How to troubleshoot a failure to detect the EICAR malware test file in MOVE Antivirus Agentless
Technical Articles ID:   KB89358
Last Modified:  5/19/2017


Environment

McAfee MOVE Antivirus Agentless (MOVE AV Agentless) 4.x

Summary

Most serious failures that occur in the MOVE AV Agentless system result in a failure to detect the EICAR malware test file. Therefore, most problems in MOVE AV Agentless can be framed as an EICAR detection failure issue. The following procedure details how to troubleshoot a failure to detect the EICAR test file by verifying the configuration of the entire system. Correct any conflicts between the existing configuration on the faulting system and the configuration listed in this article, and then retest. 

Problem

Copying, opening, saving, or downloading the EICAR test file is permitted on a system that should be protected by MOVE AV Agentless.

Solution

Check the following settings:

  1. In the On Access Scan (OAS) Policy:
    1. Enable OAS.
    2. Enable scan when writing to disk.
    3. Enable scan when reading from disk.
    4. Verify there are no exclusions for the file type, name, or location present.
    5. Ensure File Types to Scan is either All files or includes the file type.
       
  2. In Security Virtual Machine (SVM) Settings Policy, click test connect. If it fails, audit the SVM connection information and credentials.
     
  3. At the endpoint, check for the vsepflt filter driver:
    1. Open an elevated command prompt.
    2. Run the command sc query vsepflt. The output should show that the driver is registered on the endpoint and that its state is RUNNING.

      NOTE: There should be one instance of the driver loaded per volume on the endpoint.
       
    3. If the query shows the filter loaded but the EICAR file is still not detected, unload and reload the driver by running the command fltmc unload vsepflt followed by fltmc load vsepflt.
    4. If the query fails to find the driver, look for vsepflt.sys in c:\windows\system32\drivers.
    5. If the file is present, go back to the command prompt and run the command fltmc load vsepflt.
    6. If the driver loads but the EICAR file is still not detected, verify that vsepflt.sys is the latest version. This is a VMware-owned driver, updated through the VMware Tools package and deployed to every guest in a VMware environment. Load the updated driver and test.
       
  4. Review the following KB articles:
  5. Verify the VMware side of the installation as described in the MOVE Install Guide (PD26806):
    • For NSX deployments, see the "Deploying McAfee MOVE AntiVirus (Agentless) in an NSX environment" section.
    • For vCNS deployments, see the "Deploying McAfee MOVE AntiVirus (Agentless) in vCNS environment" section.
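The endpoint checks in step 3 (driver registered and running, vsepflt.sys present and its version, one filter instance per volume, and the optional unload/reload cycle) can be run together from one elevated PowerShell session. The script below is an added example for this article, not a McAfee or VMware tool; it assumes the driver name vsepflt and the file location under the Windows drivers directory as stated above, and uses only the sc/fltmc behaviour the article already relies on.

```powershell
# Added example (not part of the KB article): reports the vsepflt filter driver
# state described in step 3. Assumptions: driver/service name 'vsepflt', file at
# $env:SystemRoot\System32\drivers\vsepflt.sys, run from an elevated session
# (fltmc.exe requires elevation). Use -Reload to perform step 3.3's unload/load.
[CmdletBinding()]
param(
    [switch]$Reload   # optional: run 'fltmc unload vsepflt' then 'fltmc load vsepflt'
)

$driverName = 'vsepflt'
$driverFile = Join-Path $env:SystemRoot "System32\drivers\$driverName.sys"

# Step 3.2 equivalent of 'sc query vsepflt': is the driver registered and RUNNING?
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$driverName'"
if ($null -eq $drv) {
    Write-Warning "Driver '$driverName' is not registered (sc query would not find it)."
} else {
    "Driver state : $($drv.State) (started=$($drv.Started))"
}

# Steps 3.4 and 3.6: is vsepflt.sys on disk, and which version is it?
if (Test-Path $driverFile) {
    $ver = (Get-Item $driverFile).VersionInfo
    "Driver file  : $driverFile"
    "File version : $($ver.FileVersion)  Product: $($ver.ProductVersion)"
} else {
    Write-Warning "$driverFile not found; update VMware Tools to deploy the driver (step 3.6)."
}

# Is the minifilter actually attached? 'fltmc filters' lists loaded minifilters by name.
$loaded = @((& fltmc.exe filters) -match "^\s*$driverName\b")
"Filter loaded: $($loaded.Count -gt 0)"

# NOTE under step 3.2: expect one filter instance per volume. 'fltmc instances -f <name>'
# prints one row per attached volume; compare against the fixed disks on the endpoint.
$instances = @((& fltmc.exe instances -f $driverName) | Where-Object { $_ -match "^\s*$driverName\b" })
$volumes   = @(Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType=3")
"Instances    : $($instances.Count) attached, $($volumes.Count) fixed volumes"
if ($instances.Count -lt $volumes.Count) {
    Write-Warning "Fewer filter instances than fixed volumes; some volumes may be unscanned."
}

# Step 3.3: unload and reload the filter, then retest with the EICAR file.
if ($Reload) {
    & fltmc.exe unload $driverName
    & fltmc.exe load $driverName
    "Filter reloaded; copy the EICAR test file again to retest detection."
}
```

Run it as `.\Check-Vsepflt.ps1` for a report only, or `.\Check-Vsepflt.ps1 -Reload` to also perform the unload/load cycle from step 3.3. Compare the reported file version against the VMware Tools build deployed to the guest before concluding the driver is current.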

IMPORTANT: If all of the above checks are confirmed good, the system should be investigated for a fault condition. Collect a MER from each SVM that is not detecting the EICAR test file (see KB80097) and contact Technical Support.

To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:
  • If you are a registered user, type your User Id and Password, and then click Log In.
  • If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.
