funsec mailing list archives
Re: Overloading AV software, was Question about Viruses
From: Drsolly <drsollyp () drsolly com>
Date: Fri, 7 Jul 2006 20:50:00 +0100 (BST)
> I guess that's why the eicar site says:
>
> -------------------------
> The first 68 characters is the known string. It may be optionally appended by any combination of whitespace characters with the total file length not exceeding 128 characters. The only whitespace characters allowed are the space character, tab, LF, CR, CTRL-Z. To keep things simple the file uses only upper case letters, digits and punctuation marks, and does not include spaces.
> -------------------------
>
> Pretty specific. This seems kind of silly to me, as any variation of code before the detection bit would result in the detection bit being in a different location, and therefore result in the virus not being detected, correct?
Correct. That's the way that the Eicar test file is *supposed* to be. By the way, please don't call the Eicar test file a virus, because it isn't. It's a test file, that AV vendors might or might not decide to detect and report. Its use is to verify that your AV is installed correctly and is active, without you needing to use a real virus for that test. But if your AV doesn't detect the EICAR test file, that doesn't leave you at risk from a nasty, provided you do have some alternative way to check that you have it installed correctly, and active.
> Is this a leftover of the "Signature Wars" where people were trying to sell their AV by saying "mine detects 60,000 viruses", 'well mine detects 80,000', etc, etc.?
I never noticed such a war - maybe the marketroids did that. Certainly, Findvirus, when you run it, tells you how many things it's scanning for. That seemed like something people would like to know. But I notice that the figure is up to 200,000 now.
So, your idea won't work.

> I guess that's a good thing :-(
> -JP
> <X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*>
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
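As an added example, not code from the funsec thread or from eicar.org, here is a small checker that applies the rules JP quoted from the eicar site (the 68-byte string, the five permitted trailing whitespace characters, the 128-byte limit) and reports why a candidate fails; the sample candidates are constructed for this example, and a prefixed or altered copy fails, which is the point Drsolly confirms.

```python
# Added example, not code from the funsec thread: applies the eicar.org rules
# quoted in the message to a candidate file and says why it fails.
from typing import Dict, Tuple

# The 68-character test string as it appears in the thread.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
assert len(EICAR) == 68

# Only these may follow the string: space, tab, LF, CR, CTRL-Z.
ALLOWED_TRAILING = frozenset(b" \t\n\r\x1a")
MAX_LENGTH = 128


def check_eicar(data: bytes) -> Tuple[bool, str]:
    """Return (valid, reason) for a candidate EICAR test file."""
    if len(data) > MAX_LENGTH:
        return False, f"{len(data)} bytes exceeds the {MAX_LENGTH}-byte limit"
    if not data.startswith(EICAR):
        # Bytes placed before, or edits inside, the known string move or break
        # the signature, so a scanner keyed on it will not fire (the thread's point).
        return False, "first 68 bytes are not the EICAR string"
    extra = set(data[len(EICAR):]) - ALLOWED_TRAILING
    if extra:
        return False, "disallowed trailing bytes: " + repr(bytes(sorted(extra)))
    return True, "valid EICAR test file"


# Constructed candidates (not from the thread) covering each rule.
SAMPLES: Dict[str, bytes] = {
    "bare": EICAR,
    "crlf": EICAR + b"\r\n",
    "padded_to_128": EICAR + b" " * 60,
    "padded_to_129": EICAR + b" " * 61,
    "prefixed": b"X" + EICAR,
    "lowercase": EICAR.lower(),
    "nul_tail": EICAR + b"\x00",
}


def run_samples() -> Dict[str, bool]:
    """Evaluate every constructed sample; returns name -> validity."""
    return {name: check_eicar(blob)[0] for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        ok, why = check_eicar(blob)
        print(f"{name:14} {'PASS' if ok else 'FAIL'}  {why}")
```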