OneCare 2.0 x64 and eicar test page
-
Thursday, July 12, 2007 16:02
I'm trying to verify that the real time scanner is actually running. I went to the eicar virus test page...
http://www.eicar.org/anti_virus_test_file.htm
... and OneCare 2.0 x64 version doesn't seem to be detecting any of the test files. I'm using IE7 in Vista Ultimate x64. Has anyone else seen this? Can anyone confirm that OneCare 2.0 x64 has detected a virus with the real time scanner?
Thank you,
Craig
All replies
-
Friday, July 13, 2007 19:00 Moderator
What are you actually doing with the test files? Are you downloading and saving them or opening them? If you are simply saving them, the real time scan won't see them. The real time scan will kick in (or should, I don't have x64 here) when you try to open or execute the files. You can also right click and scan them to see what the scanner does.
-steve
-
Saturday, July 14, 2007 16:46
Hi Stephen,
When I click on the "eicar.com" test file link on that website I'm expecting OneCare to display a dialog telling me that it has detected the "DOS/EICAR_Test_File" virus and give me the option to clean or close. This is what OneCare 1.6 on XP does, anyway. Doing the above on Vista Ultimate x64 with OneCare 2.0 beta simply pops up a dialog box asking me if I want to Run, Save or Cancel. There is no indication to me that a virus has been detected or that the system has done anything about it.
If I try to Run it nothing appears to happen and the dialog closes. If I try to Save it I get a generic file system error suggesting I don't have the proper access rights - I suspect that it has been blocked from downloading and therefore there is actually nothing to save and therefore I get that error. If I Cancel it simply closes the dialog. From a user point of view I get nothing to indicate there was a virus detected or what action was taken.
There is a line in the system events log to do with the virus that is a bit cryptic but it seems to indicate that it was at least noticed.
***************************************
Event Type: Warning
Event Source: OneCareMP
Event Category: None
Event ID: 3004
Date: 7/14/2007
Time: 7:24:08 AM
User: N/A
Computer: *removed
Description:
Windows OneCare Live Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows OneCare Live can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003
Scan ID: {DB89FB5C-3259-45FB-9DFB-F413C36494AA}
Agent: On Access
User: *removed
Name: Virus:DOS/EICAR_Test_File
ID: 2147519003
Severity: Severe
Category: Virus
Path Found: file:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\82UDWNGP\eicar[1].com
Alert Type:
Process Name: C:\Program Files\Internet Explorer\iexplore.exe
Detection Type: Concrete
Status: Suspend
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
***************************************
The above is what I get in the event log using OneCare 1.6 as well so I guess the answer to my original question about whether or not the real time scanner is working is probably yes. It's strange that I get no warning from the system and have to go digging into the event log to find out, though.
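
Added example, not part of the original post: a small Python parser for an event description like the one quoted above, confirming from the log alone that the on-access agent caught the EICAR test file and which action it recorded. The sample text is constructed from the fields in the post (the threat name is written as `Virus:DOS/EICAR_Test_File`, an assumption based on the name the poster cites), and the function names are hypothetical.

```python
import re

# Constructed sample modeled on the Event ID 3004 text quoted in the post above.
SAMPLE_EVENT = r"""Event Source: OneCareMP
Event ID: 3004
Description:
Windows OneCare Live Real-Time Protection agent has detected changes.
Scan ID: {DB89FB5C-3259-45FB-9DFB-F413C36494AA}
Agent: On Access
Name: Virus:DOS/EICAR_Test_File
ID: 2147519003
Severity: Severe
Path Found: file:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\82UDWNGP\eicar[1].com
Alert Type:
Process Name: C:\Program Files\Internet Explorer\iexplore.exe
Status: Suspend
"""

# A field line is "Key: value"; the key is letters and spaces up to the first colon.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):[ \t]*(.*)$")


def parse_event(text):
    """Collect the 'Key: value' lines of a pasted event description."""
    fields = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line.strip())
        if match:
            fields[match.group(1)] = match.group(2).strip()
    return fields


def realtime_detection(fields, expected_threat="EICAR_Test_File"):
    """Report whether the on-access agent logged the expected test file."""
    path = fields.get("Path Found", "")
    if path.startswith("file:"):
        path = path[len("file:"):]
    detected = (
        fields.get("Event Source") == "OneCareMP"
        and fields.get("Event ID") == "3004"
        and fields.get("Agent") == "On Access"
        and expected_threat in fields.get("Name", "")
    )
    return {"detected": detected, "threat": fields.get("Name"), "path": path,
            "process": fields.get("Process Name"), "status": fields.get("Status")}


if __name__ == "__main__":
    print(realtime_detection(parse_event(SAMPLE_EVENT)))
```
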
-
Sunday, July 15, 2007 01:33 Moderator
Thanks for the follow-up.
It does sound like it is being blocked without any warning to you from OneCare. I haven't yet heard if there is a bug submission form for the beta, but this sounds like something worth reporting. I'll mention it to the OneCare team.
-steve
-
Tuesday, July 24, 2007 19:48
Appreciate the report. This issue surrounds where the OneCare installer places files on a Vista x64 box. We've addressed this and believe V2 Beta users will not be prompted with the correct dialogs. Please confirm and forward any inconsistent results.
Best regards,
-Eddy
-
Wednesday, July 25, 2007 01:31 Moderator
Thanks for the information, Eddy. Do you want bug submissions for these cases?
-steve
-
Tuesday, July 31, 2007 05:22
Hi Eddy,
Thank you for looking into it. I'm not exactly sure what you mean by "We've addressed this and believe V2 Beta users will not be prompted with the correct dialogs". Can you clarify what I should be seeing when I click on the "eicar.com" test file, for example?
Thanks,
Craig
-
Tuesday, July 31, 2007 05:55
I just tried the eicar page again and it's working the same way it does in OneCare x86 so good job devs.
Thanks again,
Craig
-
Tuesday, July 31, 2007 17:53 Moderator
Thanks for the update, Craig.
-steve
-
Thursday, August 9, 2007 23:56
Hi Steve - the actual fix wasn't posted against a bug in that the fix was an operational issue.
Craig - good to see it's now working. Sorry for the super late reply.
-Eddy