You wonder why the antivirus test file eicar.com can be executed when real-time scanning (Auto-Protect) in Symantec Endpoint Protection (SEP) is enabled.
Symptoms
Double-clicking the eicar.com file does not trigger a virus detection: no event is written to the SEP log, and no Symantec Endpoint Protection notification window pops up.
From the command line (in a DOS box) you can run the eicar.com test virus by typing at the prompt:
eicar.com
If the file can be executed, the test program's reply is printed.
If the file has been removed by Symantec Endpoint Protection, the reply on the command line is instead:
The system cannot find the file
This is working as designed if the Symantec Endpoint Protection client is configured to scan files on modification only.
To find out whether the local SEP client scans on modification only, or whenever a file is accessed or modified, do the following:
Go to File System Auto-Protect
Go to Advanced
In the section Scan files when, you will find the following options:
Scan when a file is accessed or modified
Scan when a file is modified
(Scan when a file is backed up)
If you have enabled Scan when a file is modified, the SEP client does exactly what the setting says: it scans a file only when the file is modified.
If you want to change this behaviour, change the setting to Scan when a file is accessed or modified.
NOTE: the safer setting is Scan when a file is accessed or modified, because running a file that is already on disk is an access, not a modification, and only that setting catches it.
Technical Information
Executing (running) a file, e.g. the antivirus test file, is considered accessing the file. With Scan when a file is modified enabled, eicar.com can therefore be run without Auto-Protect detecting it.
A copy is considered a modification, because the destination file is written to disk. Therefore a copy of the antivirus test file never stays on disk with Auto-Protect enabled, regardless of the accessed/modified option. (The DOS box still shows “1 file(s) copied.”, because the copy command itself succeeds and Auto-Protect removes the new file afterwards, which is a bit confusing.)
A Scheduled Scan or a Manual Scan will find the antivirus test file regardless of your accessed/modified setting.
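The two command-line checks described above (copy = modification, run = access), scripted as an added example that is not part of the Symantec article. It writes eicar.com and reports whether Auto-Protect removed it, then runs a test file that already exists on disk and reports whether it executed or was removed, which tells you which "Scan files when" option is in effect. The EICAR string is assembled from two halves so the script file itself does not match the signature. The scan delay, the example path C:\eicartest\eicar.com and the use of cmd.exe to launch the file are assumptions, not values from the article; note also that eicar.com is a 16-bit DOS program and will not run at all on 64-bit Windows, where only the Removed result of the access check is meaningful.

```powershell
# Added example, not part of the Symantec article: drives the two checks the
# article describes (write/copy = modification, run = access) and reports
# which Auto-Protect behaviour the local SEP client shows.
# Assumptions (not from the article): Windows with PowerShell 5.1 or later,
# SEP Auto-Protect enabled, and $ScanDelaySeconds as a rough guess at how
# long Auto-Protect needs to act on a file.

# The EICAR string is assembled from two halves so that this script file
# does not itself contain the signature and get quarantined before it runs.
$EicarPart1  = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-'
$EicarPart2  = 'ANTIVIRUS-TEST-FILE!$H+H*'
$EicarMarker = 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE'

function Test-AutoProtectOnModify {
    # Creates eicar.com by writing it to disk. Writing is a modification, so a
    # client with Auto-Protect enabled should remove the file under either
    # "Scan files when" option.
    param(
        [string]$Directory = $env:TEMP,
        [int]$ScanDelaySeconds = 5
    )
    $target = Join-Path $Directory 'eicar.com'
    [System.IO.File]::WriteAllText($target, $EicarPart1 + $EicarPart2,
                                   [System.Text.Encoding]::ASCII)
    Start-Sleep -Seconds $ScanDelaySeconds
    $survived = Test-Path -LiteralPath $target
    if ($survived) {
        $verdict = 'file survived a write: Auto-Protect did not scan on modification'
        Remove-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue
    } else {
        $verdict = 'file removed on write: scanned on modification (expected with either setting)'
    }
    [pscustomobject]@{ Check = 'modification'; Removed = -not $survived; Verdict = $verdict }
}

function Test-AutoProtectOnAccess {
    # Runs an eicar.com that already exists on disk. Running the file is an
    # access, not a modification, so only "Scan when a file is accessed or
    # modified" catches it. Caveat: eicar.com is a 16-bit DOS program and does
    # not run on 64-bit Windows; there the Removed field is still meaningful,
    # because the loader opens (accesses) the file before giving up.
    param(
        [Parameter(Mandatory = $true)][string]$EicarPath,
        [int]$ScanDelaySeconds = 5
    )
    if (-not (Test-Path -LiteralPath $EicarPath)) {
        throw "No test file at $EicarPath (a fresh copy is removed on write; use one that predates Auto-Protect)"
    }
    # Launch through cmd.exe, as the article's DOS-box test does, and capture the reply.
    $output = & cmd.exe /c "`"$EicarPath`"" 2>&1 | Out-String
    Start-Sleep -Seconds $ScanDelaySeconds
    $executed = $output -match [regex]::Escape($EicarMarker)
    $removed  = -not (Test-Path -LiteralPath $EicarPath)
    if ($executed -and -not $removed) {
        $verdict = 'test file ran undetected: client is scanning on modification only'
    } elseif ($removed) {
        $verdict = 'test file removed on access: client scans on access or modification'
    } else {
        $verdict = 'file neither ran nor was removed (64-bit Windows?): check the SEP log'
    }
    [pscustomobject]@{ Check = 'access'; Executed = $executed; Removed = $removed; Verdict = $verdict }
}

# Usage: the modification check works anywhere; the access check needs a test
# file that was already on disk (assumed example path, adjust to your own).
Test-AutoProtectOnModify | Format-List
$existing = 'C:\eicartest\eicar.com'
if (Test-Path -LiteralPath $existing) {
    Test-AutoProtectOnAccess -EicarPath $existing | Format-List
}
```

Read the two Verdict fields together: "removed on write" plus "ran undetected" is exactly the situation the article describes, and the fix is the setting change above. Whatever the script reports, confirm it against the SEP log, since that is where the detection event is recorded.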
Imported Document ID: TECH130969