
Does Your Antivirus Work Properly? How to Check It?


10 replies to this topic

#1 dmpservice

dmpservice

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:12:19 AM

Posted 24 July 2014 - 12:43 AM

Does Your Antivirus Work Properly? How to Check It?




#2 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 12,708 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:04:49 AM

Posted 24 July 2014 - 03:52 AM

Welcome to BC.

 

 

You can download an EICAR test file from the EICAR website. However, you could also create your own EICAR test file by opening a text editor (such as Notepad), copy-pasting the following text into the file, and then saving it:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Your antivirus program should react as though you had just created an actual virus.


Edited by NickAu1, 24 July 2014 - 03:53 AM.


#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,128 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:49 PM

Posted 24 July 2014 - 07:20 AM

How To: Test your anti-virus software
Spycar: Testing your Anti-Virus and Anti-Malware software
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#4 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,659 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:49 PM

Posted 24 July 2014 - 12:38 PM

Welcome to BC.

 

 

You can download an EICAR test file from the EICAR website. However, you could also create your own EICAR test file by opening a text editor (such as Notepad), copy-pasting the following text into the file, and then saving it:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Your antivirus program should react as though you had just created an actual virus.

 

If you use the notepad method, make sure you don't add a newline (don't press RETURN/ENTER) after the *.


Edited by Didier Stevens, 24 July 2014 - 12:38 PM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#5 BCHelper

BCHelper

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:49 PM

Posted 25 July 2014 - 05:38 AM

Most programs should detect it even if you press "ENTER" after the line.



#6 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,659 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:49 PM

Posted 25 July 2014 - 07:16 AM

Most programs should detect it even if you press "ENTER" after the line.


Yes, but not all, and that is precisely my point, we don't know what AV needs to be tested.

This is all in the specification: http://www.eicar.org/86-0-Intended-use.html



#7 BCHelper

BCHelper

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:49 PM

Posted 25 July 2014 - 07:19 AM

Yes, but it is a bad sign if this simple change to the file allows them to "fly below the radar". Otherwise a malware author could just add a new line and it would not be detected by the antivirus program ;)



#8 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,659 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:49 PM

Posted 25 July 2014 - 07:31 AM

VirusTotal results for

 

Yes, but it is a bad sign if this simple change to the file allows them to "fly below the radar". Otherwise a malware author could just add a new line and it would not be detected by the antivirus program ;)

 

I do not agree, it is not a bad sign. It is according to the specification. Vendors are allowed a strict interpretation of the specification.

 

And the EICAR test file is not malware, it was not created by malware authors, it was created by my friend Eddy Willems. He's a respected board member of EICAR, the European Institute for Computer Anti-Virus Research.

Malware authors do not pursue AV evasion for the EICAR test files.

 

Here are the VT results for strict interpretation (68 bytes):

50/52: https://www.virustotal.com/en/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/analysis/

 

Here are the VT results for whitespace interpretation (70 bytes: 68 bytes + CR NL):

48/53: https://www.virustotal.com/en/file/8b3f191819931d1f2cef7289239b5f77c00b079847b9c2636e56854d1e5eff71/analysis/


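The two interpretations Didier Stevens contrasts above (the strict 68-byte file versus the 70-byte file with an editor's CR LF appended) and the Notepad caveat in post #4, as an added Python example that is not from this thread. It builds the test string from post #2 without any trailing newline, classifies a candidate file under the strict reading and under the whitespace-tolerant reading of EICAR's intended-use rules as I understand them (an assumption: the first 68 bytes are the string, anything after may only be whitespace, and the file is at most 128 bytes), and compares SHA-256 against the two VirusTotal hashes posted in post #8. The file name eicar.com is assumed; writing it will, by design, trip a resident scanner.

```python
import hashlib

# The 68-byte EICAR string exactly as posted in this thread. The backslash is
# doubled only because this is a Python bytes literal; the file contains one.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# SHA-256 values copied from the VirusTotal URLs in post #8: the strict 68-byte
# file, and the 70-byte file with CR LF appended by an editor.
SHA256_STRICT_68 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
SHA256_CRLF_70 = "8b3f191819931d1f2cef7289239b5f77c00b079847b9c2636e56854d1e5eff71"

# EICAR's intended-use rules as I understand them (assumption, check the
# specification linked in post #6): the first 68 bytes are the string, anything
# after it may only be whitespace, and the whole file is at most 128 bytes.
MAX_TOTAL_LEN = 128
TRAILING_OK = b" \t\r\n\x1a"   # space, tab, CR, LF, Ctrl-Z


def eicar_bytes(trailing=b""):
    """The test string plus an optional trailer, e.g. b"\\r\\n" for Notepad's newline."""
    return EICAR + trailing


def classify(data):
    """Return 'strict' for exactly the 68 bytes, 'whitespace' for the tolerant
    form (68 bytes + only whitespace, <= 128 bytes total), otherwise 'none'.
    A scanner taking the strict reading flags only the first; one taking the
    whitespace reading flags both; neither should flag 'none'."""
    if data == EICAR:
        return "strict"
    if (data.startswith(EICAR)
            and len(data) <= MAX_TOTAL_LEN
            and all(b in TRAILING_OK for b in data[len(EICAR):])):
        return "whitespace"
    return "none"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def write_test_file(path, trailing=b""):
    """Write in binary mode so neither the editor nor the platform adds a newline."""
    data = eicar_bytes(trailing)
    with open(path, "wb") as f:
        f.write(data)
    return len(data)


def verify_file(path):
    """Read a candidate file back and report length, interpretation and hash."""
    with open(path, "rb") as f:
        data = f.read()
    return {"length": len(data), "form": classify(data), "sha256": sha256_hex(data)}


if __name__ == "__main__":
    # Assumed file name; a resident scanner should react as soon as this is written.
    print("wrote", write_test_file("eicar.com"), "bytes ->", verify_file("eicar.com"))
    print("68-byte hash matches post #8:", sha256_hex(eicar_bytes()) == SHA256_STRICT_68)
    crlf = eicar_bytes(b"\r\n")
    print("CR LF variant:", len(crlf), "bytes,", classify(crlf),
          "hash matches post #8:", sha256_hex(crlf) == SHA256_CRLF_70)
```

If verify_file reports a length other than 68 or a form other than "strict", the editor added something (typically a CR LF, which Didier's point says a strictly conforming scanner may ignore), so re-create the file with write_test_file rather than Notepad before concluding that the scanner is broken.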


#9 BCHelper

BCHelper

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:49 PM

Posted 25 July 2014 - 07:38 AM

But all the bigger antivirus companies still detect them ;)

 

Of course you can add an additional detection method just for EICAR, but why not use the same method by which a normal virus would be detected? :)



#10 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,659 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:49 PM

Posted 25 July 2014 - 07:50 AM

But all the bigger antivirus companies still detect them ;)

 

And that is precisely my point. The OP doesn't mention which AV product to test. So there's a small but real probability that the OP is not referring to a bigger antivirus company.

 

I don't know of AV vendors that have an additional detection method for the EICAR test file. They just use a signature for the EICAR test file.




#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,128 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:49 PM

Posted 25 July 2014 - 08:12 AM

Of course you can add an additional detection method just for EICAR, but why not use the same method by which a normal virus would be detected?


Doing that would not be part of its intended use.

This test file has been provided to EICAR for distribution as the "EICAR Standard Anti-Virus Test File"...It is safe to pass around, because it is not a virus, and does not include any fragments of viral code. Most products react to it as if it were a virus (though they typically report it with an obvious name, such as "EICAR-AV-Test").


And the VT links provided by Didier Stevens show exactly that.



