January 5th, 2015 02:00
CAVA scans files, but does not delete the EICAR test file.
Hi everyone, I have a problem with my CAVA environment. After CAVA was installed on a Windows Server 2008, and Symantec Endpoint Protection 12, I'm able to see the files on my CIFS server being scanned, but the eicar.exe file is not deleted.
After this command,
#server_viruschk server_2 -audit
I get the following result:
Server_2:
Total Requests:1
Request in progress:1
No ANSWER from the virus checker servers: 0
ERROR_SETUP:0
TIMEOUT:0
0 files in the collector queue
1 file processed by the AV threads.
In the server_log file, I have the following:
RPC: 5: CLIENT::CLIENT3(avSvy) 0x2b1fe25e0e08: Port acquisition failed for Rpc service 106224 7 version 3 on host xxx.xxx.xxx.xxx
In the share, the eicar.exe file is still present.
Can someone help?
Chetan676767
January 6th, 2015 06:00
Hi,
I am Chetan Savade from the Symantec Technical Support Team.
EICAR is detected as a Non-macro virus. By default, the "First action" for a detected Non-macro virus is "Clean risk" and the "Second action" (if the first action fails) is "Quarantine risk".
Executing (running) a file (e.g. the antivirus test file) is considered to be accessing the file, and for eicar.com this is possible if "Scan when a file is modified" is enabled.
A copy is considered to be a modification. Therefore a copy of an antivirus test file is never possible with Auto-Protect enabled, regardless of the accessed/modified option.
(The DOS box however shows “1 file(s) copied.”, so that is a bit confusing.)
A Scheduled Scan or a Manual Scan will find the antivirus test file, regardless of your settings for accessed/modified.
Refer to these articles:
How to test Symantec Endpoint Protection (SEP) Clients forwarding their Quarantine Items to Central Quarantine Server with EICAR
http://www.symantec.com/docs/TECH93071
The antivirus test file eicar.com can be executed with File System Auto-Protect enabled
http://www.symantec.com/docs/TECH130969
Rainer_EMC
January 8th, 2015 06:00
Hi Chetan,
thanks very much for answering.
Good to know how Symantec behaves there.
Regards
Rainer