
Secure web filtering not working with EICAR?

carmik

I was looking into something policy-related and ended up checking whether LiveGrid works/is enabled on our 8.1 endpoint clients. AFAIK, both LiveGrid and TLS filtering are enabled.

So I ended up at this test, https://support.eset.com/en/kb5552-enable-or-disable-eset-livegrid#TestLiveGrid, where for various reasons I could not test the plain HTTP URL hxxp://amtso.eicar.org/cloudcar.exe, but I could test the HTTPS one, https://amtso.eicar.org/cloudcar.exe.

I was able to download the latter just fine!!! This is a twofold surprise for me: first, why didn't the web filter block this download in the first place? Second, why didn't saving the file to disk trigger the on-access detection of this file as malevolent (even though I think that ESET scans on read access and not on write access by default)?

Any ideas why this happens?

For the record, all options regarding LiveGrid are enabled, and all options regarding TLS scanning are also enabled (screenshot attached).


2 hours ago, carmik said:

So I ended up at this test, https://support.eset.com/en/kb5552-enable-or-disable-eset-livegrid#TestLiveGrid, where for various reasons I could not test the plain HTTP URL hxxp://amtso.eicar.org/cloudcar.exe, but I could test the HTTPS one, https://amtso.eicar.org/cloudcar.exe.

No problem here: for both the HTTP and the HTTPS cloudcar.exe download attempt, ESET detected it when using Firefox.


@Marcos I tested with Firefox 92 (64-bit), a normal installation made via group policy. I downloaded cloudcar.com from https://amtso.eicar.org/cloudcar.exe.

Furthermore, the downloaded file was intact. It was when I right-clicked on it and chose to scan it on demand that it got detected and quarantined (screenshot attached).

However, right now it works just fine (crazy)! That is, I immediately got a "suspicious" window and the download of eicar.com ended up as a zero-length file! This lack of consistent defense does scare me. But the fact that I cannot reproduce the issue is problematic. Would the current logs of the PC in question have any decent information that would help, or should extended logging have been enabled beforehand?

Administrators
5 minutes ago, carmik said:

@Marcos I tested with Firefox 92 (64-bit), a normal installation made via group policy. I downloaded cloudcar.com from https://amtso.eicar.org/cloudcar.exe.

Please try downloading the EICAR test file, not the CloudCar test file, as I asked:

https://secure.eicar.org/eicar_com.zip

Is it detected upon download?

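The posts above hinge on what the download test actually left on disk: an intact test file (protection did not act), a zero-length file (the web filter cut the transfer), or something else. Unlike CloudCar, whose detection depends on a LiveGrid cloud lookup, the EICAR test file is fully specified by EICAR as a 68-byte ASCII string that may be followed by whitespace padding up to 128 bytes in total, so the outcome of the eicar.com / eicar_com.zip test can be checked locally. The following script is an added example and is not code from any poster in this thread or from ESET; the file names and the "blocked"/"eicar"/"other" labels are my own choices, and the sample inputs in it are constructed for the test.

```python
"""Classify the outcome of an EICAR download test (added example, not from the thread).

After attempting to download eicar.com or eicar_com.zip, point this at the
resulting path. The classification is:
  "blocked" - no file or a zero-length file (the transfer was cut off)
  "eicar"   - the intact EICAR test file (padded or not) got through
  "other"   - anything else, e.g. an HTML error page or a truncated download
"""
import hashlib
import io
import sys
import zipfile
from pathlib import Path

# The published 68-byte EICAR test string. The backslash is escaped for the
# bytes literal; the two literals are adjacent so the source file itself does
# not carry the contiguous signature.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

# Trailing padding the EICAR specification permits (space, tab, LF, CR, CTRL-Z).
PADDING = b" \t\r\n\x1a"
MAX_LEN = 128


def is_eicar(data: bytes) -> bool:
    """True if data is the EICAR string, optionally followed by permitted padding."""
    if len(data) > MAX_LEN:
        return False
    return data.rstrip(PADDING) == EICAR


def classify_download(data: bytes) -> str:
    """Classify the raw bytes left behind by an eicar.com download attempt."""
    if len(data) == 0:
        return "blocked"
    if is_eicar(data):
        return "eicar"
    return "other"


def classify_zip(data: bytes) -> str:
    """Same classification for eicar_com.zip: look inside the archive."""
    if len(data) == 0:
        return "blocked"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if any(classify_download(zf.read(name)) == "eicar" for name in zf.namelist()):
                return "eicar"
    except zipfile.BadZipFile:
        pass  # not a usable archive: treat as "other"
    return "other"


def classify_path(path) -> str:
    """Classify a downloaded file on disk; a missing file counts as blocked."""
    p = Path(path)
    if not p.exists():
        return "blocked"
    data = p.read_bytes()
    return classify_zip(data) if p.suffix.lower() == ".zip" else classify_download(data)


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the bytes, to compare against the digest EICAR publishes for the test file."""
    return hashlib.sha256(data).hexdigest()


def build_eicar_zip() -> bytes:
    """Construct an in-memory archive equivalent to eicar_com.zip (constructed sample for testing)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("eicar.com", EICAR)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python eicar_check.py <downloaded file> [...]
    for arg in sys.argv[1:]:
        print(f"{arg}: {classify_path(arg)}")
```

Run it against the path the browser saved to; "eicar" on a file that came through the web filter is the finding worth raising, while "blocked" is the expected result when HTTPS scanning is in effect. Trailing padding is accepted only up to the 128-byte limit EICAR sets, so a file with more appended whitespace is reported as "other".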
