VBA32 and eicar

Is anyone else having trouble getting VBA32s monitor to recognize any test files at http://www.eicar.org/anti_virus_test_file.htm I can't seem to get the monitor to do anything, either prompting before download or prompt on execution. The on-demand scanner catched them all...just not the on-access. Has anyone gotten it to work?

 

Eicar.com is the important one that ALL AV's should detect.

Using Firefox, eicar.com was allowed to be downloaded to my desktop but immediately the RTM found it.

 

Using IE, eicar.com was also picked up by the on-access monitor.

 

The second file, eicar.com.txt is allowed to simply just open, whereas the other 2 zipped files, eicar com.zip and eicarcom2.zip are allowed to be downloaded and saved to disk.

Assuming that the RTM of VBA32 does not scan archives this is normal behaviour. The eicar.com file inside the 2 zipped files is then detected upon extraction.

BTW, I thought you had returned to Dr Web?

__________________

 

Funny thing is I thought I did to. There are features in VBA32 that I like; such as quarantine, the ability to save copy of dealt with files, and the ability to password protect settings. These are things that unfortunetly Webby doesn't have. And, after reading this it sounds like VBA32 isn't as bad as the test would indicate. I don't know....I do hope I get this whole thing figured out because I'm getting tired of trying to find the "perfect" AV.

Blackcat-- What are your settigns for VBA32s monitor? I can't seem to get even the .com file detected. Which is very bad.

 

Here you go. RTM settings. Further in Actions, ASK for infected, Heuristic analysis set to Maximum and default settings for Report.

If you are not seeing any response, maybe time for a fresh install?

 

This is really wierd. The monitor for VBA32 doesn't seem to working; it does scan file because some internet (html) are listed under 'statistics.' But it doesn't catch anything. I did a fresh install of VBA32 and deleted the old folder. I've tried downloading the test file, in both Opera and IE6, and I was able to do so. Not only that but I download the zip file and I was able to extract it without a peep from VBA32. That's not good. I have everything set up as per the screenshot. Any ideas?

 

Something is wrong with your setup somewhere if VBA32 cannot detect the main eicar file in real-time. ALL AV's should be able to detect at least the first file, eicar.com. Have you tried using the ALL file setting?

Hopefully likuidkewl will drop by

Just tested again and statistics window shown below

Have you been using different AV's on the same computer recently? Maybe you have not completely uninstalled a previous AV which may be conflicting with VBA32?

I would uninstall VBA32 again, run a good registry cleaner, clear your browser's cache and install again.

You are using the Eicar files from the main site?

 

This is really starting to aggravate me. I uninstalled VBA32, rebooted, deleted the folder, cleaned the registry with RegHealer, searched for and deleted every instance of VBA32 in the registry using Regseeker, and used CCleaner for general cleanup. Then I installed VBA32 again and rebooted. This time I was told almost right away that PeerGuardian (pg.exe) was suspicious, which I was never alerted to before (I thought it was a fixed false positive). There are 8 instances where pg.exe has been blocked. But the monitor is still not able to detect the eicar test file. According to VBAs monitor statistics, it's not even being scanned. I'm not sure what else to do. I have VBA32 3.11, and have used VBA32 3.11.1 beta. Neither worked properly. The VBA32 loader services is marked as automatic and is started. I do have windows scripting host disabled (via xp antispy). Could that be the reason for this error?

 

Is it detected via an on demand scan? What other apps you have running?

 

Yes everything is detected via on-demand scan and throught a context menu scan. I hve processguard but it is disabled for VBAs installation

 

This seems to be a problem with the eicar test sample, I have uploaded a trojan to a website with exe, com, and zip extensions, VBA32 picks it up in the temp folder before it can be saved, and is detected upon opening of the zip file.
So I have no idea what the deal is with the eicar virus.

 

likuidkew- Thanks for those files. I have mixed results with them; I have alerted on the first two but I was not alerted with the zip file. Even after the zip was downloaded I was able to extract them and I was not notified.

Has anyone else been having this issue with the test file? Can someone try it right now and let me know if VBAs monitor stops it?

 

VBA32 has fixed every one of my false positives I sent it...which is great! But I'm still having a problem with the test file. It's still not being detected through the VBA32 monitor, which is detected by the on-demand scanner. Could someone else try that site?

 

OK most recently: This is with VBA32 to scan only new files.

• 1. Download the file directly from the internet, PASSED
• 2. Look at the Text of the test file, FAILED
• 2a. Download and save the txt, FAILED
• 3. Download the zip, FAILED and allowed to execute....
• 4. Double zip, downloaded and extracted 2nd zip, but upon copying to the desktop was deleted. PASSED
• 5-9 SSL was the same

These are some confusing results....
Why would it be caught as new and deleted, but allowed to be copied from a zip file?

Keep in mind as stated, these are ALL picked up via on demand scan.
I have a test file, that I use for similiar purposes and VBA32 picks it up every time.

@Siarheika- any insight into this?

I am using 7zip instead of any "main stream" compression utilities. FYI.

 

I don't know about anyone else but, if I have "process only new files" checkmarked VBA32 isn't catching the eicar.com file when I download it. If I uncheck it, VBA32 jumps into action.

 

This is true forgot I changed that, will fix my post above to reflect as such.

 

Confirmed. However, this only works with the .com file, not with the .txt or zip files. They are still able to be downloaded and extracted without any noise from VBA32.

 

I figured that the realtime scanner would have picked up the eicar.com file once extracted from the zip file. It seems to only pick it up if I manually scan it or execute it.

 

Ok, something is very inconsistent here… Sometimes VBA32 will detect the eicar.com file when I extract it from the second zip file and sometimes it won’t. Also, I am getting the same results executing the .com file. Sometime it will detect/delete it and twice it didn’t say anything.

 

I think my search is over. As much as I want to give VBA32 a chance, and as much as I keep wanting to use it as my main AV, I just can't. VBAs monitor is just not good enough for me. That and the fact that there is no scheduling feature is a major con for it; if the on-access scanner doesn't detect it, and there is no way to schedule an on-demand scan, than how do you know your system has never been infected? Nope, sorry I can't take that chance. I'll stick with Dr Web.

 

Update;

1. Using the "process only new files" setting, the first eicar.com file is caught EVERY time!

2. The second file, eicar.com.txt is not detected ( no surprise ).

3. The two zipped files, eicar com.zip and eicarcom2.zip, when extracted causes the RTM to jump in BUT only every OTHER time e.g detected/missed/detected/missed/

So overall we are all seeing some inconsistencies with the RTM and the eicar files. I have pointed support to this thread so let's hope they pass by.

 

Not the greatest of tests, but the RTM picks up the eicar file and the 3 other "Worm" tests every time in AntiVirus Tester 3.0

 

Yes, the results seem to be different for different people. I know that the RTM did not work for me on the test files at all; com or zips (even when extracted). And I have my setup the same as your screenshot. I too alerted support to this issue. Oh well, on to better things I guess.

 

I wonder if having other AV's installed on the same sytem disturbs VBA32? I know it can be very sensitive to other AV's when installing!

You will be okay with DW