stapp

CLOSED Difference in detection and quarantine depending on what you are doing


Win 10 64bit 1909... EAM beta 9977

As well as a Reflect image, I also have a little USB stick which, every so often, I copy and paste my docs, downloads and pictures to. It is sort of an emergency backup of files which I keep in a drawer.

On this PC I have 5 eicar items which I keep to test the scanner. The scanner always tells me it has detected them but never quarantines them. I have report only selected in scanner settings.

I have attached what EAM usually does and finds from a scan report.

Today I selected documents, downloads and pictures in C\ users\ username (room) and chose copy.

Then with my usb stick plugged in and opened I selected paste.

EAM quarantined 2 items. (screenie attached)

The 2 items were from Downloads. Why did it do that when I had it set to report only? Was it because it wasn't a scan but a copy and paste?

The Zip files in Downloads were not quarantined. The eicar.com.txt in root of C was also not quarantined.

 

Annotation 2020-02-20 095857.jpg

scan_200125-054319.txt


@stapp Do you have "Automatically quarantine programs with bad reputation" set in Settings - Advanced?

(It seems to me that that option doesn't make it clear under what circumstances reputation would be examined. It does say in the tooltip that this follows an "alert", whereas the log above shows "Notification" actions. Since the difference between "notification" and "alert" is significant, I wonder if that's just loose logging terminology or part of the problem.)

I would be most unhappy if anything here got auto-quarantined, since that's more than likely to break applications dependent on files staying put.


I do have "Automatically quarantine programs with bad reputation"; however, this must not apply when running a scan but does apply when doing copy and paste.

Very strange.

Let's see what Frank says.


Hi guys,

You're mixing up 2 settings, like stapp already expected.

Copy/paste actions invoke the File Guard, which obviously applies the settings as configured under 'File Guard'.

The settings under 'Scanner Settings' are applied when running an on-demand scan or scheduled scan. For scheduled scans the settings act as a template and can be modified per scheduled scan task.

In this way users are offered the option to set different functionality for both realtime protection (File Guard) and scans.

Archives, like ZIP, are only scanned during (scheduled) custom scans and (manual) explorer context menu scans.


Thanks Frank for confirming what I suspected, that EAM treats detections differently depending on what you are doing.

However I don't think many users would guess that this would happen.

19 minutes ago, Frank H said:

AFAIK you're the first who mentioned this :P

But I'm supposed to mention things..I'm a tester :)

This topic is now closed to further replies.