from Notepad.exe to a TXT file. VirusScan Enterprise will detect this when scanning "All Files" instantly on save.

ENS, on the other hand, will not detect either of the above where the filename is .TXT, as this is "expected" behaviour.

We expect to see Notepad.exe saving text to a .TXT file, so no scan is initiated.

However, if you were to do a Save As and save the same file as a .COM or .EXE, then ENS would detect this immediately, as it is not expected for Notepad.exe to be saving files with executable extensions.
