carmik, Posted September 20, 2021 (edited)

Was looking into something policy-related and ended up checking whether LiveGrid works/is enabled on our 8.1 endpoint clients. AFAIK, both LiveGrid as well as TLS filtering are enabled. So I ended up at this test https://support.eset.com/en/kb5552-enable-or-disable-eset-livegrid#TestLiveGrid where for various reasons I could not test (regular HTTP) hxxp://amtso.eicar.org/cloudcar.exe but I could test secure HTTP https://amtso.eicar.org/cloudcar.exe

I was able to download the latter just fine!!! Which is a twofold surprise for me: first, why didn't the web filter block this download in the first place? Second, why didn't saving the file to disk trigger the on-access tagging of this file as malevolent (even though I think that ESET scans on read access and not on write access by default)?

Any ideas why this happens? For the record, all options regarding LiveGrid are enabled and all options regarding TLS scan are also enabled:

Edited September 20, 2021 by carmik
Marcos (Administrator), Posted September 20, 2021

What browser/version do you use? Is it installed on the machine, or is it a portable version? Is the zipped EICAR detected upon download via HTTPS? https://secure.eicar.org/eicar_com.zip
itman, Posted September 20, 2021

2 hours ago, carmik said:
So I ended up at this test https://support.eset.com/en/kb5552-enable-or-disable-eset-livegrid#TestLiveGrid where for various reasons I could not test (regular HTTP) hxxp://amtso.eicar.org/cloudcar.exe but I could test secure HTTP https://amtso.eicar.org/cloudcar.exe

No problem here for either the HTTP or the HTTPS cloudcar.exe attempted download, and ESET detection when using Firefox.
carmik (Author), Posted September 21, 2021

@Marcos tested with Firefox 92 (64-bit), normal installation made via group policy. Downloaded cloudcar.com from https://amtso.eicar.org/cloudcar.exe

Furthermore, the downloaded file was intact. It was when I right-clicked on it and selected to demand-scan it that it got detected and quarantined:

However, right now it works just fine (crazy)! That is, I immediately got a "suspicious" window and the download of eicar.com ended up with a zero-length file!

This lack of consistent defense does scare me. But the fact that I cannot reproduce the issue is problematic. Would current logs of the PC in question have any decent information that would help, or should extended logging have been enabled beforehand?
Marcos (Administrator), Posted September 21, 2021

5 minutes ago, carmik said:
@Marcos tested with Firefox 92 (64-bit), normal installation made via group policy. Downloaded cloudcar.com from https://amtso.eicar.org/cloudcar.exe

Please try downloading the EICAR test file, not the CloudCar test file, as I asked: https://secure.eicar.org/eicar_com.zip

Is it detected upon download?