AV for Windows Servers 9.0 on-access scan
I have a bit of an uncommon setup, in which FSAV scans e-mail traffic through on-access functionality.
The mailing program drops the whole message (.eml) and attachments to the disk and waits some time for FSAV to scan them. If the files get deleted or renamed (indicating that FSAV has performed a cleaning action) the e-mail is considered infected and is dropped.
This worked like a charm for more than a year, the OS is 2008R2.
Now, the mailing program reports "On access AV is not available", as on startup, it plants the EICAR test file for FSAV to delete. And now, this is not working anymore as FSAV completely ignores the test file.
No errors in Windows or FSAV logs.
Occasionally, FSAV catches a few adware/riskware applications, but this is it. But, weird enough, if I try to open a local copy of the mail on the server, FSAV detects the virus as it should.
What I was able to deduce is that if the file is written to disk via network share or via email server, the file is ignored by FSAV. But, as soon as I try to access this file, e.g. open or copy it, FSAV kicks in as it should.
I have tried to reinstall FSAV a couple of times, to no avail.
My guess is that FSAV is not checking the file at create, but later at read/access stage. Is there a way around this?
MJ-perComp Posts: 1,101 Superuser
Weird setup - but anyway: check in Policy Manager/Advanced Mode/Scan Network drives and scan inside archives.
EML is NOT an executable format, so why should OAS scan it by default? You might need to add it to the list of extensions.
Anything else that changed? What mail client is fetching the mail?
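The drop-and-wait check from the question, written so that it separates the two explanations raised in the thread: detection only when the file is opened rather than when it is written, and `.eml` missing from the scanned extensions. This is an added example, not code from either poster or from the product; the file name `oas-probe`, the `.com` comparison extension and the 10-second wait are assumptions.

```python
import os
import time

# EICAR test string, split in two so this script is not itself flagged on disk.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def read_file(path):
    """Open and read the file, the kind of access that triggered detection in the post."""
    with open(path, "rb") as fh:
        fh.read()


def vanished(path, timeout, poll=0.1):
    """True if the file is deleted or renamed away within `timeout` seconds."""
    deadline = time.monotonic() + timeout
    while os.path.exists(path):
        if time.monotonic() >= deadline:
            return False
        time.sleep(poll)
    return True


def probe(drop_dir, ext, timeout=10.0, access=read_file):
    """Return "on-write", "on-open" or "not-detected" for a test file with extension `ext`."""
    path = os.path.join(drop_dir, "oas-probe" + ext)  # hypothetical probe file name
    with open(path, "w") as fh:
        fh.write(EICAR)
    if vanished(path, timeout):
        return "on-write"  # scanner reacted to the file being created
    try:
        access(path)
    except OSError:
        return "on-open"  # scanner denied the read or removed the file first
    if vanished(path, timeout):
        return "on-open"  # scanner reacted only once the file was read
    os.remove(path)  # nothing reacted; clean up the probe file
    return "not-detected"


if __name__ == "__main__":
    import sys
    drop_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    for ext in (".com", ".eml"):  # executable-style extension vs. the mail extension
        print(ext, probe(drop_dir, ext))
```

Run it against the directory the mail program drops into: `on-open` for both extensions matches the behaviour described in the question, while `on-write` for `.com` but not for `.eml` points at the extension list mentioned in the reply.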