Former Member
Message 1 of 4

ENS Linux not detecting EICAR test file


Hi There,

One of my customers is doing POC testing on their Linux systems. They found that after ENS for Linux was installed, the EICAR test file couldn't be detected and deleted.

ENSLTP 10.6.5 + Agent 5.6.2 + CentOS 7.2 + Fresh Installation

Below are some details:

1. Versions:

/opt/isec/ens/threatprevention/bin/isecav --version
McAfee Endpoint Security for Linux Threat Prevention
Version : 10.6.5.107
License : Full
DAT Version : 9368.0
DAT Date : 02-09-2019
Engine Version : 6010.8670

2. ENSLTP service status is OK:

/opt/isec/ens/threatprevention/bin/isectpdControl.sh status
* isectpd.service - McAfee Endpoint Security for Linux Threat Prevention
Loaded: loaded (/usr/lib/systemd/system/isectpd.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2019-12-05 17:19:27 CST; 25min ago
Docs: man:isectpd(8)
Process: 6683 ExecStartPre=/opt/isec/ens/threatprevention/bin/cgroupMountHelper.sh systemd (code=exited, status=0/SUCCESS)
Process: 6645 ExecStartPre=/opt/isec/ens/threatprevention/bin/kernelModuleControlWrapper.sh systemd (code=exited, status=0/SUCCESS)
Process: 6634 ExecStartPre=/opt/isec/ens/threatprevention/bin/AacModuleControlWrapper.sh systemd (code=exited, status=0/SUCCESS)
Main PID: 6694 (isectpd)
Memory: 345.7M
CGroup: /system.slice/isectpd.service
|-6694 /opt/isec/ens/threatprevention/bin/isectpd
|-6741 /opt/isec/ens/threatprevention/bin/isectpd
|-6779 /opt/isec/ens/threatprevention/bin/isectpd
`-6788 /opt/isec/ens/threatprevention/bin/isectpd

Dec 05 17:19:27 localhost.localdomain systemd[1]: Starting McAfee Endpoint Security for Linux Threat Prevention...
Dec 05 17:19:27 localhost.localdomain systemd[1]: Started McAfee Endpoint Security for Linux Threat Prevention.

3. OAS scanning is enabled:

/opt/isec/ens/threatprevention/bin/isecav --getoasconfig --summary
On-Access Scan: Enabled and Compliant
Profile Setting: Standard
Maximum scan time: 45
GTI: Enabled
GTI Sensitivity Level: Medium

4. We used the wget command to download the EICAR test file (eicar.com) to /tmp; /tmp is not excluded.

5. As per McAfee KB88812, I also checked isecoasmgr.log; it didn't contain any detection history:

Dec 05 17:20:20 localhost.localdomain INFO OASManager [6788] Starting OAS Manager
Dec 05 17:44:25 localhost.localdomain ERROR OASManager [6788] Skipping since file path /tmp/tmp.aJdI3qPC03/isecesp-mer.txt could not be opened due to - No such file or directory
Dec 05 17:44:26 localhost.localdomain ERROR OASManager [6788] Skipping since file path /opt/isec/ens/threatprevention/bin/isecesp-mer.txt could not be opened due to - No such file or directory
Dec 05 17:44:26 localhost.localdomain ERROR OASManager [6788] Skipping since file path /opt/isec/ens/threatprevention/bin/isecesp-mer.txt could not be opened due to - No such file or directory


Can you guide me on how to further troubleshoot this issue? Thanks.

1 Solution

Accepted Solution
Former Member
Message 4 of 4

Re: ENS Linux not detecting EICAR test file

It's working now. Not sure why it wasn't working yesterday...


3 Replies
McAfee Employee
Message 2 of 4

Re: ENS Linux not detecting EICAR test file


Hi @Former Member ,

Good day to you!

Did you confirm that the EICAR file was actually downloaded onto the machine?

By default the extension ".COM" is not in the exclusion list, so you should definitely be seeing the detection in isecoasmgr.log.

I would also suggest running the standard EICAR test. Steps below:

1. Open EICAR.com in vim or vi.

2. Save the EICAR string:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

3. Check isecoasmgr.log.
Hope it helps.
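The test procedure above, scripted, as an added example; this is not code from the thread or from McAfee. It writes the EICAR string locally instead of fetching it, then proves the file is the genuine 68-byte test string (size and published SHA-256) before asking whether the scanner reacted. That check matters because a download that returned something else, such as an HTML page from a redirect, or a file with a trailing newline is not the EICAR test file and no scanner is obliged to flag it. The log path /var/McAfee/ens/log/tp/isecoasmgr.log, the 15-second wait, and the assumption that the configured on-access action removes the file on detection are all assumptions; adjust them to your install.

```shell
#!/bin/sh
# Added example, not from the original thread: write the EICAR test file,
# verify it byte-for-byte, then see whether on-access scanning removed it.

EICAR_STRING='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
# Published SHA-256 of the 68-byte EICAR file (no trailing newline).
EICAR_SHA256='275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f'
# ASSUMPTION: OAS manager log location for ENS for Linux Threat Prevention.
OAS_LOG="${OAS_LOG:-/var/McAfee/ens/log/tp/isecoasmgr.log}"

# Write the string with printf '%s' so no newline is appended.
write_eicar() {
    printf '%s' "$EICAR_STRING" > "$1"
}

# Portable SHA-256: sha256sum (Linux), shasum (macOS/BSD), openssl fallback.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Returns 0 only if $1 is exactly the EICAR test file: 68 bytes, known hash.
verify_eicar() {
    [ -f "$1" ] || return 1
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -eq 68 ] || return 1
    [ "$(file_sha256 "$1")" = "$EICAR_SHA256" ]
}

# Open the file for read (what OAS hooks), then wait up to $2 seconds for
# the scanner to delete/quarantine it. 0 = file gone (detected), 1 = still there.
wait_for_detection() {
    f=$1; timeout=${2:-10}
    cat "$f" >/dev/null 2>&1 || true
    i=0
    while [ "$i" -lt "$timeout" ]; do
        [ -e "$f" ] || return 0
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# Print whatever the OAS manager logged about the path, if the log is readable.
show_oas_log() {
    if [ -r "$OAS_LOG" ]; then
        grep -F "$1" "$OAS_LOG" || echo "no entry for $1 in $OAS_LOG"
    else
        echo "log $OAS_LOG not readable (path is an assumption; check your install)"
    fi
}

main() {
    target=${1:-/tmp/eicar.com}
    write_eicar "$target"
    if verify_eicar "$target"; then
        echo "wrote genuine EICAR test file: $target"
    else
        echo "file at $target is NOT the EICAR test string; fix that before blaming the scanner" >&2
        return 2
    fi
    if wait_for_detection "$target" 15; then
        echo "DETECTED: $target was removed by on-access scan"
    else
        echo "NOT DETECTED within 15s: $target still present" >&2
    fi
    show_oas_log "$target"
}

# Runs only when a path is given, e.g.:  sh eicar_check.sh /tmp/eicar.com
if [ $# -gt 0 ]; then
    main "$1"
fi
```

If the script reports the file is not the genuine test string, the scanner is not the problem; re-fetch or re-create the file. If the file is genuine and stays in place, then look at exclusions, the OAS profile and the log, as the reply suggests.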
Former Member
Message 3 of 4

Re: ENS Linux not detecting EICAR test file

Yes, we can confirm the EICAR test file was correctly retrieved to /tmp. We also gave it execute permission and tried to run it, but it was still not detected by ENSLTP.

Will let my customer try your suggestion and update you. Thanks.

