Endpoint Protection


how to exclude eicar?

  • 1.  how to exclude eicar?

    Posted Aug 07, 2009 06:22 PM
    Running SEP 11.0.3001.2224

    How do I configure a centralized exception for eicar so that it is logged but not quarantined/deleted/cleaned, etc?

    Why is this not in the list of known risks?


    Brent Gardner




  • 2.  RE: how to exclude eicar?

    Posted Aug 07, 2009 09:11 PM

    In the SEPM go to:

    admin > servers > local site > properties > database tab

    then uncheck "delete Eicar events" from the bottom of this list.


  • 3.  RE: how to exclude eicar?

    Posted Aug 07, 2009 09:13 PM
    EICAR is for test purposes, so it is not in the list of known risks.


  • 4.  RE: how to exclude eicar?

    Posted Aug 08, 2009 02:29 AM

    Why do you want to keep EICAR in an exception? It is not in the known risk list. It is just a virus test file.



  • 5.  RE: how to exclude eicar?

    Posted Aug 08, 2009 12:48 PM
    Hi,

    you can create a centralized or local exception just based on the name of the EICAR files (they are known). Open the administration_guide.pdf in CD1\documentation for further details.

    Regards,





  • 6.  RE: how to exclude eicar?

    Posted Aug 10, 2009 05:41 PM
    This solves the issue of SEP not sending email notifications for eicar detection events, but that is not my issue.

    For other known viruses it is possible to configure an exception such that the virus is detected but not deleted or moved or processed in any other way.

    How do I do this for eicar?





  • 7.  RE: how to exclude eicar?

    Posted Aug 10, 2009 05:43 PM
    It's hard to use eicar for testing if the system keeps deleting or quarantining it.

    I need to see that eicar is detected, but I don't want the system to delete or quarantine the file after that.




  • 8.  RE: how to exclude eicar?

    Posted Aug 10, 2009 05:49 PM
    Hi Brent,
    Part of the testing process is to make sure we can do something about the detection, i.e. if we can detect but not delete, then there is something wrong. If you want to stop it from continually deleting it and you have to keep on redownloading it, I would say download the 'eicar_com.zip' file, so you have to extract the file in order for it to be detected...



  • 9.  RE: how to exclude eicar?

    Posted Aug 10, 2009 05:52 PM
    It is possible to configure an exception for a known threat, a -threat-, that can do all kinds of bad stuff to my machines or network, but it is not possible to configure an exception for a piece of data that is designed to be detected as a threat, yet cannot in any possible way harm my machines, my data, or my network?

    This defies logic.




  • 10.  RE: how to exclude eicar?

    Posted Aug 10, 2009 05:58 PM
    Giuseppe-

    Thanks for your reply.  Will you please provide a page number for what you are referring to in the admin guide?  I just ran through it myself.  I searched for eicar and found a few hits, but none that seem to be related to what you're describing.

    Thanks.




  • 11.  RE: how to exclude eicar?

    Posted Aug 10, 2009 06:21 PM
    Zoidberg-

    I understand what you're saying about the need for testing your product.  If you can detect something bad but can't act on that item further (when you're -trying- to act on it) then that would understandably be a bad thing.

    I hope you have read my later post that mentions logic.

    I currently have in place some exceptions that prevent certain IT tools from being deleted when they are detected.  I mention this to show that I am familiar enough with the exception tool to know that you -can- configure it to 'detect but not delete.' 

    Eicar is a data object that is designed to be detected as a threat.  It is well known in the industry.  In my opinion it should be in the list of known threats.

    It is benign.  It is impossible for eicar to cause any kind of harm.  But the current SEP interface allows for items that are known to be harmful to be ignored.

    Can you agree with me that this would confuse Mr. Spock?


    Ultimately here's what I'm trying to do:

    My company makes software that forensically scans data.  The input data can be nearly any kind of data that can be found on a PC.  In fact, it is not uncommon for a whole hard drive to be hooked up to the system for scanning.  We do not provide antivirus or any other kind of threat detection in our software; that is left to the end user.  Our products only run on Windows, so it is necessary for antivirus software to be used.  We are trying to test how our software works when data is displaced in the middle of processing, such as when an antivirus product would detect and remove a file containing a virus.

    It would of course be foolish to use actual viruses in testing, so we are trying to use eicar.

    I would place eicar in a zip as you have suggested, but of course that would have to be a password-protected zip file or SEP would simply detect it and delete it.  However, just as using a password-protected zip file prevents SEP from scanning the contents of the file, so would it prevent our software from scanning the contents of the file.
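    Added example (not from this thread, and not Symantec's or the poster's code): a Python sketch of the test harness described above, a scanner that keeps running and records which files were displaced while it was working. The antivirus quarantine is simulated by a `before_open` hook (an assumption; in a real run SEP would act on the EICAR file itself), and the file names and contents are constructed.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 65536

def scan_path(path, before_open=None):
    """Hash one file and report what happened to it while it was processed.
    before_open is a hook used only to simulate an AV quarantine (assumption)."""
    if before_open is not None:
        before_open(path)
    try:
        size_before = os.stat(path).st_size
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
                digest.update(chunk)
    except FileNotFoundError:
        return {"path": path, "status": "displaced", "sha256": None}
    except PermissionError:
        # Seen when the AV still holds the file while quarantining it
        return {"path": path, "status": "locked", "sha256": None}
    if not os.path.exists(path) or os.stat(path).st_size != size_before:
        # Removed or altered under us after the read: treat as displaced too
        return {"path": path, "status": "displaced", "sha256": None}
    return {"path": path, "status": "ok", "sha256": digest.hexdigest()}

def scan_directory(root, before_open=None):
    """Walk a tree and collect one result per file, never aborting the run."""
    results = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            results.append(scan_path(os.path.join(dirpath, name), before_open))
    return results

def demo():
    """Constructed scenario: two benign files; the simulated AV removes the
    stand-in test file just before the scanner opens it."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("clean.txt", b"ordinary data\n"),
                           ("testfile.txt", b"stand-in for the EICAR file\n")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        def fake_quarantine(path):
            if os.path.basename(path) == "testfile.txt":
                os.remove(path)
        return {os.path.basename(r["path"]): r["status"]
                for r in scan_directory(root, before_open=fake_quarantine)}
```

    In a real test, drop the `before_open` hook, place the EICAR test file in the scanned tree and let SEP act on it; the "displaced" status is the event the scanner should survive and log.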




  • 12.  RE: how to exclude eicar?

    Posted Aug 10, 2009 08:31 PM
    You will get this on page 542 of the Admin guide:

    "Note: For antivirus and antispyware scans or Tamper Protection, you use centralized exceptions to specify particular items to exclude from scans. For proactive threat scans, however, you use centralized exceptions to specify actions for detected processes or to force a detection."

    I think in your case Auto-Protect is detecting EICAR, hence you will need to create an exception for the folder.

    If TruScan is detecting the threat then you can choose the option of log only.

    I think this answers your question.