stapp

CLOSED Eicar file and Malware scan


Win 10, EAM build 8954

Did my usual malware scan when I get a new EAM build to check if it works okay.

I keep an Eicar test file (eicar.com.txt) in root of C drive.

Today the scan got to 99/100 percent before eicar came up in the scanning window and then appeared as a detection when the scan result came up.

This is a change in behaviour, as it always caught it during the scan before, not at the end.

Have you changed something in the scanner?


Well, a new day with a new scan and the cloud is still 'misbehaving'. At 99% there is still no sign of an eicar detection. It only appears at 100%.

To me it seems either something is out of sync with the cloud or this scan behaviour has changed.

 

Screenshot (19).png

20 minutes ago, JeremyNicoll said:

@stapp - what's the wallclock/elapsed time that the scanner takes? I mean, just how slow is Frank claiming the cloud part of this is?

Takes over 4 minutes.

But more concerning to me is that in a second malware scan in the same Windows session, eicar wasn't picked up at all.


> Takes over 4 minutes.

If files in the root directory of the drive being scanned are considered before folders (and their contents) there, which is what your previous behaviour suggests, then that means looking up eicar.com.txt's characteristics is taking vastly too long. But maybe the scan is now doing folders & contents ahead of plain files, in each folder? Then it wouldn't be a 4-minute delay for a cloud lookup, but instead a 4-minute delay before the file is examined.

I wonder whether the scanner asks the cloud about every file, or just some of them?

 

> But more concerning to me ...

Absolutely.


The scanner only looks up the cloud for every detection.

To begin with: debug logs that cover the non-detection of eicar during a scan would be much appreciated.

31 minutes ago, Frank H said:

The scanner only looks up the cloud for every detection.

To begin with: debug logs that cover the non-detection of eicar during a scan would be much appreciated.

Please see your PMs.

Perhaps because the 2nd scan is still 'in progress' it cannot show the eicar file.


Any more comments on this Frank?

With the first malware scan using 8961, eicar is only found at the end.

This is a change in scanner behaviour from all previous builds.

EDIT: A second malware scan just now took 3 seconds longer than the first one (same Windows session).


The issue seems related to the 2018.9 grid population. It's a GUI issue.

I've tested this in 2018.8.1 and 2018.6, and eicar is shown in the grid at 83%.

We are investigating this at the moment.

 


The culprit is the scan engine's support for case-sensitive Windows filesystems in 2018.9.

Eicar.com will be scanned in an earlier phase than eicar.com:
'E' comes before 'e'.

 


It's not so much the scan engine world, as the whole of ASCII/ANSI character encoding. Capital letters, probably because they were the only kind of letters originally on teletypes etc., have lower ASCII codes than those used for small letters (which were presumably added to the ASCII/ANSI collating sequence standards only after they became commonplace). For example an "A" is represented by a byte with value 65, while an "a" is represented by a byte with value 97. That, which will have been true for the entire time that Emsisoft products have existed, doesn't really explain the change in behaviour, unless internally EAM etc. always used to treat filenames as all lowercase or all uppercase when it came to sorting them into order.

2 hours ago, JeremyNicoll said:

unless internally EAM etc always used to treat filenames as all lowercase or all uppercase when it came to sorting them into order.

Correct.

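The ordering effect Frank H and JeremyNicoll describe above (ordinal sort puts every uppercase-initial entry ahead of every lowercase-initial one, while a case-folded sort interleaves them), as an added example that is not part of the original thread and is not Emsisoft's code. The root listing is constructed, the "sort the directory into a queue, then visit it in order" scanner model is an assumption, and the function names are hypothetical. It also shows the check that case-sensitive support forces on a scanner: two names that differ only in case must be tracked as two files, not one.

```python
"""Case-sensitive versus case-folded scan ordering.

Added example (not Emsisoft code). It models a scanner that sorts the
entries of a directory into a queue and then visits them in that order,
so the position of a file in the sorted list is the point in the scan at
which it is examined. That queue model is an assumption.
"""

# Constructed listing of a fictional C:\ root, not a capture of a real machine.
ROOT_LISTING = [
    "$Recycle.Bin", "Program Files", "Program Files (x86)", "ProgramData",
    "Users", "Windows", "bootmgr", "eicar.com.txt", "hiberfil.sys",
    "pagefile.sys", "swapfile.sys",
]


def scan_order(names, case_sensitive):
    """Order in which a sort-then-visit scanner reaches each entry.

    case_sensitive=False folds every name to lowercase before comparing,
    which is what the thread says EAM did in all earlier builds.
    case_sensitive=True compares code points as-is (ordinal order), so
    every uppercase letter (A=65 .. Z=90) sorts before every lowercase
    letter (a=97 .. z=122) and a lowercase-initial file lands after all
    the uppercase-initial folders.
    """
    key = (lambda n: n) if case_sensitive else (lambda n: n.lower())
    return sorted(names, key=key)


def position_percent(names, target, case_sensitive):
    """Percentage of the queue consumed when `target` is reached (1-based)."""
    order = scan_order(names, case_sensitive)
    return round(100 * (order.index(target) + 1) / len(order))


def distinct_entries(names, case_sensitive):
    """How many entries a scanner's visited-set tracks for `names`.

    On a case-sensitive directory (Windows 10 can mark one with
    `fsutil file setCaseSensitiveInfo <dir> enable`), Eicar.com and
    eicar.com are two different files; a visited-set keyed on the folded
    name would silently skip the second one.
    """
    seen = set()
    for n in names:
        seen.add(n if case_sensitive else n.lower())
    return len(seen)


if __name__ == "__main__":
    for cs in (False, True):
        label = "case-sensitive" if cs else "case-folded"
        print(f"{label}: {scan_order(ROOT_LISTING, cs)}")
        pct = position_percent(ROOT_LISTING, "eicar.com.txt", cs)
        print(f"  eicar.com.txt reached at {pct}% of the queue")
    both = ["Eicar.com", "eicar.com"]
    print("Eicar.com + eicar.com tracked as",
          distinct_entries(both, True), "entries (case-sensitive) vs",
          distinct_entries(both, False), "(case-folded)")
```

With this constructed root the lowercase file moves from 27% of the queue under the folded sort to 73% under the ordinal sort; the thread's own figures (83% in 2018.8.1 and 2018.6, 99-100% in 2018.9) differ only because a real C:\ root has a different mix of uppercase- and lowercase-initial entries. The `distinct_entries` check is the part to keep in mind when reviewing any scanner or dedup logic on a case-sensitive volume: folding names for comparison is exactly what makes two distinct files look like one.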
This topic is now closed to further replies.