Obtaining a "Faux Virus"?



I want to test the behavior of my anti-virus program (Avast).

To that end, I'd like to get hold of something that looks like a
virus (contains a known signature?) but doesn't act like a virus
(no damage if I accidentally let it loose on my PC or server).

With something like that, I could provoke the anti-virus
program's alerts, take screen snaps of them for user education,
and so-forth.

I could also see what happens when somebody ignores an alert on
their PC and tries to save an infected file to the server.

Anybody know of anything in this vein?

Or is there another way?
--
PeteCresswell

Re: Obtaining a "Faux Virus"?



(PeteCresswell) wrote:


Google for:  eicar test file

--
   -bts
   -Friends don't let friends drive Windows

Re: Obtaining a "Faux Virus"?




Paste this (without the parentheses), all by itself, in a text file
(using notepad).

(X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*)

If your AV doesn't alert to it as a text file (some won't), rename it to
a com filetype.


That string was designed for exactly that purpose.


Yes, and most (if not all) AV programs will have the signature in their
database.


There *is* another way, but it is not as safe. The EICAR string is more
than a string, it is actually a small program with self-modifying code.




Re: Obtaining a "Faux Virus"?



@news.eternal-september.org:


Unless the EICAR file has been changed since it was originally released,
it's not self modifying code; it displays a message to the screen and
exits. It's slightly special codewise because its creator was sure to
use only printable ASCII characters. *grin*.


--
Dustin Cook [Malware Researcher]
MalwareBytes - http://www.malwarebytes.org
BugHunter - http://bughunter.it-mate.co.uk

Re: Obtaining a "Faux Virus"?



"Dustin Cook" wrote:


But in order to work it has to modify the last four characters (H+H*)
of the eicar string because the instructions 'int 20' and 'int 21' are
not printable ASCII. Here's the final part of the code where it occurs:

0114  2937  SUB [BX],SI  ; modify loc 0140
0116  43    INC BX
0117  43    INC BX
0118  2937  SUB [BX],SI  ; modify loc 0142
011A  7D24  JGE 0140     ; jumps to 0140
...
0140  CD21  INT 21       ; print message
0142  CD20  INT 20       ; exit



Re: Obtaining a "Faux Virus"?





To the best of my knowledge, the only thing that has changed is in the
way that the scanners are supposed to detect it. It used to have to be
only the 68 (or 70 w/CRLF) bytes - they have since changed it to include
some amount of trailing whitespace for some reason.



Re: Obtaining a "Faux Virus"?



FromTheRafters wrote:

http://tinyurl.com/ygckpgz

Re: Obtaining a "Faux Virus"?



ASCII wrote:


Why use tinyurl for such a short real URL?

hXXp://vx.netlux.org/vx.php?id=sr00

Aah.  "vx"  <g>

--
   -bts
   -Friends don't let friends drive Windows

Re: Obtaining a "Faux Virus"?




...and wasn't it Vecna that made a generator for creating FP detections?

(what a hoot)

Do AV programs "retire" old definitions for long-ago-patched exploit-
based malware? I wouldn't expect them to, so having one land on your
hard drive as a file (or embedded in an e-mail to test your (yuck) e-mail
scanner) should pose no real risk, and yet actually test the AV to some
extent.



Re: Obtaining a "Faux Virus"?



Per FromTheRafters:

That seems to be doing the trick.  Thanks.

FWIW, Avast's catching it and issuing notifications does not seem
to be that consistent - unless (not unlikely) I'm missing something.
--
PeteCresswell

Re: Obtaining a "Faux Virus"?




I don't know what inconsistencies you are experiencing, but the EICAR
detection is very specific - it cannot (should not) be detected outside of
the specifications (see the eicar.com website).

I'm not too sure (haven't tried it) but it may be possible to save it as
an exe so that the OS's file browser causes an alert when it is accessed
for icon information (when you enter the directory it is in, or
otherwise attempt to display the icon). On your desktop, as a comfile,
the detection may be different than it is on your desktop as an
exefile - one would alert without the user clicking anything.

...but like I said, I haven't tried this.
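The "very specific" detection rule mentioned in this post and the 68-byte / trailing-whitespace detail from the earlier post can be checked against a file directly. The following is an added example, not code from any poster; it implements the published EICAR rule (68-byte string at the very start, only whitespace after it, at most 128 bytes in total) and deliberately splits the string into two constants so this script itself is not an in-spec EICAR file.

```python
# Checker for the EICAR anti-virus test file, following the rule published
# on eicar.org: the file must begin with the 68-byte test string, may be
# followed only by whitespace (space, tab, LF, CR, Ctrl-Z), and must not
# exceed 128 bytes in total. Anything else is out of spec and a scanner is
# not expected to alert on it.

# The 68-byte string, split in two so that this source file does not itself
# start with it (and is therefore not a valid EICAR file by the rule above).
EICAR_HEAD = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
EICAR_TAIL = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR = EICAR_HEAD + EICAR_TAIL          # 68 bytes

ALLOWED_TRAILING = frozenset(b" \t\r\n\x1a")   # space, tab, LF, CR, Ctrl-Z
MAX_LEN = 128


def is_eicar(data: bytes) -> bool:
    """True only if `data` is an in-spec EICAR test file."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    # Every byte after the 68-byte string must be one of the allowed
    # whitespace characters.
    return all(b in ALLOWED_TRAILING for b in data[len(EICAR):])


def classify(data: bytes) -> str:
    """Explain why a file does or does not count as an EICAR test file."""
    if is_eicar(data):
        return "EICAR test file (in spec)"
    if EICAR in data:
        # The string is present but not at offset 0, or the file is too
        # long, or non-whitespace follows it: a scanner need not alert.
        return "contains EICAR string but out of spec"
    return "no EICAR string"


if __name__ == "__main__":
    # Constructed samples: the bare string, the string plus CRLF, and the
    # string pasted into the middle of a larger text file.
    for sample in (EICAR, EICAR + b"\r\n", b"note: " + EICAR + b"\n"):
        print(len(sample), classify(sample))
```

Saving the first two samples to a file of their own (e.g. with a .com extension, as suggested above) produces the in-spec file; the third illustrates why a copy of the string inside a document often goes unnoticed by a scanner that follows the rule strictly.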


