August 6th, 2013 23:00
Why is CAVA not detecting the EICAR test file as a virus?
Dear All,
CAVA is running in our environment with Symantec Endpoint Protection 12 in the background.
All CAVA Servers are showing online.
Files are also getting scanned.
But it is not detecting the EICAR test file as a virus.
When we put the same file on the desktop file system, it was detected by Symantec Endpoint Protection 12.
Below is the output for server_viruschk server_2 -audit
Every 2.0s: server_viruschk server_2 -audit    Wed Aug 7 11:27:03 2013
server_2 :
Total Requests: 1972686.
Requests in progress: 0.
NO ANSWER from the Virus Checker Servers: 0.
ERROR_SETUP: 0.
FAIL: 0.
TIMEOUT: 0.
Total Infected Files: 111.
Deleted Infected Files: 0.
Renamed Infected Files: 0.
Modified Infected Files: 0.
Detected Infected Files: 111.
min=682 uS, max=6085202 uS, average=2366 uS
0 files in the collector queue.
- One more strange observation from the output above: files are being detected as a virus but are not being deleted.
- We checked the Symantec Endpoint Protection 12 logs on all CAVA servers, but not a single one had a Virus Found entry in its log.
So I'm wondering, by which antivirus are the above files being detected?
- We are getting the following log for server_log server_2:
2013-08-07 11:37:12: SMB: 4: Warning: RecvStream failed I/O error on server CAVASERVER1 (xxx.xxx.x.xx) port 445 with client xxxvnxav (xxx.xxx.x.xx)
2013-08-07 11:37:42: SMB: 4: Warning: RecvStream failed I/O error on server CAVASERVER2 (xxx.xxx.x.xx) port 445 with client xxxvnxav (xxx.xxx.x.xx)
2013-08-07 11:38:14: SMB: 4: Warning: SendStream failed I/O error on server CAVASERVER3 (xxx.xxx.x.xx) port 445 with client xxxvnxav (xxx.xxx.x.xx)
2013-08-07 11:39:04: SMB: 4: Warning: RecvStream failed I/O error on server CAVASERVER4 (xxx.xxx.x.xx) port 445 with client xxxvnxav (xxx.xxx.x.xx)
2013-08-07 11:39:06: SMB: 4: Warning: SendStream failed I/O error on server CAVASERVER5 (xxx.xxx.x.xx) port 445 with client xxxvnxav (xxx.xxx.x.xx)
Has anybody faced this issue?
- Ashish K
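A health check over the two outputs shown in the post above, added here as an example; it is not part of the original thread or of any EMC tooling. It parses the server_viruschk -audit counters and the server_log SMB warnings and flags infections with no recorded action; the function names, and the assumption that a remediated file increments the Deleted, Renamed or Modified counter, belong to this example.

```python
import re
from collections import Counter

# Constructed inputs: counters and log lines copied from the first post
AUDIT = """\
server_2 :
Total Requests: 1972686.
Requests in progress: 0.
NO ANSWER from the Virus Checker Servers: 0.
ERROR_SETUP: 0.
FAIL: 0.
TIMEOUT: 0.
Total Infected Files: 111.
Deleted Infected Files: 0.
Renamed Infected Files: 0.
Modified Infected Files: 0.
Detected Infected Files: 111.
min=682 uS, max=6085202 uS, average=2366 uS
"""
LOG = """\
2013-08-07 11:37:12: SMB: 4: Warning: RecvStream failed I/O error on server CAVASERVER1 (xxx.xxx.x.xx) port 445 with client xxxvnxav (xxx.xxx.x.xx)
2013-08-07 11:37:42: SMB: 4: Warning: RecvStream failed I/O error on server CAVASERVER2 (xxx.xxx.x.xx) port 445 with client xxxvnxav (xxx.xxx.x.xx)
2013-08-07 11:38:14: SMB: 4: Warning: SendStream failed I/O error on server CAVASERVER3 (xxx.xxx.x.xx) port 445 with client xxxvnxav (xxx.xxx.x.xx)
"""

COUNTER = re.compile(r"^[ \t]*([^:\n]+?)[ \t]*:[ \t]*(\d+)\.[ \t]*$", re.M)
STREAM_ERR = re.compile(r"SMB: \d+: Warning: (?:Recv|Send)Stream failed I/O error on server (\S+)")

def parse_audit(text):
    """Map each 'Name: N.' counter line to an int; other lines are skipped."""
    return {name: int(value) for name, value in COUNTER.findall(text)}

def stream_errors(log):
    """Count RecvStream/SendStream I/O errors per CAVA server name."""
    return Counter(STREAM_ERR.findall(log))

def findings(counters, log):
    out = []
    infected = counters.get("Total Infected Files", 0)
    # Assumption: a remediated file increments Deleted, Renamed or Modified
    acted = sum(counters.get(f"{a} Infected Files", 0) for a in ("Deleted", "Renamed", "Modified"))
    if infected > acted:
        out.append(f"{infected - acted} infected file(s) with no delete/rename/modify action")
    for key in ("NO ANSWER from the Virus Checker Servers", "ERROR_SETUP", "FAIL", "TIMEOUT"):
        if counters.get(key, 0):
            out.append(f"{key}={counters[key]}: scan requests are failing")
    for server, n in sorted(stream_errors(log).items()):
        out.append(f"{server}: {n} SMB stream I/O error(s)")
    return out

if __name__ == "__main__":
    print("\n".join(findings(parse_audit(AUDIT), LOG)))
```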
ogeissler
February 17th, 2014 10:00
Hi Ashish,
Did you solve the problem in the meantime or get an answer?
We're facing the same problem: EICAR is detected, but not deleted :-(
Oliver.
ogeissler
February 17th, 2014 11:00
Hi Karl,
We do not have RecvStream errors in the log:
...
2014-02-17 20:34:47: VC: 3: 31: The antivirus (AV) engine detected \root_vdm_1\Infrastructure\Infrastructure\Eicar.txt, used by DOMAIN\vmware on IQ-TEST.
but the event log looks like this (translated):
Security Risk found! EICAR Test String in File: \\VNX-CIFS0\CHECK$\root_vdm_1\Infrastructure\Infrastructure\Disks\Eicar.txt from: Auto-Protect-Scan. Action: Clean failed : Isolate failed: Access Denied. Description of Action: The file wasn't modified.
Looks like an access rights problem, but I think I've checked everything already...
Oliver.
umichklewis
February 17th, 2014 11:00
Have you had a look at this post?
Need assistance with CAVA setup on VNX7500
The RecvStream error points to a TCP issue. Have a look and see if this helps!
Karl
Rainer_EMC
February 16th, 2015 13:00
Any update on how the problem was solved?
Peter_EMC
February 16th, 2015 22:00
Please check whether the Symantec Protection Engine service has been changed from SYSTEM to the same user that is running CAVA
(the user with the EMC virus-checking right).
ashxos
February 16th, 2015 23:00
Hi,
I don't recollect the exact solution, but I'm listing the possible solutions below:
1) Start the CAVA service with the domain account that has administrative rights on the CIFS server.
2) In the antivirus settings, make sure that Network Scanning is enabled.
3) Make sure that you restart the CAVA server at least once after installing the CAVA software.
4) Add all the available CAVA server IP addresses in the CAVA settings.
Thanks
- Ashish Kesarkar