Looking For Anti-Virus Test

(PeteCresswell) · Aug 24, 2010

I've fooled around with the "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
but it is not doing what I want it to do.

It does provoke my virus checker when I try to email it - and
even provokes Verizon's spam trap; both of which prevent me from
emailing it to somebody.

What I want is some means to make the virus checker on another
person's PC pop a warning - preferably in response to an email.

The idea being that I can send them the email, go over to their
PC, point to the window that the virus checker pops, and say
"See - that's a virus alert. Always press *that* button and
never, ever, under any circumstances press the other button."

I even tried burning the EICAR text file to a CD and copying it
from the CD to the user's desktop - but the virus checker did not
throw the warning (and neither did my own when I did the same
thing). Same checker won't let an email go out with the file
attached, though. Maybe I have some profile setting wrong
in the checker - that it's not flagging the copy attempt?

Anybody got a harmless technique for provoking a virus warning so
the user can see what their virus checker's warning window looks
like?

(PeteCresswell) · Aug 24, 2010

Per Little Charlie:

Since Eicar is a text string edit it slightly and maybe rename it too.
Then once it's arrived at the target PC undo the changes and save the
file. The client's AV should then pop-up ( duering the save) and you
can demonstrate how to deal with a malicoius threat.

I think I have it doped out.

- My virus checker doe not flag .txt files - no matter what.

- As soon as the text string is embedded in a .com file (or
even when attempts to rename .txt ==> .com, the checker
flags it. Ditto .bat, .scr and, I would hope, all other
executable suffixes.

FromTheRafters · Aug 25, 2010

(PeteCresswell) said:
I've fooled around with the "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
but it is not doing what I want it to do.

It does provoke my virus checker when I try to email it - and
even provokes Verizon's spam trap; both of which prevent me from
emailing it to somebody.

What I want is some means to make the virus checker on another
person's PC pop a warning - preferably in response to an email.

The idea being that I can send them the email, go over to their
PC, point to the window that the virus checker pops, and say
"See - that's a virus alert. Always press *that* button and
never, ever, under any circumstances press the other button."

I even tried burning the EICAR text file to a CD and copying it
from the CD to the user's desktop - but the virus checker did not
throw the warning (and neither did my own when I did the same
thing). Same checker won't let an email go out with the file
attached, though. Maybe I have some profile setting wrong
in the checker - that it's not flagging the copy attempt?

Anybody got a harmless technique for provoking a virus warning so
the user can see what their virus checker's warning window looks
like?

EICAR should be a comfile (or other executable file destined for the
loader chain). Is there any reason that you *have* to have it as an
e-mail attachment?

Depending on the OS involved, you might be able to send kakworm script
and get an alert. Kakworm used the long since patched
'scriptlet.typelib/eyedog' vulnerability and should not have teeth on
modern OSes - yet (I think) should still be detected by AV programs. The
problem with e-mailing files that are known to cause alerts is that they
often get stripped out in transit. You could then experiment with the
"break apart messages" setting and send two half-kakworm scripts and
recombine them after receipt.

hxxp://62nds.com/pg/e91g.php

FromTheRafters · Aug 25, 2010

Little Charlie said:
Since Eicar is a text string edit it slightly and maybe rename it too.
Then once it's arrived at the target PC undo the changes and save the
file. The client's AV should then pop-up ( duering the save) and you
can demonstrate how to deal with a malicoius threat.

No need to send it through e-mail for that - it's just an ASCII text
string (now new and improved with some additional whitespace) that also
works as a comfile.

Sadly, my AV alerts to it even as a text file (very annoying).

(PeteCresswell) · Aug 25, 2010

Per FromTheRafters:

EICAR should be a comfile (or other executable file destined for the
loader chain). Is there any reason that you *have* to have it as an
e-mail attachment?

Only bc I thought it would most closely replicate the actual user
experience - since most of the time viruses seem to come in via
email attachments. But it's not a religious issue and, as you
note below, getting it through various mail servers is a problem.

So I guess I'll just burn a .com version to CD.

badgolferman · Aug 25, 2010

(PeteCresswell) said:
I've fooled around with the "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
but it is not doing what I want it to do.

It does provoke my virus checker when I try to email it - and
even provokes Verizon's spam trap; both of which prevent me from
emailing it to somebody.

What I want is some means to make the virus checker on another
person's PC pop a warning - preferably in response to an email.

The idea being that I can send them the email, go over to their
PC, point to the window that the virus checker pops, and say
"See - that's a virus alert. Always press that button and
never, ever, under any circumstances press the other button."

I even tried burning the EICAR text file to a CD and copying it
from the CD to the user's desktop - but the virus checker did not
throw the warning (and neither did my own when I did the same
thing). Same checker won't let an email go out with the file
attached, though. Maybe I have some profile setting wrong
in the checker - that it's not flagging the copy attempt?

Anybody got a harmless technique for provoking a virus warning so
the user can see what their virus checker's warning window looks
like?

Just a thought, what if you send it as an zipped file?

(PeteCresswell) · Aug 26, 2010

Per badgolferman:

?

Just a thought, what if you send it as an zipped file?

The virus checker I use (and the user uses) inspects zip file
contents too.

Dennis · Aug 26, 2010

The virus checker I use (and the user uses) inspects zip file
contents too.

Not if you add a password. ;-)

(PeteCresswell) · Aug 26, 2010

Per Dennis:

Not if you add a password. ;-)

Ouch!.... obvious now that you have said it...

Gotta give that a try.

mm · Sep 5, 2010

I've fooled around with the "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
but it is not doing what I want it to do.

You've almost solved this problem already, even by the posts, but I
just found this ng and this is the first time I've had to put in my
two cents.

Maybe this is now subject to the problems you describe below, but here
is eicar in a variety of forms, at the bottom of the page.

http://eicar.org/anti_virus_test_file.htm

Just send him the url and have him dl some of them.

As to eicar.com.txt, I've long wondered what prevents someone from
dl'ing a file ending in txt and then a short command to rename the
file to be executable?

mm

David W. Hodgins · Sep 5, 2010

You've almost solved this problem already, even by the posts, but I
just found this ng and this is the first time I've had to put in my
two cents.

If you read the rest of the thread from the week old message you are
replying to, it was solved by sending password protected zip files.
I apologize if that comes across as condescending, but that is the
case with this thread.

As to eicar.com.txt, I've long wondered what prevents someone from
dl'ing a file ending in txt and then a short command to rename the
file to be executable?

Renaming the file should cause it to be scanned, and caught by any
decent anti-virus program, and is by all I've tried.

Regards, Dave Hodgins

FromTheRafters · Sep 5, 2010

[...]

As to eicar.com.txt, I've long wondered what prevents someone from
dl'ing a file ending in txt and then a short command to rename the
file to be executable?

For some time I was trying to convince skeptics that *all* filetypes
should be scanned.

My concern was similar to yours (I think) - I was used to using "debug"
or "qbasic" and feeding them "program.txt" files.

Their unconcern was due to the fact that a program was needed to make
the textfile executable, and it would be *that* program that would need
to be detected (as a trojan perhaps).

Still, I thought, it is not a good idea to allow code such as this to
arrive on your computer's disk. I have since learned that there are so
many places on disk that code can hide (dormant) that it really does
make sense to target only those programs that are ready for execution
(executable).

Strictly speaking, EICAR should not be detectable in a zip file or a
text file. It should be detected if it is in executable form and alone
(possibly with a limited amount of whitespace68 to 128 bytes - it used
to be *only* 68 to 72 bytes) in a file. Your AV may detect EICAR.zip,
but it should do so when the unzipping isolates the string and places it
in a filetype that is indicative of an executable filetype.

[...]

FromTheRafters · Sep 5, 2010

David W. Hodgins said:
If you read the rest of the thread from the week old message you are
replying to, it was solved by sending password protected zip files.
I apologize if that comes across as condescending, but that is the
case with this thread.

Renaming the file should cause it to be scanned, and caught by any
decent anti-virus program, and is by all I've tried.

Still, if the OP was looking for a way to check his e-mail scanning
feature - none of those EICAR methods will work.

After all, that is not really the purpose of the EICAR program.