Eicar and F-Prot 6.4

Discussion in 'other anti-virus software' started by Mele20, Dec 14, 2006.

Thread Status:
Not open for further replies.
  1. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Why do I have to click disinfect THREE TIMES before F-Prot will remove eicar? It doesn't matter if I wait up to one minute after clicking disinfect the first time...nothing happens. I click a second time and wait and nothing happens. Only after I click the third time, and my screen jumps and blinks black for just a second, does the eicar file finally disappear. I wouldn't know from the F-Prot GUI that the file was removed, though, as the GUI doesn't change...even the close button looks just like it did the first two times I clicked on disinfect. So, I know it is deleted only because I see the file no longer in my downloaded programs folder.

    At first, I clicked disinfect and thought it was gone and clicked close and got another screen with the warning about the eicar virus so I learned by trial and error that I have to click on disinfect three times in a row before F-Prot removes the virus and it doesn't matter how long I wait after I click disinfect the first time. I have waited over one minute and I still have to click disinfect three times before it disinfects! That is a bit odd. Plus there is NO indication on the F-Prot screen that disinfection has been successful. That too is a bit odd. And the Close button doesn't change...the only way I know I can close the window is because I don't see the eicar file any longer. The Help file (which shows eicar as example) says nothing about having to try three times EVERY TIME to get the scanner to disinfect/delete an eicar file. So, I suppose this is not normal behavior for F-Prot?
     
  2. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    F-Prot AV doesn't do anything to the test file other than delete it, because there is nothing in the file but test code, and disinfection or repair would leave only a worthless 0 kb file.

    Dave
     
  3. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    This is apparently a bug in F-Prot. It doesn't have anything to do with the nature of eicar. The same thing would happen with a real virus. F-Prot, if set on ask before doing anything, gets hung when you click on disinfect. It takes three tries to get F-Prot to act. That is a bug and has been reproduced by support. I think support didn't post here about it but sent me a private message because Mike had asked that we not start any more F-Prot questions here. (Mine was already started when he made that request).
     
  4. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    I don't mind posting here as well. But it is much easier for us to keep track of questions and problems if they are posted in our support forum. That doesn't mean that you cannot ask questions about F-Prot here. The idea behind this support forum is not to move discussions about F-Prot away from here, but to coordinate it better with our support guys. There's no way that you can register and post in every other public forum where people might post questions because you don't have a support forum.
     
  5. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Ok and now back to your question. The funny thing is there is not even a need to offer Disinfect as an option. That should be grayed out for EICAR. The reason is that the Eicar Files ARE the FULL "VIRUS CODE" itself. There is nothing that you could clean.

    Code:
    :0100 58          POP     AX
    :0101 35|4F|21    XOR     AX,214F
    :0104 50          PUSH    AX
    :0105 25|40|41    AND     AX,4140
    :0108 50          PUSH    AX
    :0109 5B          POP     BX       ; BX contains 0140h
    
    :010A 34|5C       XOR     AL,5C
    :010C 50          PUSH    AX
    :010D 5A          POP     DX       ; DX contains 011Ch Note: Textstring Address
    
    :010E 58          POP     AX
    :010F 35|34|28    XOR     AX,2834
    :0112 50          PUSH    AX
    :0113 5E          POP     SI
    :0114 29|37       SUB     [BX],SI  ; changes bytes at 140 & 141 into IRQ Call PrintString
    
    :0116 43          INC     BX
    :0117 43          INC     BX
    :0118 29|37       SUB     [BX],SI  ; changes bytes at 142 & 143 into IRQ Call Exit
    
    :011A 7D|24       JGE     0140     ; Jumps last two IRQ instructions
    
    :011C 45 49 43 41 52 2D 53 54 41   EICAR-STA
    :0125 4E 44 41 52 44 2D 41 4E 54   NDARD-ANT   YOUR DATA STRING
    :012E 49 56 49 52 55 53 2D 54 45   IVIRUS-TE   which is displayed
    :0137 53 54 2D 46 49 4C 45 21 24   ST-FILE!$   by EICAR.
    
    :0140 CD|21       INT     21       ; DOS Function 9h: Display the string
    :0142 CD|20       INT     20       ; Program Termination EXIT
    
    Here we go

    The two red lines are the important lines - they change the 'trash opcode' at the end of eicar into the 2 IRQ (Interrupt commands).

    :0114 29|37 SUB [BX],SI ; changes bytes at 140 & 141 into IRQ Call PrintString

    and

    :0118 29|37 SUB [BX],SI ; changes bytes at 142 & 143 into IRQ Call Exit

    That is because the opcode of INT ( CD ) is a non-printable character.
    And Eicar is supposed only to use PRINTABLE ASCII characters to allow copy+paste functionality. That said: If you disassemble EICAR you will NOT see the last 2 INT opcodes.
    However, INT 20 is not a common way to exit a DOS program; normally you should do this via function 41h and INT 21.

    As you see there is NOTHING that you could disinfect. And Eicar doesn't infect any other files, so there is no eicar code to remove from infected files. So offering "Disinfect" for a Standard Eicar Test File is WRONG. Or, better said, it is CONFUSING. This would result in a 0 Byte File.
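    An added example (not from the thread or from F-Prot): a small Python model of the listing above that steps through exactly those instructions and shows the two SUB [BX],SI writes turning the printable trailer into INT 21h / INT 20h, the string being displayed, and the fact that the file on disk is printable ASCII while the patched bytes in memory are not. The EICAR bytes are constructed from the hex in the listing; the opcode handling, the zero word DOS leaves on a fresh .COM stack, and the behaviour of DOS function 09h are assumptions about the 8086/DOS environment.

```python
ORG = 0x100

# Constructed from the hex bytes in the listing: the 68-byte EICAR file as loaded at 0100h.
EICAR = bytes.fromhex(
    "58 35 4F 21 50 25 40 41 50 5B 34 5C 50 5A 58 35 34 28 50 5E 29 37 43 43 29 37 7D 24 "
    "45 49 43 41 52 2D 53 54 41 4E 44 41 52 44 2D 41 4E 54 49 56 49 52 55 53 2D 54 45 "
    "53 54 2D 46 49 4C 45 21 24 48 2B 48 2A"
)

def is_printable_ascii(data: bytes) -> bool:
    """True when every byte is a printable 7-bit ASCII character (the EICAR design rule)."""
    return all(0x20 <= b < 0x7F for b in data)

def run_eicar(code: bytes):
    """Emulate only the 8086 instructions EICAR uses; returns (printed text, INT vectors, patched tail)."""
    mem = bytearray(0x200)
    mem[ORG:ORG + len(code)] = code
    r = {"AX": 0, "BX": 0, "DX": 0, "SI": 0}
    stack = [0x0000]               # assumed DOS convention: a zero word sits on a fresh .COM stack
    ip, sf, of = ORG, 0, 0         # flags are tracked only for SUB, the instruction JGE depends on here
    printed, ints = "", []
    while True:
        op = mem[ip]
        if op in (0x58, 0x5B, 0x5A, 0x5E):                  # POP AX / BX / DX / SI
            r[{0x58: "AX", 0x5B: "BX", 0x5A: "DX", 0x5E: "SI"}[op]] = stack.pop(); ip += 1
        elif op == 0x50: stack.append(r["AX"]); ip += 1      # PUSH AX
        elif op == 0x35: r["AX"] ^= int.from_bytes(mem[ip+1:ip+3], "little"); ip += 3  # XOR AX,imm16
        elif op == 0x25: r["AX"] &= int.from_bytes(mem[ip+1:ip+3], "little"); ip += 3  # AND AX,imm16
        elif op == 0x34: r["AX"] ^= mem[ip+1]; ip += 2       # XOR AL,imm8 (only the low byte changes)
        elif op == 0x43: r["BX"] = (r["BX"] + 1) & 0xFFFF; ip += 1                    # INC BX
        elif op == 0x29 and mem[ip+1] == 0x37:                # SUB [BX],SI: the self-modifying step
            old = int.from_bytes(mem[r["BX"]:r["BX"]+2], "little")
            new = (old - r["SI"]) & 0xFFFF
            mem[r["BX"]:r["BX"]+2] = new.to_bytes(2, "little")
            sf, of = new >> 15, int(bool((old ^ r["SI"]) & (old ^ new) & 0x8000))
            ip += 2
        elif op == 0x7D:                                     # JGE rel8: taken when SF == OF
            rel = mem[ip+1] - 256 if mem[ip+1] > 127 else mem[ip+1]
            ip += 2 + (rel if sf == of else 0)
        elif op == 0xCD:                                     # INT imm8
            vec = mem[ip+1]; ints.append(vec); ip += 2
            if vec == 0x21 and r["AX"] >> 8 == 0x09:         # DOS fn 09h: print '$'-terminated string at DS:DX
                printed += mem[r["DX"]:mem.index(ord("$"), r["DX"])].decode("ascii")
            elif vec == 0x20:                                # DOS program termination
                return printed, ints, bytes(mem[0x140:0x144])
        else:
            raise ValueError(f"unhandled opcode {op:02X} at {ip:04X}")
```

    Calling run_eicar(EICAR) yields the displayed text, the interrupt vectors hit in order (21h then 20h), and the four patched bytes CD 21 CD 20 that never appear in the file itself, which is why a disassembly of the file on disk does not show them.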
     
  6. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    So, Inspector, you are saying that attempting to disinfect the test file would lead to the null string, and not the string indicating a 0 kb text file. An interesting point!

    Dave
     
  7. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Usually if you attempt to disinfect a file with a parasitic virus infection and that fails, you then have to offer delete. (And it is supposed to fail, because cleaning it to a 0 byte file is nonsense and, as I said earlier, eicar is not able to infect other files since it is only a harmless static non-malicious "virus code".)
     