My understanding of each of the scenarios:
I have a copy of the EICAR Test Signature in a file called EICAR.TXT on my Desktop.
Won't be detected on save to your desktop unless "Scan all files" is checked.
I copy the EICAR.TXT file to Copy of EICAR.txt
Same answer as above.
I Rename Copy of EICAR.TXT to Copy of Eicar.COM
When applying the name change, should be detected with any detection setting.
I Rename Copy of EICAR.TXT to Copy of Eicar.EXE
Should be no difference on server vs workstation. Scriptscan should have nothing to do with it. The real difference is down to what files are scanned - default vs all.
Very simple here..
Using VS 8.7i On Access Scanner set to scan "All Files", when "reading" and "writing" from disc. Previous tests on VS 8.0i and VS 8.5i reveal the same results as below:
First, I must disable the "On Access Scanner" to simply place the "EICAR.txt" file on the desktop. Once it's there, as long as it just sits there, I can re-enable the "On Access Scanner" and no detection takes place by the "On Access Scanner" because the file is just sitting there.. Next, after re-enabling the On Access Scanner, although I can right click "copy" the file, when I attempt to "Paste" the file to any location on the drive, it detects the file, throws a warning screen, and removes it. Nothing gets any further.. No renaming is possible because the file is removed.. The same thing happens if I use a command prompt to perform something like "copy eicar.txt eicar.tx.txt". McAfee pops up and removes the "copy/paste" action.
Likewise, if I attempt to rename the "EICAR.txt" file to "EICAR.com", the act of renaming causes the file to be detected and removed.
The same thing happens immediately if you attempt to run any of the executable variants you've listed.. McAfee pops up and prevents the "run" action.
There should be no difference on a server versus a workstation.
Hope this helps.
And if "default files" is used (and read/write scanning enabled), the .txt files will not be detected, but they shouldn't be allowed to be renamed to .com / .bat or .exe.
Also will be detected when launched.
A difference in behaviour between server and desktop indicates that the EPO enforced policy is different for servers and workstations, as they are configured differently in EPO (bearing in mind that they are specified separately in the VSE 8.5 configuration).
I actually just tested it.
1) have a file EICAR.TXT on the desktop. I try to copy/paste it. As I hit CTRL-C/CTRL-V quite quickly, I'm not sure exactly how fast the reaction was, but VSE stopped me and flashed a Virus Detected window.
Both my original EICAR.TXT and the expected "Copy of..." were deleted/missing after that. This means VSE also deleted the original "idle-infected" file.
This led me to do another 2 tests:
2) file EICAR.TXT is idle on the desktop. I just right-click and select "Properties".
VSE jumps in, detects the "virus" and deletes the file.
3) file EICAR.zip is idle on the desktop. Right-click, properties, nothing special.
Right-click, unzip (using your favourite flavour of unzip): VSE detects the virus in the new file but doesn't delete the original ZIP.
Seems fine to me.
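The write, copy and rename scenarios compared in this thread can be scripted so the same test is repeatable on a server and a workstation. This is an added example, not code from any reply; the function names, the temporary working directory (used instead of the Desktop) and the two-second wait are assumptions.

```python
import os
import shutil
import tempfile
import time

# Standard 68-byte EICAR test string, assembled at runtime so that this
# script is not itself flagged when it is saved to disk.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS"
         + "-TEST-FILE!$H+H*").encode("ascii")

def survived(path, wait):
    """True if path still holds the test string after `wait` seconds.
    Note: this read is itself an on-access event when read scanning is on."""
    time.sleep(wait)
    try:
        with open(path, "rb") as fh:
            return fh.read() == EICAR
    except OSError:
        return False

def attempt(action, target, wait):
    """Run one file operation and classify what the scanner did with it."""
    try:
        action()
    except OSError:
        return "blocked"              # the operation itself was refused
    return "not detected" if survived(target, wait) else "removed/denied"

def run_scenarios(workdir, wait=2.0):
    txt = os.path.join(workdir, "EICAR.TXT")
    copy = os.path.join(workdir, "Copy of EICAR.TXT")
    com = os.path.join(workdir, "Copy of Eicar.COM")

    def write():
        with open(txt, "wb") as fh:
            fh.write(EICAR)

    results = {
        "write .TXT": attempt(write, txt, wait),
        "copy .TXT": attempt(lambda: shutil.copyfile(txt, copy), copy, wait),
        "rename to .COM": attempt(lambda: os.rename(copy, com), com, wait),
    }
    # One reply reports the original being deleted along with the copy.
    results["original still present"] = "yes" if os.path.exists(txt) else "no"
    return results

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for step, outcome in run_scenarios(d).items():
            print(f"{step:24} {outcome}")
```

Running it once with the scanner set to default files and once with all files, on each machine type, gives a side-by-side record of which operation triggers detection.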