funsec mailing list archives

Re: Overloading AV software, was Question about Viruses


From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Fri, 7 Jul 2006 15:58:49 -0400

On 7/7/06, Drsolly <drsollyp () drsolly com> wrote:
> I guess that's why the eicar site says:
> -------------------------
> The first 68 characters is the known string. It may be optionally
> appended by any combination of whitespace characters with the total
> file length not exceeding 128 characters. The only whitespace
> characters allowed are the space character, tab, LF, CR, CTRL-Z. To
> keep things simple the file uses only upper case letters, digits and
> punctuation marks, and does not include spaces.
>
> -------------------------
>
> Pretty specific. This seems kind of silly to me, as any variation of
> code before the detection bit would result in the detection bit being
> in a different location, and therefore result in the virus not being
> detected, correct?

Correct. That's the way that the Eicar test file is *supposed* to be. By
the way, please don't call the Eicar test file a virus,

I was actually referring to the code of a virus, not the eicar test file.


> Is this a leftover of the "Signature Wars" where people were trying to
> sell their AV by saying "mine detects 60,000 viruses", 'well mine
> detects 80,000', etc, etc.?

I never noticed such a war - maybe the marketroids did that. Certainly,
Findvirus, when you run it, tells you how many things it's scanning for.
That seemed like something people would like to know. But I notice that
the figure is up to 200,000 now.

well, I just ran a script to insert a newline character into all the
source code for viruses I downloaded from
http://www.totallygeek.com/vscdb/ so the number is now more like
400,000 :-)

-JP<who single-handedly doubled all known viruses in one day>
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
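
The rule quoted from the eicar site in this thread, written out as a check. This is an added example, not part of the original post and not EICAR's own code; the function name `classify`, its result labels and the sample inputs are assumptions made for illustration.

```python
# Added example: classify a byte string against the EICAR rule quoted above.
# The 68-byte value is the published EICAR test string, split into two
# literals so this source file is not itself flagged by a scanner.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR" + b"-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
ALLOWED_TRAILING = frozenset(b" \t\n\r\x1a")  # space, tab, LF, CR, CTRL-Z
MAX_LEN = 128  # total file length limit from the quoted rule


def classify(data: bytes) -> str:
    """Return a label (hypothetical names) saying whether `data` conforms."""
    if not data.startswith(EICAR):
        # Anything placed before the string moves it away from offset 0,
        # so by the quoted rule the file no longer qualifies.
        return "shifted" if EICAR in data else "absent"
    if len(data) > MAX_LEN:
        return "too-long"
    if any(byte not in ALLOWED_TRAILING for byte in data[len(EICAR):]):
        return "bad-trailer"
    return "conformant"


# Constructed sample inputs, one per outcome.
SAMPLES = {
    "exact string": EICAR,
    "CRLF appended": EICAR + b"\r\n",
    "padded to 128": EICAR + b" " * 60,
    "padded to 129": EICAR + b" " * 61,
    "newline in front": b"\n" + EICAR,
    "text appended": EICAR + b"x",
    "unrelated": b"hello world",
}

if __name__ == "__main__":
    assert len(EICAR) == 68
    for name, blob in SAMPLES.items():
        print(f"{name:18} -> {classify(blob)}")
```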

