Wilders Security Forums  

  #1  
Old February 5th, 2010, 01:47 PM
JoeBlack40 JoeBlack40 is online now
Very Frequent Poster
 
Join Date: Apr 2009
Location: Romania
Posts: 1,299
Default Eicar test

I don't know, but isn't Prevx SafeOnline (the Facebook version) supposed to warn about or block the eicar test? I use it with Avira Free; I disabled Avira's guard and Prevx doesn't alert me in any way. Is this normal?
__________________
Avira free-Privatefirewall-Sandboxie-WinPatrol Plus-Wondershare TimeFreeze
  #2  
Old February 6th, 2010, 02:15 AM
PrevxHelp PrevxHelp is offline
Prevx Moderator
 
Join Date: Sep 2008
Location: USA/UK
Posts: 7,599
Default Re: Eicar test

Quote:
Originally Posted by JoeBlack40
I don't know, but isn't Prevx SafeOnline (the Facebook version) supposed to warn about or block the eicar test? I use it with Avira Free; I disabled Avira's guard and Prevx doesn't alert me in any way. Is this normal?

This is the correct behavior - with SafeOnline, Prevx de-emphasizes the need for antimalware protection when dealing with your browser. Therefore, we don't bother the user with unimportant threats which are detected. You can move out of this "non-technical-user" mode by raising the heuristic settings in the Settings > Heuristics Settings page within the SafeOnline/Prevx 3.0 interface.

Let me know if you have any questions!
  #3  
Old February 6th, 2010, 04:00 AM
JoeBlack40 JoeBlack40 is online now
Very Frequent Poster
 
Join Date: Apr 2009
Location: Romania
Posts: 1,299
Default Re: Eicar test

Thank you. I raised the heuristics to high, but still nothing. But I think it's not a big deal after all, because the purpose of Prevx SafeOnline is to guard the browser, not necessarily the downloads, imo.
__________________
Avira free-Privatefirewall-Sandboxie-WinPatrol Plus-Wondershare TimeFreeze
  #4  
Old February 6th, 2010, 04:57 AM
redwolfe_98 redwolfe_98 is offline
Frequent Poster
 
Join Date: Feb 2002
Location: South Carolina, USA
Posts: 518
Default Re: Eicar test

"prevx" will flag the "eicar.com" test file if you download it and then try to execute it.. incidentally, i would say that that is normal for antimalware programs, other than antivirus programs, not to flag a file until you try to execute it..

another test-file that you can use with "prevx" is the "trojan simulator".. you can download the "trojan simulator" from here:

http://www.misec.net/trojansimulator/

interestingly, prevx will flag the "trojan simulator" files by just "mousing over them", which is kind of surprising, but it does not flag the "eicar.com" test file until you try to execute it..

using the "eicar.com" test-file is kind of a problem for me because i have "ntvdm.exe" disabled on my computer.. the eicar.com test-file causes "ntvdm.exe" to run, when it is executed.. with "ntvdm.exe" disabled, if i try to execute the "eicar.com" test-file, i will get an error-message, on my computer.. however, i just tested, and, when i try to execute the "eicar.com" test-file, "prevx" flags it, even though it won't run properly, on my computer (when it is allowed to run)..

i suspect that a lot of people have "ntvdm.exe" disabled, on their computer, due to the announcement of a new vulnerability, in windows, and microsoft's providing a fix for the problem, which disables "ntvdm.exe".. here is a link to one of MS's articles about the vulnerability:

http://www.microsoft.com/technet/sec...ry/979682.mspx
__________________
win xpsp3, "windows firewall", avira 12 premium, SSM, RegDefend

Last edited by redwolfe_98 : February 6th, 2010 at 05:15 AM.
  #5  
Old February 6th, 2010, 07:45 AM
JoeBlack40 JoeBlack40 is online now
Very Frequent Poster
 
Join Date: Apr 2009
Location: Romania
Posts: 1,299
Default Re: Eicar test

OK, redwolfe_98, you're right, Prevx did flag it, but only when I was trying to execute the eicar file. BUT...
A question for the Prevx moderator... see the screenshot... what options (I see none) do I have to remove the threat, even if it says that it is free to clean up?
If I click View Options, a web page opens and asks me to upgrade for cleaning...
Attached Images
 
__________________
Avira free-Privatefirewall-Sandboxie-WinPatrol Plus-Wondershare TimeFreeze
  #6  
Old February 6th, 2010, 10:42 AM
Dark Star 72 Dark Star 72 is offline
Frequent Poster
 
Join Date: May 2007
Location: UK
Posts: 580
Default Re: Eicar test

Joe,
Just tried to download the "eicar.com" file and Prevx flagged it and stopped it as soon as I clicked on the download area on the actual Eicar site, it never actually got to be downloaded to the desktop. In the past this same Eicar file has always downloaded to the desktop and Prevx has only flagged it on execution, has something changed in the way Prevx now detects?
I tried to download it a second time with the same result. Strange thing is that the alerts I got did not mention the Eicar file at all, see my screenshot. Have also included a screenshot of the Detection Overrides, note that the file names are different for the same Eicar file/download
Is this normal?
Am using SafeOnline 3.0.5.67beta.
Attached Images
  
  #7  
Old February 6th, 2010, 06:09 PM
JoeBlack40 JoeBlack40 is online now
Very Frequent Poster
 
Join Date: Apr 2009
Location: Romania
Posts: 1,299
Default Re: Eicar test

Dark Star,
As I said, Prevx didn't alert me at all, only when I was opening the file. To be honest, I'm really confused now that I have read about your problem.
Let's wait for the reply from the Prevx moderator.
__________________
Avira free-Privatefirewall-Sandboxie-WinPatrol Plus-Wondershare TimeFreeze
  #8  
Old February 7th, 2010, 12:36 PM
PrevxHelp PrevxHelp is offline
Prevx Moderator
 
Join Date: Sep 2008
Location: USA/UK
Posts: 7,599
Default Re: Eicar test

Quote:
Originally Posted by JoeBlack40
OK, redwolfe_98, you're right, Prevx did flag it, but only when I was trying to execute the eicar file. BUT...
A question for the Prevx moderator... see the screenshot... what options (I see none) do I have to remove the threat, even if it says that it is free to clean up?
If I click View Options, a web page opens and asks me to upgrade for cleaning...

Could you try running another scan and then trying to click View Options after? I suspect this might be an issue identifying free-to-clean infections under the Facebook version, but you can always just delete the eicar file manually if wanted
  #9  
Old February 7th, 2010, 12:39 PM
PrevxHelp PrevxHelp is offline
Prevx Moderator
 
Join Date: Sep 2008
Location: USA/UK
Posts: 7,599
Default Re: Eicar test

Quote:
Originally Posted by Dark Star 72
Joe,
Just tried to download the "eicar.com" file and Prevx flagged it and stopped it as soon as I clicked on the download area on the actual Eicar site, it never actually got to be downloaded to the desktop. In the past this same Eicar file has always downloaded to the desktop and Prevx has only flagged it on execution, has something changed in the way Prevx now detects?
I tried to download it a second time with the same result. Strange thing is that the alerts I got did not mention the Eicar file at all, see my screenshot. Have also included a screenshot of the Detection Overrides, note that the file names are different for the same Eicar file/download
Is this normal?
Am using SafeOnline 3.0.5.67beta.

Here it looks like Prevx is catching it before the system renames the file. Honestly, eicar is probably the worst type of test file that can be used... but it is the most popular one. Antivirus programs have to have specific code in place just to handle eicar tests because the execution of eicar does not fall through normal code execution paths - as redwolfe_98 pointed out, it uses the ntvdm emulator and while threats from 16bit code were pervasive ~25 years ago, we are currently in 2010

It would be best to use the Trojan Simulator or other test links as eicar is handled significantly different from normal programs which is likely why you're experiencing some different results than would normally happen when downloading files to test with Prevx.
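The point about scanners carrying EICAR-specific handling, sketched as an added example (not Prevx's code and not part of the thread): the test file is recognised purely by its content, so a verdict can be reached at download time without anything running under ntvdm. The 68-byte string, the 128-byte limit and the permitted trailing whitespace follow EICAR's published definition of the test file; the function and sample names are made up for illustration.

```python
# Added illustration, not Prevx code. The test string is assembled from two
# halves so this listing does not itself contain the full contiguous string.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
MAX_FILE_LEN = 128                       # upper bound on a conforming test file
TRAILER_OK = frozenset(b" \t\r\n\x1a")   # space, tab, CR, LF, Ctrl-Z


def classify(data: bytes) -> str:
    """Content-only verdict for a buffer; nothing is executed."""
    if data.startswith(EICAR):
        trailer = data[len(EICAR):]
        if len(data) <= MAX_FILE_LEN and all(b in TRAILER_OK for b in trailer):
            return "eicar-test-file"
    if EICAR in data:
        # String present but the file breaks the definition (extra content,
        # wrong offset, too long): products differ on whether to flag this.
        return "eicar-string-nonconforming"
    return "clean"


def demo() -> dict:
    # Constructed sample buffers, not captured from any product or site.
    samples = {
        "exact": EICAR,
        "crlf_padded": EICAR + b"\r\n",
        "text_appended": EICAR + b" hello",
        "embedded": b"MZ" + b"\x00" * 64 + EICAR,
        "over_128": EICAR + b" " * 61,
        "unrelated": b"just a text file\n",
    }
    return {name: classify(buf) for name, buf in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {verdict}")
```

Only the first two samples meet the definition; the other three that carry the string are the cases where different products, or the same product at different hook points, can legitimately disagree.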
  #10  
Old February 7th, 2010, 01:01 PM
xXDarkStalkerxX xXDarkStalkerxX is offline
Frequent Poster
 
Join Date: Nov 2008
Posts: 273
Default Re: Eicar test

Quote:
Originally Posted by PrevxHelp
Could you try running another scan and then trying to click View Options after? I suspect this might be an issue identifying free-to-clean infections under the Facebook version, but you can always just delete the eicar file manually if wanted

This behavior is present in my Facebook version too.
  #11  
Old February 9th, 2010, 04:44 AM
JoeBlack40 JoeBlack40 is online now
Very Frequent Poster
 
Join Date: Apr 2009
Location: Romania
Posts: 1,299
Default Re: Eicar test

Quote:
Originally Posted by PrevxHelp
Could you try running another scan and then trying to click View Options after? I suspect this might be an issue identifying free-to-clean infections under the Facebook version, but you can always just delete the eicar file manually if wanted
Thank you for your help, but... I know it's a free program and I really appreciate the effort and the good will of Prevx's team... again, but... a program that is not able to do what it is supposed to do... no alert, and manual cleaning... hmmm... if I use Prevx SafeOnline again, I will do it only for a little browser protection, and that's it. Not as a second protection, no way.
__________________
Avira free-Privatefirewall-Sandboxie-WinPatrol Plus-Wondershare TimeFreeze
  #12  
Old February 9th, 2010, 10:44 AM
PrevxHelp PrevxHelp is offline
Prevx Moderator
 
Join Date: Sep 2008
Location: USA/UK
Posts: 7,599
Default Re: Eicar test

Quote:
Originally Posted by JoeBlack40
Thank you for your help, but... I know it's a free program and I really appreciate the effort and the good will of Prevx's team... again, but... a program that is not able to do what it is supposed to do... no alert, and manual cleaning... hmmm... if I use Prevx SafeOnline again, I will do it only for a little browser protection, and that's it. Not as a second protection, no way.

There may be a misconception about what SafeOnline's goal is. The real intention is to keep the user safe when banking or working with personal information online. In order to do so to a mass-public, we've intentionally hidden most of the functionality of Prevx as it is not necessary to remove threats when in SafeOnline mode because it will provide protection regardless of what threats exist on your PC.

Therefore, we've de-emphasized the cleanup and scanning routines and while you still can use them, they aren't necessary.

That being said, however, in the SafeOnline version, there is an issue identifying free-to-clean infections which will prevent you from being able to go through the cleanup process as you have pointed out here. This will be corrected in the next release, but in the meantime, you can just manually delete any free-to-clean detected files if you want them to be removed from the scan results.

I hope that helps clear up our intentions! Let me know if you have any questions
  #13  
Old February 9th, 2010, 11:24 AM
JoeBlack40 JoeBlack40 is online now
Very Frequent Poster
 
Join Date: Apr 2009
Location: Romania
Posts: 1,299
Default Re: Eicar test

OK, I fully understand. Thank you again.
__________________
Avira free-Privatefirewall-Sandboxie-WinPatrol Plus-Wondershare TimeFreeze
 

All times are GMT -4.