Eicar and F-Prot 6.4


Mele20
December 14th, 2006, 01:12 AM
Why do I have to click disinfect THREE TIMES before F-Prot will remove eicar? It doesn't matter if I wait up to one minute after clicking disinfect the first time...nothing happens. I click a second time and wait and nothing happens. Only after I click the third time and my screen jumps, blinks black for just a second does the eicar file finally disappear. I wouldn't know though from the F-Prot GUI that the file was removed as the GUI doesn't change ...even the close button looks just like it did the first two times I clicked on disinfect. So, I know it is deleted only because I see the file no longer in my downloaded programs folder.

At first, I clicked disinfect and thought it was gone and clicked close and got another screen with the warning about the eicar virus so I learned by trial and error that I have to click on disinfect three times in a row before F-Prot removes the virus and it doesn't matter how long I wait after I click disinfect the first time. I have waited over one minute and I still have to click disinfect three times before it disinfects! That is a bit odd. Plus there is NO indication on the F-Prot screen that disinfection has been successful. That too is a bit odd. And the Close button doesn't change...the only way I know I can close the window is because I don't see the eicar file any longer. The Help file (which shows eicar as example) says nothing about having to try three times EVERY TIME to get the scanner to disinfect/delete an eicar file. So, I suppose this is not normal behavior for F-Prot?

dw2108
December 16th, 2006, 12:20 AM
F-Prot AV doesn't do anything to the test file other than delete it, because there is nothing in the file but test code, and disinfection or repair would leave only a worthless 0 kb file.

Dave

Mele20
December 16th, 2006, 04:37 AM
This is apparently a bug in F-Prot. It doesn't have anything to do with the nature of eicar. The same thing would happen with a real virus. F-Prot, if set on ask before doing anything, gets hung when you click on disinfect. It takes three tries to get F-Prot to act. That is a bug and has been reproduced by support. I think support didn't post here about it but sent me a private message because Mike had asked that we not start any more F-Prot questions here. (Mine was already started when he made that request).

Inspector Clouseau
December 16th, 2006, 04:49 AM
{QUOTE-> I think support didn't post here about it but sent me a private message because Mike had asked that we not start anymore F-Prot questions here. (Mine was already started when he made that request). <-QUOTE}

I don't mind posting here as well. But it is much easier for us to keep track of questions and problems if they are posted in our support forum. That doesn't mean that you cannot ask questions about F-Prot here. The idea behind this support forum is not to move discussions about F-Prot away from here, but to coordinate it better with our support guys. There's no way that you can register and post in every other public forum where people might post questions if you don't have a support forum.

Inspector Clouseau
December 16th, 2006, 04:58 AM
{QUOTE-> Why do I have to click disinfect THREE TIMES before F-Prot will remove eicar? <-QUOTE}

OK, and now back to your question. The funny thing is there is not even a need to offer Disinfect as an option. That should be grayed out for EICAR. The reason is that the Eicar files ARE the FULL "VIRUS CODE" itself. There is nothing you could clean.


:0100 58 POP AX
:0101 35|4F|21 XOR AX,214F
:0104 50 PUSH AX
:0105 25|40|41 AND AX,4140
:0108 50 PUSH AX
:0109 5B POP BX ; BX contains 0140h

:010A 34|5C XOR AL,5C
:010C 50 PUSH AX
:010D 5A POP DX ; DX contains 011Ch Note: Textstring Address

:010E 58 POP AX
:010F 35|34|28 XOR AX,2834
:0112 50 PUSH AX
:0113 5E POP SI
:0114 29|37 SUB [BX],SI ; changes bytes at 140 & 141 into IRQ Call PrintString

:0116 43 INC BX
:0117 43 INC BX
:0118 29|37 SUB [BX],SI ; changes bytes at 142 & 143 into IRQ Call Exit

:011A 7D|24 JGE 0140 ; Jumps last two IRQ instructions

:011C 45 49 43 41 52 2D 53 54 41 EICAR-STA
:0125 4E 44 41 52 44 2D 41 4E 54 NDARD-ANT YOUR DATA STRING
:012E 49 56 49 52 55 53 2D 54 45 IVIRUS-TE which is displayed
:0137 53 54 2D 46 49 4C 45 21 24 ST-FILE!$ by EICAR.


:0140 CD|21 INT 21 ; DOS Function 9h: Display the string
:0142 CD|20 INT 20 ; Program Termination EXIT


Here we go

The two red lines are the important lines - they change the 'trash opcode' at the end of eicar into the 2 IRQ (Interrupt) commands.

:0114 29|37 SUB [BX],SI ; changes bytes at 140 & 141 into IRQ Call PrintString

and

:0118 29|37 SUB [BX],SI ; changes bytes at 142 & 143 into IRQ Call Exit

That is because the opcode of INT ( CD ) is a non-printable character.
And Eicar is supposed only to use PRINTABLE ASCII characters to allow a copy+paste functionality. That said: If you disassemble EICAR you will NOT see the last 2 INT opcodes.
However, INT 20 is not a common way to exit a DOS program, normally you should do this via function 41h and INT 21.

As you see there is NOTHING you could disinfect. And Eicar doesn't infect any other files, so you don't have to remove the eicar code from infected files. So offering "Disinfect" for a Standard Eicar Test File is WRONG. Or let's better say it is CONFUSING. This would result in a 0 byte file.
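To make the listing above concrete, here is an added example (not from the thread or from F-Prot) that replays the register arithmetic of the EICAR .COM file in Python: it shows that the two SUB [BX],SI instructions turn the trailing "H+H*" bytes into INT 21h / INT 20h at run time, and that every byte of the file on disk is printable ASCII. The assumption that the first POP AX reads a 0000h word is the standard DOS .COM start-up stack layout.

```python
# Emulation of the EICAR start-up sequence (added example, not the thread's code).
import struct

# The standard 68-byte EICAR test string, same bytes as the disassembly listing.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

ORG = 0x100  # .COM programs are loaded at offset 0100h


def is_printable_ascii(data: bytes) -> bool:
    """True if every byte is in the printable 7-bit ASCII range 20h..7Eh."""
    return all(0x20 <= b <= 0x7E for b in data)


def emulate_eicar(image: bytes = EICAR, initial_stack_word: int = 0x0000) -> dict:
    """Replay the instructions at 0100h..0118h on a copy of the image.

    Assumption: DOS pushes one word (0000h) before jumping to a .COM file,
    so the first POP AX reads 0000h. Returns the registers, the patched
    bytes at 0140h..0143h and the '$'-terminated string INT 21h would print.
    """
    mem = bytearray(image)
    stack = [initial_stack_word]
    ax = stack.pop()                                # 0100: POP AX
    ax ^= 0x214F                                    # 0101: XOR AX,214F
    stack.append(ax)                                # 0104: PUSH AX
    ax &= 0x4140                                    # 0105: AND AX,4140
    bx = ax                                         # 0108/0109: PUSH AX / POP BX -> 0140h
    ax = (ax & 0xFF00) | ((ax & 0xFF) ^ 0x5C)       # 010A: XOR AL,5C
    dx = ax                                         # 010C/010D: PUSH AX / POP DX -> 011Ch
    ax = stack.pop()                                # 010E: POP AX (the 214Fh pushed earlier)
    ax ^= 0x2834                                    # 010F: XOR AX,2834
    si = ax                                         # 0112/0113: PUSH AX / POP SI

    def sub_word_at(addr: int) -> None:
        """SUB word ptr [addr],SI with 16-bit wrap-around, little-endian."""
        off = addr - ORG
        (word,) = struct.unpack_from("<H", mem, off)
        struct.pack_into("<H", mem, off, (word - si) & 0xFFFF)

    sub_word_at(bx)                                 # 0114: SUB [BX],SI -> CD 21 at 0140h
    bx += 2                                         # 0116/0117: INC BX, INC BX
    sub_word_at(bx)                                 # 0118: SUB [BX],SI -> CD 20 at 0142h
    # 011A: JGE 0140 (011Ch + 24h) then runs INT 21h AH=09h, which prints
    # the '$'-terminated string at DS:DX, followed by INT 20h to exit.
    message = bytes(mem[dx - ORG:]).split(b"$", 1)[0]
    return {"bx": bx, "dx": dx, "si": si, "image": bytes(mem),
            "patched": bytes(mem[0x140 - ORG:0x144 - ORG]), "message": message}
```

The file on disk has no CD bytes, which is why a disassembler shows "H+H*" rather than the two INT instructions.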

dw2108
December 16th, 2006, 05:07 AM
So, Inspector, you are saying that attempting to disinfect the test file would lead to the null string, and not the string indicating a 0 kb text file. An interesting point!

Dave

Inspector Clouseau
December 16th, 2006, 05:29 AM
{QUOTE-> So, Inspector, you are saying that attempting to disinfect the test file would lead to the null string, and not the string indicating a 0 kb text file. An interesting point!

Dave <-QUOTE}

Usually if you attempt to disinfect a file with a parasitic virus infection and that fails, you then have to offer the delete. (And it is supposed to fail, because cleaning it to a 0 byte file is nonsense and, as I said earlier, eicar is not able to infect other files since it is only a harmless static non-malicious "virus code".)