Eicar test file

Discussion in 'Prevx Releases' started by guest, Dec 30, 2012.

Thread Status:
Not open for further replies.
  1. guest

    guest Guest

    WSA doesn't detect the EICAR test file. Is that normal?
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    It will detect the correctly formed 68-byte file. Could you double check that there is no trailing newline character and that another AV on the system isn't locking it?
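
Added example (not part of the original thread and not Webroot's code): a Python check for the two conditions raised in the post above, namely that the file is exactly the 68-byte EICAR string with nothing after it, and that the file can be opened at all. The function names and sample file names are made up for illustration.

```python
import os
import tempfile

# Standard 68-byte EICAR test string, split in two so that this script is not
# itself matched by scanners that look for the string anywhere in a file.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def check_eicar_file(path):
    """Classify a test file; returns (verdict, detail)."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(4096)  # anything beyond 68 bytes is already wrong
    except FileNotFoundError:
        return "missing", "no such file (possibly already quarantined)"
    except OSError as exc:
        # e.g. PermissionError when another product holds the file locked
        return "unreadable", f"{type(exc).__name__}: {exc.strerror}"
    if data == EICAR:
        return "canonical", "exactly 68 bytes"
    if data.startswith(EICAR):
        extra = data[len(EICAR):]
        return "trailing-bytes", f"{len(extra)} extra byte(s): {extra!r}"
    return "not-eicar", f"{len(data)} bytes, does not start with the test string"


def demo():
    """Run the check over constructed sample files in a temp directory."""
    samples = {  # constructed inputs, not files from the thread
        "eicar.com": EICAR,
        "eicar_crlf.com": EICAR + b"\r\n",  # a newline was appended on save
        "eicar.com.txt": b"some other text\n",
    }
    verdicts = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(content)
            verdicts[name] = check_eicar_file(path)[0]
        # A path that was never created stands in for an already-removed file.
        verdicts["gone.com"] = check_eicar_file(os.path.join(tmp, "gone.com"))[0]
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

On a machine with real-time protection enabled, the demo's own sample files may be blocked or removed as they are written; in that case call `check_eicar_file` on the downloaded file directly.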
     
  3. guest

    guest Guest

    I checked again.
    I disabled CIS, downloaded "http://www.eicar.org/download/eicar.com" with Chrome
    and ran it.
    No detection. Net connection is fine, WSA is active of course.
    Right-click scan also detected nothing.
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    It's detected and automatically removed here on Win7 x64 as "Eicar-Test-Virus". Do you have Windows Defender on which could be blocking WSA from seeing it?
     
  5. guest

    guest Guest

    Downloading your link with Firefox on 32-bit Win7, running Webroot Secure Anywhere and Malwarebytes Antimalware Pro (Trial), WRSA almost immediately got red (icon) and quarantined it. - I wonder why MBAM didn't pop up?
     
  6. guest

    guest Guest

    I am running Win8 x64.
    But there is a problem I detected: WSA shows itself as running, but Windows shows it is closed.
    Please look at the image.
    Also, the right-click scan doesn't detect anything:

    2012-12-30 22:06:55.0682 Scan Results: Files Scanned: 0, Duration: 1s, Malicious Files: 0
    2012-12-30 22:06:55.0687 Scan Aborted: [ID: 17]
    2012-12-30 22:21:47.0039 Scan Started: C:\Users\Mayk Menemen\Downloads\eicar.com.txt|C:\Users\Mayk Menemen\Downloads\eicar.com (1).txt|C:\Users\Mayk Menemen\Downloads\eicar.com| [ID: 18 - Flags: 256/4]
    2012-12-30 22:21:47.0282 Scan Results: Files Scanned: 0, Duration: 1s, Malicious Files: 0
    2012-12-30 22:21:47.0288 Scan Aborted: [ID: 18]
    2012-12-30 22:23:06.0029 Scan Started: C:\Users\Mayk Menemen\Downloads\eicar.com| [ID: 19 - Flags: 256/4]
     

    Attached Files:

    • 1.PNG
  7. TonyKlein

    TonyKlein Security Expert

    See here
     
  8. DBone

    DBone Registered Member

    Thanks for the link.
     
  9. guest

    guest Guest

    Thanks. - But I think it would be easier to add at least Eicar detection (something I did believe any given AV would detect just for testing purposes?) than having to answer all those questions from people who wonder why it "fails" on this. :cool: - Can't really imagine that Eicar fingerprint would make MBAM or its database bloatware or take focus away from fighting real malware, but if they say so .. ;)
     
  10. TonyKlein

    TonyKlein Security Expert

    I agree, but that's their policy, I guess. :)
     
  11. PrevxHelp

    PrevxHelp Former Prevx Moderator

    That sounds like it's already been removed and Windows hasn't updated Explorer yet. Could you try rebooting to see if the file still exists?
     
  12. GreekGuy

    GreekGuy Registered Member

    guest... Sounds like Webroot may have crashed. Try rebooting your computer. Or, just shut down Webroot and restart it.

    Then, after shutting down and restarting Webroot, try checking the EICAR file again.
     
  13. guest

    guest Guest

    Yes, you are right, it is working fine after restart.
    Web protection blocks it; I can't access the web site, I can't download it.

    Is it possible? Because I can open the file with Notepad. And I downloaded the file again, I checked with it.
    And the web blocker must stop the download; after restart it does.

    Anyway, it is working fine now.
    But it is strange. How can I be sure it is working normally every time?
    Because the UI shows me everything is OK but Windows said different. After restart both said running.
     
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    It could be CIS interfering if the Webroot service was unable to start properly. I'd recommend adding WRSA.exe under exclusions within CIS to see if that corrects it moving forward.
     
  15. Techfox1976

    Techfox1976 Registered Member

    Did you open the .txt file in Notepad or the .com file in Notepad?

    WSA ignores text files in scans because they cannot be executed. In the event that they are loaded for execution, then it will look at them, but that's not an easy thing to do with a text file and requires specific code or utilities.

    I've seen cases where the .com file is still showing in Explorer, but the file is actually not there. The txt file won't be scanned, so it doesn't get removed. If you happen to try to run it, it will fail. Not sure why the scan of only the .com file didn't do anything, though I can't say that it didn't, because the log cuts off right after the scan of only the .com file was started. When the three were being scanned, I remember an issue with the path and file length of right-click scans with multiple files, but no idea if that would impact it still. In that case, scanning the directory or trying to run the file caused it to be caught.
     
  16. PrevxHelp

    PrevxHelp Former Prevx Moderator

    These are very good points. The right-click scanner limitations were fixed a while back so you can scan any length. Also, with the OS being Win8, I suspect even double-clicking on the .com file won't actually execute it with 16-bit support having been removed from the OS.
     