Microsoft Tech Community

EICAR file not detected automatically in Azure VM


Hi,

We have a VM in the Azure portal and we performed the file scan using the MS Defender command. Neither the MS Defender command nor MS Defender for Endpoint in the VM detected the EICAR test file.

Please let us know whether we are missing any setup for detecting the false-positive test files on the server.

This will be a great help.

Regards,

Alagumuthu


Hi @Alagumuthu,

If Microsoft Defender for Endpoint isn't detecting the EICAR test file on your Azure VM, there could be several reasons for this. Here are some troubleshooting steps to address the issue:

  1. Ensure Microsoft Defender for Azure is enabled for the file share:
    By default, Microsoft Defender for Azure may be disabled for new file shares.

  2. Check Microsoft Defender for Azure service status:
    Confirm that the Microsoft Defender for Azure service is running and configured correctly.

  3. Examine Microsoft Defender for Azure logs:
    Review the logs for more insights into why the test file isn't being detected.

  4. Verify the test file's status as a known malware:
    Microsoft Defender for Azure should detect known malware. If the file isn't recognized as malware, it might not trigger detection.

  5. Review exclusion settings:
    Check for any exclusions in Microsoft Defender for Azure, ensuring the test file isn't excluded.

  6. Refresh policy and reboot:
    After enabling settings, refresh the policy, and reboot to apply changes.

Microsoft Defender AV protection on Azure files - doesn't appear to be detecting test file - Microso...


Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it Like.


Kindest regards,


Leon Pavesic
(LinkedIn)

@LeonPavesic

Thanks for your reply, really appreciated. We have noticed a different behavior with the testing below, and it rules out our understanding of the policy change.

Case 1:
I created a text file manually, copied the EICAR test file virus content into it and saved the file. MS Defender identified the threat.

Case 2:
The earlier reported issue is for the file "eicar_word_macro_cmd_echo.doc". This file was not identified as a threat by MS Defender, hence we raised a help request in the forum.
Today I opened the file on the server, the "Enable Macro content" message popped up and I ran the macro. Now MS Defender identified the threat. By default, the "Disable all Macros" setting is enabled for Word files on our server.
This concludes that MS Defender is unable to identify the threat until the macro executes. Correct us if I am wrong.
Why is MS Defender unable to identify the threat in a macro file? Are any settings needed to be enabled for MS Defender to identify the threat in a macro?

Regards,

Alagumuthu

Hi @Alagumuthu,

You are correct, similar to many antivirus solutions, Microsoft Defender may not detect a threat within a macro until the macro is executed.
This is due to macros often containing legitimate code, and it's the actions performed during execution that may turn out to be malicious.

In the scenario you described with the EICAR test file virus content, Microsoft Defender did not initially detect it in the Word document because the macro was disabled. Once the macro was enabled and executed, Microsoft Defender successfully identified the threat.

To increase security, Microsoft has a default setting blocking macros from running in Office applications for files downloaded from the internet. Users receive a warning message when attempting to open such files, and they have the option to enable macros if necessary. However, users should be cautious about the security implications of enabling macros.

For better macro threat detection, you may need to adjust your Microsoft Defender settings or consider additional security measures. Microsoft Defender for Office 365, for instance, provides enhanced security against potentially harmful macros.

Protect yourself from macro viruses - Microsoft Support
Macros from the internet are blocked by default in Office - Deploy Office | Microsoft Learn


Kindest regards,


Leon Pavesic
(LinkedIn)

Hi Leon Pavesic,

Thanks for your update. Can you help us with a link to which settings have to be changed in MS Defender in order to detect macro- or cmd-based virus files?

Regards,
Alagumuthu

Hi @Alagumuthu,

Thanks for the update.

Regarding your question, here are some helpful resources:

  1. Protect yourself from macro viruses - Microsoft Support: This page explains how Microsoft 365 handles active content like macros and mentions that Microsoft Defender Antivirus should detect and block known macro viruses.
    Protect yourself from macro viruses - Microsoft Support

  2. Configure scanning options for Microsoft Defender Antivirus: This resource provides information on configuring scanning options for Microsoft Defender Antivirus.
    Configure scanning options for Microsoft Defender Antivirus | Microsoft Learn

  3. Configure exclusions for files opened by specific processes: Learn how to configure exclusions for files opened by specific processes to tailor Microsoft Defender's behavior.
    Configure exclusions for files opened by specific processes | Microsoft Learn



Kindest regards,


Leon Pavesic
(LinkedIn)
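As an added diagnostic (not code from the thread or from Microsoft), the PowerShell script below walks through the checks from the first reply (service status, exclusions, on-demand scan, recorded detections) and the scanning options that matter for macro-bearing documents, using the built-in Defender cmdlets. It assumes an elevated session on the Windows VM and that the harmless test documents sit in an assumed folder `C:\EicarTest`.

```powershell
# Added diagnostic script, not from the thread. Run elevated on the VM.
# $TestDir is an assumed path holding the EICAR test documents.
param([string]$TestDir = 'C:\EicarTest')

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Step 2 of the first reply: is the engine running with real-time protection on?
'--- Engine status ---'
[pscustomobject]@{
    AMServiceEnabled          = $status.AMServiceEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    AMRunningMode             = $status.AMRunningMode      # 'Normal' expected; 'Passive Mode' means another AV owns detection
    SignatureAgeDays          = $status.AntivirusSignatureAge
    IsTamperProtected         = $status.IsTamperProtected
} | Format-List

# Step 5: would an exclusion silently skip the test folder, the file type, or the Office process?
'--- Exclusions touching the test ---'
$pref.ExclusionPath | Where-Object { $_ -and ($TestDir -like "$_*") } |
    ForEach-Object { "Path exclusion covers test dir: $_" }
$pref.ExclusionExtension | Where-Object { $_ -and ($_.TrimStart('.') -in @('doc','docm','pdf','txt')) } |
    ForEach-Object { "Extension excluded: $_" }
$pref.ExclusionProcess | Where-Object { $_ -match 'winword|acrord|acrobat' } |
    ForEach-Object { "Process exclusion: $_" }

# Scanning options that decide whether content inside documents and macros is examined.
'--- Scan settings (all should be False) ---'
[pscustomobject]@{
    DisableScriptScanning     = $pref.DisableScriptScanning      # scripts, including VBA at run time
    DisableBehaviorMonitoring = $pref.DisableBehaviorMonitoring  # catches what the macro does once it runs
    DisableArchiveScanning    = $pref.DisableArchiveScanning     # OOXML documents are ZIP containers
    DisableIOAVProtection     = $pref.DisableIOAVProtection      # scans downloaded files on open
} | Format-List

# Explicit on-demand scan of the test folder, then list what Defender recorded in the last day.
Start-MpScan -ScanType CustomScan -ScanPath $TestDir
'--- Detections in the last 24 hours ---'
Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -gt (Get-Date).AddDays(-1) } |
    Select-Object InitialDetectionTime, ThreatID, ProcessName,
                  @{ n = 'Resources'; e = { $_.Resources -join '; ' } } |
    Format-Table -AutoSize
```

If the detection list stays empty after the custom scan while the engine is in 'Normal' mode with no matching exclusion, the thread's explanation applies: the file's payload is only produced when the macro runs, so behaviour monitoring at run time is what records the threat.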

Hi,

Thanks a lot for the reply. Sorry again to disturb you. Our client tested with the malicious file below but again MS Defender didn't find the threat.
https://blog.didierstevens.com/2015/08/28/test-file-pdf-with-embedded-doc-dropping-eicar/
My understanding is that the tested file below is also the same as a macro file, and enabling the setting for macros should enable detection for the file below.
The PDF file contains JavaScript that extracts and opens the DOC file (with user approval). The DOC file contains a VBA script that executes upon opening of the file, and writes the EICAR test file to a temporary file in the %TEMP% folder. This is the same as macro code execution, and the finding we provided from the Microsoft website is applicable for the same files.

Regards,
Alagumuthu