AVG 7.1 Resident Shield doesn't detect eicar.com

Cyco

I recently installed AVG 7.1 on a trial basis and it has run without
problems except Resident Shield does not detect eicar.com when it is
opened (either by double-clicking on the file or using the "open"
command). A normal scan does detect the presence of eicar. This may
mean that Resident Shield will not detect any virus.

I have been in touch with AVG tech-support and have tried a number of
checks and possible solutions ranging from a complete reinstall to scans
with HijackThis. Problem persists.

If anyone has experienced this problem I would be grateful if you would
let me know what the likely causes might be.

I'm running the latest build of AVG 7.1 under Windows 98SE. Previously
I had Norton AV 2005 and Norton Firewall 2004 installed but have fully
uninstalled these programmes.

Thanks
 
Sanjaya

Cyco said:
I recently installed AVG 7.1 on a trial basis and it has run without
problems except Resident Shield does not detect eicar.com when it is
opened (either by double-clicking on the file or using the "open"
command). A normal scan does detect the presence of eicar. This may
mean that Resident Shield will not detect any virus.

I have been in touch with AVG tech-support and have tried a number of
checks and possible solutions ranging from a complete reinstall to scans
with HijackThis. Problem persists.

If anyone has experienced this problem I would be grateful if you would
let me know what the likely causes might be.

I'm running the latest build of AVG 7.1 under Windows 98SE. Previously
I had Norton AV 2005 and Norton Firewall 2004 installed but have fully
uninstalled these programmes.

Thanks

Detected by AVG on my XP computer. Right click/open, double click, right click and scan file,
right click folder it's in and scan folder.
Try a new copy of eicar.com from
http://www.eicar.org/anti_virus_test_file.htm
 
Jake Dodd

Cyco said:
I recently installed AVG 7.1 on a trial basis and it has run without
problems except Resident Shield does not detect eicar.com when it is
opened (either by double-clicking on the file or using the "open"
command). A normal scan does detect the presence of eicar. This may
mean that Resident Shield will not detect any virus.

Yes, this is a good example of the worth of the EICAR test file. Failure
to detect the EICAR is indeed cause for worry.

What is the length of the EICAR file you are using?

Could you post the contents of the EICAR file here?
 
cyci

Detected by AVG on my XP computer. Right click/open, double click, right click and scan file,
right click folder it's in and scan folder.
Try a new copy of eicar.com from
http://www.eicar.org/anti_virus_test_file.htm

Thanks. Resident Shield doesn't seem to detect eicar under any of the
commands you list. Eicar simply opens up in a DOS window. I
downloaded a new copy of eicar.com from the above url. Still doesn't
work :-(
 
Cyco

Yes, this is a good example of the worth of the EICAR test file. Failure
to detect the EICAR is indeed cause for worry.

What is the length of the EICAR file you are using?

Could you post the contents of the EICAR file here?

Thanks for the reply. Here's the eicar string:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
 
Jake Dodd

Cyco said:
Yes, this is a good example of the worth of the EICAR test file. Failure
to detect the EICAR is indeed cause for worry.

What is the length of the EICAR file you are using?

Could you post the contents of the EICAR file here?

Thanks for the reply. Here's the eicar string:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Good string, bad scanner. A scanner that supports the use of the EICAR string
should detect an executable file containing only this string (68 bytes) or one with
this string and a carriage return/line feed appended (70 bytes).

I only asked to avoid the possibility that a corrupted string was being used.

It appears that your resident shield is indeed not working (at least not for
comfiles) have you tried it with a .exe extension?
 
Noel Paton

Cyco said:
I recently installed AVG 7.1 on a trial basis and it has run without
problems except Resident Shield does not detect eicar.com when it is opened
(either by double-clicking on the file or using the "open" command). A
normal scan does detect the presence of eicar. This may mean that Resident
Shield will not detect any virus.

I have been in touch with AVG tech-support and have tried a number of
checks and possible solutions ranging from a complete reinstall to scans
with HijackThis. Problem persists.

If anyone has experienced this problem I would be grateful if you would
let me know what the likely causes might be.

I'm running the latest build of AVG 7.1 under Windows 98SE. Previously I
had Norton AV 2005 and Norton Firewall 2004 installed but have fully
uninstalled these programmes.

You may already have a virus/spyware hijack

download the Stinger from here and run it in all accounts, while in Safe
Mode, to make sure that A-V-disabling viruses are not present on your PC
http://vil.mcafeesecurity.com/vil/averttools.asp

- update your virus scanner and run a full system scan of all files.


--
Noel Paton (MS-MVP 2002-2006, Windows)

Nil Carborundum Illegitemi
http://www.crashfixpc.com/millsrpch.htm

http://tinyurl.com/6oztj

Please read on how to post messages to NG's
 
* * Chas

Jake Dodd said:
Thanks for the reply. Here's the eicar string:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Good string, bad scanner. A scanner that supports the use of the EICAR string
should detect an executable file containing only this string (68 bytes) or one with
this string and a carriage return/line feed appended (70 bytes).

I only asked to avoid the possibility that a corrupted string was being used.

It appears that your resident shield is indeed not working (at least not for
comfiles) have you tried it with a .exe extension?

I tried saving the string as Eicar.com and NOD32 immediately quarantined
it.

I keep Eicar.com, a zipped version of Eicar.com and a doubled zipped
version on all of my systems to check out my on demand scans.

Chas.
 
Cyco

Good string, bad scanner. A scanner that supports the use of the EICAR string
should detect an executable file containing only this string (68 bytes) or one with
this string and a carriage return/line feed appended (70 bytes).

I only asked to avoid the possibility that a corrupted string was being used.

It appears that your resident shield is indeed not working (at least not for
comfiles) have you tried it with a .exe extension?

Thanks for the response. Yes, I've tried changing the extension and
setting Resident Shield to scan "all files". Still doesn't work.
 
badgolferman

Cyco, 3/13/2006, 5:04:11 AM,
Yes, this is a good example of the worth of the EICAR test file.
Failure to detect the EICAR is indeed cause for worry.

What is the length of the EICAR file you are using?

Could you post the contents of the EICAR file here?

Thanks for the reply. Here's the eicar string:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Make sure there's not an extra space at the beginning of the string.
 
Richard in AZ

My copy of AVG 7 detected and quarantined it just fine.

: On Mon, 13 Mar 2006 10:01:59 -0500, "Jake Dodd" <[email protected]>
: wrote:
:
: >
: >Good string, bad scanner. A scanner that supports the use of the EICAR string
: >should detect an executable file containing only this string (68 bytes) or one with
: >this string and a carriage return/line feed appended (70 bytes).
: >
: >I only asked to avoid the possibility that a corrupted string was being used.
: >
: >It appears that your resident shield is indeed not working (at least not for
: >comfiles) have you tried it with a .exe extension?
: >
:
: Thanks for the response. Yes, I've tried changing the extension and
: setting Resident Shield to scan "all files". Still doesn't work.
 
Jake Dodd

Cyco said:
Thanks for the response. Yes, I've tried changing the extension and
setting Resident Shield to scan "all files". Still doesn't work.

Then it is something you will definitely have to work out with AVG tech support.

I'm thinking the reinstallation route (that you already tried) was buggered
up by incomplete uninstallation or corrupted download, but there is no
way for me to help you.

Sorry, and good luck.
 
Al Dykes

My copy of AVG 7 detected and quarantined it just fine.

: On Mon, 13 Mar 2006 10:01:59 -0500, "Jake Dodd" <[email protected]>
: wrote:
:
: >
: >Good string, bad scanner. A scanner that supports the use of the EICAR string
: >should detect an executable file containing only this string (68 bytes) or one with
: >this string and a carriage return/line feed appended (70 bytes).
: >
: >I only asked to avoid the possibility that a corrupted string was being used.
: >
: >It appears that your resident shield is indeed not working (at least not for
: >comfiles) have you tried it with a .exe extension?
: >
:
: Thanks for the response. Yes, I've tried changing the extension and
: setting Resident Shield to scan "all files". Still doesn't work.

With default settings for AVG it didn't detect eicar when I downloaded
it but it did catch it in the daily full pass.
 
Offbreed

badgolferman said:
Cyco, 3/13/2006, 5:04:11 AM,
Thanks for the reply. Here's the eicar string:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Make sure there's not an extra space at the beginning of the string.

How is that used? Paste to notepad and save?
 
badgolferman

Offbreed, 3/15/2006, 9:25:36 AM,
badgolferman said:
Cyco, 3/13/2006, 5:04:11 AM,
Thanks for the reply. Here's the eicar string:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Make sure there's not an extra space at the beginning of the string.

How is that used? Paste to notepad and save?

Well, I copied and pasted the above string and it didn't work for me
either until I realized there was an extra space at the beginning.
 
Jake Dodd

badgolferman said:
Offbreed, 3/15/2006, 9:25:36 AM,
badgolferman said:
Cyco, 3/13/2006, 5:04:11 AM,
Thanks for the reply. Here's the eicar string:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Make sure there's not an extra space at the beginning of the string.

How is that used? Paste to notepad and save?

Yes, as a filetype associated by filename extension as worthy of scanning.
.com, .exe, .scr, .doc, among others depending on your AV program.

Well, I copied and pasted the above string and it didn't work for me
either until I realized there was an extra space at the beginning.

Yes, it needs to be only 68 bytes (or 70 bytes with cr/lf appended).

It was designed to be both a linear executable and an ASCII textual
string. (as well as being detected as a virus would be even though it
isn't really one).
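
Added example (not part of any post in this thread): a small Python check that applies the rule given above, 68 bytes or 70 with CR/LF, to a saved test file and reports why a copy would not qualify, including the leading-space case. The names `check_eicar`, `Verdict` and the sample file names are hypothetical, and the UTF-16 and byte-order-mark checks are an assumption that goes beyond what the thread discusses.

```python
from dataclasses import dataclass

# The 68-byte test string exactly as quoted in the thread.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
assert len(EICAR) == 68

@dataclass
class Verdict:
    valid: bool
    reason: str

def check_eicar(data: bytes) -> Verdict:
    """Apply the rule stated in the thread: 68 bytes, or 70 with CR/LF."""
    if data == EICAR:
        return Verdict(True, "exact 68-byte string")
    if data == EICAR + b"\r\n":
        return Verdict(True, "68-byte string plus CR/LF (70 bytes)")
    # Assumption beyond the thread: an editor may save as UTF-16 or add a BOM.
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return Verdict(False, "saved as UTF-16, not plain ASCII")
    if data.startswith(b"\xef\xbb\xbf"):
        return Verdict(False, "UTF-8 byte-order mark before the string")
    pos = data.find(EICAR)
    if pos == -1:
        return Verdict(False, f"string corrupted or truncated ({len(data)} bytes)")
    if pos > 0:
        return Verdict(False, f"{pos} extra byte(s) before the string: {data[:pos]!r}")
    return Verdict(False, f"unexpected trailing bytes: {data[len(EICAR):]!r}")

# Constructed sample inputs, one per failure mode; not taken from any real system.
SAMPLES = {
    "clean.com": EICAR,
    "crlf.com": EICAR + b"\r\n",
    "leading_space.com": b" " + EICAR,
    "notepad_unicode.com": b"\xff\xfe" + EICAR.decode("ascii").encode("utf-16-le"),
    "cut_short.com": EICAR[:-3],
    "trailing_text.com": EICAR + b" test",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        v = check_eicar(blob)
        print(f"{name:22} {'OK ' if v.valid else 'BAD'} {v.reason}")
```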
 
Noel Paton

Al Dykes said:
With default settings for AVG it didn't detect eicar when I downloaded
it but it did catch it in the daily full pass.


Mine (Pro - at pretty much default scan settings) caught it on the
download - and again as soon as I opened the folder I downloaded it to - and
again when I tried to run it (which was when I finally allowed it to kill
it)

--
Noel Paton (MS-MVP 2002-2006, Windows)

Nil Carborundum Illegitemi
http://www.crashfixpc.com/millsrpch.htm

http://tinyurl.com/6oztj

Please read on how to post messages to NG's
 
Cyco

Many thanks for the responses to my posting. I eventually discovered
the source of the problem: a programme I have installed called Magic
Folders. AVG Resident Shield will not function at all while Magic
Folders is installed. I've tried moving eicar.com into a variety of
directories (none hidden) without success. Uninstall Magic Folders and
Resident Shield works fine.

I've been in touch with the developers of Magic Folders but they will
not assist with any Windows 98 related problem. AVG tech support
have been very helpful but so far have been unable to replicate the
problem. Anybody have any thoughts on this one (other than getting
rid of Magic Folders, that is !)


Thanks
 
David W. Hodgins

problem. Anybody have any thoughts on this one (other than getting
rid of Magic Folders, that is !)

Replace it with the free, open source program from
http://www.truecrypt.org/

As it's open source, and has been around for a while, you can
be sure there are no backdoors, etc.

Regards, Dave Hodgins
 
Richard in AZ

Link to truecrypt does not work

:
: > problem. Anybody have any thoughts on this one (other than getting
: > rid of Magic Folders, that is !)
:
: Replace it with the free, open source program from
: http://www.truecrypt.org/
:
: As it's open source, and has been around for a while, you can
: be sure there are no backdoors, etc.
:
: Regards, Dave Hodgins
:
: --
: Change nomail.afraid.org to ody.ca to reply by email.
: (nomail.afraid.org has been set up specifically for
: use in usenet. Feel free to use it yourself.)
 
