Bug? Sophos XG does not block EICAR file in realtime since last update

Meghan,

check your settings and try to switch from batch to real again. On my XG is working with no issue.

Hi,

..

I've tried a few times now, but the download isn't blocked by XG, and my Endpoint security doesn't detects the eicar.com/.zip files as virus ...

Does XG remove the malicious Code from the file?

Regards Meghan

Yep, I've had this concern as well, as it was one of the first things I tried to "verify" my XG was working and I was very alarmed to see that I could download it.  However I do note that in the Malware Log, it is detected by XG as "EICAR-AV-Test" so I assume it is allowing it through so you can test your AV solution?  I have no idea, it has been that way since day one for me, not something new with the latest firmware.

Are you using decrypt and scan?

On my XG worked since v15.

I am using decrypt, but what i have found out, is that xg removes the eicar.com file out of the zip, and all code in eicar.com file.

So, my theorie is that Xg is cleaning the files from malicious code in Realtime, while it blocks the files in batch.

Regards Meghan

Meghan,

inside log viewer > malware log you should see the eicar entries. I tested with all possible eicar files and no one was downloaded. I am using decrypt and scan, https scan and firefox.

Regards

Hi Meghan,

since when did you notice this behavior? will try to see this for myself, thanks for sharing though.

Hi all,

I've got this issue since the Update on mr6

Regards

Hi Megan,

Please show us what configurations are made to prevent the EICAR file and how did the network receive the EICAR file? Also, try changing the AV engines and let us know the results.

Thanks

I can confirm that changing from Real Time to Batch blocks the EICAR file from downloading.  Change it back to Real Time and the file downloads but is apparently stripped out and empty.