Looking For Anti-Virus Test

Discussion in 'Anti-Virus' started by (PeteCresswell), Aug 24, 2010.

  1. I've fooled around with the "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
    but it is not doing what I want it to do.

    It does provoke my virus checker when I try to email it - and
    even provokes Verizon's spam trap; both of which prevent me from
    emailing it to somebody.

    What I want is some means to make the virus checker on another
    person's PC pop a warning - preferably in response to an email.

    The idea being that I can send them the email, go over to their
    PC, point to the window that the virus checker pops, and say
    "See - that's a virus alert. Always press *that* button and
    never, ever, under any circumstances press the other button."

    I even tried burning the EICAR text file to a CD and copying it
    from the CD to the user's desktop - but the virus checker did not
    throw the warning (and neither did my own when I did the same
    thing). Same checker won't let an email go out with the file
    attached, though. Maybe I have some profile setting wrong
    in the checker - that it's not flagging the copy attempt?

    Anybody got a harmless technique for provoking a virus warning so
    the user can see what their virus checker's warning window looks
    like?
    --
    PeteCresswell
     
    (PeteCresswell), Aug 24, 2010
    #1

  2. Per Little Charlie:
    >>Anybody got a harmless technique for provoking a virus warning so
    >>the user can see what their virus checker's warning window looks
    >>like?

    >
    >Since Eicar is a text string edit it slightly and maybe rename it too.
    >Then once it's arrived at the target PC undo the changes and save the
    >file. The client's AV should then pop-up ( during the save) and you
    >can demonstrate how to deal with a malicious threat.


    I think I have it doped out.

    - My virus checker does not flag .txt files - no matter what.

    - As soon as the text string is embedded in a .com file (or
    even when one attempts to rename .txt ==> .com), the checker
    flags it. Ditto .bat, .scr and, I would hope, all other
    executable suffixes.
    --
    PeteCresswell
     
    (PeteCresswell), Aug 24, 2010
    #2

  3. "(PeteCresswell)" <> wrote in message
    news:...
    > I've fooled around with the "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
    > but it is not doing what I want it to do.
    >
    > It does provoke my virus checker when I try to email it - and
    > even provokes Verizon's spam trap; both of which prevent me from
    > emailing it to somebody.
    >
    > What I want is some means to make the virus checker on another
    > person's PC pop a warning - preferably in response to an email.
    >
    > The idea being that I can send them the email, go over to their
    > PC, point to the window that the virus checker pops, and say
    > "See - that's a virus alert. Always press *that* button and
    > never, ever, under any circumstances press the other button."
    >
    > I even tried burning the EICAR text file to a CD and copying it
    > from the CD to the user's desktop - but the virus checker did not
    > throw the warning (and neither did my own when I did the same
    > thing). Same checker won't let an email go out with the file
    > attached, though. Maybe I have some profile setting wrong
    > in the checker - that it's not flagging the copy attempt?
    >
    > Anybody got a harmless technique for provoking a virus warning so
    > the user can see what their virus checker's warning window looks
    > like?


    EICAR should be a comfile (or other executable file destined for the
    loader chain). Is there any reason that you *have* to have it as an
    e-mail attachment?

    Depending on the OS involved, you might be able to send kakworm script
    and get an alert. Kakworm used the long since patched
    'scriptlet.typelib/eyedog' vulnerability and should not have teeth on
    modern OSes - yet (I think) should still be detected by AV programs. The
    problem with e-mailing files that are known to cause alerts is that they
    often get stripped out in transit. You could then experiment with the
    "break apart messages" setting and send two half-kakworm scripts and
    recombine them after receipt.

    hxxp://62nds.com/pg/e91g.php
     
    FromTheRafters, Aug 25, 2010
    #3
  4. "Little Charlie" <> wrote in message
    news:...
    > On Tue, 24 Aug 2010 11:21:15 -0400, "(PeteCresswell)" <>
    > wrote:
    >
    >>I've fooled around with the "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
    >>but it is not doing what I want it to do.
    >>
    >>It does provoke my virus checker when I try to email it - and
    >>even provokes Verizon's spam trap; both of which prevent me from
    >>emailing it to somebody.
    >>
    >>What I want is some means to make the virus checker on another
    >>person's PC pop a warning - preferably in response to an email.
    >>
    >>The idea being that I can send them the email, go over to their
    >>PC, point to the window that the virus checker pops, and say
    >>"See - that's a virus alert. Always press *that* button and
    >>never, ever, under any circumstances press the other button."
    >>
    >>I even tried burning the EICAR text file to a CD and copying it
    >>from the CD to the user's desktop - but the virus checker did not
    >>throw the warning (and neither did my own when I did the same
    >>thing). Same checker won't let an email go out with the file
    >>attached, though. Maybe I have some profile setting wrong
    >>in the checker - that it's not flagging the copy attempt?
    >>
    >>Anybody got a harmless technique for provoking a virus warning so
    >>the user can see what their virus checker's warning window looks
    >>like?

    >
    > Since Eicar is a text string edit it slightly and maybe rename it too.
    > Then once it's arrived at the target PC undo the changes and save the
    > file. The client's AV should then pop-up ( during the save) and you
    > can demonstrate how to deal with a malicious threat.


    No need to send it through e-mail for that - it's just an ASCII text
    string (now new and improved with some additional whitespace) that also
    works as a comfile.

    Sadly, my AV alerts to it even as a text file (very annoying).
     
    FromTheRafters, Aug 25, 2010
    #4
  5. Per FromTheRafters:
    >EICAR should be a comfile (or other executable file destined for the
    >loader chain). Is there any reason that you *have* to have it as an
    >e-mail attachment?


    Only bc I thought it would most closely replicate the actual user
    experience - since most of the time viruses seem to come in via
    email attachments. But it's not a religious issue and, as you
    note below, getting it through various mail servers is a problem.

    So I guess I'll just burn a .com version to CD.

    >Depending on the OS involved, you might be able to send kakworm script
    >and get an alert. Kakworm used the long since patched
    >'scriptlet.typelib/eyedog' vulnerability and should not have teeth on
    >modern OSes - yet (I think) should still be detected by AV programs. The
    >problem with e-mailing files that are known to cause alerts is that they
    >often get stripped out in transit. You could then experiment with the
    >"break apart messages" setting and send two half-kakworm scripts and
    >recombine them after receipt.

    --
    PeteCresswell
     
    (PeteCresswell), Aug 25, 2010
    #5
  6. (PeteCresswell)

    badgolferman Guest

    (PeteCresswell) wrote:

    >I've fooled around with the "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
    >but it is not doing what I want it to do.
    >
    >It does provoke my virus checker when I try to email it - and
    >even provokes Verizon's spam trap; both of which prevent me from
    >emailing it to somebody.
    >
    >What I want is some means to make the virus checker on another
    >person's PC pop a warning - preferably in response to an email.
    >
    >The idea being that I can send them the email, go over to their
    >PC, point to the window that the virus checker pops, and say
    >"See - that's a virus alert. Always press that button and
    >never, ever, under any circumstances press the other button."
    >
    >I even tried burning the EICAR text file to a CD and copying it
    >from the CD to the user's desktop - but the virus checker did not
    >throw the warning (and neither did my own when I did the same
    >thing). Same checker won't let an email go out with the file
    >attached, though. Maybe I have some profile setting wrong
    >in the checker - that it's not flagging the copy attempt?
    >
    >Anybody got a harmless technique for provoking a virus warning so
    >the user can see what their virus checker's warning window looks
    >like?


    Just a thought, what if you send it as a zipped file?
     
    badgolferman, Aug 25, 2010
    #6
  7. Per badgolferman:
    >?
    >
    >Just a thought, what if you send it as a zipped file?


    The virus checker I use (and the user uses) inspects zip file
    contents too.
    --
    PeteCresswell
     
    (PeteCresswell), Aug 26, 2010
    #7
  8. (PeteCresswell)

    Dennis Guest

    On Wed, 25 Aug 2010 20:45:45 -0400, "(PeteCresswell)" <>
    wrote:

    >>Just a thought, what if you send it as a zipped file?

    >
    >The virus checker I use (and the user uses) inspects zip file
    >contents too.


    Not if you add a password. ;-)

    --

    Dennis
     
    Dennis, Aug 26, 2010
    #8
  9. Per Dennis:
    >>The virus checker I use (and the user uses) inspects zip file
    >>contents too.

    >
    >Not if you add a password. ;-)


    Ouch!.... obvious now that you have said it...

    Gotta give that a try.
    --
    PeteCresswell
     
    (PeteCresswell), Aug 26, 2010
    #9
  10. (PeteCresswell)

    mm Guest

    On Tue, 24 Aug 2010 11:21:15 -0400, "(PeteCresswell)" <>
    wrote:

    >I've fooled around with the "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
    >but it is not doing what I want it to do.


    You've almost solved this problem already, even by the posts, but I
    just found this ng and this is the first time I've had to put in my
    two cents. :)

    Maybe this is now subject to the problems you describe below, but here
    is eicar in a variety of forms, at the bottom of the page.

    http://eicar.org/anti_virus_test_file.htm

    Just send him the url and have him dl some of them.

    As to eicar.com.txt, I've long wondered what prevents someone from
    dl'ing a file ending in txt and then a short command to rename the
    file to be executable?

    mm

    >It does provoke my virus checker when I try to email it - and
    >even provokes Verizon's spam trap; both of which prevent me from
    >emailing it to somebody.
    >
    >What I want is some means to make the virus checker on another
    >person's PC pop a warning - preferably in response to an email.
    >
    >The idea being that I can send them the email, go over to their
    >PC, point to the window that the virus checker pops, and say
    >"See - that's a virus alert. Always press *that* button and
    >never, ever, under any circumstances press the other button."
    >
    >I even tried burning the EICAR text file to a CD and copying it
    >from the CD to the user's desktop - but the virus checker did not
    >throw the warning (and neither did my own when I did the same
    >thing). Same checker won't let an email go out with the file
    >attached, though. Maybe I have some profile setting wrong
    >in the checker - that it's not flagging the copy attempt?
    >
    >Anybody got a harmless technique for provoking a virus warning so
    >the user can see what their virus checker's warning window looks
    >like?
     
    mm, Sep 5, 2010
    #10
  11. On Sun, 05 Sep 2010 02:56:54 -0400, mm <> wrote:

    >> I've fooled around with the "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
    >> but it is not doing what I want it to do.

    > You've almost solved this problem already, even by the posts, but I
    > just found this ng and this is the first time I've had to put in my
    > two cents. :)


    If you read the rest of the thread from the week old message you are
    replying to, it was solved by sending password protected zip files.
    I apologize if that comes across as condescending, but that is the
    case with this thread.

    > As to eicar.com.txt, I've long wondered what prevents someone from
    > dl'ing a file ending in txt and then a short command to rename the
    > file to be executable?


    Renaming the file should cause it to be scanned, and caught by any
    decent anti-virus program, and is by all I've tried.

    Regards, Dave Hodgins

    --
    Change nomail.afraid.org to ody.ca to reply by email.
    (nomail.afraid.org has been set up specifically for
    use in usenet. Feel free to use it yourself.)
     
    David W. Hodgins, Sep 5, 2010
    #11
  12. "mm" <> wrote in message
    news:...

    [...]

    > As to eicar.com.txt, I've long wondered what prevents someone from
    > dl'ing a file ending in txt and then a short command to rename the
    > file to be executable?


    For some time I was trying to convince skeptics that *all* filetypes
    should be scanned.

    My concern was similar to yours (I think) - I was used to using "debug"
    or "qbasic" and feeding them "program.txt" files.

    Their unconcern was due to the fact that a program was needed to make
    the textfile executable, and it would be *that* program that would need
    to be detected (as a trojan perhaps).

    Still, I thought, it is not a good idea to allow code such as this to
    arrive on your computer's disk. I have since learned that there are so
    many places on disk that code can hide (dormant) that it really does
    make sense to target only those programs that are ready for execution
    (executable).

    Strictly speaking, EICAR should not be detectable in a zip file or a
    text file. It should be detected if it is in executable form and alone
    (possibly with a limited amount of whitespace - 68 to 128 bytes - it used
    to be *only* 68 to 72 bytes) in a file. Your AV may detect EICAR.zip,
    but it should do so when the unzipping isolates the string and places it
    in a filetype that is indicative of an executable filetype.

    [...]
     
    FromTheRafters, Sep 5, 2010
    #12
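
Added example, not part of the original thread: a Python sketch of the strict rule described in post #12, where the test string counts only when it is alone at the start of a file of at most 128 bytes and the file has an executable type. The function names and the set of allowed trailing whitespace bytes are assumptions; the executable suffixes are the ones named in post #2, and the archive is a constructed sample.

```python
import io
import os
import zipfile

# 68-byte test string published by EICAR, split around the marker the thread quotes.
EICAR = (rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
         + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE" + rb"!$H+H*")
MAX_LEN = 128                         # upper bound quoted in post #12
PADDING = b" \t\n\r\x1a"              # assumption: allowed trailing whitespace
EXEC_EXTS = {".com", ".bat", ".scr"}  # suffixes named in post #2


def is_conformant(data: bytes) -> bool:
    """True if the string starts the file and only padding follows, <= 128 bytes."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    return all(byte in PADDING for byte in data[len(EICAR):])


def strict_verdict(name: str, data: bytes) -> str:
    """Alert only on an isolated test string in an executable-typed file."""
    if not is_conformant(data):
        return "ignore: string not isolated"
    if os.path.splitext(name)[1].lower() not in EXEC_EXTS:
        return "ignore: not an executable type"
    return "alert"


def scan_zip(blob: bytes) -> dict:
    """Judge each archive member as it would exist after unzipping."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {n: strict_verdict(n, zf.read(n)) for n in zf.namelist()}


def sample_zip() -> bytes:
    """Constructed sample: unencrypted archive with eicar.com and a text note."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("eicar.com", EICAR + b"\r\n")
        zf.writestr("readme.txt", b"test string: " + EICAR)
    return buf.getvalue()


if __name__ == "__main__":
    blob = sample_zip()
    print("EICAR.zip ->", strict_verdict("EICAR.zip", blob))
    for member, verdict in scan_zip(blob).items():
        print(member, "->", verdict)
```

Under this reading the archive itself and `eicar.com.txt` are ignored, while the extracted `eicar.com` member alerts; products that flag the string in any file type, as one poster reports of his own scanner, are stricter than this rule.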
  13. "David W. Hodgins" <> wrote in message
    news:...
    > On Sun, 05 Sep 2010 02:56:54 -0400, mm <>
    > wrote:
    >
    >>> I've fooled around with the "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
    >>> but it is not doing what I want it to do.

    >> You've almost solved this problem already, even by the posts, but I
    >> just found this ng and this is the first time I've had to put in my
    >> two cents. :)

    >
    > If you read the rest of the thread from the week old message you are
    > replying to, it was solved by sending password protected zip files.
    > I apologize if that comes across as condescending, but that is the
    > case with this thread.
    >
    >> As to eicar.com.txt, I've long wondered what prevents someone from
    >> dl'ing a file ending in txt and then a short command to rename the
    >> file to be executable?

    >
    > Renaming the file should cause it to be scanned, and caught by any
    > decent anti-virus program, and is by all I've tried.


    Still, if the OP was looking for a way to check his e-mail scanning
    feature - none of those EICAR methods will work.

    After all, that is not really the purpose of the EICAR program.
     
    FromTheRafters, Sep 5, 2010
    #13