EICAR Test File Test!! Is Your Antivirus Web Protection Any Good??


ultragunnerdcl
November 20th, 2007, 05:27 AM
Test your Anti-Virus web protection by trying to download the following files. ;D

The EICAR file is a standardized test file for signature-based virus detection software. It can be used to verify the correct operation of antivirus software.
See below for more details.
http://www.eicar.org/anti_virus_test_file.htm

None of these files is a virus, but they appear to be viruses, so your Anti-Virus should stop the downloads.

If you can download any of these files, then your Anti-Virus is NOT effective! Just delete any downloaded file and empty the Recycle Bin.

http://www.eicar.org/download/eicar.com = Test 1

http://www.eicar.org/download/eicar.com.txt = Test 2

http://www.eicar.org/download/eicar_com.zip = Test 3

http://www.eicar.org/download/eicarcom2.zip = Test 4

Your Antivirus should pass all these tests in order to be totally effective!!! :thumb:

Note:
REALTIME PROTECTION & ON-DEMAND SCANNING ARE TWO DIFFERENT THINGS. THE ANTIVIRUS YOU HAVE MAY HAVE GREAT DETECTION RATES, BUT ITS REALTIME PROTECTION MAY BE LACKING.

ALL ANTIVIRUS SHOULD BE SET AT MAX SETTINGS FOR THIS TEST TO COMPLETE.
It should be set to scan all archives at maximum settings.
Note:
Disable any download manager!

fce
November 20th, 2007, 05:38 AM
I hear 4 pigs sound ;)

FRug
November 20th, 2007, 05:41 AM
Why oh why does that rubbish "test" raise its ugly head again and again and again... Someone else please explain; I already did, at least 10 times, why it doesn't make any sense...

AMRX
November 20th, 2007, 05:43 AM
If the realtime detection fails to detect the standard EICAR string inside the ZIP files then there is no need to worry. Please do not make people panic. The realtime scanner should pick it up as soon as the ZIP file is unzipped.

ultragunnerdcl
November 20th, 2007, 05:52 AM
If it says virus, it is a fake file. EICAR files are harmless; see the official website for an explanation.

dmenace
November 20th, 2007, 05:52 AM
Oh my gosh! Why are you posting this now? The EICAR test file is from 1997, 10 years old. ::) ::) ::)

SteveBlanchard
November 20th, 2007, 06:02 AM
Like these tests.
NOD32 blocked all.
AVIRA let the text test through and allowed the Zip files to be saved and extracted before saving, just like Kaspersky.

ultragunnerdcl
November 20th, 2007, 06:04 AM
Kaspersky settings must be set at max settings & to scan all archives. ;D Kaspersky passed on my computer!!

fce
November 20th, 2007, 06:50 AM
{QUOTE-> Like these tests.
NOD32 blocked all.
AVIRA let the text test through and allowed the Zip files to be saved and extracted before saving, just like Kaspersky. <-QUOTE}


Change your Kaspersky Web AV to max, then try again.

Mele20
November 20th, 2007, 07:00 AM
Avira doesn't alert on the text one. I just get the string... as text in a new tab. Ho hum... Proxo is protecting me. Avira doesn't get a chance on that one. :D

starter15
November 20th, 2007, 07:37 AM
KIS7 stopped all at recommended settings! ESS allows zip file to be downloaded but alerts you when you try to extract.

De Hollander
November 20th, 2007, 07:45 AM
With the four tests, when I click OK, a download prompt comes for tests 1, 3 and 4, but saving is not possible because there is no file to download. :) With test 2, I get the X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* display.

ultragunnerdcl
November 20th, 2007, 09:24 AM
Good, my NOD32 v3.0.566.0 passed all 4 tests, with web protection at max settings.
Test 1 = passed
Test 2 = passed
Test 3 = passed
Test 4 = passed
At default settings it passed only 1 test and failed 3.

Awesome, my KIS v7.0.125.0 passed all 4 tests at only the recommended/default settings (Web Antivirus).

Test 1 = passed
Test 2 = passed
Test 3 = passed
Test 4 = passed

By the way, has anybody tested this against NOD32 v2.7?
If NOD32 v2.7 failed these tests, it could mean that version 3.0.566.0 is better than it!!!!!

ultragunnerdcl
November 20th, 2007, 09:43 AM
Damn it,
My Avira Premium trial only passed one test with the web guard at max settings (scan archives enabled, scan all files).

Test 1 = Passed
Test 2 = Failed
Test 3 = Failed
Test 4 = Failed

Guess Avira Web Antivirus is lacking!!!

Diver
November 20th, 2007, 09:45 AM
It's just to test if your AV is working at all.

ultragunnerdcl
November 20th, 2007, 11:34 AM
{QUOTE-> If the realtime detection fails to detect the standard EICAR string inside the ZIP files then there is no need to worry. Please do not make people panic. The realtime scanner should pick it up as soon as the ZIP file is unzipped. <-QUOTE}
You must understand that realtime protection consists of file & web antivirus. It is common to all antivirus, so even if its file antivirus is good, it also means the following:
it proves one thing, its web antivirus is lacking & inefficient, even if its file antivirus detects it after extraction.

Here: Differences
Web Antivirus = Online Scanning
File Antivirus = Offline Scanning

yeow
November 20th, 2007, 12:04 PM
{QUOTE-> Damn it,
My Avira Premium Trial only passed one test at web guard at max settings(scan archives enabled) (Scan all files)

Test 1= Passed
Test 2=Failed
Test 3= Failed
Test 4= Failed

Guess Avira Web Antivirus is lacking!!! <-QUOTE}Avira Premium does NOT have a "web guard", no??

Anyway, I think the EICAR test is just a check on your realtime (e.g. if you're unsure if it's on or off), and a check on your settings (at WHICH point EICAR is detected). Don't be so excited over it.

De Hollander
November 20th, 2007, 12:07 PM
Btw, the results I reported were with the Personal Edition Premium, not the suite.

ultragunnerdcl
November 20th, 2007, 12:09 PM
{QUOTE-> Avira premium does NOT have "web guard", no??

Anyway, i think eicar test is just a check on your realtime (e.g. if u're unsure if it's on or off), and a check on your settings (at WHICH point is eicar detected). Dun be so excited over it. <-QUOTE}

Actually it has a web antivirus, by the way; I'm using Avira Premium.
By the way, I maxed out the Avira settings for the test, see above; the others also say it failed the test. :'(

yeow
November 20th, 2007, 12:15 PM
{QUOTE-> Btw, the results I reported were with the Personal Edition Premium, not the suite. <-QUOTE}Yes, I believe you enabled "Scan archives" for the guard, while ultragunnerdcl did not.

ultragunnerdcl
November 20th, 2007, 12:17 PM
Actually, to tell the truth, I did enable the scan archives & scan all files options. Like I said, maximum settings. ;D

yeow
November 20th, 2007, 12:28 PM
I have Avira Premium too; if I enable "scan archives" for the guard I get the same results as De Hollander.

As for "web guard", please see http://www.avira.com/en/products/personal.html

ultragunnerdcl
November 20th, 2007, 12:29 PM
BitDefender Antivirus 2008 ;D

Also did great :thumb:

Test 1 = passed
Test 2 = passed
Test 3 = passed
Test 4 = passed
At only default settings, same as Kaspersky!!!!!!!!!!!! ;D

Graystoke
November 20th, 2007, 12:39 PM
I'm giving BitDefender IS 2008 a test run, and it blocked all four EICAR files when I go to the site using IE 7. With Firefox, which is my default browser, there is no warning when I click on the eicar.txt file test. This happens with all AVs I've tried when I go to the EICAR site using Firefox. Must be something to do with Firefox.

ultragunnerdcl
November 20th, 2007, 12:54 PM
Actually, when I was using Opera & IE, it blocked it, but Firefox didn't; that is kind of strange???

Sjoeii
November 20th, 2007, 01:48 PM
I think this test is about 100 years old. Most AVs have problems with the online string indeed.

HURST
November 20th, 2007, 02:05 PM
{QUOTE-> By the way, has anybody tested this against NOD32 v2.7?
If NOD32 v2.7 failed these tests, it could mean that version 3.0.566.0 is better than it!!!!! <-QUOTE}

See this thread; I used Blackspear's settings.
http://www.wilderssecurity.com/showthread.php?t=191248

C.S.J
November 20th, 2007, 02:06 PM
Dr.Web gets 3/4.

But I too can't believe EICAR has been posted to test!! :)

risl
November 20th, 2007, 03:25 PM
This is not an "if your antivirus detects this and that, it is good" type of test; it is there just for people to check if their virus protection is running or not.

ultragunnerdcl
November 20th, 2007, 05:03 PM
I wonder if there is a test file that tests the antivirus heuristics & packer/cryptor detection as well?????? EICAR only tests the AV's signature-based detection. ::)

Tarq57
November 20th, 2007, 07:37 PM
{QUOTE-> Oh my gosh! Why are you posting this now the eicar test file is from 1997 - 10 years old <-QUOTE}
{QUOTE-> I think this test is about a 100 years old. <-QUOTE}
Methinks so too, it has been around for a long time. Still, lots of folk trying it out. ::)
So I did, too. (Again. :-[ )
Avast, default settings, WebShield on, prevented all pages from loading, just as it's supposed to. 8)
WebShield paused: alert on 1; no alert on 2 unless it was renamed to an .exe and run, or saved and manually scanned as a text file; alert on 3 and 4 when unzipping them, double unzipping in the case of 4.
Nothing has changed.

JohnnyBravo
November 20th, 2007, 08:02 PM
{QUOTE-> Damn it,
My Avira Premium Trial only passed one test at web guard at max settings(scan archives enabled) (Scan all files)

Test 1= Passed
Test 2=Failed
Test 3= Failed
Test 4= Failed

Guess Avira Web Antivirus is lacking!!! <-QUOTE}
You should check your settings.
I got access denied 4 times.

Thug21
November 20th, 2007, 08:51 PM
The suite with its webguard will pass the 2nd test.

ultragunnerdcl
November 21st, 2007, 01:21 AM
{QUOTE-> You should check your settings.
I got access denied 4 times. <-QUOTE}

You are correct. I went to the official Avira forum & they taught me how.
Avira passed the test on the highest settings. ;D

FRug
November 21st, 2007, 01:49 AM
Even if your AV does not detect the three packed files, you are protected just the same. Why? Archives are not dangerous until their contents are unpacked, which is when the on-access component of your favourite AV will detect the infection anyway, before it can execute. This is deactivated (or at least severely limited) by default in most AVs, since with too aggressive/thorough settings it can completely grind your system to a halt whenever you try to view a folder containing archives with Explorer (especially SFXes).

So, after all, I am restating this since no one did:
This so-called test does NOT in any way indicate whether you are protected or not, only whether your AV is scanning archives on-access (or can be configured to do so).

Don't make any claims or choices about the quality of a product based on something as nonsensical as this, please :)
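
The four downloads from the first post, rebuilt locally and run through a toy scanner whose archive recursion limit stands in for the "scan archives" setting FRug describes. This is an added example written for this thread, not code from eicar.org or from any AV vendor: the file names mirror the OP's links, the contents are constructed in memory (nothing is written to disk), and `MAX_MEMBER_SIZE` is an assumed cap so that a nested archive cannot be used as a decompression bomb against the scanner.

```python
"""Rebuild the eicar.org test downloads in memory and scan them with a toy
signature scanner at different archive recursion limits (added example)."""
import io
import zipfile

# The 68-character test string, assembled from pieces so that this source
# file itself does not begin with the string (and so is not "the test file").
EICAR = (
    r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!"
    "$H+H*"
).encode("ascii")

MAX_MEMBER_SIZE = 1 << 20  # assumed 1 MiB cap per member: refuse to inflate bombs


def make_zip(member_name: str, data: bytes) -> bytes:
    """Return a single-member ZIP archive as bytes, built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


def build_tests() -> dict:
    """Constructed stand-ins for Test 1..4 of the first post, keyed by file name."""
    eicar_zip = make_zip("eicar.com", EICAR)                     # Test 3
    return {
        "eicar.com": EICAR,                                      # Test 1: plain .com
        "eicar.com.txt": EICAR,                                  # Test 2: same bytes, .txt name
        "eicar_com.zip": eicar_zip,                              # Test 3: one level of ZIP
        "eicarcom2.zip": make_zip("eicar_com.zip", eicar_zip),   # Test 4: ZIP inside ZIP
    }


def scan(data: bytes, max_depth: int, depth: int = 0):
    """Return the archive depth at which the test string is found, or None.

    Depth 0: the file itself begins with the string. Depth 1: found inside a
    ZIP member. Depth 2: inside a ZIP inside a ZIP, and so on. Recursion stops
    at max_depth, which models an AV's archive scanning limit. Only the
    leading 68 bytes are matched here; the size and trailing-whitespace rules
    that define the real test file are not enforced by this toy.
    """
    if data.startswith(EICAR):
        return depth
    if depth >= max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_MEMBER_SIZE:
                continue  # skip oversized members instead of inflating them
            hit = scan(zf.read(info), max_depth, depth + 1)
            if hit is not None:
                return hit
    return None


def run(max_depth: int) -> dict:
    """Scan all four constructed tests at the given recursion limit."""
    return {name: scan(blob, max_depth) for name, blob in build_tests().items()}


if __name__ == "__main__":
    for limit in (0, 1, 2):
        print(f"archive recursion limit {limit}: {run(limit)}")
```

With the limit at 0 only Test 1 and Test 2 are found; at 1, Test 3 joins them; Test 4 needs a limit of at least 2. That is the whole difference between "default" and "max" archive settings that the pass/fail tallies in this thread are measuring, and it says nothing about what the scanner would do with a real sample.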

EASTER
November 21st, 2007, 01:53 AM
Although EICAR has long been somewhat useful in testing AVs, has anyone ever considered that the field is ripe for another virus testing app aside from just EICAR, which has been around since Windows 98 days?

Does anyone share this interest with me?

I'm really quite surprised that not even an AV vendor has produced their own AV tester, with perhaps a bit more evasive code, in order to better benchmark AVs than EICAR.

yeow
November 21st, 2007, 02:14 AM
{QUOTE-> Don't make any claims or choices about the quality of a product based on something as nonsensical as this, please :) <-QUOTE}
:thumb: :thumb: :thumb:

Mele20
November 21st, 2007, 02:42 AM
{QUOTE->
So, after all I am restating this since noone did:
This so called test does NOT in any way indicate whether you are protected or not, only whether your AV is scanning archives on-access (or can be configured to do so).

Don't make any claims or choices about the quality of a product based on something as nonsensical as this, please :) <-QUOTE}

I used to think like you do. But not anymore. Why? Because I got tired of having to take the time to use WinRAR and unpack and THEN have my AV alert. The AV should alert on right-click scan before you do anything like unpacking, or alert in WinRAR (if you set your AV to work with WinRAR) before you unpack. I never use an AV at default settings. Those are always weak. I have Avira set for Guard to scan archives to a maximum recursion depth of 10 (Luke FileWalker to a depth of 50). I've never had any problems with Explorer slowing down. If I could not set Avira in this way, I wouldn't use it. It is one reason I left NOD32. I should not have to spend extra time unpacking because my AV is too weak to perform properly.

Mele20
November 21st, 2007, 02:52 AM
{QUOTE-> Although EICAR has long been somewhat useful in testing AVs, has anyone ever considered that the field is ripe for another virus testing app aside from just EICAR, which has been around since Windows 98 days?

Does anyone share this interest with me?

I'm really quite surprised that not even an AV vendor has produced their own AV tester, with perhaps a bit more evasive code, in order to better benchmark AVs than EICAR. <-QUOTE}

Eicar was created by CARO (Computer AntiVirus Researcher's Organization) and published by Eicar. According to Eicar when the new page was published last December: "The content of this documentation (title-only) was adapted 1 September 2006 to add verification of the activity of anti-malware or anti-spyware products. It was decided not to change the file itself for backward-compatibility reasons." You'd need to ask CARO to create a new file and obviously they chose not to do so in 2006 so I doubt they would want to a year later.

solcroft
November 21st, 2007, 06:42 AM
{QUOTE-> I used to think like you do. But not anymore. Why? Because I got tired of having to take the time to use WinRAR and unpack and THEN have my AV alert. The AV should alert on right click scan before you do anything like unpacking or alert in WinRAR (if you set your AV to work with WinRAR) before you unpack. <-QUOTE}
Why? How does this improve your security? How does failing to do so increase your risk to malware?

{QUOTE-> I should not have to spend extra time unpacking because my AV is too weak to perform properly. <-QUOTE}
Looks like you're still confusing archive formats with packer formats.

Mele20
November 21st, 2007, 07:44 AM
No, it is semantics. I know exactly what I am talking about. Unpacking, unraveling, taking apart, etc. are all the same. What matters is my time. I should not have to take the time to open, unpack, unravel, etc. a zipped/RARed file just to find later that it is infected. The AV should tell me before I bother to do anything with it... then I won't have bothered for nothing.

solcroft
November 21st, 2007, 07:59 AM
{QUOTE-> What matters is my time. <-QUOTE}
Either you're running on a 486 if unzipping time is that big a deal to you, or you're just another random person with strange idiosyncrasies, but you're still wrong either way. Avira decompresses archive files to C:\Documents and Settings\[insert user name here]\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP before it can scan the files. So you're not saving any time here, since Avira decompresses them anyway. In fact, you're WASTING time since you have to decompress all clean files twice. But I love how misguided people like to act based on subconscious assumptions.

At any rate, I'm glad Avira has the option to turn off real-time archive scanning, or I'd have to look for another AV for my mom's 256MB Celeron laptop.

{QUOTE-> then I won't have bothered for nothing. <-QUOTE}
Why live? You'll just die in the end anyway.

Macstorm
November 21st, 2007, 01:45 PM
{QUOTE-> Actually it has a web antivirus by the way, Im using Avira premium by the way. <-QUOTE}
I admire your enthusiasm but no, AntiVir PE Premium does not have 'web antivirus' ;)

Go for the Premium Security Suite if you want 'web scan' module.

19monty64
November 21st, 2007, 01:51 PM
Solcroft, I think Mele is saying that she dropped Nod for what Avira can do.

Tweakie
November 21st, 2007, 07:24 PM
Looks like the OP didn't even read the instructions written on the page he mentioned. Besides the remarks by FRug, which are absolutely correct, it should be noted that test 2 (the .txt file) does not make any sense.

When in a text file, the EICAR test string is... just a string. When in a .com file, it is an executable (that just writes a string). Detecting the text file is absolutely useless and irrelevant.

ultragunnerdcl
November 22nd, 2007, 05:20 AM
{QUOTE-> I admire your enthusiasm but no, AntiVir PE Premium does not have 'web antivirus' ;)

Go for the Premium Security Suite if you want 'web scan' module. <-QUOTE}

Thanks for the advice.

Avira passed the test now. I went to the official Avira forum & they taught me how to set it up: scan all archives & scan all files (max settings).
Avira passed the test on the highest settings.

plantextract
November 22nd, 2007, 06:31 AM
{QUOTE->
I'm really quite surprised that not even an AV vendor is produced there own fashioned AV tester with perhaps a bit more evasive code in order to better benchmark AV's then EICAR. <-QUOTE}
Kaspersky has a few files to test their emulator (they shouldn't have malicious content): http://tav.kaspersky.fr/test/emul.zip

Mele20
November 22nd, 2007, 07:44 AM
{QUOTE-> Looks like the OP didn't even read the instructions written on the page he mentioned. Besides the remarks by FRug, which are absolutely correct, it should be noted that test 2 (the .txt file) does not make any sense.

When in a text file, the EICAR test string is... just a string. When in a .com file, it is an executable (that just writes a string). Detecting the text file is absolutely useless and irrelevant. <-QUOTE}

IE detects it, and the majority of users still use IE, and it is the average/newbie user that the EICAR test is aimed at mostly anyway. Avira on IE alerts twice on all four... I don't know why it alerts twice. In Opera, if you copy the address of the txt file download and put that in Opera's address bar, then Avira alerts, but it doesn't if you just click on the file on the download page, and Fx never alerts... it streams the text, so there is nothing to alert on.

I thought this was interesting that only 16 of 30 AV vendors can detect eicar embedded in a rich text file which means that someone could embed an already detected nasty in a rich text file and one-half of the scanners would not detect it. Avira detects it. :)

http://vil.nai.com/images/Blog-%20RTF%20Malware4.JPG

Can I post this? It is not from Jotti or Virustotal rather it is from a Symantec blog. I'll post it and we'll see what happens.

Dark Star 72
November 22nd, 2007, 07:53 AM
{QUOTE-> Kaspersky has a few files to test their emulator (they shouldn't have malicious content): http://tav.kaspersky.fr/test/emul.zip <-QUOTE}
Just clicked on that link expecting to open a link to a test at the Kaspersky site, and NOD32 v3.0.563.0 promptly stopped the test file and quarantined it. ESET has identified it as 'Probably unknown NewHeur_PE virus' and asked me to submit a sample. Done. At least I know my anti-virus is working!
Ian

Mele20
November 22nd, 2007, 08:00 AM
{QUOTE-> Kaspersky has a few files to test their emulator (they shouldn't have malicious content): http://tav.kaspersky.fr/test/emul.zip <-QUOTE}

That's just Eicar.

JimGoo
November 22nd, 2007, 08:48 AM
{QUOTE-> Kaspersky has a few files to test their emulator (they shouldn't have malicious content): http://tav.kaspersky.fr/test/emul.zip <-QUOTE}

NOD32 3.0.556 caught this one immediately: stopped the .zip file download after sending the file to quarantine.

BlueZannetti
November 22nd, 2007, 10:04 AM
{QUOTE-> Can I post this? It is not from Jotti or Virustotal rather it is from a Symantec blog. I'll post it and we'll see what happens. <-QUOTE}Posting of Jotti and/or VirusTotal screenshots was prohibited when product fans/advocates/bashers started to use them as supposedly "objective" measures of intrinsic product performance, neglecting, of course, that they constituted a very fluid dynamic snapshot in time which was often outdated within minutes to hours of the posting, often provided no definitive checks and balances to validate the specific file as an actual threat (versus a non-functional piece of digital flotsam), did not definitively mimic the performance of all products installed on a standalone Windows-based PC, and yielded escalating and completely unproductive image flamewars. I hope everyone understands that if this thread goes down that road, it will be closed and/or pulled offline. For now, I'll leave the image as is, although please be cognizant of a few facts: The original mention and screenshot come from the McAfee Avert Labs Blog. See Rich Text Malware (http://www.avertlabs.com/research/blog/index.php/2007/05/25/rich-text-malware/) for the original source. The specific image shown is not due to Symantec. It also dates from May 2007. Read the original analysis to understand the scope of the comments made.
Be aware what any Eicar test results do and do not tell you about a product, as well as other interdependencies
The purpose of this text fragment is to provide facile feedback as to whether a product is working or not at a very basic level. This thread is already heading in directions that are really beyond the designed scope of this tool
Blue

ggf31416
November 22nd, 2007, 10:09 AM
{QUOTE-> Wonder if there is a test file that test the antivirus Heurtics & packer/cryptor
detection as well?????? EICAR only test the AV signature based detection.::) <-QUOTE}

That would be almost useless, as all AVs would add signature detection against it some hours after it's released.

C.S.J
November 22nd, 2007, 11:19 AM
I'm surprised IBK doesn't do a packer test; he must own them all :)

maybe in the future or as one of those side-tests that he sometimes likes to do

You never know :)

Tweakie
November 22nd, 2007, 03:13 PM
{QUOTE->
I thought this was interesting that only 16 of 30 AV vendors can detect eicar embedded in a rich text file which means that someone could embed an already detected nasty in a rich text file and one-half of the scanners would not detect it. Avira detects it. :)
<-QUOTE}

This is nothing new, I remember reading this technique (embedded OLE objects) in an "underground" forum a couple of years ago.

The following is taken from a message sent by Vesselin Bontchev to ntbugtraq in 2003 (ESATF stands for Eicar Standard Antivirus Test File). My conclusion: either AVERT or Vesselin Bontchev must be wrong, and I don't think it's Bontchev.


(1) The above 68 characters *MUST* be at the beginning of the file. If they
aren't there, it's not the ESATF - it's that simple. Any anti-virus product
that detects as "the ESATF" something which is not it is wrong. For
instance, any product that detects it in this message is wrong. This
message, despite that it contains these 68 characters, is not the ESATF,
since they are not at its very beginning. Keep that in mind when examining
the various examples you gave. Had you paid attention to this requirement
in the first place, you wouldn't have bothered writing half of your paper.

(2) The only characters that can follow the above 68 characters are SPACE,
TAB, CR, LF, and EOF (Ctrl-Z). The total size of the file MUST NOT exceed
128 bytes. Any file that does not match this condition simply isn't "the
ESATF".

> Every AV should react when facing ESATF. It's a now well known industry-
> standard test file and all credible running AV must "detect" it. Actually,
> it should behave "as if" ESATF was a virus: appropriate warning message
> (some display something like "File infected with EICAR-Test-File" but
> they ought to be less stressful; ESATF isn't a virus and AVs shouldn't
> frighten novices) locking access to the file, putting in quarantine,

Don't know about the other products, but ours (F-PROT) even *disinfects* it
as a virus. It treats it as a simple overwriting COM infector. Keep that in
mind - it is important when addressing some other of your points.

> Okay, some will say "Hey dude, ESATF is not designed to test and stress
> AVs algorithms, but to check if AVs are working...". I know that, but

Precisely. It's not even designed to test their virus detection abilities
and MUST NOT be used for such purposes. The ability of an anti-virus
product to detect the ESATF is completely unrelated to its ability to
detect other viruses. Just because a product detects the ESATF does not
necessarily mean that it also detects viruses and how well. It only tells
us that the product is active and working.

This is another important point, because in your experiments you have used
the ESATF (and various modifications of it) for such purposes as to test
the abilities of the heuristics to detect new variants, to discover
(unsuccessfully) what detection techniques are used, etc. This is WRONG and
MISLEADING. The ESATF is simply NOT SUITABLE for such purposes. And test
results obtained in this aspect are wrong, misleading, incompetent.

Mele20
November 22nd, 2007, 05:42 PM
That is very interesting and I vaguely recall reading something like that in the past.

I agree it is highly unlikely (actually almost impossible) that Bontchev would be wrong about something like this. At the same time, though, Symantec is no slouch either when it comes to AV experts. I'd love to see the two debate this.

i_g
November 22nd, 2007, 05:50 PM
They are not contradictory - so what's the problem? ;)

Tweakie
November 22nd, 2007, 06:15 PM
Not contradictory? You must be kidding...

VirusTotal uses the "on demand" component of various antiviruses.
After scanning its "embedded Eicar" with VirusTotal, the AVERT guy concluded his post with "In layman’s terms, one could take an already detected malware and embed it inside a rich text file and half the antivirus software on the market would not detect this type of threat."
In the WordPad document, the 68 bytes that constitute the ESATF are not at the beginning of the file.


End of the demonstration (no need to mention that the size of the file exceeds 128 bytes, that it contains many characters that differ from SPACE, TAB, CR, LF, and EOF, and that the 68 bytes of the ESATF cannot be directly found inside it, eh?).

GrailVanGogh
November 22nd, 2007, 06:22 PM
{QUOTE-> Just clicked on that link expecting to open a link to a test at the Kaspersky site and NOD32 v3.0.563.0 promptly stopped the test file and quarantined it. Eset has identified it as 'Probably unknown NewHeur_PE virus' and asked me to submit a sample. Done. At least I know my anti virus is working!
Ian <-QUOTE}

AVG free stopped that file cold also in Firefox.

Nice to see it is doing its job also.

ggf31416
November 22nd, 2007, 06:38 PM
Probably some antiviruses intentionally don't detect a modified EICAR test file.

From http://www.allbusiness.com/technology/computer-software/967064-1.html

{QUOTE-> EXPLOITATION OF THE EICAR TEST FILE

The EICAR test file is a good tool for auditing anti-virus software but can also be used for malicious purposes. Ideally, the EICAR test file detection should not be able to be faked for malicious purposes. Unfortunately, at least one new worm, called BWG.A, exploits the EICAR test file to avoid proper detection by anti-virus software.

If malicious code can masquerade as the EICAR test file, some users may ignore such a detection, assuming that the file is "safe." If the old 68-byte EICAR test file is detected, the only way to truly validate the nature of the file is to visually inspect the code. If anything other than the 68 bytes exist, the file is in question and may be malicious in nature.

BWG.A is a new worm that was discovered in the wild on April 29, 2002. It is a batch file worm that attempts to masquerade as a legitimate EICAR test file. BWG.A is 3999 bytes and distributes itself via e-mail and instant messaging with a .bat file attachment. It attempts to masquerade as the EICAR test file by prepending the EICAR test file to the batch file. By prepending, the test file was originally misdetected by antivirus software as the EICAR test file.

Batch, HTML, and script-based file types can all employ a similar BWG.A type exploitation of the EICAR test file. For example, in HTML, the EICAR test file can be injected with scripts into the header of an HTML document. The injected code does not adversely impact the functionality of the malicious HTML file. Similarly, mIRC is a popular instant messaging program that references a script file (script.ini) upon startup. Malicious code and faked EICAR test string data can be inserted prior to the [script] tag within script.ini.

The concept of the EICAR test file was reportedly discussed by the elusive CARO group several years ago and was rejected as dangerous because of the multiple entry points available for malicious purposes. That is, there is no way to ensure that any such string value or program can be considered safe.

Because of such vulnerabilities and the BWG.A worm, the EICAR Institute has updated standards for the EICAR test file. Changes to the standard were widely adopted on May 1, 2003. The standards for the EICAR test file are now as follows:
[image: the 68-character EICAR test string]

* The above 68 characters can be prepended with any combination of white space characters not to exceed 128 characters. White space characters include the space character, tab, LF, CR, and CTRL-Z.

The string itself has not been changed, but the definition of the EICAR test file has been modified. This minor modification will help anti-virus programs properly distinguish between the EICAR test file and malicious code attempting to masquerade as the EICAR test file. <-QUOTE}
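
A strict check for the test file by the three rules in the Bontchev message quoted above (the 68 characters must open the file, only SPACE, TAB, CR, LF and Ctrl-Z may follow, and the whole file is at most 128 bytes), exercised against look-alikes built in the spirit of the prepending trick the quoted article describes. This is an added example written for this thread, not code from any vendor, CARO or EICAR; every sample is constructed inline, and none of them is BWG.A or any other real file.

```python
"""Strict EICAR Standard Anti-Virus Test File (ESATF) check and a few
constructed look-alikes that a loose "contains the string" match would
confuse with it (added example)."""

# Assembled from pieces so this source file does not itself begin with the string.
EICAR = (
    r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!"
    "$H+H*"
).encode("ascii")

ALLOWED_TAIL = frozenset(b" \t\r\n\x1a")  # SPACE, TAB, CR, LF, Ctrl-Z (EOF)
MAX_FILE_LEN = 128


def is_esatf(data: bytes) -> bool:
    """True only if data is the test file by the strict definition:
    starts with the 68 characters, at most 128 bytes, whitespace-only tail."""
    if len(data) > MAX_FILE_LEN or not data.startswith(EICAR):
        return False
    return all(byte in ALLOWED_TAIL for byte in data[len(EICAR):])


def classify(data: bytes) -> str:
    """'eicar' for the genuine test file; 'lookalike' when the 68 characters
    are present but the rules are broken (a scanner that reports 'eicar' here
    is what the prepending trick relies on); 'other' when the string is absent."""
    if is_esatf(data):
        return "eicar"
    if EICAR in data:
        return "lookalike"
    return "other"


# Constructed samples for this example; none is a real file from any source.
SAMPLES = {
    "plain": EICAR,
    "crlf_tail": EICAR + b"\r\n",
    "ctrlz_tail": EICAR + b"\x1a" + b" " * 10,
    # one byte over the 128-byte limit, tail otherwise legal
    "too_long": EICAR + b" " * (MAX_FILE_LEN - len(EICAR) + 1),
    # the prepending trick: test string first, then a (harmless) batch payload
    "prepended_bat": EICAR + b"\r\n@echo off\r\necho constructed sample\r\n",
    # string buried inside another document, i.e. not at offset 0
    "embedded": b"{\\rtf1 " + EICAR + b"}",
    "benign": b"just a text file",
}


def classify_all() -> dict:
    """Verdict for every constructed sample, keyed by sample name."""
    return {name: classify(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:14s} -> {verdict}")
```

Only the first three samples are the test file. The oversized one, the batch file with the string prepended, and the string buried in another document all come back as look-alikes, which is the point of the article's advice to inspect the bytes when "EICAR" is reported: a detection name alone does not tell you whether the 68 characters are the whole file or merely the front of something else.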

i_g
November 22nd, 2007, 06:40 PM
Of course I don't consider the embedded Eicar detectable directly ;)

Embedding Eicar into RTF is just packing it into an archive. So, if the antivirus supports unpacking this particular type of archive, it detects the embedded file. If it doesn't, Eicar is not detected; there's nothing mysterious about it.

LoneWolf
November 22nd, 2007, 07:12 PM
AE is not an AV, but it still stopped this test dead in its tracks. ;D

Terror_Eyez
November 22nd, 2007, 07:12 PM
Personally, I think the EICAR test file is dumb, especially because the only way to "test" this file is based on how AVs work, where they only test each file against the signatures, and if the file happens to be a match, then the file is deemed a virus and the appropriate action is taken. The thing that sucks is that some AVs don't even detect something as simple as this test virus! If your AV isn't even detecting a test virus, then how could you trust it to detect real viruses (or at least most of the real viruses)? That's what turned me off AVs; they just seemed to be doing half the job. It's like, either your AV happens to detect the file, or it doesn't, whereas using something like Sandboxie, you can download and/or execute the file as many times as you wish, because in the end you know the file is going to be gone, since it's trapped inside a sandbox the whole time, and when you delete that sandbox, it's gone for good. ;)

ultragunnerdcl
November 23rd, 2007, 12:50 PM
By the way, to all members: please use Opera or Internet Explorer for this test. Most AVs have difficulty with Firefox. ;D

C.S.J
November 23rd, 2007, 04:09 PM
Eh, Firefox is fine.

Tarq57
November 23rd, 2007, 07:42 PM
Firefox/Avast/Eicar (and now Kaspersky test) fine here, also.

Thug21
November 23rd, 2007, 08:06 PM
{QUOTE-> Eh, Firefox is fine. <-QUOTE}

The following was posted by NiteHawk on the Avira forum. He explained why Avira's (non web) guard won't pass the 2nd test if Firefox is used.

"There are some - e.g. Firefox - that do not store the eicar.com.txt page into the disk cache, but instead 'stream' it directly from the internet. Since no disk operation is involved in this case, the guard can't get active"

lucas1985
November 23rd, 2007, 10:24 PM
{QUOTE-> Embedding Eicar into RTF is just packing it into an archive. So, if the antivirus supports unpacking this particular type of archive, it detects the embedded file. <-QUOTE}
I guess it's related to file parsing, not unpacking. Proper file parsing is as important as good unpacking.

ggf31416
November 23rd, 2007, 11:29 PM
If the browser is able to display the string in the second test then the antivirus actually failed even if it was detected in the cache. If it were an actual exploit it is likely that the browser will execute it anyway.

i_g
November 24th, 2007, 07:05 AM
{QUOTE-> I guess it's related to file parsing, not unpacking. Proper file parsing is as important as good unpacking. <-QUOTE}
That's just terminology - I consider "parsing" and "unpacking" to be mostly the same thing in this context (i.e. when I say that the antivirus "unpacks" something, it doesn't mean the file really has to be compressed - most usual compressed formats such as ZIP or RAR have an option to "store" the files only anyway). So yes, you can call it parsing, extraction...

Mele20
November 24th, 2007, 07:27 AM
{QUOTE-> The following was posted by NiteHawk on the Avira forum. He explained why Avira's (non web) guard won't pass the 2nd test if Firefox is used.

"There are some - e.g. Firefox - that do not store the eicar.com.txt page into the disk cache, but instead 'stream' it directly from the internet. Since no disk operation is involved in this case, the guard can't get active" <-QUOTE}

It has nothing to do with Fx. All browsers using Avira will display the text string. Actually, I don't know if Safari will...I just got it yesterday...Let me see...Yep, it also displays the string.

Thug21
November 24th, 2007, 12:40 PM
I mean it won't warn about the string (it doesn't for me). Neither did avast without the webguard or avg.
Do you get a guard popup with the text string in Firefox?

Graystoke
November 24th, 2007, 03:51 PM
When I click on the .txt using Firefox, the page with the string opens, but there is no pop up warning from my AV. When using IE, there is a pop up warning. I've tried it with every AV/suite I've used, including Avira, NOD, KAV, and now Bitdefender, and always the same results. I'm going to check over at the Mozilla forum, and see what I can find out.

ultragunnerdcl
November 24th, 2007, 04:30 PM
{QUOTE-> When I click on the .txt using Firefox, the page with the string opens, but there is no pop up warning from my AV. When using IE, there is a pop up warning. I've tried it with every AV/suite I've used, including Avira, NOD, KAV, and now Bitdefender, and always the same results. I'm going to check over at the Mozilla forum, and see what I can find out. <-QUOTE}

Same thing happened to me too. I totally agree with you on that.

ronjor
November 24th, 2007, 07:53 PM
One post removed. No links to possible malware allowed on these forums.

C.S.J
November 25th, 2007, 05:32 PM
F-Secure wipes 4/4 automatically, with no user intervention.

risl
November 25th, 2007, 05:50 PM
got rid of the doc? ;D

C.S.J
November 25th, 2007, 05:56 PM
{QUOTE-> got rid of the doc? ;D <-QUOTE}
yes, for the time being.

they are failing to answer my questions at the moment, and I'm feeling blue :)

might as well give one of my other licences a whirl

... for the time being ;)

risl
November 25th, 2007, 06:01 PM
I haven't got any replies about the few suspicious files I have sent to them. This could also be some spam filter/etc. problem.. though I get the "suspicious file submitted [id #blah]" message :-[

EASTER
November 25th, 2007, 06:06 PM
{QUOTE-> AE is not an AV but it still stopped this test dead in its tracks. ;D <-QUOTE}

Excellent report with that result lonewolf, thanks. I also use AE and find it as aggressive as any malware, definitely a big boy with a big stick to boot.

snapdragin
November 25th, 2007, 09:32 PM
Off topic post removed.

And another off topic post removed. If people have a personal question for someone, please use the PM feature and refrain from making off topic posts. Thanks.

Ghostcloak
November 28th, 2007, 10:47 PM
Nod32 v3 passed all 4 tests. ;D

ChrisBUK
November 29th, 2007, 11:51 AM
Kaspersky detected the test files the second that I clicked to download them. It allowed me to block all 4 files before they were even downloaded.

This is something that is lacking with Avira AntiVir, both classic and premium - they do not have a web scanner.
When I tested those files with Avira I was able to download all of them, and it only detected 2 of the 4 files even when right clicking and scanning.

Mele20
November 30th, 2007, 01:37 AM
For Avira to detect the zipped ones, you have to set the Guard to do that. It is not the default setting. On default setting, Avira will detect those two upon unzipping and attempting to execute. Avira will detect those before you can even download them. You just have to configure Guard correctly.

As for Avira lacking a webscanner, the Suite has a webscanner. I am beta testing version 8 and the webscanner, just like all other AV webscanners I have tried, crippled my computer. I had to uninstall that module just to be able to use the computer. Those scanners are totally redundant and unnecessary. <Snip>My internet speed was cut by MORE than ONE-HALF by Avira's webscanner. No point in paying for expensive broadband if your AV cripples your enjoyment of the internet. Guard will catch everything including the zipped eicars if set up properly so why endure extremely slow internet speed in order to have the webscanner catch the same thing Guard will catch without slowing you down?

Macstorm
November 30th, 2007, 01:58 AM
Mele20, I used to think like you do..

KAV's web-av module is sooo transparent that I can hardly tell that it's there.

Pity that you hate Kaspersky :wacko: (yeah i know your reasons)

vukeidorian
December 2nd, 2007, 07:10 PM
Avast! kills all 4 guy!! lol

berng
December 3rd, 2007, 07:44 AM
{QUOTE-> Even if your AV does not detect the three packed files you are protected just the same. Why? Archives are not dangerous until their contents are unpacked, which is when the on-access component of your favourite AV will detect the infection anyway, before it can execute. This is deactivated (or at least severely limited) by default in most AVs since with too aggressive/thorough settings it can completely grind your system to a halt whenever you try to view a folder containing archives with explorer (especially SFXes).

So, after all I am restating this since no one did:
This so called test does NOT in any way indicate whether you are protected or not, only whether your AV is scanning archives on-access (or can be configured to do so).

Don't make any claims or choices about the quality of a product based on something as nonsensical as this, please :) <-QUOTE}

This test is really useful. It will tell you if your AV product is set up correctly (is it really scanning?) and the action taken for different file types when detected. It's a good way to verify your settings are what you want them to be, so when an actual virus arrives you're not surprised.

Most of this is obvious to users of this forum. Other users, who will benefit from these tests, probably don't know about them. It may be a good idea for all the AV makers to suggest in their documentation (in very simple, well explained terms) that users try out the EICAR site after installation. Something like "try this and you will see what will happen if you get a real virus."

It's a matter of personal preference if you want archives scanned when downloaded. Some users want to catch viruses at download and others at extract time. The default for Avira is not to scan archives at download time. They will be caught when extracted.

You run your tests, you discover the defaults and then it's up to you to change the behavior.
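
The posts above (the signature-matching description at the top of this page, the "parsing vs. unpacking" exchange, and the point that the packed tests only measure whether archives are scanned on-access) can be made concrete with a toy scanner. The code below is an added example, not code from this thread or from any antivirus vendor: it runs one signature (the public EICAR test string from eicar.org) over in-memory stand-ins for the four downloads, with archive unpacking switchable so the difference between "raw bytes only" and "scan inside ZIPs" shows up directly. The function names, the 1 MiB member cap and the sample files are constructed for this example.

```python
"""Toy signature scanner that mirrors the four EICAR download tests.

Added example, not code from the thread or from any antivirus vendor.
The EICAR string is the public test string from eicar.org; everything
else (function names, the 1 MiB member cap, the sample files) is
constructed here for illustration.
"""
import io
import zipfile

# The 68-byte EICAR test string. It is assembled from two literals so that
# this source file itself does not trip a real-time scanner while it is
# being edited or saved; Python joins adjacent literals at compile time.
EICAR_TEST_STRING = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)

# A one-entry "signature database": detection name -> byte pattern.
SIGNATURES = {"EICAR-Test-File": EICAR_TEST_STRING}

# Cap on the uncompressed size of any archive member we are willing to
# inflate, so a hostile archive cannot make the scanner exhaust memory.
MAX_MEMBER_SIZE = 1024 * 1024  # assumed limit for this example


def scan_bytes(data, path="<memory>", scan_archives=True, max_depth=2, _depth=0):
    """Return a list of (path, detection_name) hits found in `data`.

    `scan_archives=False` models an on-access guard whose archive scanning
    is switched off: it only matches the raw bytes it is handed.
    `max_depth` bounds how many nested archive levels get unpacked.
    """
    hits = []
    # Plain signature match: what a signature-based engine does to a file
    # that needs no unpacking (tests 1 and 2).
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            hits.append((path, name))

    # Archive handling: only if enabled and we have not recursed too deep.
    if scan_archives and _depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_SIZE:
                    continue  # skip directories and oversized members
                member = zf.read(info)
                hits.extend(
                    scan_bytes(member, f"{path}/{info.filename}",
                               scan_archives, max_depth, _depth + 1)
                )
    return hits


def _zip_of(filename, content):
    """Build an in-memory, deflate-compressed ZIP holding one file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(filename, content)
    return buf.getvalue()


def build_samples():
    """Construct in-memory stand-ins for the four eicar.org downloads."""
    eicar_com = EICAR_TEST_STRING
    eicar_com_zip = _zip_of("eicar.com", eicar_com)
    return {
        "eicar.com": eicar_com,          # test 1: raw file
        "eicar.com.txt": eicar_com,      # test 2: same bytes, .txt name
        "eicar_com.zip": eicar_com_zip,  # test 3: one ZIP level
        "eicarcom2.zip": _zip_of("eicar_com.zip", eicar_com_zip),  # test 4: ZIP in ZIP
    }


def run_tests(scan_archives=True, max_depth=2):
    """Map each sample name to True/False: did the scanner flag it?"""
    return {
        name: bool(scan_bytes(data, name, scan_archives, max_depth))
        for name, data in build_samples().items()
    }


if __name__ == "__main__":
    for label, kwargs in (("archives on", {}),
                          ("archives off", {"scan_archives": False}),
                          ("one level only", {"max_depth": 1})):
        print(label, run_tests(**kwargs))
```

With archive scanning on, all four samples are flagged; with it off, only the two raw files are, which is exactly the "default settings fail tests 3 and 4" outcome reported in the thread. Limiting `max_depth` to 1 catches `eicar_com.zip` but not the nested `eicarcom2.zip`, showing why a scanner's recursion depth is a separate setting from whether archives are scanned at all.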

C.S.J
December 3rd, 2007, 08:27 PM
on the other hand....

should AVs really detect this, because it's NOT malware or a threat.

FP-ALERT! :shifty:

AshG
December 3rd, 2007, 08:36 PM
{QUOTE-> on the other hand....

should AVs really detect this, because it's NOT malware or a threat.

FP-ALERT! :shifty: <-QUOTE}

Agreed. It just seems kind of hokey to have a test file that everyone knows is just a test file. It defeats the purpose.

berng
December 3rd, 2007, 09:08 PM
{QUOTE-> Agreed. It just seems kind of hokey to have a test file that everyone knows is just a test file. It defeats the purpose. <-QUOTE}
The purpose is as I stated above, so it is useful.

Kees1958
December 4th, 2007, 02:45 AM
Hi,

Eicar test is to the AV industry the same as a "ping" command for a network administrator, so what is the fuss about?

Avast free has a Web module so it kicks in at that moment. Avast standard shields check at reads/executes/writes. Antivir free only checks at reads and writes (on the gaming PC of my son it is only configured to check at writes). Does Avast's 4x checking in practice perform better than Antivir's check at write only? No, it only means that the virus is detected at an earlier stage. Looking at IBK's detection rates the paid Antivir seems to perform better (on detection rates) than the free Avast. I have no idea whether the free Antivir still detects more than the free Avast because it lacks the antispyware component.

Regards K

Big Apple
December 4th, 2007, 11:48 AM
{QUOTE-> on the other hand....

should AVs really detect this, because it's NOT malware or a threat.

FP-ALERT! :shifty: <-QUOTE}

Sure it should, that's what it is made for.......come on now! I can tell you this much.....if I ever test an AV program and it is not able to tackle the Eicar stuff.........I sure as hell won't use that AV program. It is the minimum that should be detected.

yeow
December 4th, 2007, 10:49 PM
{QUOTE-> This test is really useful. It will tell you if your AV product is set up correctly (is it really scanning?) and the action taken for different file types when detected. It's a good way to verify your settings are what you want them to be, so when an actual virus arrives you're not surprised.

Most of this is obvious to users of this forum. Other users, who will benefit from these tests, probably don't know about them. It may be a good idea for all the AV makers to suggest in their documentation (in very simple, well explained terms) that users try out the EICAR site after installation. Something like "try this and you will see what will happen if you get a real virus."

It's a matter of personal preference if you want archives scanned when downloaded. Some users want to catch viruses at download and others at extract time. The default for Avira is not to scan archives at download time. They will be caught when extracted.

You run your tests, you discover the defaults and then it's up to you to change the behavior. <-QUOTE}

{QUOTE-> Even if your AV does not detect the three packed files you are protected just the same. Why? Archives are not dangerous until their contents are unpacked, which is when the on-access component of your favourite AV will detect the infection anyway, before it can execute. This is deactivated (or at least severely limited) by default in most AVs since with too aggressive/thorough settings it can completely grind your system to a halt whenever you try to view a folder containing archives with explorer (especially SFXes).

So, after all I am restating this since no one did:
This so called test does NOT in any way indicate whether you are protected or not, only whether your AV is scanning archives on-access (or can be configured to do so).

Don't make any claims or choices about the quality of a product based on something as nonsensical as this, please <-QUOTE}

I think the 2 above posts best summarize what the eicar test IS and ISN'T about.