Looking For Anti-Virus Test



I've fooled around with the "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
but it is not doing what I want it to do.

It does provoke my virus checker when I try to email it - and
even provokes Verizon's spam trap; both of which prevent me from
emailing it to somebody.

What I want is some means to make the virus checker on another
person's PC pop a warning - preferably in response to an email.

The idea being that I can send them the email, go over to their
PC,  point to the window that the virus checker pops, and say
"See - that's a virus alert.   Always press *that* button and
never, ever, under any circumstances press the other button."

I even tried burning the EICAR text file to a CD and copying it
from the CD to the user's desktop - but the virus checker did not
throw the warning (and neither did my own when I did the same
thing).   Same checker won't let an email go out with the file
attached, though.   Maybe I have some profile setting wrong
in the checker - that it's not flagging the copy attempt?

Anybody got a harmless technique for provoking a virus warning so
the user can see what their virus checker's warning window looks
like?
--
PeteCresswell

Re: Looking For Anti-Virus Test




Since Eicar is a text string, edit it slightly and maybe rename it too.
Then once it's arrived at the target PC undo the changes and save the
file. The client's AV should then pop up (during the save) and you
can demonstrate how to deal with a malicious threat.

Re: Looking For Anti-Virus Test



Per Little Charlie:

I think I have it doped out.

- My virus checker does not flag .txt files - no matter what.

- As soon as the text string is embedded in a .com file (or
  even when attempts to rename .txt ==> .com), the checker
  flags it.  Ditto .bat, .scr and, I would hope, all other
  executable suffixes.
--
PeteCresswell

Re: Looking For Anti-Virus Test




No need to send it through e-mail for that - it's just an ASCII text
string (now new and improved with some additional whitespace) that also
works as a comfile.

Sadly, my AV alerts to it even as a text file (very annoying).



Re: Looking For Anti-Virus Test




EICAR should be a comfile (or other executable file destined for the
loader chain). Is there any reason that you *have* to have it as an
e-mail attachment?

Depending on the OS involved, you might be able to send kakworm script
and get an alert. Kakworm used the long since patched
'scriptlet.typelib/eyedog' vulnerability and should not have teeth on
modern OSes - yet (I think) should still be detected by AV programs. The
problem with e-mailing files that are known to cause alerts is that they
often get stripped out in transit. You could then experiment with the
"break apart messages" setting and send two half-kakworm scripts and
recombine them after receipt.

hxxp://62nds.com/pg/e91g.php






Re: Looking For Anti-Virus Test



Per FromTheRafters:

Only bc I thought it would most closely replicate the actual user
experience - since most of the time viruses seem to come in via
email attachments.   But it's not a religious issue and, as you
note below, getting it through various mail servers is a problem.

So I guess I'll just burn a .com version to CD.

--
PeteCresswell

Re: Looking For Anti-Virus Test



(PeteCresswell) wrote:


Just a thought, what if you send it as a zipped file?



Re: Looking For Anti-Virus Test



Per badgolferman:

The virus checker I use (and the user uses) inspects zip file
contents too.
--
PeteCresswell

Re: Looking For Anti-Virus Test




Not if you add a password. ;-)

--

Dennis

Re: Looking For Anti-Virus Test



Per Dennis:

Ouch!.... obvious now that you have said it...

Gotta give that a try.
--
PeteCresswell

Re: Looking For Anti-Virus Test




You've almost solved this problem already, even by the posts, but I
just found this ng and this is the first time I've had to put in my
two cents. :)

Maybe this is now subject to the problems you describe below, but here
is eicar in a variety of forms, at the bottom of the page.

http://eicar.org/anti_virus_test_file.htm

Just send him the url and have him dl some of them.

As to eicar.com.txt, I've long wondered what prevents someone from
dl'ing a file ending in txt and then a short command to rename the
file to be executable?

mm



Re: Looking For Anti-Virus Test





If you read the rest of the thread from the week old message you are
replying to, it was solved by sending password protected zip files.
I apologize if that comes across as condescending, but that is the
case with this thread.


Renaming the file should cause it to be scanned, and caught by any
decent anti-virus program, and is by all I've tried.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Re: Looking For Anti-Virus Test




Still, if the OP was looking for a way to check his e-mail scanning
feature - none of those EICAR methods will work.

After all, that is not really the purpose of the EICAR program.



Re: Looking For Anti-Virus Test




[...]


For some time I was trying to convince skeptics that *all* filetypes
should be scanned.

My concern was similar to yours (I think) - I was used to using "debug"
or "qbasic" and feeding them "program.txt" files.

Their unconcern was due to the fact that a program was needed to make
the textfile executable, and it would be *that* program that would need
to be detected (as a trojan perhaps).

Still, I thought, it is not a good idea to allow code such as this to
arrive on your computer's disk. I have since learned that there are so
many places on disk that code can hide (dormant) that it really does
make sense to target only those programs that are ready for execution
(executable).

Strictly speaking, EICAR should not be detectable in a zip file or a
text file. It should be detected if it is in executable form and alone
(possibly with a limited amount of whitespace - 68 to 128 bytes - it used
to be *only* 68 to 72 bytes) in a file. Your AV may detect EICAR.zip,
but it should do so when the unzipping isolates the string and places it
in a filetype that is indicative of an executable filetype.

[...]
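
The rule described in the last post (the string alone at the start of the file, optional whitespace, 68 to 128 bytes in total), as an added example that is not part of the original thread. The function name `classify` and the sample inputs are constructed for illustration; the set of permitted padding bytes is an assumption taken from the published EICAR definition, not from the thread.

```python
# Added example (not from the thread): check a file's bytes against the
# EICAR rule described in the post above.

# The 68-byte test string, assembled from pieces so that this source file
# does not contain it as one contiguous run.
EICAR = (rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-"
         + b"ANTIVIRUS-TEST-FILE" + rb"!$H+H*")

MAX_LEN = 128  # upper bound on total file size mentioned in the post
# Assumption: padding allowed by the EICAR definition is space, tab, LF,
# CR and Ctrl-Z only.
ALLOWED_PADDING = b" \t\n\r\x1a"


def classify(data: bytes) -> str:
    """Return 'strict', 'embedded' or 'absent' for a file's contents.

    strict   - starts with the string, only allowed padding after it,
               total length <= 128: a conforming scanner should alert.
    embedded - the string is present but the file breaks the rule
               (leading bytes, other trailing bytes, or too long);
               detection is product-specific.
    absent   - the string is not present (e.g. it was edited).
    """
    if EICAR not in data:
        return "absent"
    if not data.startswith(EICAR):
        return "embedded"
    tail = data[len(EICAR):]
    if len(data) > MAX_LEN or tail.strip(ALLOWED_PADDING):
        return "embedded"
    return "strict"


# Constructed sample inputs covering the cases raised in the thread.
SAMPLES = {
    "exact 68 bytes": EICAR,
    "trailing CRLF": EICAR + b"\r\n",
    "padded to 128 bytes": EICAR + b" " * 60,
    "padded to 129 bytes": EICAR + b" " * 61,
    "text before the string": b"note: " + EICAR,
    "one character edited": EICAR.replace(b"EICAR", b"EICAX"),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label:24} {len(blob):4d} bytes  {classify(blob)}")
```

A result of `embedded` or `absent` explains why a particular copy might not raise an alert even though the scanner is working.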


