Whic AV's pass all the Eicar antivirus test exept for eicar.com.txt?

I just tested McAfee version 8.0, and it passed the eicar.com test, but it did not catch the zipped or double zipped. I was able to download both of the zip files, and then I was able to save them. When both of the zipped files were unzipped, they were detected.

What AV scanners will pass all the Eicar tests? Does the text detection really matter?

 

etrust 6.2

 

F-secure for Workstations 5.41

 

BitDefender St. Ed. v. 7.2

 

gdata pro 14

 

Honestly it needs to pass only EICAR.COM
I already explained many times regarding compressed (archived) versions of EICAR. The same applies to real viruses.

 

Why would Eicar suggest that good scanners would detect the single zipped, and that the better ones would even detect the double zipped?

 

Because scanning archives in real-time is waste of CPU time and memory.
Files inside archives are in benign form anyway(very similar state to quaratined files),and when you access them directly inside archive or extract them they will be extracted to selected loaction ot into TEMP folder and then scanned by On-Access (Realtime) part of the antivirus. Packers (UPX,ASPack,ASProtect...) are totaly different stuff and shouldn't be messed with classic archives (ZIP,RAR,ACE,CAB...).

 

Hey RejZoR-
I agree with you that it's a waste of resources to scan inside of typical archived files. But what about self-extracting archives? Is there any danger in those?

 

Its the same. SFX (SelF eXtract) archives are the same thing,because compression does the same thing as quarantine. the extract part just replaces some external utility like WinRAR or WinZIP. In the end its purpose is the same,extracting the files. And again,they are scanned when they are extracted/executed.

 

Thanks, that makes so much sense that it should've been obvious. I can be a little slow on Mondays though...

 

Panda Platinum 7 and Trend Micro Antivirus pass all the Eicar tests.

 

Yup, I agree with you.

 

I agree to RejZor's comment on the relevancy of detecting the compressed samples of eicar.

Being quite a popular AV test nowadays, isnt it possible that an AV vendor can just add a signature for these compressed samples anyways. Thus nullifying the result of whether it really has the ability to scan through multiple zipped files.

It seems most AVs have zip/rar support now anyways.

To me the eicar test seems to be best used for troubleshooting and seeing if your AV is working, not a test on its scanning ability etc.

 

KAV 4.5 personal passes all tests. KAV 5.0 personal does not. 4.5 is much superior AV and it is a shame it is considered an archived AV because I'd like to purchase it but I don't want to purchase an "old" version. I don't agree that right click detection after downloading but before unzipping is a waste of resources. It is a waste of my time to have to unzip in order to find a virus! I have a fast new box with plenty of RAM and it is by no means a waste of resources! I would not consider it a waste of resources on my older W98SE box either. I want it found on right click. NOD32 makes you unzip also and I don't like that and that is one reason I decided to trial KAV and then learned 5.0 is lousy but 4.5 is outstanding. Further, I do not want to risk sending a virus to someone because I forward a zipped file that I downloaded and haven't yet unzipped and so don't know is infected.

 

And most AVs actually will detect those samples if they are tweaked to do so. (For instance, in this case, McAfee has archive scanning off by default)

 

Command antivirus also passes the eicar test's

 

I totally 100% agree.

 

Huh!

Right click on eicar_com.zip works for me without unzipping.

---
Scan performed at: 7/19/2004 21:25:23 PM
Scanning Log
NOD32 version 1.817 (20040719) NT
Command line: C:\3COM\eicar_com.zip
Operating memory - is OK

date: 19.7.2004 time: 21:25:28
Scanned disks, directories and files: C:\3COM\eicar_com.zip
C:\3COM\eicar_com.zip »ZIP »eicar.com - Eicar test file
number of files scanned: 1
number of viruses found: 1
time of completion: 21:25:28 total scanning time: 0 sec (00:00:00)
----

Also eicarcom2.zip.

----
Scan performed at: 7/19/2004 21:37:17 PM
Scanning Log
NOD32 version 1.817 (20040719) NT
Command line: D:\Documents and Settings\Administrator\My Documents\eicarcom2.zip
Operating memory - is OK

date: 19.7.2004 time: 21:37:22
Scanned disks, directories and files: D:\Documents and Settings\Administrator\My Documents\eicarcom2.zip
D:\Documents and Settings\Administrator\My Documents\eicarcom2.zip »ZIP »eicar_com.zip »ZIP »eicar.com - Eicar test file
number of files scanned: 1
number of viruses found: 1
time of completion: 21:37:22 total scanning time: 0 sec (00:00:00)

---

 

NOD32 detects eicar.com when I try to download it.

 

hello sling shot
my norton av passed all the tests
Rita

 

EICAR is merely suggesting that an AV should detect what is zipped or double zipped, I don't believe they are suggesting that AVs like NOD are inferior because they don't detect it as it is being downloaded, in fact they suggest that AFTER the file is downloaded you should run your chosen scanner on the file. As for the text file if you read their instructions it is not for testing your AV it is for people that have trouble downloading the other versions for whatever reason and you are supposed to rename the file to eicar.com (after downloading it) at which point your AV software should detect it. The AV's that detect the .txt version in my opinion are giving a false positive as text displayed on a web page is harmless, as are text files. Basically it comes down to different schools of thought on virus detection, some feel it is a waste of resources to scan data as it is being downloaded and do it once the file is saved or as the file is being saved, others would rather not download an infected file in the first place. Just my two cents on the subject.

 

Actually the concept is totally diferent. Here is the example of avast!'s interior of archive scanning.

On-Access -> Off by default (in Pro can be turned on and changed,in Home not)
On-Demand -> Off by default (can be enabled in Pro and Home)
Explorer Extension -> On by default for all possible archives in Pro and Home
Internet Mail -> On by default for both Pro and Home (it can only be chnaged in Pro)
Instant Messaging -> On by default for both (can be only turned of and changed in Pro)

This explains alot about avast!'s multilayer defence. On-Access by itself doesn't scan archives due to previously explaind thing (my posts above in this thread),but on other hand Internet Mail and Instant Messaging provider scan inside compressed archives,so there is no chance that you could forward an infected attachement or send the archive via Instant Messager ala MSN Messanger or mIRC. Explorer Extension is set extra tight (scans all archives,all files without exception on thorough mode which means it scans entire file from beginning to the end and without virus targeting),so you can fast and thoroughly check files.