
ESET Server security 10.x not reacting to eicar test file with the latest module updates



Hi

With the current definition version ESET Server Security 10.0.12014.0 is not reacting to the eicar test file.

it was working yesterday with the same program build, only changes are module updates.

v9 still detecting eicar test file.


  • Administrators

Please provide logs collected with ESET Log Collector as well as a Procmon log from a test with eicar.

I assume that we are talking about the eicar test file which meets its definition (https://www.eicar.org/download-anti-malware-testfile/):

It consists entirely of printable ASCII characters, so that it can easily be created with a regular text editor. Any anti-virus product that supports the EICAR test file should detect it in any file providing that the file starts with the following 68 characters, and is exactly 68 bytes long:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

The first 68 characters is the known string. It may be optionally appended by any combination of whitespace characters with the total file length not exceeding 128 characters. The only whitespace characters allowed are the space character, tab, LF, CR, CTRL-Z. To keep things simple the file uses only upper case letters, digits and punctuation marks, and does not include spaces.


hi, yes we generate the test file with a script and write it to a folder on c:.

test was triggered for devices with 9.x but not with 10.x

was working for 10.x yesterday
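
A script-generated test file can be checked against the definition quoted above before the scanner is suspected. The following Python sketch is an added example, not part of the original thread or of any ESET tooling; the names `check_eicar` and `check_file` are assumptions, and the sample inputs are constructed. It reads raw bytes so that an encoding change made by the generating script (a byte-order mark, UTF-16 output) shows up as a failure.

```python
"""Added example: check bytes against the EICAR test-file definition quoted above."""
import sys

# The 68-byte string from the definition (raw literal keeps the backslash).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
ALLOWED_TRAILING = frozenset(b" \t\n\r\x1a")  # space, tab, LF, CR, CTRL-Z
MAX_TOTAL = 128  # maximum total file length allowed by the definition


def check_eicar(data: bytes) -> list[str]:
    """Return the reasons `data` misses the definition; an empty list means it conforms."""
    problems = []
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 byte-order mark precedes the string")
    elif data.startswith((b"\xff\xfe", b"\xfe\xff")):
        problems.append("UTF-16 byte-order mark: file was not written as ASCII")
    if not data.startswith(EICAR):
        problems.append("file does not start with the 68-character string")
    else:
        # Only the five whitespace bytes may follow the string.
        extra = set(data[len(EICAR):]) - ALLOWED_TRAILING
        if extra:
            problems.append("non-whitespace bytes appended: " + bytes(sorted(extra)).hex(" "))
    if len(data) > MAX_TOTAL:
        problems.append(f"length {len(data)} exceeds {MAX_TOTAL}")
    return problems


def check_file(path: str) -> list[str]:
    """Read a file as raw bytes (no text decoding) and check it."""
    with open(path, "rb") as fh:
        return check_eicar(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = {path: check_file(path) for path in sys.argv[1:]}
    else:
        # Constructed samples: conforming, CRLF-terminated, UTF-16 LE, trailing text.
        samples = {
            "exact": EICAR,
            "crlf": EICAR + b"\r\n",
            "utf16le": b"\xff\xfe" + EICAR.decode("ascii").encode("utf-16-le"),
            "trailing-text": EICAR + b" test",
        }
        results = {name: check_eicar(data) for name, data in samples.items()}
    for name, problems in results.items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Run with one or more file paths as arguments to check files written by the generating script; with no arguments it checks the constructed samples.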


  • Administrators

ESET Server Security was installed without Web access protection, i.e. it won't detect eicar nor other potential malware upon download.

Also you have a bunch of dangerous process exclusions created. I'd recommend removing exclusions and using them with care as a last resort to solve issues:
C:\Windows\System32\SearchFilterHost.exe
C:\Windows\System32\SearchIndexer.exe
C:\Windows\System32\SearchProtocolHost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\winlogon.exe

In performance exclusions you have a bunch of drivers, I assume there were no performance issues loading these:

C:\Windows\System32\drivers\bnistack6.sys
C:\Windows\System32\drivers\CNicTeam.sys
C:\Windows\System32\drivers\CFsDep2.sys
C:\Windows\System32\drivers\CVhdMp.sys

HIPS - Exploit Blocker is disabled. Did you experience any issues when enabled?

 
