

therube

join:2004-11-11
Randallstown, MD
reply to Graystoke

Re: BullGuard And Eicar.org

Perhaps you need to check the box, "Only scan files loaded for execution"?

Since your system cannot "load" .com files, Bullguard has not attempted to detect it.



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to therube

The EICAR test file is designed for users and administrators who want to check the proper operation of their anti-virus software without using actual viruses. Since it is never a good idea to test with real viruses, anti-virus researchers designed a completely harmless test file that most anti-virus products detect as if it were a virus. The EICAR test file is completely benign and contains no viral code.

The most common uses for the EICAR test file are:

Confirms the anti-virus application is installed correctly
Demonstrate what happens when a virus is found
Check internal procedures and reactions when a virus is found
For users who would like to check the correct operation of their F-Secure Anti-Virus products, they can download the EICAR test file from the following links:
(Netscape Users: Right-click and select "Save Link As")

Click here for EICAR (COM-format) - HTTP
Click here for EICAR (ZIP-format) - HTTP
Or you may create the EICAR test by following the instructions below:

Launch your text editor to create a file with the following single line in it
(You may cut and paste the line below):
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Save the file to any name with COM extension, for example EICAR.COM. Make sure you save the file in standard MS-DOS ASCII format. Now you can use this file to demonstrate what happens when a virus is found.
Naturally, the file is not a virus. When executed, EICAR.COM will display the text 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!' and exit.


EICAR is the European Institute of Computer Anti-virus Research.

»www.f-secure.com/virus-info/eica···le.shtml
--
Gladiator Security Forum
»www.gladiator-antivirus.com/



norwegian
Premium
join:2005-02-15
Outback

1 edit
reply to therube

Oh bugga....the word document (2007) didn't get detected!

The .com and .txt files were full blown red alerts either way...I'll be submissive enough to ask why wasn't the word document, what was so different to the .txt file, or the .com file?

Note for test:
.txt and .docx files were created from the string according to the standard off a simple copy/paste/save function with no change to the "new file" name at all.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke
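
Added example (not part of any post in this thread): a Python sketch of why the .txt and .com copies raise an alert while a .docx made from the same paste may not. It assumes EICAR's published intended-use rule (the file must start with the 68-character string, may be followed only by whitespace, and must not exceed 128 bytes in total). `is_eicar_file`, `make_zip`, `scan` and the sample files are constructed for illustration; real products may match more loosely or more strictly.

```python
import io
import zipfile

# The 68-byte test string exactly as quoted in the thread.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
ALLOWED_PAD = b" \t\n\r\x1a"   # space, tab, LF, CR, Ctrl-Z (assumed from the EICAR rule)
MAX_LEN = 128                  # assumed from the EICAR rule


def is_eicar_file(data: bytes) -> bool:
    """True if data qualifies as an EICAR test file under the assumed rule."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    return all(b in ALLOWED_PAD for b in data[len(EICAR):])


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def scan(data: bytes) -> dict:
    """Check the raw bytes, then each archive member if data is a ZIP."""
    result = {"raw": is_eicar_file(data), "members": {}}
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                result["members"][name] = is_eicar_file(zf.read(name))
    return result


# Constructed samples mirroring the files discussed in the thread.
TXT = EICAR + b"\r\n"
ZIPPED = make_zip({"eicar.com": EICAR})
# Minimal stand-in for a .docx: a ZIP whose document part wraps the text in XML.
DOCX = make_zip({"word/document.xml":
                 b"<w:document><w:body><w:p><w:r><w:t>" + EICAR +
                 b"</w:t></w:r></w:p></w:body></w:document>"})

if __name__ == "__main__":
    for label, sample in (("txt", TXT), ("zip", ZIPPED), ("docx", DOCX)):
        print(label, scan(sample))
```

The zipped eicar.com still qualifies once the archive is unpacked, but the document part inside the .docx stand-in does not, because the string is buried inside XML rather than at the start of the file.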



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to therube

It has been my experience when people start setting their AV to even scan when downloading rather than realtime scan if the thing then executes and ends up to be a badboy..that it slows down many machines and they get so many false positives no matter what the product...and they go bonkers..but that is just my opinion.

claudiubotez

join:2009-06-28
reply to Name Game

"The EICAR test file is designed for users and administrators who want to check the proper operation of their anti-virus software without using actual viruses..."

Hi Name Game,

I've never understood the "relevance" of such test; as long as this is an "Expected" test for any AV, the developers will take care that, at least Eicar, should be detected.

So, how can you check "the proper operation of their anti-virus software without using actual viruses..."..... using Eicar????

thanks,
Claudiu



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6

OK, you got me, I'm not Name Game, but here's the answer to your question
»www.eicar.org/86-0-Intended-use.html



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to claudiubotez

I have no idea..I am still crash testing skateboards for the next gus macker.


jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
USA
kudos:24
reply to Name Game

Nice, long EULA!


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Name Game

said by Name Game:

eicar will not even run on 64bit windows..if you can get it to run let me know.

You persist in missing the point. It doesn't need to run! It is a TEST to see if your antivirus program works correctly. 99.9% of AV will detect it as it downloads so what does it running have to do with the issue here?
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to claudiubotez

said by claudiubotez:

"The EICAR test file is designed for users and administrators who want to check the proper operation of their anti-virus software without using actual viruses..."

Hi Name Game,

I've never understood the "relevance" of such test; as long as this is an "Expected" test for any AV, the developers will take care that, at least Eicar, should be detected.

So, how can you check "the proper operation of their anti-virus software without using actual viruses..."..... using Eicar????

thanks,
Claudiu

EICAR is to be used to see if you have properly configured your AV and/or to see if your installation of your AV is corrupted. These days, all AV should be able to detect eicar.com as it STARTS to download, and block the download, and that is without any fancy settings on your AV...even my 2008 version of Avira free blocks it almost instantly. I recall though when Avira could not detect eicar.com until fully downloaded and scanned by the on demand scanner or an attempt was made to execute the downloaded file (then the real time scanner would stop it). I recall similar behavior years ago with some other AV. I also recall many discussions in vendors' forums about whether or not the AV in question should, or should not, detect in real time at the moment downloading was started. Eventually, all began to do this mainly because users wanted that. Users are impressed by the wrong things (particularly naive users which are the majority) and they get scared if malware is not detected until it tries to execute. But it doesn't matter when it is detected just that it is detected at some point before it actually executes.

But today, especially if you use a Mozilla based browser, your AV automatically scans all downloads in real time and blocks if malicious be it EICAR or a real trojan.

Because eicar.com is usually detected by the real time scanner almost instantly (in fact some AV detect it the moment the eicar webpage is opened before any attempt at downloading is made), I have always ALSO downloaded the two zip files and then right click scanned so I can see if my on demand scanner is working correctly and configured properly.

The point of EICAR is NOT to see if your AV detects more trojans than some other AV. If that is what you want to do then you will have to test it against new trojans that you have access to.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Mele20

False Positives up the ying yang..got that.


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

Eh?



norwegian
Premium
join:2005-02-15
Outback
reply to Mele20

said by Mele20:

But today, especially if you use a Mozilla based browser, your AV automatically scans all downloads in real time and blocks if malicious be it EICAR or a real trojan.
Because eicar.com is usually detected by the real time scanner almost instantly (in fact some AV detect it the moment the eicar webpage is opened before any attempt at downloading is made), I have always ALSO downloaded the two zip files and then right click scanned so I can see if my on demand scanner is working correctly and configured properly.

I'm not going to nit pick over this point, but you do understand a lot of free A/V's do not have a web/script engine. So how does it fail if it doesn't detect the file until the .com file is run, or the .txt file is scanned on your desktop?

And as pointed out in Win 7 and specifically x64 flavor to add to the complication, you can not test the running process to see if the A/V picks it up 'live'? You are still only really alerted to a dead .txt file which isn't a true test of anything, after all what is a dead file going to do to you unless you use social engineering and 'click' install.

My posts in the spam forum on detected malware were scanned by my mail engine initially for example. If it does the job and my file engine doesn't, does that mean it failed - I doubt it. But if I run it and my file or active protection failed I'd be upset. Each has its own job, and for obvious to some, reasons too.

You can not run the .com file on Windows 7, so why the lack of understanding and finger pointing?
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

Where am I not understanding or finger pointing?

Avira 8 has no web engine ...I hate that crap. Avira detects before download can start/finish.

Why are you so against scanning the zip files?

Text file is the worthless one.. AV does not work on it for me because of Proxo which renders it harmless.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



norwegian
Premium
join:2005-02-15
Outback

I'm not against .zip files, and Proxo is not relative to the OP's question.

So anything relative to it would be classed as off-topic.
Browser protection is not relative to the question on .com files on Windows 7.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

I have NEVER said anything about browser protection. I am talking about whatever AV you use if you have Fx or SM. That is not browser protection...it is your AV scanning during Fx/SM download.

About 3/4ths of this thread is OT according to your definition. Did you notify the mods to remove all the posts?



norwegian
Premium
join:2005-02-15
Outback

said by Mele20:

I am talking about whatever AV you use if you have Fx or SM. That is not browser protection...it is your AV scanning during Fx/SM download.

I feel like I'm going around in circles - not all A/V's scan downloads as they happen regardless of Fx or SM, IE or any other browser. You are fooling yourself if you think every one does, a few free ones will scan via the file A/V and pick it up, that is a different process.

said by Mele20:

About 3/4ths of this thread is OT according to your definition. Did you notify the mods to remove all the posts?

Exactly.....but we are here to help the OP, not say "my setup" doesn't. If you want to test for the OP you have to forget your configuration and reset your system to his configuration to see if you can duplicate the event, beta testing you have to do this to further a bug. Telling them the bug in IE isn't reproduced on your system with Fx or SM is not helping.

We all have our views of helping, I thought you would understand what I was trying to clarify, oh well.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke