Seregil
Level 8
Message 1 of 8

ENS Threat Prevention for Linux not detecting EICAR test file in archive

Hi Community,

I'm testing out the Endpoint Security Threat Prevention for our customer and ran into a problem.

I'm using two Linux machines (SUSE Linux Enterprise Server 15 SP1), one is to prepare the EICAR test files in different ways and the other one to test if they get detected.

So I opened vim to copy the string from the EICAR website into it and then I saved it under the name eicar.com. Then I also put the file into different archives (zip, tar, etc.).

After I'd done that, I copied the files to the testing machine via scp.

The OAS instantly found and deleted the infected files, except the one in the tar archive.

So I tried to do an ODS and it also didn't find it.

So now my question is, is there a way to make the Threat Prevention system recognize also tar files?

The logfiles at /var/McAfee/ens/log/tp don't give an indication that there are skipped files.

I also checked the ePO policy for OAS and ODS and both of them have archive scanning activated.

Maybe I'm just missing something, so any help would be greatly appreciated.

Here is some version information:

McAfee Endpoint Security for Linux Threat Prevention
Version : 10.7.0.351
License : Full
DAT Version : 4296.0
DAT Date : 12-07-2020
Engine Version : 6100.8979

7 Replies
Udaya6626
McAfee Employee
Message 2 of 8

Re: ENS Threat Prevention for Linux not detecting EICAR test file in archive

Ideally, OAS and ODS will both scan tar archive files if their respective policies have "Compressed archive files" scanning enabled.

Can you check for a file type exclusion and that the location being scanned is not excluded?

Also, you can check the "What to scan" option in the OAS policy, in case any specific files have been mentioned there. If these options are fine, I would request you to create a service request with support, as we may need to deep dive into the logs.


Seregil
Level 8
Message 3 of 8

Re: ENS Threat Prevention for Linux not detecting EICAR test file in archive


I just checked it.

"Compressed archive files" scanning is enabled for both OAS & ODS

There are no files excluded

In ODS, for Scan locations I have:

- All local drives

- All mapped drives

- Temp folder

- The folder I copied the files to

For "What to scan" in OAS and "File Types to Scan" in ODS I have set "All files".

If you don't say there is something wrong with my settings I guess I have to go with the service request.

gururaj
McAfee Employee
Message 4 of 8

Re: ENS Threat Prevention for Linux not detecting EICAR test file in archive

Hi,

We need to look into the logs and see why the EICAR is not being detected. Kindly raise the Service Request.


Seregil
Level 8
Message 5 of 8

Re: ENS Threat Prevention for Linux not detecting EICAR test file in archive


Hey,

thank you for the quick heads up. I will inform my superior in order to raise the service request.

Iridium6
Level 7
Message 6 of 8

Re: ENS Threat Prevention for Linux not detecting EICAR test file in archive


Compressed files take longer to scan. Did you check to see if the scan was timing out?

Event ID: 1059 

Event Description: Scan Timed Out

If the scan exceeds the time limit specified for each file in the ODS policy, the file will be skipped.

gururaj
McAfee Employee
Message 7 of 8

Re: ENS Threat Prevention for Linux not detecting EICAR test file in archive

Event ID: 1059 

Event Description: Scan Timed Out

If the scan exceeds the time limit specified for each file in the ODS policy, the file will be skipped.

Yes, if the specified time is completed or unarchiving takes more than the specified time, it will time out the scan and move to the next file.

Regards,

Gururaj.m.d

Seregil
Level 8
Message 8 of 8

Re: ENS Threat Prevention for Linux not detecting EICAR test file in archive


I checked the log files for your suggestion, the scan didn't time out.

But McAfee is already on the case, so I hope the devs will find the problem soon.
