I've fooled around with the "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
but it is not doing what I want it to do.

It does provoke my virus checker when I try to email it - and
even provokes Verizon's spam trap; both of which prevent me from
emailing it to somebody.

What I want is some means to make the virus checker on another
person's PC pop a warning - preferably in response to an email.

The idea being that I can send them the email, go over to their
PC, point to the window that the virus checker pops, and say
"See - that's a virus alert. Always press *that* button and
never, ever, under any circumstances press the other button."

I even tried burning the EICAR text file to a CD and copying it
from the CD to the user's desktop - but the virus checker did not
throw the warning (and neither did my own when I did the same
thing). Same checker won't let an email go out with the file
attached, though. Maybe I have some profile setting wrong
in the checker - that it's not flagging the copy attempt?

Anybody got a harmless technique for provoking a virus warning so
the user can see what their virus checker's warning window looks
like?
--
PeteCresswell

Per Little Charlie:
>>Anybody got a harmless technique for provoking a virus warning so
>>the user can see what their virus checker's warning window looks
>>like?
>
>Since Eicar is a text string edit it slightly and maybe rename it too.
>Then once it's arrived at the target PC undo the changes and save the
>file. The client's AV should then pop-up ( duering the save) and you
>can demonstrate how to deal with a malicoius threat.

I think I have it doped out.

- My virus checker doe not flag .txt files - no matter what.

- As soon as the text string is embedded in a .com file (or
even when attempts to rename .txt ==> .com, the checker
flags it. Ditto .bat, .scr and, I would hope, all other
executable suffixes.
--
PeteCresswell

"(PeteCresswell)" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I've fooled around with the "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
> but it is not doing what I want it to do.
>
> It does provoke my virus checker when I try to email it - and
> even provokes Verizon's spam trap; both of which prevent me from
> emailing it to somebody.
>
> What I want is some means to make the virus checker on another
> person's PC pop a warning - preferably in response to an email.
>
> The idea being that I can send them the email, go over to their
> PC, point to the window that the virus checker pops, and say
> "See - that's a virus alert. Always press *that* button and
> never, ever, under any circumstances press the other button."
>
> I even tried burning the EICAR text file to a CD and copying it
> from the CD to the user's desktop - but the virus checker did not
> throw the warning (and neither did my own when I did the same
> thing). Same checker won't let an email go out with the file
> attached, though. Maybe I have some profile setting wrong
> in the checker - that it's not flagging the copy attempt?
>
> Anybody got a harmless technique for provoking a virus warning so
> the user can see what their virus checker's warning window looks
> like?

EICAR should be a comfile (or other executable file destined for the
loader chain). Is there any reason that you *have* to have it as an
e-mail attachment?

Depending on the OS involved, you might be able to send kakworm script
and get an alert. Kakworm used the long since patched
'scriptlet.typelib/eyedog' vulnerability and should not have teeth on
modern OSes - yet (I think) should still be detected by AV programs. The
problem with e-mailing files that are known to cause alerts is that they
often get stripped out in transit. You could then experiment with the
"break apart messages" setting and send two half-kakworm scripts and
recombine them after receipt.

hxxp://62nds.com/pg/e91g.php

"Little Charlie" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Tue, 24 Aug 2010 11:21:15 -0400, "(PeteCresswell)" <(E-Mail Removed)>
> wrote:
>
>>I've fooled around with the "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
>>but it is not doing what I want it to do.
>>
>>It does provoke my virus checker when I try to email it - and
>>even provokes Verizon's spam trap; both of which prevent me from
>>emailing it to somebody.
>>
>>What I want is some means to make the virus checker on another
>>person's PC pop a warning - preferably in response to an email.
>>
>>The idea being that I can send them the email, go over to their
>>PC, point to the window that the virus checker pops, and say
>>"See - that's a virus alert. Always press *that* button and
>>never, ever, under any circumstances press the other button."
>>
>>I even tried burning the EICAR text file to a CD and copying it
>>from the CD to the user's desktop - but the virus checker did not
>>throw the warning (and neither did my own when I did the same
>>thing). Same checker won't let an email go out with the file
>>attached, though. Maybe I have some profile setting wrong
>>in the checker - that it's not flagging the copy attempt?
>>
>>Anybody got a harmless technique for provoking a virus warning so
>>the user can see what their virus checker's warning window looks
>>like?
>
> Since Eicar is a text string edit it slightly and maybe rename it too.
> Then once it's arrived at the target PC undo the changes and save the
> file. The client's AV should then pop-up ( duering the save) and you
> can demonstrate how to deal with a malicoius threat.

No need to send it through e-mail for that - it's just an ASCII text
string (now new and improved with some additional whitespace) that also
works as a comfile.

Sadly, my AV alerts to it even as a text file (very annoying).

Per FromTheRafters:
>EICAR should be a comfile (or other executable file destined for the
>loader chain). Is there any reason that you *have* to have it as an
>e-mail attachment?

Only bc I thought it would most closely replicate the actual user
experience - since most of the time viruses seem to come in via
email attachments. But it's not a religious issue and, as you
note below, getting it through various mail servers is a problem.

So I guess I'll just burn a .com version to CD.

>Depending on the OS involved, you might be able to send kakworm script
>and get an alert. Kakworm used the long since patched
>'scriptlet.typelib/eyedog' vulnerability and should not have teeth on
>modern OSes - yet (I think) should still be detected by AV programs. The
>problem with e-mailing files that are known to cause alerts is that they
>often get stripped out in transit. You could then experiment with the
>"break apart messages" setting and send two half-kakworm scripts and
>recombine them after receipt.
--
PeteCresswell

(PeteCresswell) wrote:

>I've fooled around with the "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
>but it is not doing what I want it to do.
>
>It does provoke my virus checker when I try to email it - and
>even provokes Verizon's spam trap; both of which prevent me from
>emailing it to somebody.
>
>What I want is some means to make the virus checker on another
>person's PC pop a warning - preferably in response to an email.
>
>The idea being that I can send them the email, go over to their
>PC, point to the window that the virus checker pops, and say
>"See - that's a virus alert. Always press that button and
>never, ever, under any circumstances press the other button."
>
>I even tried burning the EICAR text file to a CD and copying it
>from the CD to the user's desktop - but the virus checker did not
>throw the warning (and neither did my own when I did the same
>thing). Same checker won't let an email go out with the file
>attached, though. Maybe I have some profile setting wrong
>in the checker - that it's not flagging the copy attempt?
>
>Anybody got a harmless technique for provoking a virus warning so
>the user can see what their virus checker's warning window looks
>like?

Just a thought, what if you send it as an zipped file?

Per badgolferman:
>?
>
>Just a thought, what if you send it as an zipped file?

The virus checker I use (and the user uses) inspects zip file
contents too.
--
PeteCresswell

On Wed, 25 Aug 2010 20:45:45 -0400, "(PeteCresswell)" <(E-Mail Removed)>
wrote:

>>Just a thought, what if you send it as an zipped file?
>
>The virus checker I use (and the user uses) inspects zip file
>contents too.

Not if you add a password. ;-)

--

Dennis

Per Dennis:
>>The virus checker I use (and the user uses) inspects zip file
>>contents too.
>
>Not if you add a password. ;-)

Ouch!.... obvious now that you have said it...

Gotta give that a try.
--
PeteCresswell

On Tue, 24 Aug 2010 11:21:15 -0400, "(PeteCresswell)" <(E-Mail Removed)>
wrote:

>I've fooled around with the "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
>but it is not doing what I want it to do.

You've almost solved this problem already, even by the posts, but I
just found this ng and this is the first time I've had to put in my
two cents.

Maybe this is now subject to the problems you describe below, but here
is eicar in a variety of forms, at the bottom of the page.

http://eicar.org/anti_virus_test_file.htm

Just send him the url and have him dl some of them.

As to eicar.com.txt, I've long wondered what prevents someone from
dl'ing a file ending in txt and then a short command to rename the
file to be executable?

mm

>It does provoke my virus checker when I try to email it - and
>even provokes Verizon's spam trap; both of which prevent me from
>emailing it to somebody.
>
>What I want is some means to make the virus checker on another
>person's PC pop a warning - preferably in response to an email.
>
>The idea being that I can send them the email, go over to their
>PC, point to the window that the virus checker pops, and say
>"See - that's a virus alert. Always press *that* button and
>never, ever, under any circumstances press the other button."
>
>I even tried burning the EICAR text file to a CD and copying it
>from the CD to the user's desktop - but the virus checker did not
>throw the warning (and neither did my own when I did the same
>thing). Same checker won't let an email go out with the file
>attached, though. Maybe I have some profile setting wrong
>in the checker - that it's not flagging the copy attempt?
>
>Anybody got a harmless technique for provoking a virus warning so
>the user can see what their virus checker's warning window looks
>like?