eicar test file

Discussion in 'ESET NOD32 Antivirus' started by markcc, Jun 10, 2008.

Thread Status:
Not open for further replies.
  1. markcc

    markcc Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    185
    Location:
    Michigan, usa
    I have NOD32 current version installed. If I e-mail myself the eicar test file, NOD does not show it as a virus. The e-mail scanner is working because it shows the file has been scanned. The other antivirus programs I've used show it as a virus as the e-mail is sent & received. Do I not have something set right?
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Which particular test file from this page did you attach to your e-mail?
     
  3. markcc

    markcc Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    185
    Location:
    Michigan, usa
    The 68 character line about 1/2 down the page.
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Did you actually attach the file? Couldn't it be that you merely copied its content to the email body?
     
  5. markcc

    markcc Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    185
    Location:
    Michigan, usa
    I copied the text string into Outlook & sent the e-mail to myself. No reaction from NOD. If I click on the eicar.com.txt file, NOD picks it up right away as a virus.
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Of course, antivirus programs should not react to that string only. It must be sent as an attachment; that's what all AV vendors agreed on:

    Any anti-virus product that supports the EICAR test file should detect it in any file providing that the file starts with the following 68 characters, and is exactly 68 bytes long:
    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
     
  7. markcc

    markcc Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    185
    Location:
    Michigan, usa
    Marcos, I guess I'm confused (not unusual for me!). If I open Outlook & copy that string & send it to myself using Avast, Kaspersky or GData, it flags it as a virus. It does not with NOD. Am I missing something here?
     
  8. markcc

    markcc Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    185
    Location:
    Michigan, usa
    I copied the string into the body of Outlook.
     
  9. wrathchild

    wrathchild Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    170
    Location:
    Neoplantesis
    For example... if I copy-paste the 68 EICAR characters into a text editor and try to save it as a .txt file, I get a NOD32 warning... but when I copy-paste it into the message body and try to send the email, there is no warning at all and the mail was sent (with other AVs I've tried I can't send the email)... btw I can't check if NOD32 detects it on receipt because my ISP blocks that email.
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If you merely copy the string into the email body, it won't be detected, because only a file with that specific string that is exactly 68 bytes long is supposed to be detected per the EICAR standard, as all AV vendors have agreed. If this condition is not fulfilled, there's no reason to detect it. By simply copying the string into the email body you break this condition.
     
  11. markcc

    markcc Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    185
    Location:
    Michigan, usa
    Thank you for your answer

    Mark
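
The rule quoted in the thread (the data starts with the 68 characters and is exactly 68 bytes long), applied to each MIME part of a message. This is an added example, not code from the thread or from ESET; the function names and both sample messages are constructed for illustration.

```python
from email import message_from_bytes
from email.message import EmailMessage

# The 68-character string quoted in the thread, split in two so this
# source file does not itself start with the test string.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def is_eicar_file(data):
    """Rule as quoted in the thread: starts with the string, exactly 68 bytes."""
    return len(data) == 68 and data.startswith(EICAR)


def scan_message(raw):
    """Return (part label, matches rule) for every leaf MIME part."""
    results = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        payload = part.get_payload(decode=True) or b""  # undo base64/QP
        results.append((part.get_filename() or "body", is_eicar_file(payload)))
    return results


def body_only_message():
    """Constructed sample: the string pasted into the message text."""
    msg = EmailMessage()
    msg["Subject"] = "scanner test"
    msg.set_content("Test message\n" + EICAR.decode("ascii") + "\n")
    return msg.as_bytes()


def attachment_message():
    """Constructed sample: the string sent as a 68-byte attached file."""
    msg = EmailMessage()
    msg["Subject"] = "scanner test"
    msg.set_content("See attachment.")
    msg.add_attachment(EICAR, maintype="application",
                       subtype="octet-stream", filename="eicar.com")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(body_only_message()))
    print(scan_message(attachment_message()))
```

Under this rule only the attached part matches; the pasted body is a longer text part that merely contains the string.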
     