EICAR Test File

Discussion in 'NOD32 version 2 Forum' started by tony62, Oct 25, 2005.

Thread Status:
Not open for further replies.
  1. tony62

    tony62 Registered Member

    Joined:
    Aug 26, 2005
    Posts:
    214
    Location:
    UK
    Hi all,
    I recently purchased NOD32 and must say that i am pretty impressed with it so far:) I have implemented Blackspear's guide here since this is a shared PC. Anyway i decided to test NODs 'IMON' effectiveness today using this site eicar.org and happily enough it blocked the first file download link immediately. I then went on to create a .txt and .com file using the virus string and AMON picked up on these too. However when i pasted the exact same string into a Office Word Document(2003) it failed to detect upon creation, execution or even context menu scano_O
    Should DMON detect this or not?
     
    tony62, Oct 25, 2005
    #1
  2. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    It probably has to do with the exact definition of the Eicar.com test file, as stated here: http://www.eicar.com/anti_virus_test_file.htm
    Since you pasted the string into a Word Document, the resulting .doc file no longer meets the definition of the Eicar.com test file. The same thing applies to a webpage that includes this string. Since the string is in the middle of the webpage, it does not meet the definition of the file. ;)

    Now, if you were somehow able to paste an eicar.txt file in a Word document as a separate object, that might be another story.
     
    alglove, Oct 25, 2005
    #2
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    No, the eicar test file must be in a pure text file, not in a Word or another document.

    Edited:
    OK, Alglove was faster than me :)
     
    Marcos, Oct 25, 2005
    #3
  4. tony62

    tony62 Registered Member

    Joined:
    Aug 26, 2005
    Posts:
    214
    Location:
    UK
    Yes that does seem to be the case, since the resulting .doc file ends up 19.5 KB opposed to 68 bytes.
    Thanks for your help;)
     
    tony62, Oct 25, 2005
    #4
  5. Happy Bytes

    Happy Bytes Guest

    Eicar is just a TESTVIRUS. Eicar was designed to test GENERAL functionality of AV Software and not for determining how good a software finds "embedded" viruses. There's even one rule - Eicar should be only detected if it has it's original filesize. This has basicly to do with a lot of readme.txt files from AV Software. Lots of companies writing there about EICAR and also quoting the ASC-II eicar text. It would be a false positive to detect such files!

    If you want to know more about EICAR and how this Testvirus works take a look to over here where i explained it in the AV-Comparatives Forum:
    http://www.av-comparatives.org/forum/viewtopic.php?t=150

    8^) H.B.
     
    Happy Bytes, Oct 26, 2005
    #5
  6. tony62

    tony62 Registered Member

    Joined:
    Aug 26, 2005
    Posts:
    214
    Location:
    UK
    This is exactly what i originally wanted 'test GENERAL functionality'.
    I disagree here, soley for it's test functionality. For example once a firewall has been setup correctly you will then wish to to test it using various 'Probing' sites. How else would one test Antivirus software?
    Very informative, thanks for link;)
     
    tony62, Oct 29, 2005
    #6
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...