Eicar file and Malware scan


Win 10  EAM build 8954

Did my usual malware scan when I get a new EAM build to check if it works okay.

I keep an Eicar test file (eicar.com.txt) in root of C drive.

Today the scan got to 99/100 percent before eicar came up in the scanning window and then appeared as a detection when the scan result came up.

This is a change in behaviour, as it always caught it during the scan before, not at the end.

Have you changed something in the scanner?


Well, a new day with a new scan and the cloud is still 'misbehaving'. At 99% there is still no sign of eicar detection. It only appears at 100%.

To me it seems either something is out of sync with the cloud or this scan behaviour has changed.

 

20 minutes ago, JeremyNicoll said:

@stapp- what's the wallclock/elapsed time that the scanner takes?  I mean, just how slow is Frank claiming the cloud part of this is?

Takes over 4 minutes.

But more concerning to me is that in a second malware scan in the same Windows session, eicar wasn't picked up at all.


> Takes over 4 minutes.

If files in the root directory of the drive being scanned are considered before folders (and their contents) there, which is what your previous behaviour suggests, then that means looking up eicar.com.txt's characteristics is taking vastly too long. But maybe the scan is now doing folders & contents ahead of plain files, in each folder? Then it wouldn't be a 4-minute delay for a cloud lookup, but instead a 4-minute delay before the file is examined.

I wonder whether the scanner asks the cloud about every file, or just some of them?

 

> But more concerning to me ...

Absolutely.

31 minutes ago, Frank H said:

Scanner only looks up the cloud for every detection.

To begin with: debuglogs that cover the non-detection of eicar during a scan would be much appreciated.

Please see your PMs.

Perhaps because 2nd scan is still "in progress" it cannot show eicar file.


Any more comments on this, Frank?

With first malware scan using 8961 eicar is only found at the end.

This is a change in scanner behaviour from all previous builds.

EDIT: A second malware scan just now took 3 seconds longer than the first one (same Windows session).


It's not so much the scan engine world, as the whole of ASCII/ANSI character encoding. Capital letters, probably because they were the only kind of letters originally on teletypes etc, have lower ASCII codes than those used for small letters (which were presumably added to the ASCII/ANSI collating sequence standards only after they became commonplace). For example an "A" is represented by a byte with value 65, while an "a" is represented by a byte with value 97. That, which will have been true for the entire time that Emsisoft products have existed, doesn't really explain the change in behaviour, unless internally EAM etc always used to treat filenames as all lowercase or all uppercase when it came to sorting them into order.
