OneCare 2.0 x64 and eicar test page

  • Question

  • I'm trying to verify that the real time scanner is actually running.  I went to the eicar virus test page...

     

    http://www.eicar.org/anti_virus_test_file.htm

     

    ... and OneCare 2.0 x64 version doesn't seem to be detecting any of the test files.  I'm using IE7 in Vista Ultimate x64.  Has anyone else seen this?  Can anyone confirm that OneCare 2.0 x64 has detected a virus with the real time scanner?

     

    Thank you,

     

    Craig

    Thursday, July 12, 2007 4:02 PM

Answers

  • Hi Stephen,

     

    When I click on the "eicar.com" test file link on that website I'm expecting OneCare to display a dialog telling me that it has detected the "DOS/EICAR_Test_File" virus and give me the option to clean or close.  This is what OneCare 1.6 on XP does, anyway.  Doing the above on Vista Ultimate x64 with OneCare 2.0 beta simply pops up a dialog box asking me if I want to Run Save or Cancel.  There is no indication to me that a virus has been detected or that the system has done anything about it.

     

    If I try to Run it nothing appears to happen and the dialog closes.  If I try to Save it I get a generic file system error suggesting I don't have the proper access rights - I suspect that it has been blocked from downloading and therefore there is actually nothing to save and therefore I get that error.  If I Cancel it simply closes the dialog.  From a user point of view I get nothing to indicate there was a virus detected or what action was taken.

     

    There is a line in the system events log to do with the virus that is a bit cryptic but it seems to indicate that it was at least noticed.

    ***************************************
    Event Type: Warning
    Event Source: OneCareMP
    Event Category: None
    Event ID: 3004
    Date:  7/14/2007
    Time:  7:24:08 AM
    User:  N/A
    Computer: *removed
    Description:
    Windows OneCare Live Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. Windows OneCare Live can't undo changes that you allow.
     For more information please see the following:
    http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003
      Scan ID: {DB89FB5C-3259-45FB-9DFB-F413C36494AA}
      Agent: On Access
      User: *removed
      Name: Virus:DOS/EICAR_Test_File
      ID: 2147519003
      Severity: Severe
      Category: Virus
      Path Found: file:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\82UDWNGP\eicar[1].com
      Alert Type:
      Process Name: C:\Program Files\Internet Explorer\iexplore.exe
      Detection Type: Concrete
      Status: Suspend

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    ***************************************

    The above is what I get in the event log using OneCare 1.6 as well so I guess the answer to my original question about whether or not the real time scanner is working is probably yes.  It's strange that I get no warning from the system and have to go digging into the event log to find out, though.

    Saturday, July 14, 2007 4:46 PM
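To make the same check without reading the event by eye, here is an added Python example (not from the thread and not OneCare's own tooling) that parses the Event ID 3004 text quoted above into fields and reports whether the On Access agent suspended the expected EICAR detection. The sample event is constructed from the excerpt above with the forum's emoticon mangling of "Virus:DOS" repaired; the field names and values are assumed to be exactly as that excerpt shows them.

```python
import ntpath
import re

# Constructed sample: the OneCareMP Event ID 3004 text quoted in the thread,
# trimmed, with the forum emoticon mangling of "Virus:DOS" repaired.
SAMPLE_EVENT = r"""
Event Source: OneCareMP
Event ID: 3004
Description:
Windows OneCare Live Real-Time Protection agent has detected changes.
 For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003
  Agent: On Access
  Name: Virus:DOS/EICAR_Test_File
  Path Found: file:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\82UDWNGP\eicar[1].com
  Process Name: C:\Program Files\Internet Explorer\iexplore.exe
  Detection Type: Concrete
  Status: Suspend
"""

# A field line is "Capitalized Words: value"; the description prose and the fwlink URL never match, so they are skipped.
FIELD_RE = re.compile(r"^\s*([A-Z][A-Za-z]*(?: [A-Z][A-Za-z]*)*):\s*(.*)$")

def parse_event(text):
    """Map the event's 'Key: Value' lines to a dict; a repeated key (the full
    log has 'User:' twice) keeps the later, detection-block value."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def detected_file(fields):
    """Basename of the file the on-access agent caught (the copy IE had
    cached), after dropping the 'file:' prefix OneCare puts on the path."""
    path = fields.get("Path Found", "")
    if path.startswith("file:"):
        path = path[len("file:"):]
    return ntpath.basename(path)

def realtime_block_confirmed(fields, expected_name="Virus:DOS/EICAR_Test_File"):
    """True when the real-time (On Access) agent detected the expected threat and
    suspended it; 'Suspend' is the only action status the thread's log shows."""
    return (fields.get("Event Source") == "OneCareMP"
            and fields.get("Event ID") == "3004"
            and fields.get("Agent") == "On Access"
            and fields.get("Name") == expected_name
            and fields.get("Detection Type") == "Concrete"
            and fields.get("Status") == "Suspend")
```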

All replies

  • What are you actually doing with the test files? Are you downloading and saving them or opening them? If you are simply saving them, the real time scan won't see them. The real time scan will kick in (or should, I don't have x64 here) when you try to open or execute the files. You can also right click and scan them to see what the scanner does.

    -steve

    Friday, July 13, 2007 7:00 PM
    Moderator
  • Thanks for the follow-up.

    It does sound like it is being blocked without any warning to you from OneCare. I haven't yet heard if there is a bug submission form for the beta, but this sounds like something worth reporting. I'll mention it to the OneCare team.

    -steve

    Sunday, July 15, 2007 1:33 AM
    Moderator
  • Appreciate the report.  This issue surrounds where the OneCare installer places files on a Vista x64 box.  We've addressed this and believe V2 Beta users will not be prompted with the correct dialogs.  Please confirm and forward any inconsistent results.

     

    Best regards,

    -Eddy

    Tuesday, July 24, 2007 7:48 PM
  • Thanks for the information, Eddy. Do you want bug submissions for these cases?

    -steve

    Wednesday, July 25, 2007 1:31 AM
    Moderator
  • Hi Eddy,

     

    Thank you for looking into it.  I'm not exactly sure what you mean by "We've addressed this and believe V2 Beta users will not be prompted with the correct dialogs".  Can you clarify what I should be seeing when I click on the "eicar.com" test file, for example?

     

    Thanks,

     

    Craig

    Tuesday, July 31, 2007 5:22 AM
  • I just tried the eicar page again and it's working the same way it does in OneCare x86 so good job devs.

     

    Thanks again,

     

    Craig

    Tuesday, July 31, 2007 5:55 AM
  • Thanks for the update, Craig.

    -steve

    Tuesday, July 31, 2007 5:53 PM
    Moderator
  • Hi Steve - the actual fix wasn't posted against a bug in that the fix was an operational issue.

     

    Craig - good to see it's now working.  Sorry for the super late reply.

     

    -Eddy

    Thursday, August 9, 2007 11:56 PM