Environment
- Carbon Black Cloud Console: All Versions
- Carbon Black Cloud Sensor: All Supported Versions
Question
Why are eicar files allowed to download and execute?
Answer
- As documented in the articles "Carbon Black Cloud: Malware allowed to propagate to other devices" and "Endpoint Standard: Why was a file drop for Known Malware not blocked?", the sensor does not block the download (file drop) of a malicious file; it blocks its execution.
- However, an EICAR file must be opened by a known script host (e.g. python.exe, cmd.exe, powershell.exe, excel.exe, etc.) in order for execution to be blocked. If the EICAR file is opened by Notepad or MS Paint, it is not interpreted as a script or executed as such, so there is no execution to block.
- EICAR files are designed for the Windows OS, so they are not suitable for testing on other operating systems.
Additional Notes
A script host or command interpreter is an executable that reads code from another file and executes it.
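The following PowerShell harness is an added example, not part of this article or of the Carbon Black product: it separates the three cases described above (file drop, read by a non-script host, execution by a script host) so each can be matched against what appears in the console. It assumes a Windows test host with the sensor installed; the test directory name is a placeholder.

```powershell
# Added example (not from the KB article). Exercises the three cases the article
# describes so the sensor's behaviour can be checked against console events.
# Assumes a Windows test host with the Carbon Black Cloud sensor installed.
$TestDir = Join-Path $env:TEMP 'cbc-eicar-test'   # placeholder location
New-Item -ItemType Directory -Path $TestDir -Force | Out-Null
$BatPath = Join-Path $TestDir 'eicar.bat'

# EICAR test string (public, 68-byte ASCII standard test file content).
$Eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# Stage 1: file drop. Per the article this is not blocked; the file should land on disk.
[System.IO.File]::WriteAllText($BatPath, $Eicar, [System.Text.Encoding]::ASCII)
"Stage 1 (drop):    file present = $(Test-Path $BatPath)"

# Stage 2: read by a non-script host. notepad.exe only displays the bytes and is not
# a command interpreter, so no execution is attempted and none is expected to be blocked.
$np = Start-Process notepad.exe -ArgumentList $BatPath -PassThru
Start-Sleep -Seconds 3
if (-not $np.HasExited) { Stop-Process -Id $np.Id -Force }
"Stage 2 (notepad): file opened and closed, no execution attempted"

# Stage 3: execution by a known script host (cmd.exe). This is the case the sensor
# is designed to block. Without a sensor, cmd.exe just reports the EICAR string as an
# unrecognised command; with the sensor, expect the process to be stopped and the
# corresponding event or alert to appear in the console.
$cmd = Start-Process cmd.exe -ArgumentList "/c `"$BatPath`"" -Wait -PassThru -NoNewWindow
"Stage 3 (cmd.exe): exit code = $($cmd.ExitCode), file still present = $(Test-Path $BatPath)"

# Cleanup (the sensor may already have quarantined the file).
Remove-Item -Path $TestDir -Recurse -Force -ErrorAction SilentlyContinue
```

Compare the Stage 3 result with the console rather than relying on the exit code alone, since both a sensor block and cmd.exe's own "command not recognised" error return a non-zero code.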