What to do in the event that Scan Engine does not detect a file or traffic content as being viral and a file system scanner does?


Article ID: 177330


Products

Protection Engine for Cloud Services, Scan Engine, AntiVirus for Caching, Protection for SharePoint Servers, Protection Engine for NAS

Issue/Introduction

You have Scan Engine set up to scan files and/or web traffic. Your file system scanner on your local system detected viral content in a file that passed through the scan engine system. The scan engine system did not register the file as being viral. You are concerned the scan engine software is not working.

Symptoms
Web traffic and/or files are being scanned by Symantec Scan Engine.


Condition:

Virus definitions on the scan engine server may not be fully up to date.

Resolution

In the event that a file system scanner detected viral traffic in a file that Symantec Scan Engine scanned and let through, you will need to do the following:

  1. Ensure that Scan Engine's virus definitions are fully up to date. If they are not, update them immediately. If the LiveUpdate component does not update the Scan Engine software, download the latest version of our Intelligent Updater and run it on the Scan Engine server.
  2. Ensure that the file-system Auto-Protect program excludes the directory that Scan Engine uses to scan files. The default directory is c:\program files\symantec\scan engine\temp. If this directory is not excluded, the file-system Auto-Protect scanner could be detecting these files as viral before the Scan Engine software is able to examine them.
  3. If the file system scanner was a Symantec scanner, run a full system scan to ensure that nothing else got through. Best practice is to run a full sweep across your entire network.
  4. If, however, the file system scanner is from another vendor, submit the file that was detected to https://symsubmit.symantec.com/. Fill out the information at that site and upload the file. Within a few hours you should receive a response, with additional details once analysis has been completed, at the email address you provided. This is otherwise a complete process, but you can always call Symantec support and open a support ticket if questions remain. When you reach a technician, give them the tracking number so they can run queries against it and give you any updates on your submission.
  5. After ensuring that the virus definitions are fully updated, download a copy of the EICAR test string and drop it in the folder that Scan Engine uses to scan incoming files. Then use the Scan Engine command line scanner to request an on-demand scan of the EICAR file. If the file is detected, it should be deleted and/or quarantined. If it is quarantined, then your Scan Engine software is most likely functioning and the problem is either a) the definitions were previously not up to date, or b) the viral content has not yet been submitted to us.


If EICAR is not detected as being viral, you will need to contact Symantec Scan Engine support for assistance.


References
How to use the Scan Engine Command Line Scanner:
https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/symantec-protection-engine/8-2/SSECLS_Demonstration_Tool_11/c-based-command-line-scanner-syntax-and-usage-v128510193-d4995e25461.html
http://www.symantec.com/business/support/index?page=content&id=TECH82008&locale=en_US


Where to download the EICAR.com test string: http://www.eicar.org

Where to download the latest Intelligent Updater for Symantec Antivirus Scan Engine:
https://www.broadcom.com/support/security-center/definitions
http://www.symantec.com/avcenter/download/pages/US-CS.html