thom0522

Anti-Malware doesn't catch EICAR even on execution


I have a Windows XP SP3 with Emsisoft Anti-Malware 5.0.0.64 installed. File Guard is on and set to scan files not only when they are executed but also when they are read. When I executed eicar.com, Anti-Malware didn't do anything. How do I know that it will catch anything else? It doesn't seem to be working. Can someone please help? Thanks


Hi thom0522, welcome to the forum.

First, please provide more detailed information about your system environment (as in Forum Posting Rules #2),

so the developers know more than just the OS; say what other security software is in place.

You have to disable those in order to test Eicar with EAM

You have to execute Eicar in order to see how "onExecution" feature intercepts it

The scan and the newly introduced "onAccess" feature flag all EICAR flavours for sure.

Please search this and our old forum with the "Eicar" keyword and you will find many discussions.

For example this case

In addition, you can run several other tests, such as "TrojanSimulator" or "zapass" (please ask if you cannot find the links).

But if you are executing the tests and you don't see "onExecution" blocking, please provide a bit more info; you can definitely contact the developers and raise a ticket.

My regards


Be aware that Eicar and essentially all other test malware is considered Riskware. So unless you have the "Alert Riskware" option enabled in your File Guard settings you won't get any alert.


Sorry about not giving enough info. I have Windows XP SP3 x86 installed. I also have Online Armor Premium and MJ RegWatcher installed. I also have MozyBackup, Comodo Time Machine, Stardock WindowBlinds, Find and Run Robot, Process Hacker and Panda USB Vaccine. In Anti-Malware I have checked to scan on read as well as on execute, and have checked to check for riskware. I should also say that when I looked in the logs, nothing has been posted to them since I upgraded to version 5 in May. I have not seen a pop-up of any kind from Anti-Malware since I upgraded. When I tried to execute eicar.com, Online Armor alerted me but I told it to let it run without creating a new rule. It then ran without Anti-Malware saying anything. So for some reason it doesn't look like Anti-Malware is doing anything on my computer, since there have been no log entries or pop-ups since I upgraded. Before I upgraded everything worked fine. Any ideas what is wrong? Thanks, Thom


thom0522,

I'm pretty sure something went wrong with the upgrade to version 5. Probably caused by RegWatcher, Time Machine or OA. I'm not familiar with RegWatcher and Time Machine, so I can't tell you what to look for in those programs. Check in OA if all programs are trusted. Also choose to show all trusted programs; maybe a trusted program is blocked.

If I try to download eicar.com from the EICAR website, EAM immediately warns me that oasrv.exe tries to execute the file. If I allow that, save the file on disk and execute it from there, EAM warns me again that explorer.exe tries to execute the file. I tested this on XP SP3 with EAM and OA Premium. My File Guard settings during this test are: "Scan only programs before they are executed".

Riskware is not checked.

If I choose the File Guard setting "Additionally scan all files etc.", the eicar.com file is grabbed by EAM while my browser tries to write it to the browser cache.

I suggest you uninstall EAM. Reboot and check if the EAM folder is empty. If not, remove the leftovers. Download a new EAM setup file, install EAM and watch closely if other apps block something during install.

Test again with the eicar.com file.


I uninstalled Anti-Malware. Following advice in other threads in the forum, I made sure there were no traces of Anti-Malware left on my system. I shut down all my other programs and reinstalled it. Ran eicar.com and again Anti-Malware did nothing. I also went to some sites that Surf Protection should have blocked. Nothing happened: not a warning, not a block, nothing. I don't know what's going on, but it appears that Anti-Malware is worthless on my system. I have a few more months on my license, but I guess I'll have to find something else now. In the past this program worked great, but now the only protection it seems to offer is when I run an on-demand scan.


Can you please try the following?

  1. Click on Start, Run. Type "cmd.exe" and press the Enter key.
  2. A console should appear. In there please type "fltmc" and press Enter. Copy the output into a new reply.
  3. Then type "sc query a2antimalware" and press Enter. Copy the output as well.
  4. Then type "sc query a2injectiondriver" and press Enter. Copy the output as well.
  5. Close the console again.


Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\HP_Owner>fltmc

Filter Name                     Num Instances     Frame
------------------------------  -------------  -----
mozyFilter                                      <Legacy>
a2injectiondriver                       0       1
a2acc                                   3       1
OADevice                                3       1
pxrts                                   4       1
CTMFLT                                          <Legacy>

C:\Documents and Settings\HP_Owner>


Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\HP_Owner>fltmc

Filter Name                     Num Instances     Frame
------------------------------  -------------  -----
mozyFilter                                      <Legacy>
a2injectiondriver                       0       1
a2acc                                   3       1
OADevice                                3       1
pxrts                                   4       1
CTMFLT                                          <Legacy>

C:\Documents and Settings\HP_Owner>sc query a2antimalware

SERVICE_NAME: a2antimalware
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\Documents and Settings\HP_Owner>sc query a2injectiondriver

SERVICE_NAME: a2injectiondriver
        TYPE               : 2  FILE_SYSTEM_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\Documents and Settings\HP_Owner>

Here is the info you asked for. Thanks for your help. Thom
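As an added example (not from any poster in this thread and not Emsisoft's code), the following Python script parses the `fltmc` table above the way a defender would when checking whether a vendor's minifilter is actually attached: a filter listed with 0 instances is registered but not attached to any volume, which is exactly what the output shows for a2injectiondriver even though `sc query` reports its service as RUNNING. The sample text is constructed from the output quoted in this thread; the expected-filter names passed to `check_filters` are whatever the vendor documents, here taken from the thread.

```python
import re

# Constructed sample: the fltmc output quoted earlier in this thread.
FLTMC_OUTPUT = """\
Filter Name                     Num Instances     Frame
------------------------------  -------------  -----
mozyFilter                                      <Legacy>
a2injectiondriver                       0       1
a2acc                                   3       1
OADevice                                3       1
pxrts                                   4       1
CTMFLT                                          <Legacy>
"""


def parse_fltmc(text):
    """Return a list of (name, instances, frame) tuples from `fltmc` output.

    `instances` is an int, or None for legacy (non-minifilter) drivers,
    which fltmc prints without an instance count.
    """
    filters = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Filter Name") or line.startswith("---"):
            continue  # skip blank lines and the table header
        parts = re.split(r"\s+", line)
        if len(parts) == 2 and parts[1] == "<Legacy>":
            filters.append((parts[0], None, "<Legacy>"))
        elif len(parts) == 3 and parts[1].isdigit():
            filters.append((parts[0], int(parts[1]), parts[2]))
        else:
            raise ValueError("unrecognised fltmc line: " + line)
    return filters


def check_filters(filters, expected):
    """Map each expected filter name to a human-readable status string."""
    by_name = {name.lower(): inst for name, inst, _ in filters}
    report = {}
    for name in expected:
        key = name.lower()
        if key not in by_name:
            report[name] = "not loaded"
        elif by_name[key] is None:
            report[name] = "legacy filter"
        elif by_name[key] == 0:
            report[name] = "loaded, 0 instances"   # registered but attached nowhere
        else:
            report[name] = "attached (%d instances)" % by_name[key]
    return report
```

A filter at 0 instances is the thing to raise with the vendor, as the developer does later in this thread; whether a particular driver is supposed to attach to volumes at all is a question only the vendor can answer.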


I turned off HIPS, Program Guard, Web Shield and the firewall in Online Armor, stopped RegWatcher from starting with Windows and then rebooted. I then executed eicar.com; nothing stopped it. Anti-Malware didn't do anything.


I don't know if this means anything, but according to Process Hacker, while the private memory use for a2service.exe is 171 MB, the working set for the same process is only 1.71 MB. Same for a2guard.exe: the private memory is 29.78 MB but the working set is 316 KB. So it appears that while Anti-Malware is holding on to a lot of RAM, it is not using much to do anything. Does that mean that it is not really running? Thanks, Thom


That is perfectly normal and part of the memory optimizations we did. When the processes have nothing to do, they instruct Windows to page out their memory to keep the footprint as low as possible.

Still, for some reason something is wrong on your system that prevents the Emsisoft Anti-Malware service from communicating with the drivers correctly. Would you be available for a debugging session via VNC? If you are, please drop me a mail at [email protected]


I am available to do a debugging session. But before we do that, since I have Comodo Time Machine, I am going to delete Online Armor, RegWatcher and SUPERAntiSpyware Pro (which I have but is not running) and then see if EAM works. If not, with Time Machine I can just go back to where everything is still installed. I'll contact you after I do that. Thom
