0 Replies Latest reply on Oct 4, 2016 4:28 AM by mikhail.kovalev

    csscan.exe doesn't detect eicar.com with the Zone.Identifier

    mikhail.kovalev

      Hi,

      I am a bit puzzled by the fact that csscan.exe doesn't detect "eicar.com" as infected when the file has the "Zone.Identifier" set (i.e., the file is downloaded from the internet). Here is the output that I get:

      C:\Windows\system32>"C:\Program Files\Common Files\McAfee\SystemCore\csscan.exe" -Secure "C:\Users\CitrixUser3\Downloads\eicar.com"

      CommonShell Command Line Scanner Lite (VSCORE.15.4.0.649)

      Engine Version     : 5800.7501
      Engine Load Time   : 4992 milliseconds
      AV     DAT Version : 8307.0000   670722 detections   Built Montag, 3. Oktober 2016
      Extra DAT          :                  0 detections

      File     : C:\Users\CitrixUser3\Downloads\eicar.com
      File     : C:\Users\CitrixUser3\Downloads\eicar.com : contains "Testen" called "EICAR test file"  (1023)
      File     : C:\Users\CitrixUser3\Downloads\eicar.com:Zone.Identifier

      Summary :-
              FilesFound       :        1
              FilesScanned     :        1
              FilesNotScanned  :        0

              ObjectsFound     :        2
              ObjectsInfected  :        0
              ObjectsCleaned   :        0
              ObjectsDeleted   :        0

              FilesInfected    :        0
              FilesCleaned     :        0
              FilesMoved       :        0
              FilesDeleted     :        0

              ArtemisReportMode Detections At VeryLow Level :        0
              ArtemisReportMode Detections At Low Level     :        0
              ArtemisReportMode Detections At Medium Level  :        0
              ArtemisReportMode Detections At High Level    :        0
              ArtemisReportMode Detections At VeryHigh Level:        0

              Files Scanned by Artemis          :        0
              Files found clean by Artemis      :        0
              DNS queries found in ReportMode   :        0

      Started at : 09:26:08 Dienstag, 4. Oktober 2016
      Ended at   : 09:26:08 Dienstag, 4. Oktober 2016
      Duration   : 0 seconds


      If I remove the "Zone.Identifier" flag, then it works fine:


      C:\Windows\system32>"C:\Program Files\Common Files\McAfee\SystemCore\csscan.exe" -Secure "C:\Users\CitrixUser3\Downloads\eicar.com"

      CommonShell Command Line Scanner Lite (VSCORE.15.4.0.649)

      Engine Version     : 5800.7501
      Engine Load Time   : 4993 milliseconds
      AV     DAT Version : 8307.0000   670722 detections   Built Montag, 3. Oktober 2016
      Extra DAT          :                  0 detections

      File     : C:\Users\CitrixUser3\Downloads\eicar.com
      File     : C:\Users\CitrixUser3\Downloads\eicar.com : contains "Testen" called "EICAR test file"  (1023)
      C:\Users\CitrixUser3\Downloads\eicar.com : No action taken

      Summary :-
              FilesFound       :        1
              FilesScanned     :        1
              FilesNotScanned  :        0

              ObjectsFound     :        1
              ObjectsInfected  :        0
              ObjectsCleaned   :        0
              ObjectsDeleted   :        0

              FilesInfected    :        1
              FilesCleaned     :        0
              FilesMoved       :        0
              FilesDeleted     :        0

              ArtemisReportMode Detections At VeryLow Level :        0
              ArtemisReportMode Detections At Low Level     :        0
              ArtemisReportMode Detections At Medium Level  :        0
              ArtemisReportMode Detections At High Level    :        0
              ArtemisReportMode Detections At VeryHigh Level:        0

              Files Scanned by Artemis          :        0
              Files found clean by Artemis      :        0
              DNS queries found in ReportMode   :        0

      Started at : 09:12:05 Dienstag, 4. Oktober 2016
      Ended at   : 09:12:05 Dienstag, 4. Oktober 2016
      Duration   : 0 seconds


      At the same time, On-access scanner detects the file in both cases. I am using VirusScan Enterprise 8.8.

      Is this a bug or expected behaviour?
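
Added example, not part of the original post and not McAfee code: a small check for automation that wraps csscan.exe, which cross-checks the per-object `contains ... called ...` lines against the `FilesInfected` summary counter, so a run like the first one above is flagged instead of being read as clean. It assumes the output format is exactly as printed in the post; the function name `check_csscan_output` and the sample variables are hypothetical.

```python
import re

# Per-object detection line:  File : <path> : contains "<type>" called "<name>"
DETECTION = re.compile(
    r'^\s*File\s+:\s+(.+?)\s+:\s+contains\s+"([^"]*)"\s+called\s+"([^"]*)"')
# Object that is an NTFS alternate data stream:  File : C:\dir\file:StreamName
STREAM = re.compile(r'^\s*File\s+:\s+([A-Za-z]:\\[^:]*):([^:\s]+)\s*$')
# Single-word summary counter:  FilesInfected    :        0
COUNTER = re.compile(r'^\s*(\w+)\s*:\s*(\d+)\s*$')

def check_csscan_output(text):
    """Return detections, stream names, FilesInfected and a mismatch flag."""
    detections, streams, counters = [], [], {}
    for line in text.splitlines():
        if m := DETECTION.match(line):
            detections.append((m.group(1), m.group(3)))
        elif m := STREAM.match(line):
            streams.append(m.group(2))
        elif m := COUNTER.match(line):
            counters[m.group(1)] = int(m.group(2))
    infected = counters.get("FilesInfected", 0)
    return {
        "detections": detections,
        "streams": streams,
        "files_infected": infected,
        # A detection line was printed, yet the summary reports no infected file.
        "mismatch": bool(detections) and infected == 0,
    }

# Sample input: lines copied from the two runs in the post, abridged.
WITH_ZONE_ID = r'''
File     : C:\Users\CitrixUser3\Downloads\eicar.com
File     : C:\Users\CitrixUser3\Downloads\eicar.com : contains "Testen" called "EICAR test file"  (1023)
File     : C:\Users\CitrixUser3\Downloads\eicar.com:Zone.Identifier
        ObjectsFound     :        2
        FilesInfected    :        0
'''
WITHOUT_ZONE_ID = r'''
File     : C:\Users\CitrixUser3\Downloads\eicar.com
File     : C:\Users\CitrixUser3\Downloads\eicar.com : contains "Testen" called "EICAR test file"  (1023)
C:\Users\CitrixUser3\Downloads\eicar.com : No action taken
        ObjectsFound     :        1
        FilesInfected    :        1
'''

if __name__ == "__main__":
    for label, out in (("with Zone.Identifier", WITH_ZONE_ID),
                       ("without Zone.Identifier", WITHOUT_ZONE_ID)):
        print(label, check_csscan_output(out))
```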