EICAR Test File Test!! Is Your Antivirus Web Protection Any Good??

Discussion in 'other anti-virus software' started by ultragunnerdcl, Nov 20, 2007.

Thread Status:
Not open for further replies.
  1. JimGoo

    JimGoo Guest

    NOD32 3.0.556 caught this one immediately: stopped the .zip file download after sending the file to quarantine.
     
  2. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Posting of Jotti and/or Virustotal screenshots was prohibited when product fans/advocates/bashers started to use them as supposedly "objective" measures of intrinsic product performance neglecting, of course, that they constituted a very fluid dynamic snapshot in time which was often outdated within minutes to hours of the posting, often provided no definitive checks and balances to validate the specific file as an actual threat (versus a non-functional piece of digital flotsam), did not definitively mimic the performance of all products installed on a standalone Windows based PC, and yielded escalating and completely unproductive image flamewars. I hope everyone understands that if this thread goes down that road, it will be closed and/or pulled offline. For now, I'll leave the image as is, although please be cognizant of a few facts:
    • The original mention and screenshot come from the McAfee Avert Labs Blog. See Rich Text Malware for the original source. The specific image shown is not due to Symantec. It also dates from May 2007. Read the original analysis to understand the scope of the comments made.
    • Be aware what any Eicar test results do and do not tell you about a product, as well as other interdependencies
    • The purpose of this text fragment is to provide facile feedback as to whether a product is working or not at a very basic level. This thread is already heading in directions that are really beyond the designed scope of this tool
    Blue
     
  3. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    That would be almost useless as all AV would add signature detection against it some hours after it's released.
     
  4. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    I'm surprised ibk doesn't do a packer test, he
    must own them all :)

    maybe in the future or as one of those side-tests that he sometimes likes to do

    You never know :)
     
  5. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
    This is nothing new, I remember reading this technique (embedded OLE objects) in an "underground" forum a couple of years ago.

    The following is taken from a message sent by Vesselin Bontchev to ntbugtraq in 2003 (ESATF stands for Eicar Standard Antivirus Test File). My conclusion: either AVERT or Vesselin Bontchev must be wrong, and I don't think it's Bontchev.


    (1) The above 68 characters *MUST* be at the beginning of the file. If they
    aren't there, it's not the ESATF - it's that simple. Any anti-virus product
    that detects as "the ESATF" something which is not it is wrong. For
    instance, any product that detects it in this message is wrong. This
    message, despite that it contains these 68 characters, is not the ESATF,
    since they are not at its very beginning. Keep that in mind when examining
    the various examples you gave. Had you paid attention to this requirement
    in the first place, you wouldn't have bothered writing half of your paper.

    (2) The only characters that can follow the above 68 characters are SPACE,
    TAB, CR, LF, and EOF (Ctrl-Z). The total size of the file MUST NOT exceed
    128 bytes. Any file that does not match this condition simply isn't "the
    ESATF".

    > Every AV should react when facing ESATF. It's a now well known industry-
    > standard test file and all credible running AV must "detect" it. Actually,
    > it should behave "as if" ESATF was a virus: appropriate warning message
    > (some display something like "File infected with EICAR-Test-File" but
    > they ought to be less stressful; ESATF isn't a virus and AVs shouldn't
    > frighten novices) locking access to the file, putting in quarantine,

    Don't know about the other products, but ours (F-PROT) even *disinfects* it
    as a virus. It treats it as a simple overwriting COM infector. Keep that in
    mind - it is important when addressing some other of your points.

    > Okay, some will say "Hey dude, ESATF is not designed to test and stress
    > AVs algorithms, but to check if AVs are working...". I know that, but

    Precisely. It's not even designed to test their virus detection abilities
    and MUST NOT be used for such purposes. The ability of an anti-virus
    product to detect the ESATF is completely unrelated to its ability to
    detect other viruses. Just because a product detects the ESATF does not
    necessarily mean that it also detects viruses and how well. It only tells
    us that the product is active and working.

    This is another important point, because in your experiments you have used
    the ESATF (and various modifications of it) for such purposes as to test
    the abilities of the heuristics to detect new variants, to discover
    (unsuccessfully) what detection techniques are used, etc. This is WRONG and
    MISLEADING. The ESATF is simply NOT SUITABLE for such purposes. And test
    results obtained in this aspect are wrong, misleading, incompetent.
     
  6. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    That is very interesting and I vaguely recall reading something like that in the past.

    I agree it is highly unlikely (actually almost impossible) that Bontchev would be wrong about something like this. At the same time, though, Symantec is no slouch either when it comes to AV experts. I'd love to see the two debate this.
     
  7. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    They are not contradictory - so what's the problem? ;)
     
  8. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
    Not contradictory ? You must be kidding...
    • VirusTotal uses the "on demand" component of various antiviruses
    • After scanning its "embedded Eicar" with VirusTotal, the AVERT guy concluded his post by "In layman's terms, one could take an already detected malware and embed it inside a rich text file and half the antivirus software on the market would not detect this type of threat."
    • In the wordpad document, the 68 bytes that constitute the ESATF are not at the beginning of the file

    End of the demonstration (no need to mention that the size of the file exceeds 128 bytes, that it contains many characters that differ from SPACE,
    TAB, CR, LF, and EOF and that the 68 bytes of ESATF cannot be directly found inside it, eh?).
     
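An added example, written for this page and not taken from the thread, from Bontchev's message or from any vendor: a strict checker for "the ESATF" under rules (1) and (2) quoted in post 5 (the 68 bytes at offset 0, only SPACE/TAB/CR/LF/Ctrl-Z after them, at most 128 bytes total), run beside a naive substring scan and a minimal parser for the `\objdata` hex blob of an RTF embedded object, which is the kind of container the AVERT post and post 8 discuss. Everything here is assumed or constructed: the real 68-character EICAR string is not reproduced on this page, so `SIGNATURE` is a 68-byte placeholder of the same length (substitute the canonical string to check real files), and `embed_in_rtf` builds a bare-bones RTF-like wrapper rather than reproducing the AVERT sample.

```python
import re
from typing import List

# Constructed placeholder: same length as the real 68-character EICAR string,
# which is deliberately not included here. Replace it to check real files.
SIGNATURE = b"X" * 68
MAX_SIZE = 128
# Bytes allowed after the signature: SPACE, TAB, CR, LF, Ctrl-Z (EOF marker).
ALLOWED_TRAILER = {0x20, 0x09, 0x0D, 0x0A, 0x1A}


def is_esatf(data: bytes) -> bool:
    """Strict definition from the quoted message: signature at the very
    beginning, only whitespace/EOF after it, total size <= 128 bytes."""
    if len(data) > MAX_SIZE:
        return False
    if not data.startswith(SIGNATURE):
        return False
    return all(b in ALLOWED_TRAILER for b in data[len(SIGNATURE):])


def naive_contains(data: bytes) -> bool:
    """What a loose substring scanner does: match the string at any offset,
    which is exactly what rule (1) says is wrong (e.g. a mail quoting it)."""
    return SIGNATURE in data


def embed_in_rtf(payload: bytes) -> bytes:
    """Constructed RTF-like container. RTF stores embedded object data as
    hex text under \\objdata, so the raw file no longer contains the
    signature bytes; only a parser that decodes the object sees them."""
    hexdata = payload.hex().encode("ascii")
    return b"{\\rtf1 some text {\\object\\objemb{\\*\\objdata " + hexdata + b"}}}"


_OBJDATA = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def extract_rtf_objects(data: bytes) -> List[bytes]:
    """Minimal 'unpacking' step: pull every \\objdata hex blob out of an RTF
    file and decode it back to bytes. Real RTF parsing is far more involved;
    this is only enough to show why container parsing changes the verdict."""
    objects = []
    for match in _OBJDATA.finditer(data):
        hexdata = re.sub(rb"\s", b"", match.group(1))
        if hexdata and len(hexdata) % 2 == 0:
            objects.append(bytes.fromhex(hexdata.decode("ascii")))
    return objects


def scan(data: bytes) -> str:
    """Verdict: 'esatf' if the file itself is the ESATF, 'esatf-in-container'
    if a decoded embedded object is, otherwise 'clean'. Note that the
    container file is never itself 'the ESATF' under the strict rules."""
    if is_esatf(data):
        return "esatf"
    if any(is_esatf(obj) for obj in extract_rtf_objects(data)):
        return "esatf-in-container"
    return "clean"


if __name__ == "__main__":
    samples = {
        "exact file": SIGNATURE,
        "file with CRLF": SIGNATURE + b"\r\n",
        "trailing garbage": SIGNATURE + b"Z",
        "129 bytes": SIGNATURE + b" " * 61,
        "quoted in a mail": b"mail text\r\n" + SIGNATURE + b"\r\n",
        "embedded in RTF": embed_in_rtf(SIGNATURE + b"\r\n"),
    }
    for name, data in samples.items():
        print(f"{name:18} strict={is_esatf(data)!s:5} "
              f"substring={naive_contains(data)!s:5} verdict={scan(data)}")
```

The three columns separate the three things the thread keeps mixing up: whether a file is the ESATF by definition, whether a byte-level substring scan happens to hit the string, and whether a scanner that parses the container reaches a payload that is the ESATF. The RTF sample fails the first two and passes only the third, which is why on-demand results for such a file say more about a product's container parsing than about the test file.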
  9. GrailVanGogh

    GrailVanGogh Registered Member

    Joined:
    May 2, 2007
    Posts:
    97
    Location:
    US
    AVG free stopped that file cold also in Firefox.

    Nice to see it is doing its job also.
     
  10. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Probably some antiviruses intentionally don't detect a modified EICAR test file.

    From http://www.allbusiness.com/technology/computer-software/967064-1.html

     
  11. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    Of course I don't consider the embedded Eicar detectable directly ;)

    Embedding Eicar into RTF is just packing it into an archive. So, if the antivirus supports unpacking this particular type of archive, it detects the embedded file. If it doesn't, Eicar is not detected; there's nothing mysterious about it.
     
  12. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    AE is not an AV but it still stopped this test dead in its tracks. :D
     
  13. Terror_Eyez

    Terror_Eyez Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    23
    Location:
    Your moms bed...
    Personally, I think the Eicar test file is dumb, especially because the only way to "test" this file is based off of how AVs work, where they only test each file against the signatures and if the file happens to be a match, then the file is deemed a virus and then the appropriate action is taken. Thing that sucks is that some AVs don't even detect something as simple as this test virus! If your AV isn't even detecting a test virus, then how could you trust it to detect real viruses (or at least most of the real viruses)? That's what turned me off of AVs, they just seemed to be doing half the job. It's like, either your AV happens to detect the file, or it doesn't, whereas using something like Sandboxie, you can download and/or execute the file as many times as you wish, cause in the end, you know the file is going to be gone since it's trapped inside a sandbox the whole time and when you delete that sandbox, then it's gone for good.;)
     
  14. ultragunnerdcl

    ultragunnerdcl Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    Location:
    Philippines
    By the way, to all members pls use Opera or Internet Explorer on this test. Most AVs have difficulty with Firefox.:D
     
  15. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    eh, firefox is fine.
     
  16. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    Firefox/Avast/Eicar (and now Kaspersky test) fine here, also.
     
  17. Thug21

    Thug21 Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    141
    Location:
    Illinois
    The following was posted by NiteHawk on the Avira forum. He explained why Avira's (non web) guard won't pass the 2nd test if Firefox is used.

    "There are some - e.g. Firefox - that do not store the eicar.com.txt page into the disk cache, but instead 'stream' it directly from the internet. Since no disk operation is involved in this case, the guard can't get active"
     
  18. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I guess it's related to file parsing, not unpacking. Proper file parsing is as important as good unpacking.
     
  19. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    If the browser is able to display the string in the second test then the antivirus actually failed even if it was detected in the cache. If it were an actual exploit it is likely that the browser will execute it anyway.
     
  20. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    That's just terminology - I consider "parsing" and "unpacking" being mostly the same thing in this context (i.e. when I say that the antivirus "unpacks" something, it doesn't mean the file has really to be compressed - most usual compressed formats as ZIP or RAR have an option to "store" the files only anyway). So yes, you can call it parsing, extraction...
     
  21. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    It has nothing to do with Fx. All browsers using Avira will display the text string. Actually, I don't know if Safari will...I just got it yesterday...Let me see...Yep, it also displays the string.
     
  22. Thug21

    Thug21 Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    141
    Location:
    Illinois
    I mean it won't warn about the string (it doesn't for me). Neither did avast without the webguard or avg.
    Do you get a guard popup with the text string in Firefox?
     
    Last edited: Nov 24, 2007
  23. Graystoke

    Graystoke Registered Member

    Joined:
    Aug 15, 2003
    Posts:
    1,506
    Location:
    The San Joaquin Valley, California
    When I click on the .txt using Firefox, the page with the string opens, but there is no pop up warning from my AV. When using IE, there is a pop up warning. I've tried it with every AV/suite I've used, including Avira, NOD, KAV, and now Bitdefender, and always the same results. I'm going to check over at the Mozilla forum, and see what I can find out.
     
  24. ultragunnerdcl

    ultragunnerdcl Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    Location:
    Philippines
    Same thing happened to me too. I totally agree with you on that.
     
  25. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,083
    Location:
    Texas
    One post removed. No links to possible malware allowed on these forums.
     