Testing for alternate data stream scanning

Julian

Would the following command file (mk_eicar_ads.cmd):

echo
X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* >
test.txt:eicar.com

(all one line!)

be a valid test to see if an anti-virus detects writing to an alternate
data stream? How many anti-virus products would alert on this?
 
From: "Julian" <[email protected]>

| Would the following command file (mk_eicar_ads.cmd):
|
| echo
| X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* >
| test.txt:eicar.com
|
| (all one line!)
|
| be a valid test to see if an anti-virus detects writing to an alternate
| data stream? How many anti-virus products would alert on this?

All AV software *should* work with the EICAR.

http://www.eicar.org/anti_virus_test_file.htm
 
| Would the following command file (mk_eicar_ads.cmd):
|
| echo
| X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* >
| test.txt:eicar.com
|
| (all one line!)
|
| be a valid test to see if an anti-virus detects writing to an alternate
| data stream? How many anti-virus products would alert on this?

Close! The string you need is:

X5O!P%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

I see you've added an extra caret at (P^) but the extra percent !P%% is
unnecessary.

To test this, once written, you need to type:

more < test.txt:eicar.com > eicar.com

NAV 2002 notices this when using more, but not when writing the string.
--
Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
 
David said:
| From: "Julian" <[email protected]>
|
| | Would the following command file (mk_eicar_ads.cmd):
| |
| | echo
| | X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* >
| | test.txt:eicar.com
| |
| | (all one line!)
| |
| | be a valid test to see if an anti-virus detects writing to an alternate
| | data stream? How many anti-virus products would alert on this?
|
| All AV software *should* work with the EICAR.
|
| http://www.eicar.org/anti_virus_test_file.htm

Yes, but will they detect it in an alternate data stream? Or are
alternative data streams not considered a valid location for the Eicar file?
 
Adam said:
| Close! The string you need is:
|
| X5O!P%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
|
| I see you've added an extra caret at (P^) but the extra percent !P%% is
| unnecessary.

I don't think it is unnecessary, because I tested it first by echoing to
a regular eicar.com and then checking the result in notepad, and with
only one percent, there was no percent in the output file. I needed two,
to get the one that is supposed to be there.
| To test this, once written, you need to type:
|
| more < test.txt:eicar.com > eicar.com
|
| NAV 2002 notices this when using more, but not when writing the string.

That's presumably because at that point it's saving it to a regular .com
file. I was interested in whether any anti-virus would detect the Eicar
file when it is being written to an ADS, or while it is hidden there,
during an on-demand scan.
 
| Adam said:
| | Close! The string you need is:
| |
| | X5O!P%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
| |
| | I see you've added an extra caret at (P^) but the extra percent !P%% is
| | unnecessary.
|
| I don't think it is unnecessary, because I tested it first by echoing to
| a regular eicar.com and then checking the result in notepad, and with
| only one percent, there was no percent in the output file. I needed two,
| to get the one that is supposed to be there.

Hmm, on my Win2k computer the % signs come out exactly as they're typed.

| That's presumably because at that point it's saving it to a regular .com
| file. I was interested in whether any anti-virus would detect the Eicar
| file when it is being written to an ADS, or while it is hidden there,
| during an on-demand scan.

After creating the file with an ADS, a scan of its parent directory came
up with nothing, and neither did echoing the string to a file. Good question btw :-)


Adam.

 
Maybe the escape character problem would go away if you redirected an
EICAR.COM file's contents to the ADS instead of from (through) the
command line itself.

TYPE EICAR.COM>EICAR.TXT:EICAR.COM

Can't test it here - Win98.
 
Roger said:
| Maybe the escape character problem would go away if you redirected an
| EICAR.COM file's contents to the ADS instead of from (through) the
| command line itself.
|
| TYPE EICAR.COM>EICAR.TXT:EICAR.COM
|
| Can't test it here - Win98.

Windows 9x doesn't support Alternative Data Streams, so you're lucky this time :-)

Adam Piggott,
Proprietor,
Proactive Services (Computing)
http://www.proactiveservices.co.uk/
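The whole test the thread is circling around, as one added example. This is my script, not anything the posters ran; it assumes Windows PowerShell 5.1 or newer on an NTFS volume, a writable current directory, the file names test.txt, test2.txt, eicar.com and mk_eicar_ads.cmd (my choices), and, for the optional last step, Defender's MpCmdRun.exe at its default location. Step 1 writes the EICAR string into an alternate data stream without going through cmd.exe at all, which sidesteps the escaping problem Roger raises; step 2 copies the stream out to a regular .com file, which is what Adam's `more <` command does; step 3 runs Julian's .cmd line as written, which is where the `%%` disagreement gets settled: inside a batch file a lone `%` is consumed by variable expansion and must be written `%%`, while at an interactive prompt a lone `%` is left alone, so Julian's result is what you get from the .cmd file and Adam's is what you get typing at the prompt. `^` is cmd's escape character in both places, so `^^` is needed for the literal caret either way. Whether a step is detected depends on the scanner in front of you; the script only reports what it can still read after each step.

```powershell
# Added example; not code from the thread. Reproduces the three steps the
# posters discuss: write the EICAR string into an NTFS alternate data stream,
# copy the stream out to a regular .com file, and run an on-demand scan.
# Assumptions (mine, not the thread's): NTFS volume, Windows PowerShell 5.1 or
# newer, a writable current directory, and the file names used below.
$ErrorActionPreference = 'Stop'

# Canonical 68-byte EICAR string, joined from two halves so the script file
# itself does not carry the contiguous signature. Single quotes matter: in
# double quotes PowerShell would expand $EICAR-STANDARD... as a variable.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
if ($eicar.Length -ne 68) { throw "unexpected EICAR length: $($eicar.Length)" }

$hostFile   = Join-Path $PWD 'test.txt'
$streamName = 'eicar.com'
$outFile    = Join-Path $PWD 'eicar.com'

# Step 1: write the host file and the alternate stream. No cmd.exe escaping
# is involved, so the % / ^ doubling question from the thread does not arise.
Set-Content -Path $hostFile -Value 'harmless host content' -NoNewline -Encoding Ascii
try {
    Set-Content -Path $hostFile -Stream $streamName -Value $eicar -NoNewline -Encoding Ascii
    Start-Sleep -Seconds 5          # give an on-access scanner a moment to act
    # Expect two entries: ':$DATA' (the visible content) and 'eicar.com'
    Get-Item -Path $hostFile -Stream * | Format-Table Stream, Length -AutoSize
    $readBack = Get-Content -Path $hostFile -Stream $streamName -Raw -Encoding Ascii
} catch {
    "scanner (or the file system) intervened at the ADS write/read step: $($_.Exception.Message)"
    exit 1
}
"ADS content matches the canonical string: $($readBack -eq $eicar)"

# Step 2: copy the stream out to a regular file, the equivalent of the thread's
# 'more < test.txt:eicar.com > eicar.com'. A scanner that ignored the stream
# typically reacts here, because the signature now sits in a normal .com file.
[IO.File]::WriteAllBytes($outFile, [Text.Encoding]::ASCII.GetBytes($readBack))
Start-Sleep -Seconds 5
"eicar.com still present 5 s after extraction: $(Test-Path $outFile)"

# Step 3: the thread's batch-file route. In a .cmd file a lone % is eaten by
# variable expansion unless written as %%, and ^ is the escape character, so
# the line below needs both doublings (at an interactive prompt a lone % is
# left alone, which is why the two posters saw different results). %~dp0 is
# the batch file's own directory, so the stream lands next to this script
# regardless of cmd.exe's working directory.
$batchFile = Join-Path $PWD 'mk_eicar_ads.cmd'
$hostFile2 = Join-Path $PWD 'test2.txt'
@'
@echo X5O!P%%@AP[4\PZX54(P^^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* > "%~dp0test2.txt:eicar.com"
'@ | Set-Content -Path $batchFile -Encoding Ascii
& cmd.exe /c $batchFile
# echo appends a trailing space and CRLF; EICAR permits trailing whitespace
# (up to 128 bytes total), so trim before comparing.
$fromBatch = (Get-Content -Path $hostFile2 -Stream $streamName -Raw -Encoding Ascii).TrimEnd()
"batch-written ADS matches the canonical string: $($fromBatch -eq $eicar)"

# Step 4 (optional, assumption): on-demand scan of the host file with the
# Defender command-line scanner if it is installed; any other product's CLI
# can be substituted. -ScanType 3 is a custom scan of the given path.
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
if (Test-Path $mpCmdRun) { & $mpCmdRun -Scan -ScanType 3 -File $hostFile }

# Clean up whatever the scanner has not already quarantined.
Remove-Item -Path $hostFile, $hostFile2, $outFile, $batchFile -ErrorAction SilentlyContinue
```

Read the three "matches" lines together: a scanner that only catches step 2 is the NAV 2002 behaviour Adam describes (detection when the content reaches a regular .com file, nothing when it is written to or sitting in the stream), which is the gap Julian is asking about. If step 1 already fails in the catch block, the product inspects stream writes on access, and the rest of the script is moot.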
 