eicar test not working as expected

Discussion in 'ESET NOD32 Antivirus' started by NoCelery, Aug 24, 2009.

Thread Status:
Not open for further replies.
  1. NoCelery

    NoCelery Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    21
    I recently upgraded to version 4 and decided to do some testing using the test files provided here: http://www.eicar.org/anti_virus_test_file.htm

    HTTP detection is OK, i.e. the test virus is detected and access is blocked if I go to: http://www.eicar.org/download/eicar.com.txt

    However it fails for HTTPS (I have HTTPS checking enabled - it is strangely off by default), e.g. https://secure.eicar.org/eicar.com.txt

    In Firefox, no warning is received and the test virus string is displayed, i.e. the URL is not blocked. If I save the file to disk, then the file monitor picks it up.

    In IE, a warning is generated by the file monitor when the temp file is created, however the url is not blocked and the test string is clearly visible.

    Please advise if there is something I can do to stop this. Reiterating, I have HTTPS turned on:
    HTTPS settings.jpg
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Under Protocol filtering -> SSL, do you have SSL filtering mode set either to "Always scan SSL protocol" or "Ask about non-visited sites"?
     
  3. NoCelery

    NoCelery Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    21
    Yes I do, it is set to:
    - Always scan SSL protocol

    What happens on your PC when you go to: https://secure.eicar.org/eicar.com.txt ? Do you see the text string or is your access blocked by nod32?
     
    Last edited: Aug 25, 2009
  4. Fidelius

    Fidelius Registered Member

    Joined:
    Oct 2, 2006
    Posts:
    146
  5. NoCelery

    NoCelery Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    21
    Thanks for the response, but I don't know how to make use of it. Some questions:

    - When you say blocked and quarantined, does it actually prevent you from seeing the text at the URL? For me in Internet Explorer, it shows the text and generates a warning, but this is not the same behaviour as visiting the URL using HTTP, where it is completely blocked.
    - Which browser are you using?
    - Are you behind a transparent proxy, or do you use an auto-configuration script?
     
  6. NoCelery

    NoCelery Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    21
    Hmmmm . . .looks like another bug

    The SSL scanning only works using IE when connected directly to the internet. In Firefox, SSL certificates are invalid because the Root Certificate authority is not installed. It is not possible to export the private key and import into Firefox, therefore can't enable this feature. This has occurred on 2 more than one computer running both XP and Vista.

    At work when sitting behind an ISA server, SSL scanning does not work at all even with all the necessary checkboxes ticked. I can tell because the root certificate authority is not ESET_RootSslCert when clicking on the certificates. Therefore, one can visit virus-infected SSL URLs without having the protection of the scanner.
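The certificate check described in the post above (is the issuer ESET_RootSslCert or not), scripted as an added example that is not part of the original thread and not ESET's code. It assumes a direct connection with no proxy and that the CA name quoted in the post appears in the issuer field of re-signed certificates; the sample issuers are constructed.

```python
import socket
import ssl
import sys

# CA name as quoted in the thread; that it appears in the issuer field of
# re-signed certificates is an assumption of this example.
INSPECTION_CA = "ESET_RootSslCert"

# Constructed issuer data in the shape ssl.getpeercert() returns.
SAMPLE_FILTERED = {"issuer": ((("commonName", "ESET_RootSslCert"),),)}
SAMPLE_DIRECT = {"issuer": ((("countryName", "XX"),),
                            (("organizationName", "Example Public CA"),),
                            (("commonName", "Example Public CA G1"),))}


def issuer_fields(cert):
    """Flatten the nested issuer RDN tuples into a {name: value} dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def is_filtered(cert, ca_name=INSPECTION_CA):
    """True when any issuer attribute names the local filtering CA."""
    return any(ca_name.lower() in value.lower()
               for value in issuer_fields(cert).values())


def fetch_cert(host, port=443, timeout=5.0):
    """Return the leaf certificate this client receives on a direct connection."""
    ctx = ssl.create_default_context()  # verifies against the OS trust store
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_host(host, port=443):
    """Classify a host as 'filtered', 'not-filtered' or 'untrusted-chain'."""
    try:
        cert = fetch_cert(host, port)
    except ssl.SSLCertVerificationError:
        # Verification failed. One cause is a filtering root missing from
        # this client's trust store, as the post describes for Firefox.
        return "untrusted-chain"
    return "filtered" if is_filtered(cert) else "not-filtered"


if __name__ == "__main__":
    for name in sys.argv[1:]:
        print(name, check_host(name))
```

A "not-filtered" result on a machine where SSL scanning is enabled means HTTPS traffic from that client is reaching the site without passing through the scanner.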
     
  7. JuliusB

    JuliusB Registered Member

    Joined:
    Aug 12, 2008
    Posts:
    82
    Why would SSL scanning be off by default?
     