View Full Version : testers needed


stormbyte
December 7th, 2004, 08:12 PM
Hey guys,
I think I found something that could be called a very tiny security issue in IE :)
I need people with AV software installed to test it for me.
Go to: http://www.stormbyte.com/vtest/test.php
and report:
a. If your antivirus warned you about a new virus on your system
b. Your operating system, browser, and antivirus

Don't worry, there will be no viruses or spyware installed. I just found a way to trick some antiviruses into thinking that the computer is being infected by just visiting a web site.

Thanks!
Mariusz

Detox
December 7th, 2004, 08:23 PM
A - nope
B - Win2k, Firefox 0.9.1, NOD32

Just got a blank page there so if it's anything Proxo might have blocked - that might be the case as well.

stormbyte
December 7th, 2004, 08:25 PM
-{ Quote: "A - nope
B - Win2k, Firefox 0.9.1, NOD32

Just got a blank page there so if it's anything Proxo might have blocked - that might be the case as well." }-

Yeah. Firefox is safe. Try with IE :)

nadirah
December 7th, 2004, 08:27 PM
-{ Quote: "Yeah. Firefox is safe. Try with IE :)" }- I've got my own doubts about doing that. I used firefox, clicked on the link, and got a blank page with absolutely nothing happening at all.
I used IE, and also I get a blank page with nothing happening at all. I'm very secure here.

Detox
December 7th, 2004, 08:28 PM
Same result - IE 6.0 - also routing through Proxo. I'll try without.

Detox
December 7th, 2004, 08:29 PM
Same in IE without Proxo.

stormbyte
December 7th, 2004, 08:31 PM
-{ Quote: "Same result - IE 6.0 - also routing through Proxo. I'll try without." }-

Then NOD32 is not looking at it as a virus.
But when you scan cookies folder you should find "Eicar" virus.
Unless Nod does not scan txt's or you have cookies disabled.
Oh well. Thanks anyway.

nick s
December 7th, 2004, 08:33 PM
I get this in Proxo's (+ Opera) log window. Ran it with IE, no proxy, and F-Prot 3.16a and got just a blank window and no alert.

Nick

Detox
December 7th, 2004, 08:33 PM
I'll run a full scan now to see.

nadirah
December 7th, 2004, 08:41 PM
Just ran a full scan with all my security applications, nothing found at all. Clean. ;)

bigc73542
December 7th, 2004, 08:45 PM
-{ Quote: "Then NOD32 is not looking at it as a virus.
But when you scan cookies folder you should find "Eicar" virus.
Unless Nod does not scan txt's or you have cookies disabled.
Oh well. Thanks anyway." }-


Checked all of my cookies and found no eicar of any kind.

nick s
December 7th, 2004, 08:49 PM
F-Prot found this using a manual scan:

Nick

stormbyte
December 7th, 2004, 08:51 PM
-{ Quote: "Just ran a full scan with all my security applications, nothing found at all. Clean. ;)" }-

That is why I needed more people to test my idea :)
Basically, when you go to that page your browser will receive a cookie.
This cookie has the EICAR test virus string as its value. Some AVs, when they see this file being written to the hard drive, will inform you about that.
It will not work if you use Firefox, or have cookies disabled, or your AV is not scanning TCP packets, or txt/cookie files.
Like I said, this is not a big issue (or in your case it's not an issue), but I had to check it.
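
A defender-side check for the situation described in the post above, added here as an example and not part of any post in the thread: when an AV flags a file in the IE cookies folder, this parses the cookie file and reports which cookie carries the EICAR marker and which host set it. The nine-line record layout, the `.txt` extension filter, and the host `example.test` in the sample are assumptions of this example.

```python
import os
from urllib.parse import unquote

# Marker substring of the EICAR test string quoted in the thread. Matching on
# the marker alone keeps this script from being flagged by a scanner itself.
MARKER = "EICAR-STANDARD-ANTIVIRUS-TEST-FILE"

def parse_cookie_file(text):
    """Parse an IE text cookie file. Assumed layout per record: name, value,
    host/path, flags, four timestamp fields, then a '*' terminator line."""
    records, fields = [], []
    for line in text.splitlines():
        # Treat '*' as a terminator only after 8 fields, so a cookie whose
        # value is literally '*' is not mistaken for the end of a record.
        if line.strip() == "*" and len(fields) >= 8:
            name, value, host = fields[-8:-5]  # drops any truncated leftovers
            records.append({"name": name, "value": value, "host": host})
            fields = []
        else:
            fields.append(line)
    return records

def triage(text):
    """Return (cookie name, setting host) for cookies whose value holds the marker."""
    return [(r["name"], r["host"]) for r in parse_cookie_file(text)
            if MARKER in unquote(r["value"])]  # values may be percent-encoded

def scan_dir(path):
    """Map cookie file name -> triage hits for every .txt file in a cookies folder."""
    hits = {}
    for entry in os.scandir(path):
        if entry.is_file() and entry.name.lower().endswith(".txt"):
            with open(entry.path, encoding="latin-1") as fh:
                found = triage(fh.read())
            if found:
                hits[entry.name] = found
    return hits

# Constructed sample: one ordinary cookie and one carrying the marker.
SAMPLE = (
    "session\nabc123\nexample.test/\n1024\n0\n0\n0\n0\n*\n"
    "vtest\nxx-EICAR-STANDARD-ANTIVIRUS-TEST-FILE-xx\nexample.test/vtest/\n1024\n0\n0\n0\n0\n*\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A hit means the alert was raised on inert cookie data, and the host field shows which site to block cookies from.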

Detox
December 7th, 2004, 08:54 PM
Not sure exactly why but I got nothing in my scan either.

ronjor
December 7th, 2004, 08:54 PM
-{ Quote: "F-Prot found this using a manual scan:

Nick" }-

How did F-Prot do realtime? Or did you try that?

stormbyte
December 7th, 2004, 08:55 PM
-{ Quote: "F-Prot found this using a manual scan:

Nick" }-

So it works:)
Now I have a question. Do you guys think that this could be called a "security hole" in IE? I know that it's only a cookie, can't be executed and so on, but still it could cause problems for some people. (OMG! My computer is infected - for example)

Bubba
December 7th, 2004, 08:59 PM
Interesting....what does all that mean ?

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*0

nick s
December 7th, 2004, 09:00 PM
-{ Quote: "How did F-Prot do realtime? Or did you try that?" }-

Hi Ron,

RealTime did not catch it.

Nick

solarpowered candle
December 7th, 2004, 09:00 PM
(A) Yes

(B) XP IE KAV extendia single engine

I got a blank page with Firefox, as I did with IE. But with IE, Extendia alerted me instantly of access attempted with an infected file (EICAR test file).

Honyak
December 7th, 2004, 09:04 PM
Mariusz
I closed Firefox and opened the page with IE and ArcaVir 2005 immediately reported a virus.

stormbyte
December 7th, 2004, 09:05 PM
-{ Quote: "Interesting....what does all that mean ?

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*0" }-

Virus test file. I did not want to use a string from a real virus, so I had to use Eicar. You can read more about it here:
http://www.eicar.org/anti_virus_test_file.htm

stormbyte
December 7th, 2004, 09:06 PM
-{ Quote: "Mariusz
I closed Firefox and opened the page with IE and ArcaVir 2005 immediately reported a virus." }-

:) I know. I tested it first with mks_vir.
Question remains: should this be reported somewhere or not? ;)

Honyak
December 7th, 2004, 09:12 PM
-{ Quote: ":) I know. I tested it first with mks_vir.
Question remains: should this be reported somewhere or not? ;)" }-

It would seem to me that it warrants attention to try and prevent future exploitation.

bigbuck
December 7th, 2004, 10:28 PM
A. No virus reported.
B. opened in IE...XPSP2 Firewall.....Nav2003.....Cookies set to medium.....Nothing!....

nadirah
December 7th, 2004, 11:24 PM
You won't get any alert if you block stormbyte's cookies. The cookies will cause your antivirus to alert you if you allow them in.

Peter2150
December 8th, 2004, 12:24 AM
I got no alert on a) and a blank page on b) using IE 6.0

F-prot here also found the file on a manual scan. Not sure how totally valid this is. I have had F-Prot real time alert me on some cookies from some questionable sites, so I know it picks up real nasties.

bigbuck
December 8th, 2004, 01:27 AM
-{ Quote: "A. No virus reported.
B. opened in IE...XPSP2 Firewall.....Nav2003.....Cookies set to medium.....Nothing!...." }-
No real-time alert by NAV and then ran a full system scan coming up clean.
Would SP2 be offering any extra protection?
Buck.

Jimbob1989
December 8th, 2004, 03:36 AM
-{ Quote: "No real-time alert by NAV and then ran a full system scan coming up clean.
Would SP2 be offering any extra protection?
Buck." }-

I got a blank page, Norton didn't tell me anything in real time. Did a scan and found a file which was then deleted called Promt[1].html. Don't know if that's it.

Jimbob

steverope
January 27th, 2005, 10:59 AM
It's kind of odd!!! My extendia avk pro detects it always with all configurations, except when you turn "heuristics" off, should I be worried about the trial with "heuristics off", or is this test OK?

steverope
January 27th, 2005, 11:03 AM
sorry wrong info.......My extendia avk detected something in all configurations except when "check while writing" was off......not while "heuristics" was off like I stated previously. Any advice on if this is bad performance on the part of my AV? Thanks, and also will this test hurt my computer? I know I should know this, but bear with me I'm totally new to this.

dog
January 27th, 2005, 09:18 PM
-{ Quote: " Any advice on if this is bad performance on the part of my AV? Thanks, and also will this test hurt my computer? I know I should know this, but bear with me I'm totally new to this." }-

Hi Steve, ;)

Not to worry ... It's only the Eicar Test file. Some AVs won't report at all, because it isn't a threat ... it's just a test file to simulate, there is nothing wrong with your AV's performance, it's just either ignored, or isn't a part of their detection database. There is a similar test file for Anti-trojans written by Magnus (Trojan Hunter) for the same purpose. I don't have the url handy, but it simulates a trojan to test your Anti-Trojan, the same as above applies regarding detection/performance.

HTH,

Steve

Edit: Found the URL for Magnus' Trojan Simulator - http://www.misec.net/trojansimulator/