ssj100

EEK not detecting EICAR and other "malware" under certain conditions


Hi there,

Tested on both Windows XP 32-bit and Windows 7 64-bit (both freshly installed, no other 3rd party software installed or running).  Reasonably sure it's a relatively new bug, perhaps only introduced in the last couple of versions:

EEK 10.0.0.5488

How to reproduce:

1. Create a folder

2. Place EICAR test file (or other "malware" that EEK will usually detect) in the folder

3. Place a large file (eg. 500Mb video) into the same folder (that isn't "malware")

4. Run EEK.

Select "Scan", then "Custom Scan".

Ensure to remove all default listed directories to be scanned.

Also remove all checkboxes under "Scan Objects" (not necessary to reproduce this bug but will speed up the scan)

Select "Add folder"

Browse to the folder you created in step 1. above

5. Click "Next" to scan the folder

6. Notice that EEK doesn't detect the "malware"

7. Remove the large file from the folder

8. Repeat the scan of this folder as in steps 4-5

9. Notice that EEK now detects the "malware"

Can anyone else reproduce this?  If so, can the devs take a look please?  I like using EEK as my on-demand scanner, but I've lost some trust in it now.

One workaround is to scan the parent folder instead of the actual folder, but this sort of defeats the purpose of "Custom Scan".

Note I'm not sure how large a file it needs to be.  A bit more testing reveals rather random behavior, with EEK detecting it sometimes and sometimes not, with various files within the folder.  Quite bizarre.  But pretty sure everyone should be able to reproduce it at least once if they follow the steps above carefully.


Several of us were testing this earlier. One of us is able to reproduce it, but the others were not. We're going to have to do some more testing, and see if we can figure out what is going on.


Somehow it seems to be fixed now (latest signatures installed).  Perhaps some bug in the signature detection before?  Would really appreciate feedback on what exactly happened.


I'm not sure if we know what caused it yet. It may have been a temporary issue that required a reboot to resolve.


I don't think it's related to a reboot (or anything about the host OS for that matter) - I tested it in cleanly installed VMs.  Anyway, this is why I always have a test malware in the folder that I use for on-demand scanning.  If the on-demand scanner isn't picking up the test malware, then you know something is wrong.  Also another good reason to always run unknown files sandboxed until you are sure they are safe.

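The canary practice from the post above, combined with the with/without-large-file comparison from the original report, as an added Python example that is not part of the thread or of any Emsisoft tooling. `scan` is a hypothetical adapter you wrap around your own scanner's command line; `CANARY_NAME`, `verified_scan` and `repro_matrix` are names assumed here, and the large file is a zero-filled placeholder rather than a video.

```python
import tempfile
from pathlib import Path

# Standard EICAR test string (harmless), split so this source file is not itself flagged.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
CANARY_NAME = "scanner-canary.com"  # hypothetical file name


class ScannerBlind(RuntimeError):
    """The scan finished without reporting the canary, so a clean result means nothing."""


def verified_scan(folder, scan):
    """Plant a canary in `folder`, run `scan`, and return the other detections.

    `scan(folder)` is a hypothetical adapter: it must run the on-demand scanner
    on exactly that folder and return the paths it flagged.
    """
    canary = (Path(folder) / CANARY_NAME).resolve()
    canary.write_text(EICAR, encoding="ascii")
    try:
        flagged = {Path(p).resolve() for p in scan(Path(folder))}
    finally:
        canary.unlink(missing_ok=True)  # the scanner may already have removed it
    if canary not in flagged:
        raise ScannerBlind(f"canary not reported in {folder}")
    return flagged - {canary}


def repro_matrix(scan, big_size=500 * 1024 * 1024):
    """Scan the canary alone, then beside one large benign file (the report's two cases)."""
    results = {}
    for label, with_big in (("canary_only", False), ("with_large_file", True)):
        with tempfile.TemporaryDirectory() as folder:
            if with_big:
                with open(Path(folder) / "large.bin", "wb") as fh:
                    fh.truncate(big_size)  # sparse where the filesystem supports it
            try:
                verified_scan(folder, scan)
                results[label] = True
            except ScannerBlind:
                results[label] = False
    return results
```

A result of `{"canary_only": True, "with_large_file": False}` corresponds to the behavior reported in this thread; because the reports describe it as intermittent, run the matrix several times before drawing a conclusion.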

I only mentioned the reboot because I was able to reproduce the issue once after a reboot, and then I couldn't reproduce it again. It's difficult to know for certain what is going on, at least until our developers have been able to go through the debug information. ;)


Noticing this same behavior again today.  Warning to all users of EEK using this type of on demand scanning - don't trust it.

As in the OP - one workaround is to scan the parent folder instead of the actual folder.
