Discussion in 'Prevx Releases' started by guest, Dec 30, 2012.
WSA doesn't detect the EICAR test file, is it normal?
It will detect the correctly formed 68 byte file. Could you double check that there is no trailing new line character and that another AV on the system isn't locking it?
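The check asked for above (exactly 68 bytes, no trailing newline) can be scripted before blaming the scanner. This is an added example, not part of the original thread and not Webroot code; the `classify` and `check_file` helpers and their verdict names are made up here, and the tolerated-tail rule (space, tab, CR, LF, Ctrl-Z, at most 128 bytes in total) is taken from EICAR's published definition of the test file.

```python
import hashlib
import sys
from pathlib import Path

# Standard 68-byte EICAR test string (harmless), built from pieces so that
# this script is less likely to be quarantined itself.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-" + b"ANTIVIRUS-TEST-FILE!$H+H*"
# Trailing bytes tolerated by EICAR's definition (assumption stated in the lead-in).
ALLOWED_TAIL = b" \t\r\n\x1a"
MAX_TOTAL = 128


def classify(data: bytes) -> str:
    """Say how `data` relates to the correctly formed 68-byte test file."""
    if data == EICAR:
        return "exact"
    if data.startswith(EICAR):
        tail = data[len(EICAR):]
        if len(data) <= MAX_TOTAL and all(b in ALLOWED_TAIL for b in tail):
            return "trailing-whitespace"  # e.g. a newline added by an editor
        return "trailing-data"
    if EICAR in data:
        return "embedded"  # string present, but not at offset 0 (BOM, wrapper)
    return "not-eicar"


def check_file(path) -> dict:
    """Report size, verdict and SHA-256 so results can be compared across machines."""
    data = Path(path).read_bytes()
    return {
        "path": str(path),
        "size": len(data),
        "verdict": classify(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


if __name__ == "__main__":
    for name in sys.argv[1:]:
        try:
            print(check_file(name))
        except OSError as exc:  # missing, locked by another AV, or already quarantined
            print({"path": name, "error": str(exc)})
```

An `error` entry for a file that Explorer still lists is itself a useful result: it means the file is locked or has already been removed.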
I checked again.
I disabled CIS, and downloaded "http://www.eicar.org/download/eicar.com" with Chrome
and ran it.
No detection. Net connection is fine, WSA is active of course.
Right-click scan also detected nothing.
It's detected and automatically removed here on Win7 x64 as "Eicar-Test-Virus". Do you have Windows Defender on which could be blocking WSA from seeing it?
Downloading your link with Firefox on 32-bit Win7, running Webroot Secure Anywhere and Malwarebytes Antimalware Pro (Trial), WRSA almost immediately got red (icon) and quarantined it. - I wonder why MBAM didn't pop up?
I am running Win8 x64.
But there is a problem I detected. WSA shows itself as running but Windows shows it is closed.
Please look at the image.
Also, right-click scan doesn't detect anything:
2012-12-30 22:06:55.0682 Scan Results: Files Scanned: 0, Duration: 1s, Malicious Files: 0
2012-12-30 22:06:55.0687 Scan Aborted: [ID: 17]
2012-12-30 22:21:47.0039 Scan Started: C:\Users\Mayk Menemen\Downloads\eicar.com.txt|C:\Users\Mayk Menemen\Downloads\eicar.com (1).txt|C:\Users\Mayk Menemen\Downloads\eicar.com| [ID: 18 - Flags: 256/4]
2012-12-30 22:21:47.0282 Scan Results: Files Scanned: 0, Duration: 1s, Malicious Files: 0
2012-12-30 22:21:47.0288 Scan Aborted: [ID: 18]
2012-12-30 22:23:06.0029 Scan Started: C:\Users\Mayk Menemen\Downloads\eicar.com| [ID: 19 - Flags: 256/4]
Thanks for the link.
Thanks. - But I think it would be easier to add at least Eicar detection (something I did believe any given AV would detect just for testing purposes?) as having to answer all those questions from people who wonder why it "fails" on this. - Can't really imagine that Eicar fingerprint would make MBAM or its database bloatware or take focus away from fighting real malware, but if they say so ..
I agree, but that's their policy, I guess.
That sounds like it's already been removed and Windows hasn't updated Explorer yet. Could you try rebooting to see if the file still exists?
guest....Sounds like Webroot may have crashed. Try rebooting your computer. Or, just shut down Webroot and restart it.
Then, after shutting down and restarting Webroot, try checking the EICAR file again.
Yes, you are right, it is working fine after restart.
Web protection blocks it, I can't access the web site, I can't download it.
Is it possible? Because I can open the file with Notepad. And I downloaded the file again, I checked with it.
And the web blocker must stop the download; after restart it does.
Anyway, it is working fine now.
But it is strange. How can I be sure it is working normally every time?
Because the UI shows me everything is OK but Windows said different. After restart both said running.
It could be CIS interfering if the Webroot service was unable to start properly. I'd recommend adding WRSA.exe under exclusions within CIS to see if that corrects it moving forward.
Did you open the .txt file in Notepad or the .com file in notepad?
WSA ignores text files in scans because they cannot be executed. In the event that they are loaded for execution, then it will look at them, but that's not an easy thing to do with a text file and requires specific code or utilities.
I've seen cases where the .com file is still showing in Explorer, but the file is actually not there. The txt file won't be scanned, so it doesn't get removed. If you happen to try to run it, it will fail. Not sure why the scan of the .com file only didn't do anything though, though I can't say that it didn't because the log cuts off right after the scan was started of only the .com file. When the three were being scanned, I remember an issue with the path and file length of right-click scans with multiple files, but no idea if that would impact it still. In that case, scanning the directory or trying to run the file caused it to be caught.
These are very good points. The right click scanner limitations were fixed a while back so you can scan any length. Also, with the OS being Win8, I suspect even double clicking on the .com file won't actually execute it with 16bit support having been removed from the OS.