OneCare 2.0 x64 and eicar test page
Question
Answers
-
Hi Stephen,
When I click on the "eicar.com" test file link on that website I'm expecting OneCare to display a dialog telling me that it has detected the "DOS/EICAR_Test_File" virus and give me the option to clean or close. This is what OneCare 1.6 on XP does, anyway. Doing the above on Vista Ultimate x64 with OneCare 2.0 beta simply pops up a dialog box asking me if I want to Run Save or Cancel. There is no indication to me that a virus has been detected or that the system has done anything about it.
If I try to Run it nothing appears to happen and the dialog closes. If I try to Save it I get a generic file system error suggesting I don't have the proper access rights - I suspect that it has been blocked from downloading and therefore there is actually nothing to save and therefore I get that error. If I Cancel it simply closes the dialog. From a user point of view I get nothing to indicate there was a virus detected or what action was taken.
There is a line in the system events log to do with the virus that is a bit cryptic but it seems to indicate that it was at least noticed.
***************************************
Event Type: Warning
Event Source: OneCareMP
Event Category: None
Event ID: 3004
Date: 7/14/2007
Time: 7:24:08 AM
User: N/A
Computer: *removed
Description:
Windows OneCare Live Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows OneCare Live can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Virus
OS/EICAR_Test_File&threatid=2147519003
Scan ID: {DB89FB5C-3259-45FB-9DFB-F413C36494AA}
Agent: On Access
User: *removed
Name: VirusOS/EICAR_Test_File
ID: 2147519003
Severity: Severe
Category: Virus
Path Found: file:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\82UDWNGP\eicar[1].com
Alert Type:
Process Name: C:\Program Files\Internet Explorer\iexplore.exe
Detection Type: Concrete
Status: SuspendFor more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
***************************************The above is what I get in the event log using OneCare 1.6 as well so I guess the answer to my original question about whether or not the real time scanner is working is probably yes. It's strange that I get no warning from the system and have to go digging into the event log to find out, though.
All replies
-
Hi Stephen,
When I click on the "eicar.com" test file link on that website I'm expecting OneCare to display a dialog telling me that it has detected the "DOS/EICAR_Test_File" virus and give me the option to clean or close. This is what OneCare 1.6 on XP does, anyway. Doing the above on Vista Ultimate x64 with OneCare 2.0 beta simply pops up a dialog box asking me if I want to Run Save or Cancel. There is no indication to me that a virus has been detected or that the system has done anything about it.
If I try to Run it nothing appears to happen and the dialog closes. If I try to Save it I get a generic file system error suggesting I don't have the proper access rights - I suspect that it has been blocked from downloading and therefore there is actually nothing to save and therefore I get that error. If I Cancel it simply closes the dialog. From a user point of view I get nothing to indicate there was a virus detected or what action was taken.
There is a line in the system events log to do with the virus that is a bit cryptic but it seems to indicate that it was at least noticed.
***************************************
Event Type: Warning
Event Source: OneCareMP
Event Category: None
Event ID: 3004
Date: 7/14/2007
Time: 7:24:08 AM
User: N/A
Computer: *removed
Description:
Windows OneCare Live Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows OneCare Live can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=VirusOS/EICAR_Test_File&threatid=2147519003
Scan ID: {DB89FB5C-3259-45FB-9DFB-F413C36494AA}
Agent: On Access
User: *removed
Name: VirusOS/EICAR_Test_File
ID: 2147519003
Severity: Severe
Category: Virus
Path Found: file:C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\82UDWNGP\eicar[1].com
Alert Type:
Process Name: C:\Program Files\Internet Explorer\iexplore.exe
Detection Type: Concrete
Status: SuspendFor more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
***************************************The above is what I get in the event log using OneCare 1.6 as well so I guess the answer to my original question about whether or not the real time scanner is working is probably yes. It's strange that I get no warning from the system and have to go digging into the event log to find out, though.
