Graystoke

join:2006-03-24
Stockton, CA
Reviews:
·Comcast
·AT&T U-Verse

BullGuard And Eicar.org

I don't quite understand this. I installed BullGuard IS yesterday. I wanted to test it out using the eicar file. I went to eicar.org, clicked on the test links, and get this message....

eicar.com is not a valid Win32 application.

I get this also when I open the eicar zip test. I thought maybe this is the way BullGuard works. I decided to shut down the BullGuard real time protection to see what would happen. I get the same thing. Is this Win7 stopping the eicar file before BullGuard has a chance to do its job? I've never had this happen with any other antivirus software.


norwegian
Premium
join:2005-02-15
Outback
This is the alert for me:

Also, for Win 7 and .com files it might be worth looking at this question that was asked - »answers.microsoft.com/en-us/wind···32d3d998


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Graystoke
Maybe EICAR is a DOS program and unable to run on Windows 7

»answers.microsoft.com/en-us/wind···9479c73c

Graystoke

join:2006-03-24
Stockton, CA
@norwegian.......I got that same message also.

Thanks norwegian, and Name Game. Looks like that answers the question.

Bob4
Account deleted

join:2012-07-22
New Jersey

1 recommendation

I just take the 68 byte string and cut & paste it into Notepad, then save it as a text file. That should be picked up by the antivirus program.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Graystoke
Can't you download the zipfile of EICAR? Most AV will catch it before it even downloads. I can't see why that would be different on a 64bit OS.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


norwegian
Premium
join:2005-02-15
Outback
reply to Bob4

You can download the .txt file too at the site.


norwegian
Premium
join:2005-02-15
Outback
reply to Mele20

The .com file for me is detected on download, without worrying about the .zip file.


norwegian
Premium
join:2005-02-15
Outback
reply to Graystoke
said by Graystoke:

@norwegian.......I got that same message also.

That is the alert from Windows with my A/V turned off. As mentioned above to Mele20, my A/V detects it fine. I wonder why BullGuard isn't alerting to it then?

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to norwegian
said by norwegian:

The .com file for me is detected on download, without worrying about the .zip file.

It is for me also but I have XP Pro 32bit. I gather the problem here is Win 7 64bit.

Proxomitron renders the text file harmless and no download attempt occurs. I just get a new tab with the eicar string in plain text. I have to bypass Proxo if I want to download the text file (or try to download it as my AV catches it immediately. I remember though years ago that AV did not catch any of them during download but only later. Then eicar.com became detected during download by most AV but the .zip ones frequently had to be fully downloaded and unzipping begun before AV would detect. So, in the past, doing the .zip ones was a good idea when trialing a new AV).


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 edit
reply to norwegian
Because EICAR.com is a DOS program and unable to run on Windows 7, so why would you expect an AV to ID it? Also would happen if you downloaded the zip..which is OK..but then tried to open it...and that would not only be for win7 64 but also 32. If you really want to run it..read the link I posted and make those changes to your win7.

The caution would be

" Note: you cannot run XP Mode on Windows 7Home editions. If you are using Windows 7 Home Premium, you would need to use Virtual Box, DosBox or any other 3rd party virtualization program that works with Home Premium. Please visit forums dedicated to these programs for more information."


norwegian
Premium
join:2005-02-15
Outback
Ah, so Graystoke is running the program and nothing is detected because it isn't valid.

I get alerts a long time before that. Running the file would need me to turn off a lot of settings. All good.

--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



norwegian
Premium
join:2005-02-15
Outback
reply to Name Game
said by Name Game:

" Note: you cannot run XP Mode on Windows 7 Home editions. If you are using Windows 7 Home Premium, you would need to use Virtual Box, DosBox or any other 3rd party virtualization program that works with Home Premium. Please visit forums dedicated to these programs for more information."

On this point, even on Win 7 x64 Ultimate, on right clicking the file, there is no option for XP mode or any other compatibility mode though either, even in properties. I thought that was allowable via the context menu in the upper versions of Win 7?



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
Then try this since Eicar is an MS-dos program

Most existing 16-bit and MS-DOS-based programs were originally written for Windows 3.0 or Windows 3.1. Windows 7 runs these older programs using a virtual machine that mimics the 386-enhanced mode used by Windows 3.0 and Windows 3.1. Unlike on other recent releases of Windows, on Windows 7 each 16-bit and MS-DOS-based application runs as a thread within a single virtual machine. This means that if you run multiple 16-bit and MS-DOS-based applications, they all share a common memory space. Unfortunately, if one of these applications hangs or crashes, it usually means the others will as well.

You can help prevent one 16-bit or MS-DOS-based application from causing others to hang or crash by running it in a separate memory space. To do this, follow these steps:
1. Right-click the program’s shortcut icon and then click Properties. (If the program doesn’t have a shortcut, create one, and then open the shortcut’s Properties dialog box.)
2. On the Shortcut tab, click the Advanced button. This displays the Advanced Properties dialog box.
3. Select the Run In Separate Memory Space check box.
4. Click OK twice to close all open dialog boxes and save the changes.

NOTE: Running a program in a separate memory space uses additional memory. However, you’ll usually find that the program is more responsive. Another added benefit is that you are able to run multiple instances of the program—as long as all the instances are running in separate memory spaces.

»technet.microsoft.com/en-us/maga···590.aspx
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Graystoke
You might also be interested in this for future reference...
HOW TO: Identify a 16-bit Program in Windows XP
»support.microsoft.com/kb/320127
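The KB link above is about telling 16-bit programs apart from Win32 ones, which is the whole reason eicar.com fails to launch on Win7 x64 (64-bit Windows ships no NTVDM, so the loader rejects every 16-bit image). As an added example, not code from the thread or from Microsoft, the following Python looks at the same header fields the Windows loader does: a .COM file has no MZ header at all (EICAR's first bytes, "X5O!", are already its first instructions), an MZ file whose e_lfanew points at an "NE" signature is a 16-bit Windows program, and only "PE\0\0" followed by a supported Machine value is a Win32/Win64 program. The sample images at the bottom are constructed header stubs, not real files from the page; classify_file() is a hypothetical helper name.

```python
import struct

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
MACHINE_NAMES = {0x014C: "x86 (32-bit)", 0x8664: "x64", 0x01C0: "ARM", 0xAA64: "ARM64"}


def classify_executable(data: bytes) -> str:
    """Coarsely classify a program image by the fields the Windows loader
    checks: the 'MZ' signature, e_lfanew at offset 0x3C, and the signature
    that e_lfanew points to."""
    if len(data) < 2 or data[:2] != b"MZ":
        # A .COM file is a raw 16-bit image loaded at CS:0100h; its first
        # bytes are already code, so there is no header to inspect.
        return "raw DOS .COM image (16-bit, no MZ header)"
    if len(data) < 0x40:
        return "truncated MZ header"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew == 0 or e_lfanew + 4 > len(data):
        # No new-style header reachable: a plain DOS MZ program.
        return "DOS MZ executable (16-bit)"
    sig = data[e_lfanew:e_lfanew + 4]
    if sig[:2] == b"NE":
        return "16-bit Windows (NE) executable"
    if sig[:2] in (b"LE", b"LX"):
        return "LE/LX executable (VxD or OS/2)"
    if sig == b"PE\x00\x00":
        if e_lfanew + 6 > len(data):
            return "truncated PE header"
        machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
        return "Win32/PE executable, machine " + MACHINE_NAMES.get(machine, "0x%04x" % machine)
    return "DOS MZ executable (16-bit)"


# --- constructed sample images: header bytes only, not runnable programs ---

def _mz_stub(e_lfanew: int) -> bytes:
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)        # 64-byte IMAGE_DOS_HEADER
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)     # e_lfanew field
    return bytes(hdr)


def sample_pe(machine: int) -> bytes:
    # MZ stub, then "PE\0\0" at 0x40, then the 2-byte Machine field.
    return _mz_stub(0x40) + b"PE\x00\x00" + struct.pack("<H", machine) + b"\x00" * 18


def sample_ne() -> bytes:
    return _mz_stub(0x40) + b"NE" + b"\x00" * 62


def sample_dos_mz() -> bytes:
    return _mz_stub(0)   # e_lfanew == 0: nothing but a DOS program


# mov ah,4Ch ; int 21h  -- a minimal DOS .COM program that just exits.
SAMPLE_COM = b"\xb4\x4c\xcd\x21"


def classify_file(path: str) -> str:
    """Classify a file on disk (hypothetical helper name)."""
    with open(path, "rb") as fh:
        return classify_executable(fh.read())


if __name__ == "__main__":
    for name, image in [("tiny .COM", SAMPLE_COM), ("DOS MZ", sample_dos_mz()),
                        ("Win16 NE", sample_ne()), ("PE x86", sample_pe(0x014C)),
                        ("PE x64", sample_pe(0x8664))]:
        print("%-10s %s" % (name, classify_executable(image)))
```

Run it against a downloaded eicar.com and it reports the raw .COM case; that is the file the Win7 x64 loader refuses, and it is also why an AV that only scans on execution never gets a chance to alert.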


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Graystoke
[screenshot]
Interesting note for Google Chrome users..even if you have WinXP..you will get two warnings from Google Chrome when a .com file tries to download..first will be the screen shot above cautioning you...(see bottom left corner of the screenshot).. then even if you say continue and do not discard you will get another warning telling you it could harm your PC. As a friend of mine said the other day .com used to be an executable program..now it is just a domain.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to norwegian
said by norwegian:

Ah, so Graystoke See Profile is running the program and nothing is detected because it isn't valid.

I get alerts a long time before that. Running the file would need me to turn off a lot of settings. All good.

No he is not running it. just like you he can't.


norwegian
Premium
join:2005-02-15
Outback
Ok, you win the round, my shout.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
[screenshot]
Was not a competition..but is time for another cuppa

redwolfe_98
Premium
join:2001-06-11
kudos:1

1 edit
reply to Graystoke
Graystoke, I think that an antivirus program should flag the eicar.com test file regardless of whether or not the file will run on a person's computer. That has been my experience.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

2 edits
If you have win7 and an AV running..try it.

Guess you could even make it yourself by putting the info in a text file.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

»www.microsoft.com/security/porta···47519003
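Both Bob4's post (paste the 68-byte string into Notepad) and the post above rely on the file being written exactly right: eicar.org specifies that a scanner must recognise the 68 bytes at offset 0, optionally followed by whitespace only (space, tab, CR, LF, Ctrl-Z), with the whole file no longer than 128 bytes. A byte-order mark from a "UTF-8" save, or a stray character after the string, makes it a file no AV is obliged to detect. The following Python is an added example by the editor, not code from the thread or from eicar.org; it builds the string from two halves (so the script itself is not an EICAR file), checks a byte string against that rule, and writes the file in binary mode. The output filename eicar.txt is an assumed default.

```python
import hashlib
import sys

# The 68-byte EICAR test string, assembled from two halves so that this
# source file is not itself flagged by an on-access scanner. The joined
# value is exactly the string posted above (and published by eicar.org).
EICAR_HEAD = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
EICAR_TAIL = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR = EICAR_HEAD + EICAR_TAIL

# eicar.org's rule for what scanners must recognise: the 68 bytes first,
# optionally followed by whitespace only, total length at most 128 bytes.
EICAR_MAX_LEN = 128
ALLOWED_TRAILER = frozenset(b" \t\r\n\x1a")   # space, tab, LF, CR, Ctrl-Z


def is_valid_eicar(data: bytes) -> bool:
    """True if `data` is a test file that a conformant scanner must detect."""
    if not len(EICAR) <= len(data) <= EICAR_MAX_LEN:
        return False
    if data[: len(EICAR)] != EICAR:
        return False          # e.g. a UTF-8 BOM pushed the string off offset 0
    return all(b in ALLOWED_TRAILER for b in data[len(EICAR):])


def build_eicar(trailer: bytes = b"") -> bytes:
    """Return EICAR plus `trailer`, refusing to build a non-conformant file."""
    data = EICAR + trailer
    if not is_valid_eicar(data):
        raise ValueError("trailer would make the file non-conformant")
    return data


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256, handy for confirming a download matches the reference."""
    return hashlib.sha256(data).hexdigest()


def write_eicar(path: str, trailer: bytes = b"") -> int:
    """Write the test file in binary mode so no newline or encoding
    translation is applied; returns the number of bytes written."""
    data = build_eicar(trailer)
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    # Usage: python make_eicar.py [output-path]   (default eicar.txt, assumed name)
    out = sys.argv[1] if len(sys.argv) > 1 else "eicar.txt"
    n = write_eicar(out)
    print("wrote %d bytes to %s, sha256 of the 68-byte string: %s"
          % (n, out, sha256_hex(EICAR)))
```

Saving from Notepad with the "ANSI" encoding writes the raw bytes; choosing "UTF-8" in Win7's Notepad prepends the three-byte BOM EF BB BF, and is_valid_eicar() then rejects the file, which matches what a scanner that follows the eicar.org rule will do. A trailing CRLF is fine. On a machine with real-time protection the write in write_eicar() is exactly the moment the AV should alert; if it does not, that is the result the thread is looking for.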


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Graystoke
You can also try trojan simulator
»www.trojanhunter.com/trojansimulator/


jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
USA
kudos:24
Hadn't seen that one before. Interesting program/file.

Graystoke

join:2006-03-24
Stockton, CA
Reviews:
·Comcast
·AT&T U-Verse
reply to redwolfe_98
said by redwolfe_98:

graystoke, i think that an antivirus program should flag the eicar.com test-file regardless of whether or not the file will run on a person's computer.. that has been my experience..

That's what I thought, since other A/V's I've run do that. So, I uninstalled BullGuard, and installed a free one called Roboscan. It detects the eicar.com and eicar zips as soon as I click on the download button. I don't know why BG doesn't do that.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
[screenshots of BullGuard real-time protection settings]
Did you set up your bullguard..it is highly configurable..maybe not by default.

real-time protection
1 Scan all files option
2 Just Scan option during execution
3 File types you can choose option
4 Incoming / outgoing mail scan option
5 Web traffic scan option (checked is recommended)
6 Excluded from the scan file size option
7 You can choose the extensions excluded from scanning section
8 Excluded from scanning folders option
9 Option to be excluded from scanning operations
10 Archive for the scan, the scan package files and boot sector scan option (leave as it is.)


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 recommendation

reply to jaykaykay
said by jaykaykay:

Hadn't seen that one before. Interesting program/file.

It is a good one for testing..I stopped even recommending using eicar since many AV have to be set up to detect spyware to id it today..I have used this one which to me makes more sense.

Why did you call it Spycar?
Spycar, the name, is in homage to the venerable EICAR anti-virus test file. This file was an historic project, created by CARO and published by EICAR. If your AV product does not alert you in the presence of the EICAR file, your anti-virus tool isn’t functioning properly (or, it was not designed to detect the EICAR file, a substantial unlikelihood for most modern anti-virus tools). In honor of the fine work of CARO and EICAR, we called our anti-spyware testing tool Spycar.

It is vital to note that the Spycar suite and the EICAR file are different types of things. Spycar is NOT an EICAR file for evaluating anti-spyware tools. The EICAR file can be used to verify that your anti-virus tool is alive and running. Spycar tests behavior-based alerting and blocking. Consider this analogy to illustrate the difference. You’ve got a smoke detector, and you want to see if it is working. The EICAR file is like the big red test button on the smoke detector. When you push the button, the smoke detector beeps, telling you that the battery is charged and everything seems to be working properly. Using Spycar, on the other hand, is more akin to blowing smoke into the smoke detector, then lighting a match by it, and so on. With Spycar, you are using a tool that mimics the behavior of a real fire (again, in a benign fashion) to see if your smoke detector is protecting you.

Is Spycar a Comprehensive Test of Anti-Spyware Tools?
No. Spycar models some behaviors of spyware tools to see if an anti-spyware tool detects and/or blocks it. But, spyware developers are very creative, adding new and clever behaviors all the time. Spycar tests for some of these common behaviors, but not all. Also, with its behavior-based modeling philosophy, Spycar does not evaluate the signature base, the user interface, and other vital aspects of an anti-spyware tool. Thus, Spycar alone cannot be used to determine how good or bad an anti-spyware product is. We’ve used it to find several gaps in anti-spyware product defenses, but Spycar is but one tool for analyzing one set of characteristics of anti-spyware products. A comprehensive review of anti-spyware tools should utilize a whole toolbox, of which Spycar may be one element. Ed Skoudis and Tom Liston wrote an article for Information Security Magazine comparing various enterprise anti-spyware tools, and Spycar was a small subset of our more comprehensive tests. You can see that article here.

»www.spycar.org/Welcome%20to%20Spycar.html

Graystoke

join:2006-03-24
Stockton, CA
reply to Name Game
@NameGame........I had my BG set up just like your pictures show.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

2 edits
thanks..the important one for eicar as I recall..is to have bullguard set to "enable spyware detection" on that advanced tab.

Mcafee had a real crazy way of using eicar..
»kc.mcafee.com/corporate/index?pa···=KB54228

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Name Game
[screenshot]
said by Name Game:

You can also try trojan simulator
»www.trojanhunter.com/trojansimulator/

You can?


norwegian
Premium
join:2005-02-15
Outback
When in doubt, check browser settings.

Well, found the page fine, but to download I had the same error as Mele20. Did they stop distributing it?