

Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

2 edits
reply to redwolfe_98

Re: BullGuard And Eicar.org

If you have win7 and an AV running..try it.

Guess you could even make it yourself putting the info in a text file.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

»www.microsoft.com/security/porta···47519003


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Graystoke
You can also try trojan simulator
»www.trojanhunter.com/trojansimulator/


jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
USA
kudos:24
Hadn't seen that one before. Interesting program/file.

Graystoke

join:2006-03-24
Stockton, CA
Reviews:
·Comcast
·AT&T U-Verse
reply to redwolfe_98
said by redwolfe_98:

graystoke, i think that an antivirus program should flag the eicar.com test-file regardless of whether or not the file will run on a person's computer.. that has been my experience..

That's what I thought, since other A/V's I've run do that. So, I uninstalled BullGuard, and installed a free one called Roboscan. It detects the eicar.com and eicar zips as soon as I click on the download button. I don't know why BG doesn't do that.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
Did you set up your bullguard..it is highly configurable..maybe not by default.

real-time protection
1 Scan all files option
2 Just Scan option during execution
3 File types you can choose option
4 Incoming / outgoing mail scan option
5 Web traffic scan option (checked is recommended)
6 Excluded from the scan file size option
7 You can choose the extensions excluded from scanning section
8 Excluded from scanning folders option
9 Option to be excluded from scanning operations
10 Archive for the scan, the scan package files and boot sector scan option (leave as it is.)
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 recommendation

reply to jaykaykay
said by jaykaykay:

Hadn't seen that one before. Interesting program/file.

It is a good one for testing..I stopped even recommending using eicar since many AV have to be set up to detect spyware to id it today..I have used this one which to me makes more sense.

Why did you call it Spycar?
Spycar, the name, is in homage to the venerable EICAR anti-virus test file. This file was an historic project, created by CARO and published by EICAR. If your AV product does not alert you in the presence of the EICAR file, your anti-virus tool isn’t functioning properly (or, it was not designed to detect the EICAR file, a substantial unlikelihood for most modern anti-virus tools). In honor of the fine work of CARO and EICAR, we called our anti-spyware testing tool Spycar.

It is vital to note that the Spycar suite and the EICAR file are different types of things. Spycar is NOT an EICAR file for evaluating anti-spyware tools. The EICAR file can be used to verify that your anti-virus tool is alive and running. Spycar tests behavior-based alerting and blocking. Consider this analogy to illustrate the difference. You’ve got a smoke detector, and you want to see if it is working. The EICAR file is like the big red test button on the smoke detector. When you push the button, the smoke detector beeps, telling you that the battery is charged and everything seems to be working properly. Using Spycar, on the other hand, is more akin to blowing smoke into the smoke detector, then lighting a match by it, and so on. With Spycar, you are using a tool that mimics the behavior of a real fire (again, in a benign fashion) to see if your smoke detector is protecting you.

Is Spycar a Comprehensive Test of Anti-Spyware Tools?
No. Spycar models some behaviors of spyware tools to see if an anti-spyware tool detects and/or blocks it. But, spyware developers are very creative, adding new and clever behaviors all the time. Spycar tests for some of these common behaviors, but not all. Also, with its behavior-based modeling philosophy, Spycar does not evaluate the signature base, the user interface, and other vital aspects of an anti-spyware tool. Thus, Spycar alone cannot be used to determine how good or bad an anti-spyware product is. We’ve used it to find several gaps in anti-spyware product defenses, but Spycar is but one tool for analyzing one set of characteristics of anti-spyware products. A comprehensive review of anti-spyware tools should utilize a whole toolbox, of which Spycar may be one element. Ed Skoudis and Tom Liston wrote an article for Information Security Magazine comparing various enterprise anti-spyware tools, and Spycar was a small subset of our more comprehensive tests. You can see that article here.

»www.spycar.org/Welcome%20to%20Spycar.html
--
Gladiator Security Forum
»www.gladiator-antivirus.com/

Graystoke

join:2006-03-24
Stockton, CA
reply to Name Game
@NameGame........I had my BG set up just like your pictures show.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

2 edits
thanks..the important one for eicar as I recall..is to have bullguard set to "enable spyware detection" on that advanced tab.

Mcafee had a real crazy way of using eicar..
»kc.mcafee.com/corporate/index?pa···=KB54228

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Name Game
said by Name Game:

You can also try trojan simulator
»www.trojanhunter.com/trojansimulator/

You can?
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


norwegian
Premium
join:2005-02-15
Outback
When in doubt, check browser settings.

Well, found the page fine, but to download I had the same error as Mele20. Did they stop distributing it?

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Name Game
This »kc.mcafee.com/corporate/index?pa···=KB52865 says you can just go to EICAR website just as you do with any AV and try to download eicar.com. (I read your link which is referring to McAfee corporate AV and wondered how an average home user would be expected to do all that just to test their McAfee that came on their new Dell). McAfee doesn't claim that Windows 7 64bit users can't test at EICAR website.

ALL AV agreed long ago to detect EICAR. If Bullguard doesn't then it is set up wrong. That is the purpose of the EICAR file...to let the user know if they have the AV configured incorrectly or their installation is corrupted.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


norwegian
Premium
join:2005-02-15
Outback
Looks like end of life:

»www.misec.net/forum/board/Trojan···22779282

1st Dec 2011

Today, we removed Trojan Simulator from our servers. Trojan Simulator was written many years ago as a tool to test the effectiveness of malware scanners against trojan-type window executables against a harmless trojan simulator file.

The reason for the removal of Trojan Simulator is that lately site classification tools have been reporting trojanhunter.com as being "infected" by Trojan Simulator, even though it in itself is a harmless application. The reason for this is of course that most anti-virus and anti-malware scanners detect Trojan Simulator.

This can cause users to become unduly alarmed if their "site quality" reporting tool incorrectly flags trojanhunter.com as being "infected with malware" because of the presence of the Trojan Simulator zip file.

The Trojan Simulator section of the forum will be open for a little while more and then closed and removed.


--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 recommendation

I downloaded the file when I made that post..others did too 'cause they told me..looks like Magnus pulled it..you could always try the one andreas made »Trojan signature quality of certain AV products...


norwegian
Premium
join:2005-02-15
Outback

1 recommendation

Still works too.

Gees there's some names there we miss.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 recommendation

If you want trojansimulator by Magnus you can get it here

download it from the Softpedia Mirror (RO) [ZIP]

»www.softpedia.com/progDownload/T···347.html
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Mele20
Many peps at home use the enterprise..they get it 'comp' from their workplace.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
I know that but what does that have to do with the issue? McAfee doesn't claim that the enterprise version can't use EICAR because it doesn't work on 64bit Windows. BTW, the enterprise version is far better than the commercial one. I used to beta test for McAfee enterprise and it was good...commercial, home user one was garbage and still is.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to norwegian
said by norwegian:

Still works too.

Gees there's some names there we miss.

Yeah, that thread was a trip down memory lane!
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Mele20
eicar will not even run on 64bit windows..if you can get it to run let me know.


therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL

1 edit
reply to Graystoke
(I have not read most of this thread ...)

quote:
"eicar.com" is not an executable file, in any manner.
It is not supposed to be.

I'm wrong on this, it is.

The only reason for the .com extension is because an A/V should be scanning .com files & if it scans .com files, then this file, "eicar.com" will also be scanned & so should be detected.

You could also name the file "eicar.txt" & that would work fine too - but your A/V would not scan it by default. Though tell your A/V to scan all files, regardless of type, then "eicar.txt" would be detected as expected.

quote:
> Because EICAR.com is a DOS program

It is not. It is simply a textual file with a .com extension.

And again.


therube

join:2004-11-11
Randallstown, MD
reply to Graystoke
Perhaps you need to check the box, "Only scan files loaded for execution"?

Since your system cannot "load" .com files, Bullguard has not attempted to detect it.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to therube
The EICAR test file is designed for users and administrators who want to check the proper operation of their anti-virus software without using actual viruses. Since it is never a good idea to test with real viruses, anti-virus researchers designed a completely harmless test file that most anti-virus products detect as if it were a virus. The EICAR test file is completely benign and contains no viral code.

The most common uses for the EICAR test file are:

Confirms the anti-virus application is installed correctly
Demonstrate what happens when a virus is found
Check internal procedures and reactions when a virus is found
For users who would like to check the correct operation of their F-Secure Anti-Virus products, they can download the EICAR test file from the following links:
(Netscape Users: Right-click and select "Save Link As")

Click here for EICAR (COM-format) - HTTP
Click here for EICAR (ZIP-format) - HTTP
Or you may create the EICAR test by following the instructions below:

Launch your text editor to create a file with the following single line in it
(You may cut and paste the line below):
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Save the file to any name with COM extension, for example EICAR.COM. Make sure you save the file in standard MS-DOS ASCII format. Now you can use this file to demonstrate what happens when a virus is found.
Naturally, the file is not a virus. When executed, EICAR.COM will display the text 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!' and exit.


EICAR is the European Institute of Computer Anti-virus Research.

»www.f-secure.com/virus-info/eica···le.shtml
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


norwegian
Premium
join:2005-02-15
Outback

1 edit
reply to therube
Oh bugga....the word document (2007) didn't get detected!

The .com and .txt files were full blown red alerts either way...I'll be submissive enough to ask why wasn't the word document, what was so different to the .txt file, or the .com file?

Note for test:
.txt and .docx files were created from the string according to the standard off a simple copy/paste/save function with no change to the "new file" name at all.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
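
The following is an added example, not code from any poster in this thread. It checks files against the rule in EICAR's intended-use definition (the 68-byte string at the very start of the file, optionally followed by whitespace, at most 128 bytes in total) and shows why a renamed .txt still qualifies while a .docx, which is a ZIP container, does not. The function names and the minimal docx-like ZIP are constructed for illustration.

```python
import io
import zipfile

# The 68-byte test string quoted in the thread, split in two so that this
# source file is not itself a conformant test file.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
ALLOWED_PADDING = b" \t\r\n\x1a"  # space, tab, CR, LF, Ctrl-Z
MAX_LEN = 128                     # string plus padding may not exceed this


def is_conformant_eicar(data: bytes) -> bool:
    """True if data is the test string at offset 0 plus optional whitespace."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    return all(b in ALLOWED_PADDING for b in data[len(EICAR):])


def make_docx_like(text: bytes) -> bytes:
    """Constructed stand-in for a .docx: a ZIP holding the text inside XML."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", b"<w:t>" + text + b"</w:t>")
    return buf.getvalue()


def classify(samples: dict) -> dict:
    """Map each sample name to whether its bytes meet the definition."""
    return {name: is_conformant_eicar(data) for name, data in samples.items()}


# Constructed sample files: the name is only a label, the bytes decide.
SAMPLES = {
    "eicar.com": EICAR,
    "eicar.txt": EICAR + b"\r\n",          # editor added a trailing newline
    "leading-space.txt": b" " + EICAR,     # string no longer at offset 0
    "eicar.docx": make_docx_like(EICAR),   # container starts with b"PK"
}

if __name__ == "__main__":
    for name, ok in classify(SAMPLES).items():
        print(f"{name:20} conformant={ok} first_bytes={SAMPLES[name][:4]!r}")
```

A scanner can still find the string inside the .docx if it unpacks archives; that depends on the product and its archive-scanning settings.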



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to therube
It has been my experience when people start setting their AV to even scan when downloading rather than realtime scan if the thing then executes and ends up to be a badboy..that it slows down many machines and they get so many false positives no matter what the product...and they go bonkers..but that is just my opinion.

claudiubotez

join:2009-06-28
reply to Name Game
"The EICAR test file is designed for users and administrators who want to check the proper operation of their anti-virus software without using actual viruses..."

Hi Name Game,

I've never understood the "relevance" of such test; as long as this is an "Expected" test for any AV, the developers will take care that, at least Eicar, should be detected.

So, how can you check "the proper operation of their anti-virus software without using actual viruses..."..... using Eicar????

thanks,
Claudiu


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Time Warner Cable
·Clearwire Wireless
OK, you got me, I'm not Name Game, but here's the answer to your question
»www.eicar.org/86-0-Intended-use.html


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to claudiubotez
I have no idea..I am still crash testing skateboards for the next gus macker.


jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
USA
kudos:24
reply to Name Game
Nice, long EULA!

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Name Game
said by Name Game:

eicar will not even run on 64bit windows..if you can get it to run let me know.

You persist in missing the point. It doesn't need to run! It is a TEST to see if your antivirus program works correctly. 99.9% of AV will detect it as it downloads so what does it running have to do with the issue here?
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to claudiubotez
said by claudiubotez:

"The EICAR test file is designed for users and administrators who want to check the proper operation of their anti-virus software without using actual viruses..."

Hi Name Game,

I've never understood the "relevance" of such test; as long as this is an "Expected" test for any AV, the developers will take care that, at least Eicar, should be detected.

So, how can you check "the proper operation of their anti-virus software without using actual viruses..."..... using Eicar????

thanks,
Claudiu

EICAR is to be used to see if you have properly configured your AV and/or to see if your installation of your AV is corrupted. These days, all AV should be able to detect eicar.com as it STARTS to download, and block the download, and that is without any fancy settings on your AV...even my 2008 version of Avira free blocks it almost instantly. I recall though when Avira could not detect eicar.com until fully downloaded and scanned by the on demand scanner or an attempt was made to execute the downloaded file (then the real time scanner would stop it). I recall similar behavior years ago with some other AV. I also recall many discussions in vendors' forums about whether or not the AV in question should, or should not, detect in real time at the moment downloading was started. Eventually, all began to do this mainly because users wanted that. Users are impressed by the wrong things (particularly naive users which are the majority) and they get scared if malware is not detected until it tries to execute. But it doesn't matter when it is detected just that it is detected at some point before it actually executes.

But today, especially if you use a Mozilla based browser, your AV automatically scans all downloads in real time and blocks if malicious be it EICAR or a real trojan.

Because eicar.com is usually detected by the real time scanner almost instantly (in fact some AV detect it the moment the eicar webpage is opened before any attempt at downloading is made), I have always ALSO downloaded the two zip files and then right click scanned so I can see if my on demand scanner is working correctly and configured properly.

The point of EICAR is NOT to see if your AV detects more trojans than some other AV. If that is what you want to do then you will have to test it against new trojans that you have access to.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson