Hi, I was following the 'how to test' guide and did not get an immediate detection after downloading the eicar test file.
I scanned through the right-click menu and detection was then made. I also then ran a manual scan after deleting the document and this correctly picked up that the file had been removed and cleared the event in the GUI.
Did you run the SDU from within Central or locally from the endpoint? We're unable to find it on our system and the filename suggests that it may have been run locally.
I've run the SDU test and the name generated was RA MBP_20210111_161310_SDU.zip
To upload an SDU automatically, please:
Thanks so much.
Oops! And I thought I was being so clever... I had run it locally as you say.
I've run SDU from Central and the file name is de6151f6-9d26-84dc-dbd5-3c5ee56e83e8_2021-01-13-09-51-41.zip
Thanks Robin, we have received the SDU and it's proven quite useful.
We noticed that the scan extension (com.sophos.endpoint.scanextension) does not appear to be enabled, or does not have full-disk access permissions. The following articles should provide some assistance for this:
Can you try the steps mentioned to put the scan extension in the correct state and report back? Let us know if you have any difficulty or need some more information.
We also noticed some communication errors between the network extension and the web daemon. We can't be sure if they're a part of the issue, but we'll investigate further while you try out the permissions fix.
Hi, I have the exact same problem. The Eicar test files are not detected on download but are detected using the right-click scan with the endpoint tool. I followed the instructions in the two links above but still have the problem.
I ran SDU from Central and the file is fb42f1ab-2718-f431-781e-d406dd3194f8_2021-01-13-21-32-59.zip.
Hope this helps.
Thanks for the SDU, we'll get an engineer right on it.
The right-click scan uses a different mechanism. What happens if you try to open, or cat, the Eicar test file? Does that trigger a detection?
Hi, I clicked on the two zip files and they were unzipped. I launched the txt file in Text Editor too. No detections on any of those three. If I right click scan them, they are detected.
Hi Brian, I would expect that it would have been blocked from launching in Text Editor, as your SDU shows that the extensions are enabled and configured correctly. The last obvious thing to try would be a reboot, and I should have asked about it first, as this version does require a reboot after installation to hook the extensions properly.
I just tried rebooting, and the files were still not detected on launch. I reported some findings in a separate thread but never heard back: https://community.sophos.com/intercept-x-endpoint/big-sur-eap/f/discussions/124540/trying-to-confirm-endpoint-protection-on-2020-macbook-pro-with-intel-silicon