EICAR test file

Discussion in 'NOD32 version 2 Forum' started by Stijnson, Nov 13, 2007.

Thread Status:
Not open for further replies.
  1. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Yesterday I downloaded the Eicar test file, contained in a zip-file, and saved it to my desktop. I was actually expecting the real-time protection to kick in (AMON or IMON), but it didn't (perhaps this is me misunderstanding the program, I thought IMON would check it because it was an Internet download). When I checked the zip-file on demand, NOD32 (as expected) warned me about an infected file inside the archive.

    However, the only option that I had was to copy it 'to quarantine' and then close the alert window. Is this supposed to go like this? I thought NOD32 would clean or delete the file. Manually deleting the file worked also.

    Do I have to worry about the real-time protection as well?
    I hope that someone can help me out.

    EDIT: Perhaps a dumb question to add after all of this, but I have never had a 'virus warning' with NOD32 before. Am I supposed to copy the file to quarantine and can I take further action from there?
     
    Last edited: Nov 13, 2007
  2. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Do you have NOD with Blackspear's settings?
    I'm on Linux right now, so I can't test NOD atm, but later I will...
     
  3. Stijnson

    Stijnson Registered Member

    Yes, I have Blackspear's settings. I noticed that I couldn't download the single .com file ('file not found' error, but as I understand it this is Blackspear's settings kicking in - IMON preventing an infected download), but I was able to download the zip.
     
  4. HURST

    HURST Registered Member

    Ok
    I'm in XP now and tested the EICAR file.
    Under the standard HTTP protocol, IMON blocked all 4 files.
    Under the secure SSL HTTPS protocol, I could download the 4 files, but AMON deleted the ones that weren't zipped. IMON didn't block them.
    When unzipping, AMON did the job, I unzipped to a folder and the folder was empty (both times).
    When scanning the zip files with NOD32, the files were deleted (both times).
    When trying to execute from within WinRar, AMON blocked execution and deleted the files.

    So, IMHO, even though IMON failed on the files, and AMON let 2 of them be created, there's no way those files could be unzipped or executed, and they wouldn't resist a NOD32 scan.

    I hope this was helpful for you.
     
  5. Stijnson

    Stijnson Registered Member

    Hello Hurst, thanks for your reply. You are also using Blackspear's settings as I understand it? How did you configure AMON (what settings)?
    IMON did in fact prevent me from downloading the 4 files through the standard HTTP protocol (just as you described), so that's a first relief.
    I have AMON set to 'Prohibit access and show alert window' and a check in the box next to 'copy to Quarantine'. This setting doesn't enable me to do anything else, is that correct?
     
  6. ASpace

    ASpace Guest


    It won't let you run a malicious file and won't let a newly created threat run by itself.
     
  7. Stijnson

    Stijnson Registered Member

    So manually deleting such a file would suffice?
     
  8. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    I have standard factory settings - straight off the shelf & all 4 'bit the dust' before the download commenced.
     
  9. Stijnson

    Stijnson Registered Member

    That worked for me as well, the only thing I was having 'problems' with was the zip-file. Manually removing such a file would be enough then?
     
  10. ASpace

    ASpace Guest

    Yes and no.

    If you adjust your on-demand scanner settings (as I told you) to make nod32.exe NOD32 on-demand scanner can automatically delete the infected zip
     
  11. HURST

    HURST Registered Member

    Yes, I have Blackspear's settings. AMON is configured exactly as indicated by Blackspear.
     
  12. maddawgz

    maddawgz Registered Member

    Joined:
    Aug 13, 2004
    Posts:
    1,276
    Location:
    Earth
    I'm using the suite 3; it wouldn't even let me download the ZIP file, full stop. Love this new suite.
     