
Secure web filtering not working with EICAR?


carmik


Was looking into something policy-related and ended up checking whether LiveGrid works/is enabled on our 8.1 endpoint clients. AFAIK, both LiveGrid and TLS filtering are enabled.

So I ended up at this test, https://support.eset.com/en/kb5552-enable-or-disable-eset-livegrid#TestLiveGrid, where for various reasons I could not test the regular HTTP URL hxxp://amtso.eicar.org/cloudcar.exe, but I could test the HTTPS one, https://amtso.eicar.org/cloudcar.exe

I was able to download the latter just fine!!! Which is a twofold surprise for me: first, why didn't the web filter block this download in the first place? Second, why didn't saving the file to disk trigger the on-access tagging of this file as malevolent (even though I think that ESET scans on read access and not on write access by default)?

Any ideas why this happens?

For the record, all options regarding LiveGrid are enabled and all options regarding TLS scanning are also enabled.

2 hours ago, carmik said:

So I ended up at this test, https://support.eset.com/en/kb5552-enable-or-disable-eset-livegrid#TestLiveGrid, where for various reasons I could not test the regular HTTP URL hxxp://amtso.eicar.org/cloudcar.exe, but I could test the HTTPS one, https://amtso.eicar.org/cloudcar.exe

No problem here for either the HTTP or the HTTPS cloudcar.exe attempted download; ESET detected it when using Firefox.

@Marcos tested with Firefox 92 (64-bit), normal installation made via group policy. Downloaded cloudcar.com from https://amtso.eicar.org/cloudcar.exe

Furthermore, the downloaded file was intact. It was only when I right-clicked on it and selected an on-demand scan that it got detected and quarantined.

However, right now it works just fine (crazy)! That is, I immediately got a "suspicious" window and the download of eicar.com ended up as a zero-length file. This lack of consistent defense does scare me. But the fact that I cannot reproduce the issue is problematic. Would the current logs of the PC in question have any decent information that would help, or should extended logging have been enabled beforehand?

Administrators
5 minutes ago, carmik said:

@Marcos tested with Firefox 92 (64-bit), normal installation made via group policy. Downloaded cloudcar.com from https://amtso.eicar.org/cloudcar.exe

Please try downloading the EICAR test file, not the CloudCar test file, as I asked:

https://secure.eicar.org/eicar_com.zip

Is it detected upon download?

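The thread's real problem is reproducibility: a download that was intact one hour is a zero-length file the next, and there is no record of which layer intervened. The script below is an added example for this thread, not ESET's tool and not from KB5552. It fetches the three test URLs named in the thread (the hxxp:// in the post is a defanged http://) the way a browser would and classifies each attempt as blocked at the connection level, a certificate failure, an HTTP error, a zero-length body (the truncated stream seen in the thread), or an intact body, with the SHA-256 of whatever arrived. Assumptions: Python 3.7+ on the endpoint, and that the OS trust store used by `urllib` contains the certificate ESET's SSL/TLS filtering presents; if it does not, the HTTPS cases come back as `tls_error` and say nothing about the filter. The header values and the `filter-check` user-agent string are made up for the example.

```python
"""Reproducible download check for the LiveGrid / web-filter test.

Added example for this forum thread; not ESET's tool and not from the KB.
Each test URL is fetched once, with caching disabled, and the outcome is
logged so that a blocked run and an unblocked run can be compared.
"""
import hashlib
import ssl
import urllib.error
import urllib.request
from datetime import datetime, timezone
from typing import Optional, Tuple

# URLs from the thread and ESET KB5552. The post wrote hxxp:// as defanging;
# the scheme actually requested is http://.
TEST_URLS = [
    "http://amtso.eicar.org/cloudcar.exe",
    "https://amtso.eicar.org/cloudcar.exe",
    "https://secure.eicar.org/eicar_com.zip",
]


def classify(body: Optional[bytes], error: Optional[BaseException]) -> Tuple[str, str]:
    """Map the raw result of one fetch to a category plus a readable detail.

    blocked    - TCP/TLS-level failure (reset, refused, timeout): something
                 killed the connection, or the host is unreachable.
    tls_error  - certificate verification failed: the HTTPS case cannot be
                 judged until the filtering root is trusted by this tool.
    http_error - the server, or an inline proxy, answered with an error code.
    empty      - 200 OK but zero bytes: the stream was truncated (this is
                 the zero-length file described in the thread).
    intact     - a non-empty body reached us: nothing intervened in transit.
    """
    if error is not None:
        if isinstance(error, urllib.error.HTTPError):
            return "http_error", f"HTTP {error.code} {error.reason}"
        # URLError wraps the underlying socket/SSL exception in .reason
        reason = getattr(error, "reason", error)
        if isinstance(reason, ssl.SSLCertVerificationError):
            return "tls_error", f"certificate verification failed: {reason}"
        return "blocked", f"connection failed: {reason!r}"
    if body is None:
        raise ValueError("either body or error must be given")
    if not body:
        return "empty", "200 OK but zero-length body"
    digest = hashlib.sha256(body).hexdigest()
    return "intact", f"{len(body)} bytes, sha256={digest}"


def fetch(url: str, timeout: float = 20.0) -> Tuple[str, str]:
    """Download url once, bypassing caches, and classify what happened."""
    req = urllib.request.Request(
        url,
        # Made-up user agent for the example; Cache-Control avoids a proxy
        # handing back a copy that never crossed the filter this time.
        headers={"User-Agent": "filter-check/1.0", "Cache-Control": "no-cache"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.read(), None)
    except Exception as exc:  # HTTPError, URLError, reset mid-read, timeout
        return classify(None, exc)


def log_line(url: str, result: str, detail: str, when: Optional[datetime] = None) -> str:
    """One timestamped line per attempt, to lay beside ESET's own logs."""
    when = when or datetime.now(timezone.utc)
    return f"{when.isoformat(timespec='seconds')} {result:<10} {url} {detail}"


if __name__ == "__main__":
    for test_url in TEST_URLS:
        outcome, info = fetch(test_url)
        print(log_line(test_url, outcome, info))
```

Run it from a scheduled task every few minutes and keep the output next to the endpoint's detection and web-access logs: when `intact` flips to `empty` or `blocked`, the timestamp tells you which log entries to look at, and the hash tells you whether the same bytes came back each time. Writing the body to disk is deliberately left out; add that step only if you also want to exercise real-time protection on file creation, and expect the file to be quarantined when it works.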