How does ATP 2.0 report finding EICAR in network traffic?
Article ID: 162916
Products
Symantec Products
Issue/Introduction
You seek to understand how Advanced Threat Protection (ATP) 2.0 detects and reports instances of the EICAR test string.
Resolution
In the events, ATP reports the presence of the eicar.com file as "Malicious traffic: 24461".
If a web server serves an instance of eicar.com via Hypertext Transfer Protocol (HTTP), the HTTP URL appears in the "External" column, whether that server is eicar.org, testatp.coe.org.uk, or some other site.
If a web server serves an instance of eicar.com via File Transfer Protocol (FTP), no URL appears in the "External" column.