Forum Discussion
EICAR file not detected automatically in Azure VM
Hi,
We have a VM in the Azure portal, and we performed a file scan using the MS Defender command. Neither the MS Defender command nor MS Defender for Endpoint on the VM detected the EICAR test file.
Please let us know whether we are missing any setup for detecting the false-positive test files on the server.
This will be a great help.
Regards,
Alagumuthu
- LeonPavesic (Silver Contributor)
Hi Alagumuthu,
If Microsoft Defender for Endpoint isn't detecting the EICAR test file on your Azure VM, there could be several reasons for this. Here are some troubleshooting steps to address the issue:
- Ensure Microsoft Defender for Azure is enabled for the file share: By default, Microsoft Defender for Azure may be disabled for new file shares.
- Check Microsoft Defender for Azure service status: Confirm that the Microsoft Defender for Azure service is running and configured correctly.
- Examine Microsoft Defender for Azure logs: Review the logs for more insights into why the test file isn't being detected.
- Verify the test file's status as known malware: Microsoft Defender for Azure should detect known malware. If the file isn't recognized as malware, it might not trigger detection.
- Review exclusion settings: Check for any exclusions in Microsoft Defender for Azure, ensuring the test file isn't excluded.
- Refresh policy and reboot: After enabling settings, refresh the policy and reboot to apply changes.
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item. If the post was useful in other ways, please consider giving it a Like.
Kindest regards,
Leon Pavesic
(LinkedIn)
- Alagumuthu (Copper Contributor)
Thanks for your reply, really appreciated. We have noticed different behavior with the testing below, and it rules out our understanding of a policy change.
Case 1:
I created a text file manually, copied the EICAR test file virus content into it, and saved the file. MS Defender identified the threat.
Case 2:
The earlier reported issue is for the "eicar_word_macro_cmd_echo.doc" file. The threat in this file was not identified by MS Defender, hence we asked for help in the forum.
Today I opened the file on the server, the "Enable Macro content" message popped up, and I ran the macro. Now MS Defender identified the threat. By default, the "Disable all Macros" setting is enabled for Word files on our server.
This concludes that MS Defender is unable to identify the threat until the macro executes. Correct us if I am wrong.
Why is MS Defender unable to identify the threat in the macro file? Are any settings needed to be enabled for MS Defender to identify a threat in a macro?
Regards,
Alagumuthu
- LeonPavesic (Silver Contributor)
Hi Alagumuthu,
You are correct: similar to many antivirus solutions, Microsoft Defender may not detect a threat within a macro until the macro is executed.
This is because macros often contain legitimate code, and it's the actions performed during execution that may turn out to be malicious. In the scenario you described with the EICAR test file virus content, Microsoft Defender did not initially detect it in the Word document because the macro was disabled. Once the macro was enabled and executed, Microsoft Defender successfully identified the threat.
To increase security, Microsoft has a default setting blocking macros from running in Office applications for files downloaded from the internet. Users receive a warning message when attempting to open such files, and they have the option to enable macros if necessary. However, users should be cautious about the security implications of enabling macros.
For better macro threat detection, you may need to adjust your Microsoft Defender settings or consider additional security measures. Microsoft Defender for Office 365, for instance, provides enhanced security against potentially harmful macros.
Protect yourself from macro viruses - Microsoft Support
Macros from the internet are blocked by default in Office - Deploy Office | Microsoft Learn
Kindest regards,
Leon Pavesic
(LinkedIn)
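The checks Leon lists in the first reply (engine and service status, exclusions, logs) and the "Case 1" test with a plain EICAR text file can be run together from one elevated PowerShell session on a Windows VM. The script below is an added example for this thread, not code from either poster or from Microsoft; it relies only on the built-in Defender cmdlets (Get-MpComputerStatus, Get-MpPreference, Start-MpScan, Get-MpThreatDetection) and assumes C:\EicarTest as a scratch directory.

```powershell
# Added example (not from the thread): verify Defender on a Windows Azure VM
# using the standard EICAR test file, the same test as "Case 1" above.
# Assumes an elevated session and the built-in Defender module.
# $TestDir is an assumed scratch path.
$TestDir  = 'C:\EicarTest'
$TestFile = Join-Path $TestDir 'eicar.com'

# 1. Engine and real-time protection state (first checks in the reply above).
$status = Get-MpComputerStatus
[pscustomobject]@{
    AntivirusEnabled          = $status.AntivirusEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    SignatureLastUpdated      = $status.AntivirusSignatureLastUpdated
    TamperProtected           = $status.IsTamperProtected
} | Format-List

# 2. Defender for Endpoint sensor ("Sense" service): present only if the VM
#    has been onboarded; absent means only the local AV engine is active.
Get-Service -Name Sense -ErrorAction SilentlyContinue | Select-Object Status, StartType

# 3. Exclusions that would hide the test file from both real-time and on-demand scans.
$pref = Get-MpPreference
'Path exclusions:      ' + ($pref.ExclusionPath      -join ', ')
'Extension exclusions: ' + ($pref.ExclusionExtension -join ', ')
'Process exclusions:   ' + ($pref.ExclusionProcess   -join ', ')

# 4. Write the EICAR test string. It is assembled from two halves only so that
#    this script file is not itself quarantined when saved; the written file is
#    the exact 68-byte standard string. Real-time protection normally removes
#    it within seconds, which is the expected (healthy) result.
New-Item -ItemType Directory -Path $TestDir -Force | Out-Null
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-' + 'ANTIVIRUS-TEST-FILE!$H+H*'
try {
    [System.IO.File]::WriteAllText($TestFile, $eicar, [System.Text.Encoding]::ASCII)
} catch {
    "Write blocked by real-time protection: $($_.Exception.Message)"
}

Start-Sleep -Seconds 5
if (Test-Path $TestFile) {
    # File survived: real-time protection did not act. Fall back to an
    # on-demand scan of the directory, the equivalent of the command-line
    # scan the original poster ran.
    Start-MpScan -ScanType CustomScan -ScanPath $TestDir
}

# 5. Detection evidence: Defender threat history plus operational log events
#    1116 (threat detected) and 1117 (action taken) from the last 10 minutes.
Get-MpThreatDetection |
    Where-Object { $_.Resources -match 'EICAR' } |
    Select-Object InitialDetectionTime, ActionSuccess, Resources

Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117
    StartTime = (Get-Date).AddMinutes(-10)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

If step 4 reports the file as missing and step 5 shows a 1116/1117 pair, the engine, real-time protection and signatures are all working and any remaining gap is specific to the sample, as in Case 2. If the file survives and the custom scan also finds nothing, look first at the exclusion lists printed in step 3 and at whether RealTimeProtectionEnabled is false. This script exercises only the plain-text EICAR case; it does not reproduce the macro document from Case 2, whose detection depends on the document's own content.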