Antivirus self-defence question

Want to put some questions regarding things I am doing all night long (it's not what some of you just meant ).

I take Shotdown Simulator which Matousec using for Firewall Chalenge and test it on three clasicall antivirus (Avira Free, Avast Free and Kaspersky Antivirus 2009).

I was very suprised that only Avira was able to prevent creating of Eicar test file after shotdown simulation was done. Avast and even Kaspersky just failed.

Does it mean that some malicious software can simulate system shotdown and drop some nasties after antivirus was closed? What is real possibility for such situation?

 

I'm not familiar with this test (do you mean shutdown simulator?) but familiar enough with Avast, and have a basic working knowledge of the eicar files.
Which eicar file was used following the use of the simulator? I'm quite curious about this.
And no need to apologize for your English, although the sentiment is appreciated. Your English is vastly superior to my anything-else-ish!

 

Obviously there is need to apologize for my English ("Shutdown Simulator", not "Shotdown" as I wrote)

I don't know which Eicar file System Shutdown Simulator uses but it was recognized by Avira as a Eicar test file. This file would have been recognized as a test file by Avast and Kaspersky too if they were not closed by Shutdown Simulator test which is his primary purpose.

You can download test from ZeroDay Software which is maintained by one of the Wilders Security Forum members. As I already wrote this test is used by Matousec in Firewall Challenge testing.

P.S. Is it possible to move this topic to "Other anti-virus software" forum becouse I opened the topic here by mistake?

 

Yes. The program simulates shuting down a computer by terminating your processes down to the most basic processes.

Surprised that Avira was able to catch it; maybe it hung in memory or recovered.

You can't really do anything, to the best of my knowledge. Even with restricted priv. the program works. Try using ThreatFire.

 

It's possible that the version of the Eicar file used by the simulator is not one that triggers Avast (or Kaspersky - I don't know) to respond. The .txt version would be one of those, because with that extension the file won't "run", Avast doesn't detect it unless it's scanned manually. (Rename it from a .txt to a .bat, the virus alert goes off immediately.)
This is just a guess on my part, I'm not prepared to run the simulator to investigate further.