#1
Not a big deal, but it surprised me that McAfee failed Eicarcom2.zip.

http://www.eicar.org/download/eicarcom2.zip

This is the one where eicar.com is zipped and then this zip is zipped. I guess McAfee will unpack once, but when it runs into a second zip it says no mas. Can anyone confirm this result for McAfee, or is it just me?

I ran another AV against this and it was able to catch Eicarcom2.zip and all other Eicar examples on their page: http://www.eicar.org/anti_virus_test_file.htm

I'm deciding whether to completely dump McAfee now, since my upgrade from 4160 scan engine to 4320 has a trial time limit (Console & Autodat updates no longer function, but right click Vscan works fine except as noted above). I may just keep McAfee around as an on demand Vscan backup.
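The nesting behaviour discussed in this thread, as an added example that is not part of any poster's message and not McAfee's code: a scanner that unpacks zip archives recursively up to a configurable depth and reports what it left unopened. The function names, the `inner.zip` member name and the stand-in marker (a substring of the EICAR test string, not the full 68-byte file) are assumptions made for the illustration.

```python
import io
import zipfile

# Stand-in signature: a substring of the EICAR test string (assumption; real
# engines match the complete test file, and the sample below is constructed).
MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # skip members declaring more than 10 MiB


def zip_bytes(name, data):
    """Return an in-memory zip archive holding a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def build_double_zip():
    """Constructed sample: a marker file zipped, then that zip zipped again."""
    inner = zip_bytes("eicar.com", b"constructed sample: " + MARKER)
    return zip_bytes("inner.zip", inner)


def scan(data, max_depth, path="<input>", depth=0):
    """Return (hits, skipped): paths of files containing MARKER, and paths of
    archives or members not opened because of the depth or size limit."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return ([path] if MARKER in data else []), []
    if depth >= max_depth:
        return [], [path]  # report the unopened archive instead of passing it
    hits, skipped = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = info.filename if depth == 0 else f"{path}/{info.filename}"
            if info.file_size > MAX_MEMBER_BYTES:
                skipped.append(member)
                continue
            h, s = scan(zf.read(info), max_depth, member, depth + 1)
            hits += h
            skipped += s
    return hits, skipped


if __name__ == "__main__":
    sample = build_double_zip()
    for limit in (1, 2):
        print(limit, scan(sample, max_depth=limit))
```

With a limit of one level the inner archive shows up only in the skipped list, which is the difference between a scanner that reports "not scanned" and one that reports "clean".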
#2
I don't run McAfee but I fail to see the threat of a virus that is zipped up twice? To run (if it was real) this virus it would need you to uncompress the file twice, at which McAfee would've jumped in long ago.
To add these very deep scanning abilities could well hinder further development of the programme.
__________________
A proud member of Wilders since March 2002
#3
Appreciate your reply.

As I said, no big deal. I'm sure others who are more devious can figure a way to use a virus w/in an archive packed in an archive coupled with a Windows vulnerability and a process killer... still like to know if anyone else using older or latest McAfee can confirm - just curious.

Also Tinribs, did your AV catch Eicarcom2.zip on scan? If not, what AV are you using - if you want to PM me feel free.
#4
I use McAfee VS 7.1 Enterprise, it was detected after it was d/led into the internet temp folder (with that silly IE d/ling before you picking an option deal). So no problems here...
#5
Thanks VikingStorm.
Sounds like your result was pretty good - since your McAfee 7 had to unpack 2 archives to get to eicar.com and it did it real time in cache prior to your d/l option...
#6
McAfee 4.51 detected the files right after the DL box, and before it reaches my TEMP folder.
http://nick.vallet.free.fr/samples/on-access.png

Please check if you scan "All Files" and "Compressed files" on-access.
http://nick.vallet.free.fr/samples/Config.png
#7
Hi Peakaboo. My McAfee found it. I'm running a download manager and McAfee set to scan after a download. I'm using McAfee 7.03 scan engine 4.3.20.
__________________
The mind is like a drunken monkey dancing on hot coals.
#8
Thanks all.
Well, I don't know why my version can't catch it, maybe due to the expiration of the trial on that new engine I upgraded to. Right click VirusScan still enabled but system scan is disabled due to end of trial. Maybe the power lies in the stuff which is disabled.
#9
My McAfee product (V7 enterprise) doesn't pick it up at download, but if I tried to open the zip it said I couldn't and brings up the box saying that it had found a virus.
#10
bob_man_uk,

Thanks for this info. If you get a chance, dl eicarcom2.zip, save it to a separate folder, and right click the folder and select "Scan for Viruses" (see my gif above). Scan and make sure "All files" is checked & "Compressed files" is checked. Let me know if VirusScan catches this.
#11
yes it does
#12
Thank you for verifying.
Maybe the problem is my 4320 engine... will check this out later. Seems more like an unpacking issue though, but maybe that is engine dependent also.
#13
My engine is 4320 with the most up to date dat (currently 4346), so I dunno what's up.
#14
For what it is worth, F-Prot for Windows will detect this file when you try to download it before it is on your hard drive.
#15
Just saw this thread: screenshot is what happened here in Opera when I clicked on your link to the double-zipped eicar.
#16
Interesting. I just tried this test on a non timed out version of McAfee; scan engine 4320, dat file was 4345, with the following result: right click VirusScan (on demand scan) on folder with Eicarcom2.zip does not detect the eicar.com. However, using McAfee VirusScan Central console and scanning I get a detection; however, when I go to delete it, it is unsuccessful (even though it says it is deleted). Trying again using quarantine, same thing happens - successful quarantine message given, but checking with explorer I see the eicar.com still zipped. I wound up deleting using explorer.

This may dovetail into the latest VB100 bulletin and a weakness observed there: http://www.wilderssecurity.com/showthread.php?t=26251;start=msg152429#msg152429

Sophos: No Support for On-Access scanning, same happens to NAI including some archive format problems

Thanks to all for your input. I may be dumping this version of McAfee soon.