Eicar.com Test File

Discussion in 'Prevx Releases' started by redwolfe_98, May 14, 2010.

Thread Status:
Not open for further replies.
  1. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    i just tried using the eicar.com test file to test prevx but prevx didn't flag it.. in the past, it has flagged it..

    does prevx flag the eicar.com test file for anyone else?

    i am running prevx build 3.0.5.143
     
  2. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    Did you try executing it?
     
  3. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    464
    Location:
    UK
    That's odd, it detects it for me. I just did a right-click scan on the file. (Also detected when I run it.)

    The string is:

    X5O!P%@AP[4\PZX54(P^)7CC)7}$~snip~ Removed some of the text just in case some web scanner flags Wilders :)
     
    Last edited by a moderator: May 15, 2010
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Prevx should flag eicar without a problem - could you let me know what version of Prevx you're using? The Facebook installer will hide malware detections to provide a most simplistic user experience (as it is focused on blocking threats from stealing user data rather than detecting low-risk malware itself).
     
  5. PC__Gamer

    PC__Gamer Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    526
    i can run eicar text file directly from the website without any warnings, either by clicking it directly or downloading and clicking run on IE8 pop up.

    i can also download and run .txt eicar (using right-click>save target as), run it directly from my desktop, without any warnings of a virus.
     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Prevx won't scan text files but it should warn when the .com file is running from IE - could you also let me know what version of Prevx you're using (if it is the direct SafeOnline install or the "normal" Prevx version)?

    Thanks!
     
  7. PC__Gamer

    PC__Gamer Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    526
    Regarding the .com link, I get no popup from prevx although I get the feeling it's blocked it, just no actual prevx warning.

    Only checked to see what the poster was saying, :)

    It wasn't earlier, but I could re-check later if you wish me to. Latest 143 Prevx 3.0 version (not PSO version), running W7 x64.
     
  8. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    well, for one thing, i have "ntvdm.exe" disabled from running, which is used by the eicar.com test file, so the eicar.com file would not run anyway on my computer.. STILL, even though i have "ntvdm.exe" blocked from running, in the past, when i would use the eicar.com test file, to test prevx, prevx STILL would flag it when i tried to execute it, even though "ntvdm.exe" was blocked from running..

    incidentally, prevx flags the eicar.com test file when i right-click and scan it, manually..

    so...i tested prevx with the "trojansimulator", which is available from "misec":

    http://www.trojanhunter.com/trojansimulator/

    again, NOTHING from prevx when i ran the "trojansimulator".. when i ran the trojansimulator, prevx did not flag anything..

    prevx would flag the tserv.exe file when i would right-click and scan it, and it would flag the tserv.exe process and the trojansimulator regkey when running a manual scan, but prevx's "guard" did nothing to block the "infection"..

    so, for whatever reason, prevx is not doing anything for me except using up some resources unnecessarily, since the guard is not blocking "malware" from running..

    the prevx processes are running and, as far as i can tell, all the prevx drivers are "running"..

    i will try doing some more testing..
     
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @redwolfe_98

    Interesting behaviour o_O might try it.

    Good heads up :thumb:
     
  10. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    I have no problem with them!

    TH
     

    Last edited: May 18, 2010
  11. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Can I suggest that you try a clean install of Prevx and try again? Uninstall Prevx via Add/Remove, then reboot and download a fresh copy from here (http://info.prevx.com/downloadcsi.asp), install it and, after the learning scan, install your license, reboot again and then test it!

    HTH,

    TH
     
    Last edited: May 18, 2010
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Disabling ntvdm will definitely change how the blocking of eicar will take place. However, Prevx should definitely be blocking trojan simulator - could you please let me know exactly what version of Prevx you're using (if it is the SafeOnline version in particular) and what your heuristic settings are and if you have a license key?

    Thank you!
     
  13. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    prevxhelp, i was running prevx 3.0.5.143, with the "trial version" of "safeonline" disabled, in the program..

    i think the problem was that i had too many security-programs running on my computer.. i am running "antivir 10", the "kerio 2.15 firewall", "system safety monitor" and "regdefend", from "ghost security"..and i had prevx running along with those.. i also had "spyware doctor 7" installed, but not running in realtime, though some of its drivers would still run..

    i tried disabling "system safety monitor" and "regdefend" and tested again and prevx would flag the "tserv.exe" trojansimulator file, then..

    i tried uninstalling "spyware doctor 7" and tested again, but that didn't help..

    so, between the new "prevx" which needlessly has "safeonline" built into it (needless because there is the "safeonline" program which is prevx+safeonline), the new "antivir 10", and the new "spyware doctor 7", things were not working for me.. my guess is that the new "antivir 10" is causing the problem.. again, apparently there were just too many security-programs running on my computer, causing a problem.. i have seen this problem before, where i had too many security-programs running, causing one of them to not function the way that it was supposed to..

    so, i had to dump something and i dumped "spyware doctor 7" and "prevx".. (again, i did not have "spyware doctor" running in realtime.. i have used "spyware doctor" mostly to take advantage of the activex-killbits that SD's "immunizer" gives you)..

    i have been running a similar setup for a number of years without any problems, but, apparently, with the updates to the various programs, it is not working for me now..

    i wish prevx would not incorporate "safeonline" into the prevx program.. it is not necessary when there is the "safeonline" program which is prevx+safeonline.. that might make a difference.. i am considering installing an old version of prevx which does not have "safeonline" incorporated into it and see if that works for me.. i might also try installing the old "antivir 9" program and see if that makes a difference.. i am sure that it would..

    thanks for the help.. this is not a prevx problem unless having "safeonline" needlessly incorporated into the prevx program contributes to the problem.. with "safeonline" incorporated into "prevx", there are some extra drivers, associated with "safeonline", that are running, which might contribute to the problem.. it is not possible to disable those drivers.. i have tried it and the result was that i was locked out of my computer.. incidentally, i tried disabling the one "spyware doctor" driver that was running and that too locked me out of my computer, with BSOD's..

    while i am here i will mention one other thing.. when prevx is running, it adds about 8 seconds to the time that it takes for my computer to shut down.. i wish it didn't do that..
     
    Last edited: May 19, 2010
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    You can install Prevx without SafeOnline with the instructions in this thread: https://www.wilderssecurity.com/showthread.php?t=268613 but we doubt that SafeOnline would cause any compatibility problems here - it is more likely a case of one of the other security programs also blocking the file.

    You may want to try lowering the self protection settings but there is nothing in Prevx which would perform on-shutdown scanning or anything that should slow it down.
     
  15. PC__Gamer

    PC__Gamer Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    526
    nah, no pop up for me Joe.

    clicking the .com and clicking run within IE8 gives no pop up from Prevx regarding a detection.

    It is blocking it, as I get the usual 'Windows cannot access the specific path or file' pop up, but no detection warning from Prevx, I'm afraid.

    win7x64, 143, normal Prevx 3.0 version.
     
  16. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Hi Guys, now that I have a dual boot of Windows 7 32bit & 64bit, I have tried under both and all was blocked, even in x64 using both IE8 32bit & 64bit browsers. I have NOD32 disabled and just Prevx, and it blocked all tests but not the text file one, as Joe said it would not! I even tried "trojansimulator" and that was blocked under both.

    TH
     
    Last edited: May 19, 2010
  17. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    Prevxhelp, i did some more testing.. :) first, i did a clean reinstall of the prevx program, build 3.0.5.143, and rebooted..

    when i tested to see if prevx would flag the "trojansimulator" files, when i "moused over" the files, it flagged them..

    HOWEVER, i tested again by TEMPORARILY DISABLING prevx's realtime-protection, while re-extracting the "trojansimulator" files, and then re-enabling prevx's realtime-protection, after the "trojansimulator" files had been re-extracted, and prevx would NOT flag the "trojansimulator" files after its realtime-protection had been temporarily disabled and then re-enabled..

    so, that was the problem.. when i would test prevx, i would temporarily disable prevx's realtime-protection, while extracting the test-files, and then i would re-enable prevx's realtime-protection, for testing.. prevx's realtime-protection would not flag the test-files after having been temporarily disabled and, then, re-enabled..

    another possibility is that, once prevx had scanned the files once, the first time that they were detected, the files were ignored, after that..
     
    Last edited: May 20, 2010
  18. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    Interesting reading.
     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    That's quite interesting and could potentially explain the issues. When under "Install Mode" (or disabled intentionally by the user), Prevx treats newly introduced files differently. I'll do some digging here to hopefully get this behavior corrected in the next release.

    Thanks for the detailed assistance :thumb:
     
  20. PC__Gamer

    PC__Gamer Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    526
    Well, I don't disable anything and the .com eicar link does not give me a prevx infected pop up
     
  21. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Quote redwolfe_98

    when i tested to see if prevx would flag the "trojansimulator" files, when i "moused over" the files, it flagged them..

    I was interested in the mousing over aspect, so I opened up one of my nasties folders to try it. I tried on some REAL rootkits and got the same result. What I found was the Prevx tray icon turned RED as soon as I hovered over one of the files.

    [attached screenshot: fl.gif]

    This could easily be missed by some people, so I think it might be better if we were alerted in a more abrupt way. For example by the Prevx GUI auto opening up with the alert as well, as it does when clicked :thumb:

    [attached screenshot: ts.gif]
     
  22. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    464
    Location:
    UK
    I would like a more noticeable icon change too. I'm red/green colour blind and can't see any colour change at all.

    Interesting thread, this. Can I read into this that there is a bug with disabling and re-enabling protection?
     
  23. PC__Gamer

    PC__Gamer Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    526
    lol doesn't really explain why I don't get a prevx pop up on eicar, but I hear you loud and clear.

    I've been big on requesting the old icons, it was prevx's signature to me and it was removed in 3.0

    I'm not alone in this request, so let's bring it back :)

    Kaspersky shouldn't change its K, Avira its umbrella, GData's G, McAfee's M, AVG's coloured square,

    ... You get the point, and the blobs were Prevx's signature to me. :)

    Yeah? Lol
     
  24. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Have you got an image of one of those old icons for us to see?
    I briefly used Prevx 2.0, but I can't recall how the icon looked. :)
     
  25. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Could you let me know what your heuristic settings are and could you possibly try sending a scan log to report@prevxresearch.com? Prevx won't necessarily scan files every time on mouse-over but it should block eicar if it tries to execute if your PC is set up to correctly load 16bit files. (However, *soapboxing :D* eicar is not representative of any of today's malware so it is largely a waste of time in terms of testing AV detections.)
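    As an added illustration of the 16-bit point in the reply above (this is not code from the thread, from Prevx, or from any poster): eicar.com is a header-less DOS .COM image, so Windows routes it through NTVDM rather than the Win32 loader, which is why blocking ntvdm.exe changes how and whether execution of the test file gets intercepted. The Python helper below tells a raw .COM image apart from an MZ/PE executable by inspecting its header. The sample bytes are constructed here and are not the EICAR string; offset 0x3C (e_lfanew) and the "PE\0\0" signature are the standard PE layout, while the 0xFF00 size bound is an assumption based on a 64 KiB COM segment with a 0x100-byte PSP.

```python
"""Classify a Windows executable image by its header (added example).

A DOS .COM file such as eicar.com has no header at all: it is raw 16-bit
code loaded at offset 0x100 of a 64 KiB segment and run by NTVDM. A PE
file starts with an MZ stub whose e_lfanew field (offset 0x3C) points at
the "PE\0\0" signature. Knowing which path a test file takes helps when
interpreting "blocked but no alert" results like the ones in this thread.
"""
import struct

# Assumption: largest possible .COM image (64 KiB segment minus 0x100 PSP).
COM_MAX_SIZE = 0xFF00


def classify_image(data: bytes) -> str:
    """Return 'pe', 'mz-dos', 'com' or 'unknown' for the given file bytes."""
    if not data:
        return "unknown"
    if data[:2] == b"MZ":
        # MZ header present; check whether it is a full PE (Win32) image.
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "pe"
        return "mz-dos"  # MZ stub only: a 16-bit DOS .EXE
    if len(data) <= COM_MAX_SIZE:
        return "com"  # no header: raw 16-bit code, executed via NTVDM
    return "unknown"


def needs_ntvdm(data: bytes) -> bool:
    """True when the image can only run through the 16-bit subsystem."""
    return classify_image(data) in ("com", "mz-dos")


# --- constructed samples (not real files, not the EICAR string) ---

def build_sample_pe() -> bytes:
    """Minimal MZ stub whose e_lfanew points at a PE signature."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> right after stub
    return bytes(header) + b"PE\0\0"


def build_sample_mz_dos() -> bytes:
    """MZ stub with no PE signature (a 16-bit DOS .EXE shape)."""
    return b"MZ" + b"\0" * 0x3E


# A four-byte DOS program: mov ah,4Ch / int 21h (exit to DOS). Constructed.
SAMPLE_COM = b"\xB4\x4C\xCD\x21"


if __name__ == "__main__":
    for name, blob in (("pe", build_sample_pe()),
                       ("mz-dos", build_sample_mz_dos()),
                       ("com", SAMPLE_COM)):
        print(f"{name:7s} -> {classify_image(blob)} (needs NTVDM: {needs_ntvdm(blob)})")
```

    On 64-bit Windows there is no NTVDM at all, so a .COM test file cannot execute natively there; a scanner that only hooks Win32 process creation may therefore show "blocked" with no detection alert, which is worth keeping in mind when reading the x64 reports in this thread.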
     