KAV 5 doesn't detect any of the eicar test files

Discussion in 'other anti-virus software' started by owziee, Jul 30, 2004.

Thread Status:
Not open for further replies.
  1. owziee

    owziee Registered Member

    Joined:
    Oct 3, 2003
    Posts:
    74
    Very weird... I have KAV 5 as on-demand scanner since I'm having NOD32 as my real-time AV. I downloaded all eicar antivirus test files to test and KAV 5 didn't detect any of them... Not even eicar.com!!!

    I scanned using right click on all files. What is going on here? KAV 5 seems to work fine and I've got the latest definitions and all, something is very strange.

    Anybody else having the same problem?
     
  2. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Try with some real sample (Kazaa), but EICAR should be detected at all times. Strange. Try reinstalling KAV o_O
     
  3. owziee

    owziee Registered Member

    Joined:
    Oct 3, 2003
    Posts:
    74
    Looks like Kaspersky have removed detection for eicar.

    I found this info at their site:

    Kaspersky Anti-Virus software detects this file only if the file name EICAR.AVC is listed in the AVP.SET file. At user request, the EICAR.AVC file has been removed from the main Kaspersky Anti-Virus database.

    More info here: http://www.viruslist.com/eng/viruslist.html?id=61238

    Strange.
     
  4. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Why the hell is this good? Same idiotic users that requested to add firewall leak testers into defs!? Some things should be as they were meant to be! EICAR to test AV functionality and leak-tests to test firewalls. How the hell can I test firewall if the AV deletes it before I can run it? It just doesn't make sense. EICAR is harmless since it contains just specific pattern that is caught by each and every AV out there so you can test if everything is working ok (you test it on disk, send it to yourself via mail, through MSN Messenger) and if it's caught, AV is working properly. Plain and simple. How are those smart asses gonna test their AV now? Hm yeah... :rolleyes:
     
  5. VikingStorm

    VikingStorm Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    387
    I don't get why someone would request that eicar not be detected... (especially by default)
     
  6. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Not only is it the smart ass users, Kaspersky TOOK the def out, I thought the EICAR testfile was supposed to be detected by all AVs in order to show the AV works and to familiarize the user with how his/her chosen AV works and alerts the user. So I guess Kaspersky wants its user to be unfamiliar with how its program works and responds to virii. Seems to be another indication (along with the ADS situation) of where KAV is headed. I suppose their users are supposed to download the latest netsky or maybe one of the bagles to see if their configuration works.
     
  7. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Hello owziee

    Have just tried this, and my KAV 5 detects them all. Perhaps a reinstall would do the trick?
     
  8. owziee

    owziee Registered Member

    Joined:
    Oct 3, 2003
    Posts:
    74
    Maybe you're right. But I did download some real viruses and KAV 5 detected them all.

    Can more people with KAV 5 also test the eicar files to confirm?
     
  9. tazdevl

    tazdevl Registered Member

    Joined:
    May 17, 2004
    Posts:
    837
    Location:
    AZ, USA
    What do you have the On Access and On Demand settings at? Set both to max then play around with it or try downloading again.

    KAV won't scan a zip until you try to decompress it if settings are at Recommended.
     
  10. Sisko

    Sisko Registered Member

    Joined:
    Jan 16, 2003
    Posts:
    42
    Tested With KAV 5.0.142 using Standard and Extended Definition as of 30/07/2004
    eicar.com and eicar.com.txt: Detected by Real-Time Protection
    eicar_com.zip and eicarcom2.zip : Detected by On-Demand Scan only

    KAV On-Demand Scan is able to scan archive files but there is no option to enable it (log message says "has not been processed because of the current protection level")

    EDIT
    More test done using www.testvirus.org for testing Real-Time email scan
    Test 4,5,14,22 : Virus Detected (subject says <Message is infected>)
    Test 24,25 : No detection (normal because there is no virus in them)
    All other test : Virus Detected and eicar.com suppressed (subject marked with <Message has been disinfected>)

    PS: The eicar.com is suppressed inside the archive even the double zip one so the zip is still there but empty.

    Sisko
     
    Last edited: Jul 30, 2004
  11. tazdevl

    tazdevl Registered Member

    Joined:
    May 17, 2004
    Posts:
    837
    Location:
    AZ, USA
    Correct. Set it to max and it scans archives. Otherwise it won't.
     
  12. Schouw

    Schouw AV Expert

    Joined:
    Jan 4, 2004
    Posts:
    29
    Location:
    Netherlands
    Must be an old write-up.
    eicar.avc has always been included in avp.set at least since KAV 4.x/5.x lifespan.
     
  13. owziee

    owziee Registered Member

    Joined:
    Oct 3, 2003
    Posts:
    74
    Well I think you're right and I do believe that I've found out what is preventing my KAV from detecting those eicar test files now.
    As I wrote earlier I have NOD32 as my real-time scanner and I think the troubles must have started when I installed the latest beta of NOD32. When I tried to download those eicar test files IMON caught them & that's good of course but since I wanted to download them and try with KAV 5 I disabled NOD32.

    What I've now noticed is that even if I shut down NOD32, IMON isn't completely shut down for some reason. I can download those eicar files but the zipped eicar archives are corrupted. So I did a scan with NOD32 on those files and NOD didn't find anything either. So apparently IMON has done something in the background.

    I got the idea while I was searching for real viruses and I had NOD completely disabled, suddenly the blocked by IMON screen appeared on a site for some reason and I thought it was strange since NOD32 wasn't even running.

    How those real viruses could get by IMON is another question though.
     
  14. owziee

    owziee Registered Member

    Joined:
    Oct 3, 2003
    Posts:
    74
    I've just confirmed what I thought. I did set Firefox to higher compatibility in IMON HTTP scanner setup, then I downloaded the eicar files, after the downloads finished IMON alarmed but I just closed it down instead of choosing terminate.

    I right-clicked on the file and scanned with KAV and BAAAM!! KAV detected the eicar anti-virus test file :)

    Well at least I can finally sleep tonight knowing that both of my AVs work as they should :)
     
  15. tazdevl

    tazdevl Registered Member

    Joined:
    May 17, 2004
    Posts:
    837
    Location:
    AZ, USA
    FYI latest version of KAV and NOD32 don't get along too well. Rather than pointing the finger @ an application, first thing to look at is apps that may potentially conflict.

    Having 2 AVs on the same rig is an interesting situation. Between updates they might work fine, next thing you know after an update, they don't get along at all.
     
  16. Sisko

    Sisko Registered Member

    Joined:
    Jan 16, 2003
    Posts:
    42
    Sorry I made a mistake. I was talking about the Real-Time Protection.

    Sisko
     
  17. looolman

    looolman Registered Member

    Joined:
    Jul 21, 2004
    Posts:
    2
    Maybe as NOD32 is your real-time scanner it would have deleted the virus automatically so the file will become 0 byte and when you test it with KAV it will not detect anything.

    for better and more comprehensive antivirus test
    you can try antivirus tester ver 3 from here

    ftp://ftp.externet.hu/pub/mirror/sac/avir/avtst30.zip
    I think KAV will pass 1 of 4 test...
    but my favorite McAfee will pass 4 of 4 :)
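
The cause the thread settles on (another scanner zeroing, corrupting or emptying the downloaded test files before the second scanner sees them) can be ruled out before blaming a scanner. The following Python check is an added example, not part of any post in the thread: it classifies a downloaded sample as intact, empty, truncated, altered, an unreadable archive, or an archive whose contents were removed. The function names, verdict strings and the stand-in payload are assumptions made for illustration; the digest is the widely published SHA-256 of the standard 68-byte test file.

```python
import hashlib
import io
import zipfile

# SHA-256 of the standard 68-byte EICAR test file (a widely published value).
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
BODY_LEN, MAX_LEN = 68, 128      # EICAR: 68-byte string, whole file at most 128 bytes
TRAILING_OK = b" \t\r\n\x1a"     # the only bytes allowed after the string

def check_payload(data, want=EICAR_SHA256):
    """Classify raw bytes that should be the uncompressed test file."""
    if len(data) < BODY_LEN:
        return "truncated" if data else "empty"   # "empty": zeroed by another scanner
    body, tail = data[:BODY_LEN], data[BODY_LEN:]
    if len(data) > MAX_LEN or tail.strip(TRAILING_OK):
        return "altered"
    return "intact" if hashlib.sha256(body).hexdigest() == want else "altered"

def check_file(data, want=EICAR_SHA256, depth=0):
    """Classify a downloaded sample, descending into nested zip archives."""
    looks_zip = len(data) >= 22 and zipfile.is_zipfile(io.BytesIO(data))
    if not looks_zip:
        return "unreadable-archive" if data[:2] == b"PK" else check_payload(data, want)
    if depth > 3:                # bound recursion into nested archives
        return "too-deep"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:          # CRC mismatch in a member
                return "unreadable-archive"
            members = [zf.read(n) for n in zf.namelist() if not n.endswith("/")]
    except (zipfile.BadZipFile, RuntimeError, OSError):
        return "unreadable-archive"
    if not members:
        return "archive-emptied"  # the zip is still there but the test file is gone
    verdicts = [check_file(m, want, depth + 1) for m in members]
    return next((v for v in verdicts if v != "intact"), "intact")

def make_zip(members):  # helper: builds constructed sample inputs only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    fake = b"A" * BODY_LEN       # constructed stand-in; the real test string is not embedded
    want = hashlib.sha256(fake).hexdigest()
    for blob in (fake, b"", make_zip({"t.com": fake}), make_zip({})):
        print(check_file(blob, want))
```

For real downloads, call `check_file(open(path, "rb").read())` with the default digest; any verdict other than `intact` means the sample was changed before the scan, so a clean scan result says nothing about the scanner.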
     