4 Replies Latest reply on Jul 10, 2009 1:56 AM by SergeM

    What SHOULD Happen ?

    jmaxwell
      Given the following scenario what SHOULD happen ?

On Access Scanning is enabled for both read and write and scriptscan is enabled.

      Using AV8.5i 5300 Engine Patch 8


      I have a copy of the EICAR Test Signature in a file called EICAR.TXT on my Desktop.


      I copy the EICAR.TXT file to Copy of EICAR.txt

      I Rename Copy of EICAR.TXT to Copy of Eicar.COM


      I copy the EICAR.TXT file to Copy of EICAR.txt

      I Rename Copy of EICAR.TXT to Copy of Eicar.EXE


      I copy the EICAR.TXT file to Copy of EICAR.txt

      I Rename Copy of EICAR.TXT to Copy of Eicar.BAT


      What should happen with the above three scenarios if On-Access Scanning is working properly ?

Additionally, what should happen if you Invoke/Open/Run each of the .com/.bat/.exe variants?

Would you expect any of the above "expected behaviours" to be any different when attempted on Servers as opposed to Workstations?

      As you may have guessed I'm having somewhat confusing "results" when I try this myself so any assistance is much appreciated.


      Thanks,

      Jim
        • 1. RE: What SHOULD Happen ?
          My understanding of each of the scenarios:

          I have a copy of the EICAR Test Signature in a file called EICAR.TXT on my Desktop.


          Won't be detected on save to your desktop unless "Scan all files" is checked.

          I copy the EICAR.TXT file to Copy of EICAR.txt

          Same answer as above.

          I Rename Copy of EICAR.TXT to Copy of Eicar.COM

          When applying the name change, should be detected with any detection setting.

          I Rename Copy of EICAR.TXT to Copy of Eicar.EXE

          As above.

          Should be no difference on server vs workstation. Scriptscan should have nothing to do with it. The real difference is down to what files are scanned - default vs all.
          • 2. RE: What SHOULD Happen ?
            Very simple here..

            Using VS 8.7i On Access Scanner set to scan "All Files", when "reading" and "writing" from disc. Previous tests on VS 8.0i and VS 8.5i reveal the same results as below:

First, I must disable the On Access Scanner to simply place the "EICAR.txt" file on the desktop. Once it's there, as long as it just sits there, I can re-enable the On Access Scanner and no detection takes place by the On Access Scanner because the file is just sitting there. Next, after re-enabling the On Access Scanner, although I can right-click "copy" the file, when I attempt to "Paste" the file to any location on the drive, it detects the file, throws a warning screen, and removes it. Nothing gets any further. No renaming is possible because the file is removed. The same thing happens if I use a command prompt to perform something like "copy eicar.txt eicar.tx.txt". McAfee pops up and removes the "copy/paste" action.

            Likewise, if I attempt to rename the "EICAR.txt" file to "EICAR.com", the act of renaming causes the file to be detected and removed.

The same thing happens immediately if you attempt to run any of the executable variants you've listed. McAfee pops up and prevents the "run" action.

            There should be no difference on a server versus a workstation.

            Hope this helps.

            Grif
            • 3. RE: What SHOULD Happen ?
              And if "default files" is used (and read/write scanning enabled), the .txt files will not be detected, but they shouldn't be allowed to be renamed to .com / .bat or .exe

              Also will be detected when launched.


A difference in behaviour between server and desktop indicates that the EPO enforced policy is different for servers and workstations, as they are configured differently in EPO (bearing in mind that they are specified separately in the VSE 8.5 configuration).
              • 4. RE: What SHOULD Happen ?
                SergeM
                I actually just tested it.

                1) have a file EICAR.TXT on the desktop. I try to copy/paste it. As I hit CTRL-C/CTRL-V quite quickly, I'm not sure exactly how fast the reaction was, but VSE stopped me and flashed a Virus Detected window.
                Both my original EICAR.TXT and the expected "Copy of..." were deleted/missing after that. This means VSE also deleted the original "idle-infected" file.

This led me to do another 2 tests:

                2) file EICAR.TXT is idle on the desktop. I just right-click and select "Properties".
                VSE jumps in, detects the "virus" and deletes the file.

                3) file EICAR.zip is idle on the desktop. Right-click, properties, nothing special.
Right-click, unzip (using your favourite flavour of unzip): VSE detects the virus in the new file but doesn't delete the original ZIP.

                Seems fine to me.

                Serge
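The write/read/copy/rename steps discussed in this thread, written up as an added example that a defender can run to check an on-access policy against the outcomes the replies describe. This is not code from the thread or from McAfee. It assumes only a writable scratch directory; the step names, the EXPECTED table (encoding reply 1's "default file types" case and Grif's "Scan all files" case) and the scratch-directory handling are this example's own. The EICAR string is assembled from two halves at run time so that the script's own source file is not what the scanner quarantines, and the published SHA-256 of eicar.com is used to confirm it was typed correctly. The .com/.exe/.bat files are only copied, renamed and read, never launched.

```python
"""Added example: replay the thread's EICAR steps and record what survives.

Constructed for this page, not the thread's or McAfee's own code. Assumes a
writable scratch directory; step names and the EXPECTED table are this
example's own encoding of what the replies say should happen.
"""
import hashlib
import os
import shutil
import tempfile

# The 68-byte EICAR test string, split in two so that the script's own source
# file does not contain the signature and get quarantined before it can run.
_EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
)
# Published SHA-256 of the canonical eicar.com test file.
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def eicar_bytes() -> bytes:
    return "".join(_EICAR_PARTS).encode("ascii")


def eicar_is_canonical() -> bool:
    """Confirm the assembled bytes are the real test string, not a typo."""
    return hashlib.sha256(eicar_bytes()).hexdigest() == EICAR_SHA256


# What the replies say each step should produce, by VSE file-type policy:
# "default" scans only default file types, "all" is "Scan all files".
EXPECTED = {
    "default": {"write_txt": "present", "read_txt": "present",
                "copy_txt": "present", "rename_com": "removed",
                "rename_exe": "removed", "rename_bat": "removed"},
    "all":     {"write_txt": "removed", "read_txt": "removed",
                "copy_txt": "removed", "rename_com": "removed",
                "rename_exe": "removed", "rename_bat": "removed"},
}


def _state(path: str) -> str:
    return "present" if os.path.exists(path) else "removed"


def run_matrix(workdir: str) -> dict:
    """Perform the thread's steps inside workdir and record each outcome.

    Every file operation is wrapped in try/except OSError because an
    on-access scanner may delete or lock a file while the step is running;
    a step's result is simply whatever is left on disk afterwards.
    """
    results = {}
    src = os.path.join(workdir, "EICAR.TXT")
    try:
        with open(src, "wb") as fh:
            fh.write(eicar_bytes())
    except OSError:
        pass
    results["write_txt"] = _state(src)

    try:  # opening the file for read is what an on-read scan hooks
        with open(src, "rb") as fh:
            fh.read()
    except OSError:
        pass
    results["read_txt"] = _state(src)

    for ext in ("COM", "EXE", "BAT"):
        copy = os.path.join(workdir, "Copy of EICAR.txt")
        renamed = os.path.join(workdir, f"Copy of Eicar.{ext}")
        try:
            shutil.copyfile(src, copy)
        except OSError:
            pass
        if "copy_txt" not in results:
            results["copy_txt"] = _state(copy)
        try:
            os.replace(copy, renamed)
        except OSError:
            pass
        results[f"rename_{ext.lower()}"] = _state(renamed)
    return results


def compare(results: dict, policy: str) -> dict:
    """Return {step: (expected, observed)} for every step that disagrees."""
    table = EXPECTED[policy]
    return {step: (table[step], seen)
            for step, seen in results.items() if table.get(step) != seen}


def run_in_scratch() -> dict:
    """Run the matrix in a temporary directory and clean up afterwards."""
    workdir = tempfile.mkdtemp(prefix="eicar-matrix-")
    try:
        return run_matrix(workdir)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    observed = run_in_scratch()
    for step, state in observed.items():
        print(f"{step:12s} {state}")
    # Pick the policy the host is supposed to enforce and list any mismatch.
    print("mismatches vs 'default' policy:", compare(observed, "default"))
```

On a host with no on-access scanner every step reports "present", which is itself useful: an empty mismatch list against the "all" policy on a machine that is supposed to enforce it means the scanner is not running or the policy did not apply. Serge's observation that the original EICAR.TXT was deleted along with the copy shows up here as "write_txt" being "present" but "read_txt" or "copy_txt" being "removed".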