EICAR Test File

Discussion in 'NOD32 version 2 Forum' started by tony62, Oct 25, 2005.

Thread Status:
Not open for further replies.
  1. tony62

    tony62 Registered Member

    Hi all,
    I recently purchased NOD32 and must say that I am pretty impressed with it so far :) I have implemented Blackspear's guide here since this is a shared PC. Anyway, I decided to test NOD's 'IMON' effectiveness today using this site, eicar.org, and happily enough it blocked the first file download link immediately. I then went on to create a .txt and a .com file using the virus string, and AMON picked up on these too. However, when I pasted the exact same string into an Office Word document (2003), it failed to detect it upon creation, execution or even a context menu scan o_O
    Should DMON detect this or not?
     
  2. alglove

    alglove Registered Member

    It probably has to do with the exact definition of the Eicar.com test file, as stated here: http://www.eicar.com/anti_virus_test_file.htm
    Since you pasted the string into a Word Document, the resulting .doc file no longer meets the definition of the Eicar.com test file. The same thing applies to a webpage that includes this string. Since the string is in the middle of the webpage, it does not meet the definition of the file. ;)

    Now, if you were somehow able to paste an eicar.txt file in a Word document as a separate object, that might be another story.
     
  3. Marcos

    Marcos Eset Staff Account

    No, the eicar test file must be in a pure text file, not in a Word or another document.

    Edited:
    OK, Alglove was faster than me :)
     
  4. tony62

    tony62 Registered Member

    Yes, that does seem to be the case, since the resulting .doc file ends up 19.5 KB as opposed to 68 bytes.
    Thanks for your help ;)
     
  5. Happy Bytes

    Happy Bytes Guest

    Eicar is just a TESTVIRUS. Eicar was designed to test GENERAL functionality of AV software and not for determining how well a software finds "embedded" viruses. There's even one rule - Eicar should only be detected if it has its original filesize. This basically has to do with a lot of readme.txt files from AV software. Lots of companies write about EICAR there and also quote the ASCII eicar text. It would be a false positive to detect such files!

    If you want to know more about EICAR and how this test virus works, take a look over here, where I explained it in the AV-Comparatives Forum:
    http://www.av-comparatives.org/forum/viewtopic.php?t=150

    8^) H.B.
     
  6. tony62

    tony62 Registered Member

    This is exactly what I originally wanted, 'test GENERAL functionality'.
    I disagree here, solely for its test functionality. For example, once a firewall has been set up correctly you will then wish to test it using various 'Probing' sites. How else would one test antivirus software?
    Very informative, thanks for the link ;)
     
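The rule the replies above describe (the string must be the file, not text inside a larger document) can be checked mechanically. The following is an added example, not code from any poster or from ESET; the 68-byte string, the allowed trailing whitespace bytes and the 128-byte limit are taken from EICAR's published definition rather than from this thread, and the sample inputs are constructed.

```python
"""Classify a byte buffer against the EICAR test-file definition (added example)."""

# The 68-byte EICAR test string (public, harmless test constant; not quoted in the thread).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Assumption from EICAR's published definition: the string may be followed only
# by these whitespace bytes, and the whole file may not exceed 128 bytes.
ALLOWED_TRAILER = frozenset(b" \t\n\r\x1a")
MAX_LEN = 128


def classify(data: bytes) -> str:
    """Return 'test-file', 'embedded' or 'absent' for the given file content."""
    if data.startswith(EICAR):
        trailer = data[len(EICAR):]
        if len(data) <= MAX_LEN and all(b in ALLOWED_TRAILER for b in trailer):
            return "test-file"   # meets the definition: a scanner should flag it
        return "embedded"        # starts with the string but is too long or has other bytes
    if EICAR in data:
        return "embedded"        # string quoted inside a larger document
    return "absent"


def build_samples() -> dict:
    """Constructed sample inputs mirroring the cases from the thread."""
    return {
        "eicar.com (68 bytes)": EICAR,
        "eicar.txt saved with CRLF": EICAR + b"\r\n",
        "readme quoting the string": b"To test your scanner, save this line:\r\n" + EICAR + b"\r\n",
        # Constructed stand-in for the 19.5 KB .doc (not a real Word file):
        # container bytes before and after the pasted text.
        "word-like container": b"\xd0\xcf\x11\xe0" + b"\x00" * 2048 + EICAR + b"\x00" * 17000,
        "string followed by padding": EICAR + b"A" * 100,
        "clean file": b"hello world\n",
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:32} {len(blob):6d} bytes -> {classify(blob)}")
```

A scanner that follows the definition reports only the "test-file" cases; the "embedded" results correspond to the Word document and readme.txt situations raised in the thread.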