To that end, I'd like to get hold of something that looks like a
virus (contains a known signature?) but doesn't act like a virus
(no damage if I accidentally let it loose on my PC or server).
With something like that, I could provoke the anti-virus
program's alerts, take screen snaps of them for user education,
and so forth.
I could also see what happens when somebody ignores an alert on
their PC and tries to save an infected file to the server.
Anybody know of anything in this vein?
Or is there another way?
--
PeteCresswell
> I want to test the behavior of my anti-virus program (Avast).
>
> To that end, I'd like to get hold of something that looks like a
> virus (contains a known signature?) but doesn't act like a virus
> (no damage if I accidentally let it loose on my PC or server).
Google for: eicar test file
--
-bts
-Friends don't let friends drive Windows
Paste this (without the parentheses), all by itself, in a text file
(using notepad).
(X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*)
If your AV doesn't alert to it as a text file (some won't), rename it to
a .com file type.
> With something like that, I could provoke the anti-virus
> program's alerts, take screen snaps of them for user education,
> and so-forth.
That string was designed for exactly that purpose.
> I could also see what happens when somebody ignores an alert on
> their PC and tries to save an infected file to the server.
Yes, and most (if not all) AV programs will have the signature in their
database.
> Anybody know of anything in this vein?
>
> Or is there another way?
There *is* another way, but it is not as safe. The EICAR string is more
than a string, it is actually a small program with self-modifying code.
Unless the EICAR file has been changed since it was originally released,
it's not self-modifying code; it displays a message to the screen and
exits. It's slightly special codewise because its creator was sure to
use only printable ASCII characters. *grin*.
--
Dustin Cook [Malware Researcher]
MalwareBytes - http://www.malwarebytes.org
BugHunter - http://bughunter.it-mate.co.uk
> FromTheRafters wrote:
>>There *is* another way,
>
> hXXp://tinyurl.com/ygckpgz
Why use tinyurl for such a short real URL?
hXXp://vx.netlux.org/vx.php?id=sr00
Aah. "vx" <g>
> "FromTheRafters" wrote:
>> The EICAR string is more than a string,
>> it is actually a small program with self-modifying code.
>
> Unless the EICAR file has been changed since it was originally released,
> it's not self-modifying code; it displays a message to the screen and
> exits. It's slightly special codewise because its creator was sure to
> use only printable ASCII characters. *grin*.
But in order to work it has to modify the last four characters (H+H*)
of the eicar string because the instructions 'int 20' and 'int 21' are
not printable ASCII. Here's the final part of the code where it occurs:
0114 2937 SUB [BX],SI ; modify loc 0140
0116 43 INC BX
0117 43 INC BX
0118 2937 SUB [BX],SI ; modify loc 0142
011A 7D24 JGE 0140 ; jumps to 0140
...
0140 CD21 INT 21 ; print message
0142 CD20 INT 20 ; exit
You utter fucking IDIOT!
People with less intelligence than you are few and far between!
Rosenthal is one of them! You should quote the loonie fuckwit
every day because it's the best chance you'll ever get to make
Usenet think you're only nine-tenths retarded, you SPASTIC!
That seems to be doing the trick. Thanks.
FWIW, Avast's catching it and issuing notifications does not seem
to be that consistent - unless (not unlikely) I'm missing something.
--
PeteCresswell
>> There *is* another way, but it is not as safe. The EICAR string is more
>> than a string, it is actually a small program with self-modifying code.
>
> Unless the EICAR file has been changed since it was originally released,
> it's not self-modifying code; it displays a message to the screen and
> exits. It's slightly special codewise because its creator was sure to
> use only printable ASCII characters. *grin*.
To the best of my knowledge, the only thing that has changed is in the
way that the scanners are supposed to detect it. It used to have to be
only the 68 (or 70 w/CRLF) bytes - they have since changed it to include
some amount of trailing whitespace for some reason.
...and wasn't it Vecna that made a generator for creating FP detections?
(what a hoot)
Do AV programs "retire" old definitions for long-ago patched exploit
based malware? I wouldn't expect them to, so having one land on your
hard drive as a file (or embedded in an e-mail to test your (yuck) e-mail
scanner) should pose no real risk, and yet actually test the AV to some
extent.
I don't know what inconsistencies you are experiencing, but the EICAR
detection is very specific - cannot (should not) be detected outside of
the specifications (see the eicar.com website).
I'm not too sure (haven't tried it) but it may be possible to save it as
an .exe so that the OS's file browser causes an alert when it is accessed
for icon information (when you enter the directory it is in, or
otherwise attempt to display the icon). On your desktop, as a .com file,
the detection may be different than it is on your desktop as an
.exe file - one would alert without the user clicking anything.
...but like I said, I haven't tried this.
I'm replying to you because I haven't (yet) filtered out the
anon-remailers or whatever they call them.
Myself, I would not have any problem with VX websites. I would *not*
however recommend them to others. Part of what ASCII snipped was my "but
it is not as safe" statement.
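An added example, not code from anyone in this thread: it builds the test file the way the first reply describes (bare 68 bytes, or 70 with CRLF) and checks a file's content against the EICAR rules the later reply points to (68-byte string, optional trailing whitespace, total length at most 128 bytes). The set of permitted trailing whitespace characters (space, tab, LF, CR, CTRL-Z) is taken from eicar.org's description and is an assumption of this script, not something stated in the thread.

```python
"""Build and validate an EICAR test file (added example, not from the thread)."""
from pathlib import Path

# The 68-byte test string, split in two so that this script is not itself a
# byte-exact copy of the signature (some scanners would otherwise quarantine it).
_EICAR_PARTS = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
)
EICAR = b"".join(_EICAR_PARTS)            # exactly 68 bytes
ALLOWED_TRAILING = b" \t\n\r\x1a"         # assumed from eicar.org: space, tab, LF, CR, CTRL-Z
MAX_LEN = 128                             # whole file, including trailing whitespace


def check_eicar(data: bytes) -> tuple[bool, str]:
    """Return (is_valid, reason) for file content `data` under the EICAR rules.

    A scanner that follows the specification should flag the file only when
    this returns True; anything else is outside the spec, which is one reason
    detections can look "inconsistent" when the file is edited or padded.
    """
    if len(data) > MAX_LEN:
        return False, f"file is {len(data)} bytes, limit is {MAX_LEN}"
    if not data.startswith(EICAR):
        return False, "first 68 bytes are not the EICAR string"
    tail = data[len(EICAR):]
    bad = set(tail) - set(ALLOWED_TRAILING)
    if bad:
        return False, f"trailing bytes outside the allowed whitespace set: {sorted(bad)}"
    return True, f"valid EICAR file ({len(data)} bytes, {len(tail)} trailing whitespace bytes)"


def write_eicar(path: Path, line_ending: bytes = b"") -> bytes:
    """Write the test file; pass b"\\r\\n" for the 70-byte CRLF variant."""
    data = EICAR + line_ending
    path.write_bytes(data)
    return data


if __name__ == "__main__":
    # Writes the file next to the script; a working AV should react to this.
    target = Path("eicar_test.com")
    written = write_eicar(target, b"\r\n")
    print(check_eicar(written))
```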
yet another projectile vomit of puerile gobshite from a discarded
condom hatchling hiding behind the nym it pretends is not a nym.
ooze away and die, spermbreath.
BWAAAHAAHHAAAAHHAAAAAHHAAAAAA!!!!!!!!
Toxic Thrush Boy wants to play with the big kids again!
Did you ever tell your felch pal ASCII why your foreskin
always smells like sardines?
Dickhead!