Obtaining a "Faux Virus"?

(PeteCresswell)

I want to test the behavior of my anti-virus program (Avast).

To that end, I'd like to get hold of something that looks like a
virus (contains a known signature?) but doesn't act like a virus
(no damage if I accidentally let it loose on my PC or server).

With something like that, I could provoke the anti-virus
program's alerts, take screen snaps of them for user education,
and so-forth.

I could also see what happens when somebody ignores an alert on
their PC and tries to save an infected file to the server.

Anybody know of anything in this vein?

Or is there another way?
 
Beauregard T. Shagnasty

(PeteCresswell) said:
> I want to test the behavior of my anti-virus program (Avast).
>
> To that end, I'd like to get hold of something that looks like a
> virus (contains a known signature?) but doesn't act like a virus
> (no damage if I accidentally let it loose on my PC or server).

Google for: eicar test file
 
FromTheRafters

(PeteCresswell) said:
> I want to test the behavior of my anti-virus program (Avast).
>
> To that end, I'd like to get hold of something that looks like a
> virus (contains a known signature?) but doesn't act like a virus
> (no damage if I accidentally let it loose on my PC or server).

Paste this (without the parentheses), all by itself, in a text file
(using notepad).

(X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*)

If your AV doesn't alert to it as a text file (some won't), rename it to
a com filetype.

> With something like that, I could provoke the anti-virus
> program's alerts, take screen snaps of them for user education,
> and so-forth.

That string was designed for exactly that purpose.

> I could also see what happens when somebody ignores an alert on
> their PC and tries to save an infected file to the server.

Yes, and most (if not all) AV programs will have the signature in their
database.

> Anybody know of anything in this vein?
>
> Or is there another way?

There *is* another way, but it is not as safe. The EICAR string is more
than a string, it is actually a small program with self-modifying code.
 
Dustin Cook

(PeteCresswell) said:
>> I want to test the behavior of my anti-virus program (Avast).
>>
>> To that end, I'd like to get hold of something that looks like a
>> virus (contains a known signature?) but doesn't act like a virus
>> (no damage if I accidentally let it loose on my PC or server).
>
> Paste this (without the parentheses), all by itself, in a text file
> (using notepad).
>
> (X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*)
>
> If your AV doesn't alert to it as a text file (some won't), rename it to
> a com filetype.
>
>> With something like that, I could provoke the anti-virus
>> program's alerts, take screen snaps of them for user education,
>> and so-forth.
>
> That string was designed for exactly that purpose.
>
>> I could also see what happens when somebody ignores an alert on
>> their PC and tries to save an infected file to the server.
>
> Yes, and most (if not all) AV programs will have the signature in their
> database.
>
>> Anybody know of anything in this vein?
>>
>> Or is there another way?
>
> There *is* another way, but it is not as safe. The EICAR string is more
> than a string, it is actually a small program with self-modifying code.

Unless the EICAR file has been changed since it was originally released,
it's not self-modifying code; it displays a message to the screen and
exits. It's slightly special codewise because its creator was sure to
use only printable ASCII characters. *grin*.
 
(PeteCresswell)

Per FromTheRafters:
> Paste this (without the parentheses), all by itself, in a text file
> (using notepad).
>
> (X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*)
>
> If your AV doesn't alert to it as a text file (some won't), rename it to
> a com filetype.

That seems tb doing the trick. Thanks.

FWIW, Avast's catching it and issuing notifications does not seem
tb that consistent - unless (not unlikely) I'm missing something.
 
FromTheRafters

Dustin Cook said:
> Unless the EICAR file has been changed since it was originally released,
> it's not self-modifying code; it displays a message to the screen and
> exits. It's slightly special codewise because its creator was sure to
> use only printable ASCII characters. *grin*.

To the best of my knowledge, the only thing that has changed is in the
way that the scanners are supposed to detect it. It used to have to be
only the 68 (or 70 w/CRLF) bytes - they have since changed it to include
some amount of trailing whitespace for some reason.
 
FromTheRafters

ASCII said:
> ....and wasn't it Vecna that made a generator for creating FP detections?
>
> (what a hoot)

Do AV programs "retire" old definitions for long-ago patched exploit-based
malware? I wouldn't expect them to, so having one land on your
hard drive as a file (or embedded in an e-mail to test your (yuck) e-mail
scanner) should pose no real risk, and yet actually test the AV to some
extent.
 
FromTheRafters

(PeteCresswell) said:
> Per FromTheRafters:
>> Paste this (without the parentheses), all by itself, in a text file
>> (using notepad).
>>
>> (X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*)
>>
>> If your AV doesn't alert to it as a text file (some won't), rename it to
>> a com filetype.
>
> That seems tb doing the trick. Thanks.
>
> FWIW, Avast's catching it and issuing notifications does not seem
> tb that consistent - unless (not unlikely) I'm missing something.

I don't know what inconsistencies you are experiencing, but the EICAR
detection is very specific - it cannot (should not) be detected outside of
the specifications (see the eicar.com website).

I'm not too sure (haven't tried it) but it may be possible to save it as
an exe so that the OS's file browser causes an alert when it is accessed
for icon information (when you enter the directory it is in, or
otherwise attempt to display the icon). On your desktop, as a com file,
the detection may be different than it is on your desktop as an
exe file - one would alert without the user clicking anything.

....but like I said, I haven't tried this.
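As an added example, not code from anyone in this thread: a Python script that applies the detection rule FromTheRafters alludes to, which explains why a copy pasted with the parentheses, or with extra text around it, is not required to alert. The rule (the 68-byte string at offset 0, optionally followed only by space, tab, LF, CR or Ctrl-Z, total length at most 128 bytes) is the published EICAR specification; the sample inputs and the file-writing helper are my own constructions.

```python
"""Added example: apply the EICAR detection rule to candidate files."""

# The 68-byte test string quoted in the thread (backslash escaped for Python).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Bytes the EICAR specification permits after the string: space, tab, LF, CR, Ctrl-Z.
ALLOWED_TRAILER = frozenset(b" \t\n\r\x1a")
MAX_LEN = 128  # specification: total file length must not exceed 128 bytes


def classify(data: bytes) -> str:
    """Return how a scanner that follows the specification should treat the bytes:
    'exact'  - the bare 68-byte file
    'padded' - the string plus permitted whitespace, 128 bytes or fewer
    'none'   - anything else (no detection is required)"""
    if not data.startswith(EICAR):
        return "none"          # string must be at offset 0, not embedded in text
    if len(data) == len(EICAR):
        return "exact"
    if len(data) > MAX_LEN:
        return "none"          # too long, even if the trailer is only whitespace
    trailer = data[len(EICAR):]
    return "padded" if all(b in ALLOWED_TRAILER for b in trailer) else "none"


def write_test_file(path: str, crlf: bool = True) -> str:
    """Write the test file to a throwaway location (CRLF appended by default,
    as an editor might) and return the classification of what landed on disk."""
    with open(path, "wb") as fh:
        fh.write(EICAR + (b"\r\n" if crlf else b""))
    with open(path, "rb") as fh:
        return classify(fh.read())


if __name__ == "__main__":
    # Constructed samples mirroring the situations discussed in the thread.
    samples = {
        "bare 68-byte string": EICAR,
        "70 bytes w/CRLF": EICAR + b"\r\n",
        "pasted WITH the parentheses": b"(" + EICAR + b")",
        "string inside a longer document": b"see " + EICAR,
        "129 bytes of trailing spaces": EICAR + b" " * 61,
    }
    for label, data in samples.items():
        print(f"{label:32s} {len(data):4d} bytes -> {classify(data)}")
```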
 