Whic AV's pass all the Eicar antivirus test exept for eicar.com.txt?

Discussion in 'other anti-virus software' started by Sling Shot, Jul 19, 2004.

Thread Status:
Not open for further replies.
  1. Sling Shot

    Sling Shot Guest

    I just tested McAfee version 8.0, and it passed the eicar.com test, but it did not catch the zipped or double zipped. I was able to download both of the zip files, and then I was able to save them. When both of the zipped files were unzipped, they were detected.

    What AV scanners will pass all the Eicar tests? Does the text detection really matter?
     
  2. mieksio

    mieksio Guest

    etrust 6.2
     
  3. kloshar

    kloshar Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    279
    Location:
    Europe, Slovenia, Bre?ice
    F-secure for Workstations 5.41
     
  4. ^Ale

    ^Ale Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    187
    Location:
    Italy
    BitDefender St. Ed. v. 7.2
     
  5. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    gdata pro 14
     
  6. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Honestly it needs to pass only EICAR.COM
    I already explained many times regarding compressed (archived) versions of EICAR. The same applies to real viruses.
     
  7. Sling Shot

    Sling Shot Guest

    Why would Eicar suggest that good scanners would detect the single zipped, and that the better ones would even detect the double zipped?
     
  8. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Because scanning archives in real-time is waste of CPU time and memory.
    Files inside archives are in benign form anyway(very similar state to quaratined files),and when you access them directly inside archive or extract them they will be extracted to selected loaction ot into TEMP folder and then scanned by On-Access (Realtime) part of the antivirus. Packers (UPX,ASPack,ASProtect...) are totaly different stuff and shouldn't be messed with classic archives (ZIP,RAR,ACE,CAB...).
     
  9. se7engreen

    se7engreen Registered Member

    Joined:
    Feb 6, 2004
    Posts:
    369
    Location:
    USA
    Hey RejZoR-
    I agree with you that it's a waste of resources to scan inside of typical archived files. But what about self-extracting archives? Is there any danger in those?
     
  10. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Its the same. SFX (SelF eXtract) archives are the same thing,because compression does the same thing as quarantine. the extract part just replaces some external utility like WinRAR or WinZIP. In the end its purpose is the same,extracting the files. And again,they are scanned when they are extracted/executed.
     
  11. se7engreen

    se7engreen Registered Member

    Joined:
    Feb 6, 2004
    Posts:
    369
    Location:
    USA
    Thanks, that makes so much sense that it should've been obvious. I can be a little slow on Mondays though... :)
     
  12. Mannaggia

    Mannaggia Registered Member

    Joined:
    Aug 14, 2003
    Posts:
    234
    Location:
    Northern California
    Panda Platinum 7 and Trend Micro Antivirus pass all the Eicar tests.
     
  13. liang_mike

    liang_mike Registered Member

    Joined:
    Mar 12, 2004
    Posts:
    91
    Location:
    Canada
    Yup, I agree with you.
     
  14. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    I agree to RejZor's comment on the relevancy of detecting the compressed samples of eicar.

    Being quite a popular AV test nowadays, isnt it possible that an AV vendor can just add a signature for these compressed samples anyways. Thus nullifying the result of whether it really has the ability to scan through multiple zipped files.

    It seems most AVs have zip/rar support now anyways.

    To me the eicar test seems to be best used for troubleshooting and seeing if your AV is working, not a test on its scanning ability etc.
     
  15. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    KAV 4.5 personal passes all tests. KAV 5.0 personal does not. 4.5 is much superior AV and it is a shame it is considered an archived AV because I'd like to purchase it but I don't want to purchase an "old" version. I don't agree that right click detection after downloading but before unzipping is a waste of resources. It is a waste of my time to have to unzip in order to find a virus! I have a fast new box with plenty of RAM and it is by no means a waste of resources! I would not consider it a waste of resources on my older W98SE box either. I want it found on right click. NOD32 makes you unzip also and I don't like that and that is one reason I decided to trial KAV and then learned 5.0 is lousy but 4.5 is outstanding. Further, I do not want to risk sending a virus to someone because I forward a zipped file that I downloaded and haven't yet unzipped and so don't know is infected.
     
  16. VikingStorm

    VikingStorm Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    387
    And most AVs actually will detect those samples if they are tweaked to do so. (For instance, in this case, McAfee has archive scanning off by default)
     
  17. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Command antivirus also passes the eicar test's
     
  18. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,770
    Location:
    Texas
    F-Prot as well.
     
  19. Graystoke

    Graystoke Registered Member

    Joined:
    Aug 15, 2003
    Posts:
    1,502
    Location:
    The San Joaquin Valley, California

    I totally 100% agree.
     
  20. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    Huh!

    Right click on eicar_com.zip works for me without unzipping.

    ---
    Scan performed at: 7/19/2004 21:25:23 PM
    Scanning Log
    NOD32 version 1.817 (20040719) NT
    Command line: C:\3COM\eicar_com.zip
    Operating memory - is OK

    date: 19.7.2004 time: 21:25:28
    Scanned disks, directories and files: C:\3COM\eicar_com.zip
    C:\3COM\eicar_com.zip »ZIP »eicar.com - Eicar test file
    number of files scanned: 1
    number of viruses found: 1
    time of completion: 21:25:28 total scanning time: 0 sec (00:00:00)
    ----

    Also eicarcom2.zip.

    ----
    Scan performed at: 7/19/2004 21:37:17 PM
    Scanning Log
    NOD32 version 1.817 (20040719) NT
    Command line: D:\Documents and Settings\Administrator\My Documents\eicarcom2.zip
    Operating memory - is OK

    date: 19.7.2004 time: 21:37:22
    Scanned disks, directories and files: D:\Documents and Settings\Administrator\My Documents\eicarcom2.zip
    D:\Documents and Settings\Administrator\My Documents\eicarcom2.zip »ZIP »eicar_com.zip »ZIP »eicar.com - Eicar test file
    number of files scanned: 1
    number of viruses found: 1
    time of completion: 21:37:22 total scanning time: 0 sec (00:00:00)

    ---
     
    Last edited: Jul 19, 2004
  21. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,770
    Location:
    Texas
    NOD works for me in this manner also. Right click scan.

    F-Prot will detect this file at www.eicar.org when you try to download it.
    Even the double zipped version.

    I imagine the new version of NOD will do likewise.
     
  22. Pigman

    Pigman Registered Member

    Joined:
    May 15, 2004
    Posts:
    381
    NOD32 detects eicar.com when I try to download it.
     
  23. Rita

    Rita Infrequent Poster

    Joined:
    Jun 28, 2004
    Posts:
    6,863
    Location:
    wilds of wv
    hello sling shot
    my norton av passed all the tests
    Rita
     
  24. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    EICAR is merely suggesting that an AV should detect what is zipped or double zipped, I don't believe they are suggesting that AVs like NOD are inferior because they don't detect it as it is being downloaded, in fact they suggest that AFTER the file is downloaded you should run your chosen scanner on the file. As for the text file if you read their instructions it is not for testing your AV it is for people that have trouble downloading the other versions for whatever reason and you are supposed to rename the file to eicar.com (after downloading it) at which point your AV software should detect it. The AV's that detect the .txt version in my opinion are giving a false positive as text displayed on a web page is harmless, as are text files. Basically it comes down to different schools of thought on virus detection, some feel it is a waste of resources to scan data as it is being downloaded and do it once the file is saved or as the file is being saved, others would rather not download an infected file in the first place. Just my two cents on the subject.
     
  25. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Actually the concept is totally diferent. Here is the example of avast!'s interior of archive scanning.

    On-Access -> Off by default (in Pro can be turned on and changed,in Home not)
    On-Demand -> Off by default (can be enabled in Pro and Home)
    Explorer Extension -> On by default for all possible archives in Pro and Home
    Internet Mail -> On by default for both Pro and Home (it can only be chnaged in Pro)
    Instant Messaging -> On by default for both (can be only turned of and changed in Pro)

    This explains alot about avast!'s multilayer defence. On-Access by itself doesn't scan archives due to previously explaind thing (my posts above in this thread),but on other hand Internet Mail and Instant Messaging provider scan inside compressed archives,so there is no chance that you could forward an infected attachement or send the archive via Instant Messager ala MSN Messanger or mIRC. Explorer Extension is set extra tight (scans all archives,all files without exception on thorough mode which means it scans entire file from beginning to the end and without virus targeting),so you can fast and thoroughly check files.
     
Loading...
Thread Status:
Not open for further replies.