McAfee failed Eicarcom2.zip

Discussion in 'other anti-virus software' started by peakaboo, Mar 28, 2004.

Thread Status:
Not open for further replies.
  1. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Not a big deal but surprised me that McAfee failed Eicarcom2.zip.

    http://www.eicar.org/download/eicarcom2.zip

    This is the one where eicar.com is zipped and then this zip is zipped.

    I guess McAfee will unpack once but when it runs into a second zip it says nomas

    Can anyone confirm this result for McAfee or is it just me?

    [hr]

    I ran another AV against this and it was able to catch Eicarcom2.zip and all other Eicar examples on their page:

    http://www.eicar.org/anti_virus_test_file.htm

    I'm deciding whether to completely dump Mcafee now, since my upgrade from 4160 scan engine to 4320 has a trial time limit (Console & Autodat updates no longer function, but right click Vscan works fine except as noted above.) I may just keep Mcafee around as an on demand Vscan backup.
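
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not any vendor's code: a minimal recursive ZIP scanner whose `max_depth` limit decides whether a double-zipped EICAR file is detected. The archives are built in memory; the member names, `max_depth` and `MAX_MEMBER_BYTES` are assumptions made for the illustration.

```python
import io
import zipfile

# EICAR test string, split in two so the literal is not contiguous in this file.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-" + rb"ANTIVIRUS-TEST-FILE!$H+H*"
MAX_MEMBER_BYTES = 1 << 20  # assumed cap: skip members declared larger than 1 MiB


def make_zip(member_name: str, payload: bytes) -> bytes:
    """Build an in-memory, deflate-compressed ZIP with one member (sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def scan(data: bytes, max_depth: int, name: str = "input", depth: int = 0) -> list:
    """Return paths of objects containing the EICAR string.

    max_depth is how many archive layers the scanner is willing to open.
    Anything nested deeper is only matched as raw (still compressed) bytes.
    """
    hits = [name] if EICAR in data else []
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_MEMBER_BYTES:
                    continue  # do not inflate oversized members
                child = f"{name}/{info.filename}"
                hits += scan(zf.read(info), max_depth, child, depth + 1)
    return hits


# Constructed equivalent of the double-zipped test file (member names are made up).
single = make_zip("eicar.com", EICAR)
double = make_zip("inner.zip", single)

if __name__ == "__main__":
    for limit in (0, 1, 2):
        print(f"max_depth={limit}: single={scan(single, limit, 'single.zip')} "
              f"double={scan(double, limit, 'double.zip')}")
```

With a limit of one layer the single zip is flagged and the double zip is not; raising the limit to two flags both.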
     
  2. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    I don't run McAfee but I fail to see the threat of a virus that is zipped up twice? To run (if it was real) this virus it would need you to uncompress the file twice, at which McAfee would've jumped in long ago.

    To add these very deep scanning abilities could well hinder further development of the programme.
     
  3. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Appreciate your reply.

    As I said no big deal.

    I'm sure others who are more devious can figure a way to use a virus w/in an archive packed in an archive coupled with a Windows vulnerability and a process killer...

    still like to know if anyone else using older or latest McAfee can confirm - just curious

    [hr]

    Also Tinribs, did your AV catch Eicarcom2.zip on scan? If not what AV are you using - if you want to PM me feel free.
     
  4. VikingStorm

    VikingStorm Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    387
    I use McAfee VS 7.1 Enterprise, it was detected after it was d/led into the internet temp folder (with that silly IE d/ling before you picking an option deal). So no problems here...
     
  5. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    thanks VikingStorm

    sounds like your result was pretty good - since your Mcafee 7 had to unpack 2 archives to get to eicar.com and it did it real time in cache prior to your d/l option...
     
  6. Mack Jones

    Mack Jones Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    174
    Location:
    France
  7. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    Hi Peakaboo. My Mcafee found it. I'm running a download manager and McAfee set to scan after a download. I'm using McAfee 7.03 scan engine 4.3.20.
     

    Attached Files:

  8. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Thanks all.

    Well, I don't know why my version can't catch it, maybe due to the expiration of the trial on that new engine I upgraded to.

    Right click VirusScan still enabled but system scan is disabled due to end of trial. Maybe the power lies in the stuff which is disabled.
     

    Attached Files:

  9. bob_man_uk

    bob_man_uk Registered Member

    Joined:
    Jan 21, 2004
    Posts:
    91
    Location:
    United Kingdom
    My McAfee product (V7 enterprise) doesn't pick it up at download but if I tried to open the zip it said I couldn't and brings up the box saying that it had found a virus.
     
  10. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    bob_man_uk,

    Thanks for this info.

    If you get a chance, dl eicarcom2.zip, save it to a separate folder, and right click the folder and select "Scan for Viruses"

    see my gif above, scan and make sure "All files" is checked & "Compressed files" is checked.

    Let me know if VirusScan catches this.
     
  11. bob_man_uk

    bob_man_uk Registered Member

    Joined:
    Jan 21, 2004
    Posts:
    91
    Location:
    United Kingdom
    yes it does
     
  12. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Thank You for verifying.

    maybe the problem is my 4320 engine... will check this out later.

    seems more like an unpacking issue though, but maybe that is engine dependent also
     
  13. bob_man_uk

    bob_man_uk Registered Member

    Joined:
    Jan 21, 2004
    Posts:
    91
    Location:
    United Kingdom
    My engine is 4320 with the most up to date dat (currently 4346) so I dunno what's up
     
  14. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,729
    Location:
    Texas
    For what it is worth, F-Prot for Windows will detect this file when you try to download it before it is on your hard drive.
     
  15. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Just saw this thread: screenshot is what happened here in Opera when I clicked on your link to the double-zipped eicar.
     

    Attached Files:

  16. peakaboo

    peakaboo Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    377
    Interesting, I just tried this test on a non-timed-out version of McAfee (scan engine 4320, dat file was 4345) with the following result:

    right click VirusScan (on demand scan) on folder with Eicarcom2.zip does not detect the eicar.com.

    However, using McAfee VirusScan Central console and scanning I get a detection, however when I go to delete it, it is unsuccessful (even though it says it is deleted). Trying again using quarantine same thing happens - successful quarantine message given, but checking with explorer I see the eicar.com still zipped. I wound up deleting using explorer.

    This may dovetail into the latest VB100 bulletin and a weakness observed there:

    http://www.wilderssecurity.com/showthread.php?t=26251;start=msg152429#msg152429

    Sophos: No Support for On-Access scanning same happens to NAI including some archive format problems


    [hr]

    thanks to all for your input

    I may be dumping this version of McAfee soon.
     