Which AVs pass all the Eicar antivirus tests except for eicar.com.txt?


Sling Shot
July 19th, 2004, 05:26 AM
I just tested McAfee version 8.0, and it passed the eicar.com test, but it did not catch the zipped or double zipped. I was able to download both of the zip files, and then I was able to save them. When both of the zipped files were unzipped, they were detected.

What AV scanners will pass all the Eicar tests? Does the text detection really matter?

mieksio
July 19th, 2004, 06:07 AM
etrust 6.2

kloshar
July 19th, 2004, 06:22 AM
F-secure for Workstations 5.41

^Ale
July 19th, 2004, 06:36 AM
BitDefender St. Ed. v. 7.2

Infinity
July 19th, 2004, 06:44 AM
gdata pro 14

RejZoR
July 19th, 2004, 06:48 AM
Honestly it needs to pass only EICAR.COM
I already explained many times regarding compressed (archived) versions of EICAR. The same applies to real viruses.

Sling Shot
July 19th, 2004, 07:19 AM
{QUOTE-> Honestly it needs to pass only EICAR.COM
I already explained many times regarding compressed (archived) versions of EICAR. The same applies to real viruses. <-QUOTE}

Why would Eicar suggest that good scanners would detect the single zipped, and that the better ones would even detect the double zipped?

RejZoR
July 19th, 2004, 08:08 AM
Because scanning archives in real-time is a waste of CPU time and memory.
Files inside archives are in benign form anyway (a very similar state to quarantined files), and when you access them directly inside the archive or extract them, they will be extracted to the selected location or into the TEMP folder and then scanned by the On-Access (Realtime) part of the antivirus. Packers (UPX, ASPack, ASProtect...) are totally different stuff and shouldn't be confused with classic archives (ZIP, RAR, ACE, CAB...).

se7engreen
July 19th, 2004, 02:51 PM
Hey RejZoR-
I agree with you that it's a waste of resources to scan inside of typical archived files. But what about self-extracting archives? Is there any danger in those?

RejZoR
July 19th, 2004, 03:16 PM
It's the same. SFX (SelF eXtract) archives are the same thing, because compression does the same thing as quarantine. The extract part just replaces some external utility like WinRAR or WinZIP. In the end its purpose is the same, extracting the files. And again, they are scanned when they are extracted/executed.

se7engreen
July 19th, 2004, 03:37 PM
Thanks, that makes so much sense that it should've been obvious. I can be a little slow on Mondays though... :)

Mannaggia
July 19th, 2004, 05:39 PM
Panda Platinum 7 and Trend Micro Antivirus pass all the Eicar tests.

liang_mike
July 19th, 2004, 07:24 PM
{QUOTE-> Honestly it needs to pass only EICAR.COM
I already explained many times regarding compressed (archived) versions of EICAR. The same applies to real viruses. <-QUOTE}

Yup, I agree with you.

rerun2
July 19th, 2004, 07:38 PM
I agree with RejZoR's comment on the relevancy of detecting the compressed samples of eicar.

Being quite a popular AV test nowadays, isn't it possible that an AV vendor can just add a signature for these compressed samples anyway, thus nullifying the result of whether it really has the ability to scan through multiple zipped files?

It seems most AVs have zip/rar support now anyways.

To me the eicar test seems to be best used for troubleshooting and seeing if your AV is working, not a test on its scanning ability etc.

Mele20
July 19th, 2004, 08:51 PM
KAV 4.5 personal passes all tests. KAV 5.0 personal does not. 4.5 is much superior AV and it is a shame it is considered an archived AV because I'd like to purchase it but I don't want to purchase an "old" version. I don't agree that right click detection after downloading but before unzipping is a waste of resources. It is a waste of my time to have to unzip in order to find a virus! I have a fast new box with plenty of RAM and it is by no means a waste of resources! I would not consider it a waste of resources on my older W98SE box either. I want it found on right click. NOD32 makes you unzip also and I don't like that and that is one reason I decided to trial KAV and then learned 5.0 is lousy but 4.5 is outstanding. Further, I do not want to risk sending a virus to someone because I forward a zipped file that I downloaded and haven't yet unzipped and so don't know is infected.

VikingStorm
July 19th, 2004, 09:25 PM
{QUOTE-> I agree with RejZoR's comment on the relevancy of detecting the compressed samples of eicar.

Being quite a popular AV test nowadays, isn't it possible that an AV vendor can just add a signature for these compressed samples anyway, thus nullifying the result of whether it really has the ability to scan through multiple zipped files?

It seems most AVs have zip/rar support now anyways.

To me the eicar test seems to be best used for troubleshooting and seeing if your AV is working, not a test on its scanning ability etc. <-QUOTE}
And most AVs actually will detect those samples if they are tweaked to do so. (For instance, in this case, McAfee has archive scanning off by default)

bigc73542
July 19th, 2004, 09:41 PM
Command antivirus also passes the eicar tests.

ronjor
July 19th, 2004, 09:43 PM
F-Prot as well.

Graystoke
July 19th, 2004, 09:48 PM
{QUOTE-> Further, I do not want to risk sending a virus to someone because I forward a zipped file that I downloaded and haven't yet unzipped and so don't know is infected. <-QUOTE}


I totally 100% agree.

Stan999
July 19th, 2004, 10:31 PM
{QUOTE-> I want it found on right click. NOD32 makes you unzip also and I don't like that ...
<-QUOTE}

Huh!

Right click on eicar_com.zip works for me without unzipping.

---
Scan performed at: 7/19/2004 21:25:23 PM
Scanning Log
NOD32 version 1.817 (20040719) NT
Command line: C:\3COM\eicar_com.zip
Operating memory - is OK

date: 19.7.2004 time: 21:25:28
Scanned disks, directories and files: C:\3COM\eicar_com.zip
C:\3COM\eicar_com.zip »ZIP »eicar.com - Eicar test file
number of files scanned: 1
number of viruses found: 1
time of completion: 21:25:28 total scanning time: 0 sec (00:00:00)
----

Also eicarcom2.zip.

----
Scan performed at: 7/19/2004 21:37:17 PM
Scanning Log
NOD32 version 1.817 (20040719) NT
Command line: D:\Documents and Settings\Administrator\My Documents\eicarcom2.zip
Operating memory - is OK

date: 19.7.2004 time: 21:37:22
Scanned disks, directories and files: D:\Documents and Settings\Administrator\My Documents\eicarcom2.zip
D:\Documents and Settings\Administrator\My Documents\eicarcom2.zip »ZIP »eicar_com.zip »ZIP »eicar.com - Eicar test file
number of files scanned: 1
number of viruses found: 1
time of completion: 21:37:22 total scanning time: 0 sec (00:00:00)

---
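As an added illustration (not from any post in this thread), here is a small Python scanner that shows why the configured archive-scanning depth decides which of the three eicar.org downloads get flagged, reporting hits in the nested-path notation of Stan999's NOD32 log above. The three samples are constructed in memory; the EICAR string is the public 68-byte test pattern, and the 10 MB member limit is an assumed zip-bomb guard.

```python
import io
import zipfile

# Public 68-byte EICAR test pattern (a harmless test file, not malware); a real
# scanner matches its own signature for it, here we simply match the raw bytes.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

MAX_MEMBER_BYTES = 10_000_000  # assumed limit: refuse to inflate huge members (zip-bomb guard)


def _zip_of(member_name, payload):
    """Build an in-memory, deflated zip holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def build_samples():
    """Constructed stand-ins for the three eicar.org downloads discussed in the thread."""
    single = _zip_of("eicar.com", EICAR)        # eicar_com.zip
    double = _zip_of("eicar_com.zip", single)    # eicarcom2.zip
    return {"eicar.com": EICAR, "eicar_com.zip": single, "eicarcom2.zip": double}


def scan(name, data, max_depth, depth=0):
    """Return detections as NOD32-style nested paths (file »ZIP »member ...).

    max_depth=0 models archive scanning switched off (McAfee's default per the
    thread): only the raw bytes are checked. max_depth=1 opens one archive level,
    max_depth=2 also opens an archive found inside an archive.
    """
    if EICAR in data:
        return [f"{name} - Eicar test file"]
    if depth >= max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.infolist():
            if member.file_size > MAX_MEMBER_BYTES:
                continue  # skip rather than inflate a suspiciously large member
            inner = zf.read(member)
            hits += scan(f"{name} »ZIP »{member.filename}", inner, max_depth, depth + 1)
    return hits


def scan_all(max_depth):
    """Scan the three samples at one archive depth; returns {sample: [detections]}."""
    return {n: scan(n, d, max_depth) for n, d in build_samples().items()}


if __name__ == "__main__":
    for depth in (0, 1, 2):
        print(f"archive depth {depth}: {scan_all(depth)}")
```

With depth 0 only eicar.com is flagged, depth 1 adds eicar_com.zip, and depth 2 is needed for eicarcom2.zip; a scanner whose default is 0 reports both zips clean even though the payload is there.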

ronjor
July 19th, 2004, 10:39 PM
NOD works for me in this manner also. Right click scan.

F-Prot will detect this file at www.eicar.org when you try to download it.
Even the double zipped version.

I imagine the new version of NOD will do likewise.

Pigman
July 19th, 2004, 11:34 PM
NOD32 detects eicar.com when I try to download it.

Rita
July 20th, 2004, 07:22 PM
{QUOTE-> I just tested McAfee version 8.0, and it passed the eicar.com test, but it did not catch the zipped or double zipped. I was able to download both of the zip files, and then I was able to save them. When both of the zipped files were unzipped, they were detected.

What AV scanners will pass all the Eicar tests? Does the text detection really matter? <-QUOTE}
hello sling shot
my norton av passed all the tests
Rita

flyrfan111
July 20th, 2004, 07:45 PM
{QUOTE-> Why would Eicar suggest that good scanners would detect the single zipped, and that the better ones would even detect the double zipped? <-QUOTE}
EICAR is merely suggesting that an AV should detect what is zipped or double zipped. I don't believe they are suggesting that AVs like NOD are inferior because they don't detect it as it is being downloaded; in fact they suggest that AFTER the file is downloaded you should run your chosen scanner on the file. As for the text file, if you read their instructions it is not for testing your AV; it is for people that have trouble downloading the other versions for whatever reason, and you are supposed to rename the file to eicar.com (after downloading it), at which point your AV software should detect it. The AVs that detect the .txt version are, in my opinion, giving a false positive, as text displayed on a web page is harmless, as are text files. Basically it comes down to different schools of thought on virus detection: some feel it is a waste of resources to scan data as it is being downloaded and do it once the file is saved or as the file is being saved; others would rather not download an infected file in the first place. Just my two cents on the subject.

RejZoR
July 21st, 2004, 02:38 AM
Actually the concept is totally different. Here is an example of avast!'s inside-archive scanning settings.

On-Access -> Off by default (in Pro can be turned on and changed, in Home not)
On-Demand -> Off by default (can be enabled in Pro and Home)
Explorer Extension -> On by default for all possible archives in Pro and Home
Internet Mail -> On by default for both Pro and Home (it can only be changed in Pro)
Instant Messaging -> On by default for both (can only be turned off and changed in Pro)

This explains a lot about avast!'s multilayer defence. On-Access by itself doesn't scan archives due to the previously explained thing (my posts above in this thread), but on the other hand the Internet Mail and Instant Messaging providers scan inside compressed archives, so there is no chance that you could forward an infected attachment or send the archive via an Instant Messenger à la MSN Messenger or mIRC. Explorer Extension is set extra tight (scans all archives, all files without exception in thorough mode, which means it scans the entire file from beginning to end and without virus targeting), so you can check files fast and thoroughly.

MobileForces
July 21st, 2004, 04:47 AM
I was able to download all three test viruses to desktop with NAV 2003. Only when I scanned them for viruses afterwards on my desktop did I get any response from NAV. Is this the way it's supposed to work? I thought they should be caught while trying to download them? I don't really understand what eicar.com.txt is for; when I clicked on it at the website, NAV did nothing.

RejZoR
July 21st, 2004, 04:55 AM
Well, if your NAV didn't catch the *.COM version when you started to download it, then there's something really wrong with it. The others are not necessarily detected by other AVs. The *.TXT sample of EICAR is usually displayed directly in the browser (Opera/Mozilla). It's a benign file anyway, since TXT cannot harm anything.

kloshar
July 21st, 2004, 05:08 AM
What is this good for?

AMRX
July 21st, 2004, 05:09 AM
Dear flyrfan111, I agree with you regarding the EICAR text file. It's just for those who are unable to download that binary file. When we scan a file through the right-click context menu, chances are that the archive scanning is turned off. In that case the report might show that the file is clean though it might contain a virus. This creates a false sense of security. This holds true for any type of scan except On-Access scan. Also I want to point out that emails and p2p are not all of the exit points of a virus. That is why it is advisable to scan your whole system with max settings. I'm not saying AVs are inferior if they don't scan your archives by default. It's just that users should choose the AVs that suit them.

For example, an expert will feel comfortable even without an On-Access scanner, where a neophyte might need something that scans inside archives always, except On-Access scans. The point is not detecting viruses in archives; it shouldn't create a false sense of security. So users not familiar with viruses are advised to check their AV settings properly.

Some AVs detect viruses in data files where there shouldn't be any. This happens due to our paranoid settings. For example .TXT .MPG .JPG etc. shouldn't contain any viruses (except buffer overflow exploits if possible). This is annoying, but sometimes these paranoid settings help new users. DrWeb for example still thinks one of my .CPP files has a modified trojan. Bless you Igor.

MobileForces
July 21st, 2004, 03:55 PM
I was wrong, RejZoR. When I attempt to download the .com file while using IE, NAV does automatically catch it. But when I try to download it with Firefox (which was what I was doing) NAV won't catch it, and NAV lets me download the file to desktop. Very strange. So it's not NAV, but Firefox is the problem, as it appears. Anyone else have this problem with Firefox? Could I have FF configured in an unsafe way?

flyrfan111
July 21st, 2004, 04:15 PM
{QUOTE-> I was wrong, RejZoR. When I attempt to download the .com file while using IE, NAV does automatically catch it. But when I try to download it with Firefox (which was what I was doing) NAV won't catch it, and NAV lets me download the file to desktop. Very strange. So it's not NAV, but Firefox is the problem, as it appears. Anyone else have this problem with Firefox? Could I have FF configured in an unsafe way? <-QUOTE}

I have seen this happen as well, not sure why though. I think it is because of the download manager FF uses; I have duplicated this with NOD, Panda and KAV 5. But I am not real sure why it does this.

kloshar
July 21st, 2004, 04:33 PM
{QUOTE-> I was wrong, RejZoR. When I attempt to download the .com file while using IE, NAV does automatically catch it. But when I try to download it with Firefox (which was what I was doing) NAV won't catch it, and NAV lets me download the file to desktop. Very strange. So it's not NAV, but Firefox is the problem, as it appears. Anyone else have this problem with Firefox? Could I have FF configured in an unsafe way? <-QUOTE}

What is the problem? You can have a virus on the computer, but that does not mean you're infected. When you want to start the eicar.exe file, NAV will definitely catch it.

MobileForces
July 21st, 2004, 05:07 PM
Thanks for that response, Flyrfan111. I thought there may have been a problem with FF, but it sounds like you're right about the download manager. Seems a bit strange though.

Kloshar

It's not that there's a problem, for me anyway. Just that I was kinda worried I might have a new problem with my copy of Firefox, that's all.

RejZoR
July 22nd, 2004, 01:55 AM
Well, Firefox uses a strange file caching system that uses extensionless files.
I don't understand what's the point of this, but you can have viruses/trojans in there and you won't even know it, since most AVs don't scan extensionless files by default (unless you have set Scan all files). Opera and previous Firefoxes used normal files as they are downloaded from pages, with extensions. So if it was a *.com file it was cached as a *.com file. In Firefox, it's saved as a file without extension. Asked Mozilla devs, but never actually got any real info on why this is good.

ghj290
July 25th, 2004, 09:41 AM
Panda Titanium 2004 passes all tests, including the double zipped one.

profhsg
July 26th, 2004, 12:06 AM
NOD's new beta version, 2.000.11b, catches all eicar files, com, txt, zipped and 2zipped, on download, at least as long as a download manager is not used and its settings for the browser that's used are at "maximum efficiency." Don't know what would happen if a download manager, which must be set at "maximum compatibility," is used, or a browser set at "maximum compatibility" is used, because I haven't tried it under those circumstances. Perhaps someone else has.

RejZoR
July 26th, 2004, 09:48 AM
Well, avast! for example has been able to catch all EICAR files for a very long time if you want... It's nothing revolutionary with its implementation in NOD32...

Stan999
July 26th, 2004, 10:00 AM
{QUOTE-> Well, avast! for example has been able to catch all EICAR files for a very long time if you want... It's nothing revolutionary with its implementation in NOD32... <-QUOTE}

Well, the NOD beta's new HTTP scanner also includes their AH option which is of added benefit in my mind.