Antivirus self-defence question

Discussion in 'other anti-malware software' started by Zimzi, Dec 25, 2008.

Thread Status:
Not open for further replies.
  1. Zimzi

    Zimzi Registered Member

    Joined:
    Jul 10, 2005
    Posts:
    289
    Want to put some questions regarding things I am doing all night long (it's not what some of you just meant :D ).

    I took Shotdown Simulator, which Matousec is using for Firewall Challenge, and tested it on three classical antiviruses (Avira Free, Avast Free and Kaspersky Antivirus 2009).

    I was very surprised that only Avira was able to prevent the creation of the Eicar test file after the shotdown simulation was done. Avast and even Kaspersky just failed.

    Does it mean that some malicious software can simulate system shotdown and drop some nasties after antivirus was closed? What is real possibility for such situation?
     
  2. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    I'm not familiar with this test (do you mean shutdown simulator?) but familiar enough with Avast, and have a basic working knowledge of the eicar files.
    Which eicar file was used following the use of the simulator? I'm quite curious about this.
    And no need to apologize for your English, although the sentiment is appreciated. Your English is vastly superior to my anything-else-ish!
     
    Last edited: Dec 25, 2008
  3. Zimzi

    Zimzi Registered Member

    Joined:
    Jul 10, 2005
    Posts:
    289
    Obviously there is need to apologize for my English ("Shutdown Simulator", not "Shotdown" as I wrote) :D

    I don't know which Eicar file System Shutdown Simulator uses but it was recognized by Avira as an Eicar test file. This file would have been recognized as a test file by Avast and Kaspersky too if they were not closed by the Shutdown Simulator test, which is its primary purpose.

    You can download test from ZeroDay Software which is maintained by one of the Wilders Security Forum members. As I already wrote this test is used by Matousec in Firewall Challenge testing.

    P.S. Is it possible to move this topic to the "Other anti-virus software" forum, because I opened the topic here by mistake?
     
  4. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
    Yes. The program simulates shutting down a computer by terminating your processes down to the most basic processes.

    Surprised that Avira was able to catch it; maybe it hung in memory or recovered.

    You can't really do anything, to the best of my knowledge. Even with restricted priv. the program works. Try using ThreatFire.
     
  5. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    It's possible that the version of the Eicar file used by the simulator is not one that triggers Avast (or Kaspersky - I don't know) to respond. The .txt version would be one of those, because with that extension the file won't "run", Avast doesn't detect it unless it's scanned manually. (Rename it from a .txt to a .bat, the virus alert goes off immediately.)
    This is just a guess on my part, I'm not prepared to run the simulator to investigate further.
     