Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: asafdem on October 05, 2003, 04:03:52 PM
-
Sick and tired of "Test your AV software using the EICAR test string", I did some real-life testing of my own and here are the results:
FILE                  RAV (Online scan)          PANDA (Online scan)   AVAST 4 Pro
\EICAR.COM            EICAR_Test_File            Eicar.Mod             EICAR TEST
\EICAR.RAR            EICAR_Test_File            Eicar.Mod             -
\BABA.ZIP             Baba.353.A                 Univ.EH               Baba-353
\CASINO.ZIP           NGV.gen                    Ngv.1600.b.drp        -
\D-DANCE.ZIP          Devil's_Dance.941.A        Devils                -
\ENIGMA.ZIP           Old_Yankee.1755.A          Enigma                Old Yankee
\FDT.ZIP              Necropolis.1963.A          Necropolis.1963       -
\GARANT.ZIP           Major.1644.A               Major.1644            Major-1644
\HAIKU.ZIP            I_Worm:Haiku               W32/Haiku             Win32:Haiku
\KENNEDY.ZIP          Danish_tiny.333.A          Kennedy               -
\MANTA.ZIP            VCS.1077                   VCS                   -
\NATAS.ZIP            Natas.4744                 Natas.4744            -
\ONEHALF.ZIP          One_Half.3544.A            One                   -
\PIXEL.ZIP            Pixel.740.A                Univ                  Pixel-740
\TORERO.ZIP           Torero.1429                Torero                -
\Ambulance.786.zip    Ambulance.796.A            Ambulance.796.A       -
\HYDRA0.ZIP           Pixel.Hydra.736.A          Univ                  -
\AntiAVP.959.zip      AIDS.COM                   AntiAVP.959           -
\CIH_14.ZIP           Win95/CIH.1003             W95/CIH               Win95:CIH 1.x
\AntiAVP.1235.zip     AntiAVP.1235               Astra_II              -
\Leprosy.370.zip      Leprosy.666.A              Leprosy               -
\NINJA.ZIP            Ninja.1616                 Ninja.2090            Ninja-1852
\Oops.368.zip         Ooops.368                  Ooops.368             -
\SIERRA.ZIP           Stoned.I.C.dr              NYB.E.Drp             NYB-A
\Win.Lamer.zip        Win/Winlamer.1734          Winsurf.Skim.1454     Win:Lame
\XPEH.4768.zip        Yankee_Doodle.XPEH.4928    Micropox              -
\I-Worm.Sircam.exe    Worm.Sircam.exe            W32/Sircam            Win32:Sircam-C [Wrm]
\I-Worm.Happy99.exe   Win32/Ska.A@m              W32/Happy             Win32:Ska
\I-Worm.Opasoft.exe   Win32/Opaserv.A.worm       W32/Opaserv           Win32:Opas [Wrm]
\I-Worm.Klez.a.SCR    Win32/Klez.E@mm            W32/Klez.F            Win32:Klez-E [Wrm]
\I-Worm.Numda.d.exe   Win32/Nimda.D@mm           W32/Nimda             Win32:Nimda [Wrm]
So Avast missed 15 out of 31! :'(
-
Some comments/questions on it. Did you let Avast scan inside archives? Because it should find the EICAR inside the RAR without problems, and it finds the Oops.368 without problems too (infection: Ooops-368). So check whether you have activated archive scanning.
It finds the Natas also, and I think the others too. Unpack and scan them again; you will find it out on your own. The samples you use (except the last few) are d*mn old. I do not think that they are still able to infect under newer Windows versions anymore!?
-
Almost all viruses Avast! 4 found were within zip files, so I guess that means I selected the archives option. And I did it again, just to be sure (see attached "options and results.gif"). "Old samples" sounds like a lame excuse.
Summary: 15 misses, 1 false positive. (Too bad, I was looking for something to replace the resource-hungry NAV 200x :'()
-
Aure. (see attached "options and results.gif"). "Old samples" sounds like a lame excuse.
I have searched for these old ones, and if you unpack them Avast will find them too. I do not know, but Avast has some problems identifying some old PK-Zip headers. But I do not know why it does not find the EICAR inside the RAR archive.
Avast finds the following, with these names:
[RAV]
i:\temp\3544.EXE | Infected: One_Half.3544.A
i:\temp\370.COM | Infected: Leprosy.370
i:\temp\4744A.COM | Infected: Natas.4744
i:\temp\4744A.EXE | Infected: Natas.4744
i:\temp\4928.COM | Infected: Yankee_Doodle.XPEH.4928
i:\temp\ANTI1235.COM | Infected: AntiAVP.1235
i:\temp\HYDRA0.COM | Infected: Pixel.Hydra.736.A
i:\temp\MANTA.COM | Infected: VCS.1077
i:\temp\ONEH3544.EXE | Infected: One_Half.3544.A
i:\temp\ONEHALF.BIN | Infected: OneHalf
i:\temp\OOPS.COM | Infected: Ooops.368
i:\temp\TORERO.COM | Infected: Torero.1427
i:\temp\UNKNOWN.COM | Infected: VCS.1077
[AVAST]
I:\temp\3544.EXE [L] One half-3544/3577 (0)
I:\temp\370.COM [L] Leprosy-37X (0)
I:\temp\4744A.COM [L] Natas-4744 (0)
I:\temp\4744A.EXE [L] Natas-4744 (0)
I:\temp\4928.COM [L] Yankee Doodle (0)
I:\temp\ANTI1235.COM [L] AntiAVP-1235 (0)
I:\temp\HYDRA0.COM [L] Pixel-Hydra-736-B (0)
I:\temp\MANTA.COM [L] VCS 1.0 (0)
I:\temp\ONEH3544.EXE [L] One half-3544/3577 (0)
I:\temp\OOPS.COM [L] Ooops-368 (0)
I:\temp\TORERO.COM [L] Torero-1427 (0)
I:\temp\UNKNOWN.COM [L] VCS 1.0 (0)
-
It appears that you have to set scan level to thorough. Once I did that I got:
\EICAR.COM Infection: EICAR Test-NOT virus!!
\EICAR.RAR\EICAR.COM Infection: EICAR Test-NOT virus!!
\CPAV.EXE Infection: Emmie-3097
\BABA.ZIP\BABA.EXE Infection: Baba-353
\D-DANCE.ZIP\D-DANCE.COM Infection: Devil's Dance-941
\ENIGMA.ZIP\ENIGMA.EXE Infection: Old Yankee
\FDT.ZIP\FDT.COM Infection: Necropolis-1963
\GARANT.ZIP\GARANT.EXE Infection: Major-1644
\HAIKU.ZIP\Haiku.exe Infection: Win32:Haiku
\KENNEDY.ZIP\KENNEDY.COM Infection: Danish Tiny-Kennedy-333
\MANTA.ZIP\MANTA.COM Infection: VCS 1.0
\NATAS.ZIP\NATAS.COM Infection: Natas-4744
\ONEHALF.ZIP\ONEHALF.COM Infection: One half-3544/3577
\PIXEL.ZIP\PIXEL.EXE Infection: Pixel-740
\TORERO.ZIP\TORERO.COM Infection: Torero-1429
\Ambulance.786.zip\ambulanc.com Infection: Ambulance-795
\HYDRA0.ZIP\HYDRA0.COM Infection: Pixel-Hydra-736-B
\AntiAVP.959.zip\AVP-AIDS.COM Infection: AntiAVP-959
\CIH 14.ZIP\CIH 14.EXE Infection: Win95:CIH 1.x
\AntiAVP.1235.zip\ANTICARO.COM Infection: AntiAVP-1235
\Leprosy.370.zip\LEPROSY.COM Infection: Leprosy
\NINJA.ZIP\NINJA.EXE Infection: Ninja-1852
\Oops.368.zip\oops.com Infection: Ooops-368
\SIERRA.ZIP\Floppy.exe Infection: NYB-A
\Win.Lamer.zip\WINLAME2.EXE Infection: Win:Lame
\XPEH.4768.zip\XPEN4928.COM Infection: Yankee Doodle
\I-Worm.Sircam.exe\I-Worm.Sircam.exe Infection: Win32:Sircam-B
\I-Worm.Sircam.exe Infection: Win32:Sircam-C [Wrm]
\I-Worm.Happy99.exe Infection: Win32:Ska
\I-Worm.Opasoft.exe Infection: Win32:Opas [Wrm]
\I-Worm.Klez.a.SCR Infection: Win32:Klez-E [Wrm]
\I-Worm.Numda.d.exe Infection: Win32:Nimda [Wrm]
Conclusion: 30 found (Win32:Sircam-B & Win32:Sircam-C [Wrm] within same file!), 1 missed (CASINO.COM->(PKLite) - NGV.gen ), 1 false. ???
Comments?
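The three log shapes quoted in this thread (RAV's "| Infected:" lines, avast's "[L] ... (0)" log lines and the "Infection:" report lines above) are easy to diff by machine rather than by eye. The script below is an added example, not code from the thread or from Alwil; it parses the lines exactly as posted, groups detections by the file on disk (so that \I-Worm.Sircam.exe\I-Worm.Sircam.exe and \I-Worm.Sircam.exe count as two detections in one file, as in the Sircam-B/Sircam-C case), and reports misses, extras to confirm by hand (the CPAV.EXE situation) and files with more than one detection. The only assumption is that you tell it the scan root as the scanner prints it, so it can tell the on-disk file from archive members.

```python
import re
from collections import defaultdict

# Regexes for the three log-line shapes quoted in this thread:
#   RAV:            i:\temp\3544.EXE | Infected: One_Half.3544.A
#   avast (log):    I:\temp\3544.EXE [L] One half-3544/3577 (0)
#   avast (report): \EICAR.RAR\EICAR.COM Infection: EICAR Test-NOT virus!!
RAV_RE = re.compile(r'^(?P<path>.+?)\s*\|\s*Infected:\s*(?P<name>.+)$')
AVAST_LOG_RE = re.compile(r'^(?P<path>.+?)\s+\[L\]\s+(?P<name>.+?)\s+\(\d+\)$')
AVAST_REPORT_RE = re.compile(r'^(?P<path>.+?)\s+Infection:\s+(?P<name>.+)$')


def parse_line(line):
    """Return (path, detection_name) for a recognised log line, else None."""
    for rx in (RAV_RE, AVAST_LOG_RE, AVAST_REPORT_RE):
        m = rx.match(line.strip())
        if m:
            return m.group('path'), m.group('name').strip()
    return None


def split_path(path, root):
    r"""Split a scanner path into (ON-DISK FILE, nesting depth).

    `root` is the scanned directory exactly as the scanner prints it (an
    assumption supplied by the user). The first component after it is the
    file on disk; further components (as in \EICAR.RAR\EICAR.COM) are archive
    members or unpacked layers inside that file."""
    if not path.lower().startswith(root.lower()):
        raise ValueError(f'{path!r} is outside the scan root {root!r}')
    parts = [p for p in path[len(root):].split('\\') if p]
    return parts[0].upper(), len(parts) - 1


def detections_by_file(lines, root):
    """Group detections as {on-disk file: [(depth, name), ...]} in log order."""
    grouped = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # section headers such as [RAV], blank or summary lines
        path, name = parsed
        outer, depth = split_path(path, root)
        grouped[outer].append((depth, name))
    return dict(grouped)


def compare(reference, candidate):
    """Diff two grouped maps. 'missed' = reference flagged it, candidate did not;
    'extra' = candidate only (confirm by hand, as the thread did for CPAV.EXE);
    'multi' = candidate reported more than one detection inside one on-disk
    file (nested or double infection, as with Sircam-B inside Sircam-C)."""
    ref, cand = set(reference), set(candidate)
    return {
        'found': sorted(ref & cand),
        'missed': sorted(ref - cand),
        'extra': sorted(cand - ref),
        'multi': sorted(f for f, hits in candidate.items() if len(hits) > 1),
    }


# Sample input: the RAV and avast lines quoted earlier in this thread.
SCAN_ROOT = 'i:\\temp\\'
RAV_LOG = [
    r'i:\temp\3544.EXE | Infected: One_Half.3544.A',
    r'i:\temp\370.COM | Infected: Leprosy.370',
    r'i:\temp\4744A.COM | Infected: Natas.4744',
    r'i:\temp\4744A.EXE | Infected: Natas.4744',
    r'i:\temp\4928.COM | Infected: Yankee_Doodle.XPEH.4928',
    r'i:\temp\ANTI1235.COM | Infected: AntiAVP.1235',
    r'i:\temp\HYDRA0.COM | Infected: Pixel.Hydra.736.A',
    r'i:\temp\MANTA.COM | Infected: VCS.1077',
    r'i:\temp\ONEH3544.EXE | Infected: One_Half.3544.A',
    r'i:\temp\ONEHALF.BIN | Infected: OneHalf',
    r'i:\temp\OOPS.COM | Infected: Ooops.368',
    r'i:\temp\TORERO.COM | Infected: Torero.1427',
    r'i:\temp\UNKNOWN.COM | Infected: VCS.1077',
]
AVAST_LOG = [
    r'I:\temp\3544.EXE [L] One half-3544/3577 (0)',
    r'I:\temp\370.COM [L] Leprosy-37X (0)',
    r'I:\temp\4744A.COM [L] Natas-4744 (0)',
    r'I:\temp\4744A.EXE [L] Natas-4744 (0)',
    r'I:\temp\4928.COM [L] Yankee Doodle (0)',
    r'I:\temp\ANTI1235.COM [L] AntiAVP-1235 (0)',
    r'I:\temp\HYDRA0.COM [L] Pixel-Hydra-736-B (0)',
    r'I:\temp\MANTA.COM [L] VCS 1.0 (0)',
    r'I:\temp\ONEH3544.EXE [L] One half-3544/3577 (0)',
    r'I:\temp\OOPS.COM [L] Ooops-368 (0)',
    r'I:\temp\TORERO.COM [L] Torero-1427 (0)',
    r'I:\temp\UNKNOWN.COM [L] VCS 1.0 (0)',
]
# Excerpt from the thorough-scan report above; its scan root is the sample
# folder itself, so paths start with a bare backslash.
AVAST_REPORT = [
    r'\EICAR.COM Infection: EICAR Test-NOT virus!!',
    r'\EICAR.RAR\EICAR.COM Infection: EICAR Test-NOT virus!!',
    r'\CPAV.EXE Infection: Emmie-3097',
    r'\I-Worm.Sircam.exe\I-Worm.Sircam.exe Infection: Win32:Sircam-B',
    r'\I-Worm.Sircam.exe Infection: Win32:Sircam-C [Wrm]',
]

if __name__ == '__main__':
    report = compare(detections_by_file(RAV_LOG, SCAN_ROOT),
                     detections_by_file(AVAST_LOG, SCAN_ROOT))
    for key in ('found', 'missed', 'extra', 'multi'):
        print(f'{key}: {len(report[key])} {report[key]}')
    for outer, hits in detections_by_file(AVAST_REPORT, '\\').items():
        print(outer, hits)
```

Run against the two i:\temp logs it reports ONEHALF.BIN as the single miss; run against the report excerpt it shows I-WORM.SIRCAM.EXE carrying one detection at depth 1 (the unpacked inner file) and one at depth 0 (the packed outer file), which is the "double detection" discussed later in the thread.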
-
How about setting the Thorough scan, instead of Standard? Does it change anything? It is indeed very strange that EICAR has not been found within a RAR archive - RAR archives definitely are supported.
Since you labeled the column as "Avast 4 Pro" - what are the results when you create your own task in the Enhanced User Interface and set the appropriate Packer options?
Probably a stupid question, but just for sure: weren't you running another resident antivirus protection in background?
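Whether EICAR inside an archive is detected depends on the archive-scanning settings and the depth the scanner unpacks, as the replies above point out. The script below is an added example, not code from the thread or from Alwil: it writes the standard EICAR test string as a plain .COM file and wrapped in one, two and three zip layers, so that pointing a scanner at the folder shows at which nesting depth detection stops. Python's zipfile module cannot write RAR, so the RAR case from the first post is not reproduced; the output directory and file names are assumptions of this example.

```python
import io
import os
import tempfile
import zipfile

# The 68-byte EICAR standard anti-virus test string (public, harmless by design).
EICAR = (b'X5O!P%@AP[4\\PZX54(P^)7CC)7}$'
         b'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*')


def build_nested_eicar(depth):
    """Return the test string wrapped in `depth` zip layers (0 = plain file)."""
    data, name = EICAR, 'eicar.com'
    for level in range(1, depth + 1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)  # previous layer becomes the only member
        data, name = buf.getvalue(), f'eicar_level{level}.zip'
    return data


def make_test_set(max_depth=3, directory=None):
    """Write eicar_depth0.com, eicar_depth1.zip, ... and return their paths.

    `directory` defaults to a fresh temporary folder (assumed location)."""
    directory = directory or tempfile.mkdtemp(prefix='eicar-nesting-')
    paths = []
    for depth in range(max_depth + 1):
        ext = 'com' if depth == 0 else 'zip'
        path = os.path.join(directory, f'eicar_depth{depth}.{ext}')
        with open(path, 'wb') as fh:
            fh.write(build_nested_eicar(depth))
        paths.append(path)
    return paths


def innermost(data):
    """Unwrap zip layers until a non-zip payload is reached; return (payload, layers)."""
    layers = 0
    while zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            data = zf.read(zf.namelist()[0])
        layers += 1
    return data, layers


def verify_test_set(paths):
    """Read each written file back; return [(file name, zip layers, payload is EICAR)]."""
    results = []
    for path in paths:
        with open(path, 'rb') as fh:
            payload, layers = innermost(fh.read())
        results.append((os.path.basename(path), layers, payload == EICAR))
    return results


if __name__ == '__main__':
    written = make_test_set()
    for name, layers, ok in verify_test_set(written):
        print(f'{name}: {layers} zip layer(s), payload intact: {ok}')
    print('now scan:', os.path.dirname(written[0]))
```

If the scanner flags eicar_depth0.com but not eicar_depth1.zip, archive scanning is off; if it stops at some deeper level, that is the configured unpacking depth rather than a signature problem, which is the distinction the first post's table could not make on its own.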
-
Seems you were faster with posting the answer before I even sent the question :)
As for the Sircam-B & Sircam-C thing: Sircam-C is probably a packed version of Sircam-B (btw, the Sircam-B name is really without the [Wrm] tag?). When Sircam has been added to the virus database, avast! did not feature UPX/AsPack unpacking (or whatever Sircam-B is packed with) - so, the signature for the packed version has been added. Now, when it's able to unpack the packed executable, it finds even the "inner" file, which is Sircam-B.
I think it's not a problem... the signatures for the packed versions make it possible to identify the virus even with an older version of avast, or with archive-scanning turned off.
-
1 missed (CASINO.COM->(PKLite) - NGV.gen ), 1 false. ???
Unpack the PKLITE and Avast reports nuke-1680. But i thought Avast is able to unpack PK-lite by itself?
-
Igor
Did you read the very first line in my previous post? ::)
-
Igor
Thank you for clarification.
-
Yes, I did, but only afterwards - since you posted it while I was writing the followup :)
-
Igor
(btw, the Sircam-B name is really without the [Wrm] tag?)
Yes it is. From Avast! 4 log:
\I-Worm.Sircam.exe\I-Worm.Sircam.exe [L] Win32:Sircam-B (0)
\I-Worm.Sircam.exe [L] Win32:Sircam-C [Wrm] (0)
;)
-
As you have discovered, setting Avast to scan inside archives and setting it to Thorough (sensitivity at high) allows Avast to detect 99% of all viruses.
NOW, if you also make sure that the Heuristic feature is selected for the respective On line Access Protection modules, you have a nice secure setup.
ANY anti-virus software will overlook some viruses if its search engine sensitivity is lowered.
This "lowering" should only be used when a substantial number of "false positives" are registered, but only low enough to stop them.
Thank you for taking the time to share your test results with us.
:D
-
I'm still not clear if the user was using the Pro or Free versions? I thought the Free version didn't support RAR files.
-
The Home version does support RAR archives (and always has).
For a comparison table please refer to http://www.avast.com/i_idt_1018.html .
Vlk
-
techie101
NOW, if you also make sure that the Heuristic feature is selected for the respective On line Access Protection modules, you have a nice secure setup.
I see heuristics only in the Internet Mail provider (I don't use Outlook and I turned off the P2P provider). Was that what you meant?
Thank you for taking the time to share your test results with us.
No problem. ;D
-
On the subject of false detection in cpav.exe again...
(from the Kaspersky Anti-Virus Personal / Personal Pro 4.5 USER GUIDE) ...The extracting tool...can also deal with some versions of immunizers, programs protecting executable files from viruses by attaching checking code blocks (CPAV and F-XLOCK) and enciphering programs (CryptCOM) to them.
I guess this (virus-like behaviour of CPAV.EXE) sheds some light on why Avast! 4 detects a non-existent virus in CPAV.EXE. It also shows that something can be done about it! ;)
-
Final analysis
-
The Home version does support RAR archives (and always has).
Vlk
Please, Vlk, can you confirm that Pro and Home versions use the same VPS (I mean, can detect the same virus)? I think they do but I am a little bit confused now... ::)
Btw, what is the behavior with CAB files?
-
The Home version does support RAR archives (and always has).
Vlk
Please, Vlk, can you confirm that Pro and Home versions use the same VPS (I mean, can detect the same virus)? I think they do but I am a little bit confused now... ::)
Btw, what is the behavior with CAB files?
http://www.avast.com/i_idt_1018.html (http://www.avast.com/i_idt_1018.html)
-
Technical, indeed, avast Home and Pro both use the same engine, same samples, same kernel.
The detection rates should therefore be the same as well.
Version 4.0 Home lacked support for CAB archives, but these were included in 4.1.
Vlk
-
So the results look good for Avast set on HIGH. :D
-
Technical, indeed, avast Home and Pro both use the same engine, same samples, same kernel.
The detection rates should therefore be the same as well.
Version 4.0 Home lacked support for CAB archives, but these were included in 4.1.
Vlk
That was what I was trying to remember. It was the CAB not RAR files the Home version used to leave out.
-
Technical, indeed, avast Home and Pro both use the same engine, same samples, same kernel.
The detection rates should therefore be the same as well.
Version 4.0 Home lacked support for CAB archives, but these were included in 4.1.
Vlk
Thanks Vlk. ;)
Sorry, minacross, for my simple question. I just wanted a confirmation of this fact. Thanks for your post. ;)
-
Having a forum like this is a great way to make a good product even better. Still, in version 4.1.280 the same problems I pointed out earlier in this thread, remain:
1. False positive in CPAV.EXE
2. Missed virus in PKLite packed file which other products in the market are able to detect
3. "Double detection" of two worm variants within the same file.
I hope, you people from Alwil, will fix those and other problems in an upcoming release. :)
-
Technical, indeed, avast Home and Pro both use the same engine, same samples, same kernel.
The detection rates should therefore be the same as well.
Version 4.0 Home lacked support for CAB archives, but these were included in 4.1.
Vlk
Thanks Vlk. ;)
Sorry, minacross, for my simple question. I just wanted a confirmation of this fact. Thanks for your post. ;)
no problem.. ;D
you're most welcome Technical :)
-
look here http://www.avast.com/forum/index.php?board=2;action=display;threadid=1436
-
look here http://www.avast.com/forum/index.php?board=2;action=display;threadid=1436
This link sends me in a circular reference... ???
mantra, are you an avast! reverend or not? What is this forum title (disappointing...) :(
-
asafdem: I'm not sure if the detection of two variants within a single file will be "fixed". It is easily possible that a file is infected by a virus, then packed, and then infected by another virus. So, in general it's correct to announce both (all) the infections.
-
asafdem: I'm not sure if the detection of two variants within a single file will be "fixed". It is easily possible that a file is infected by a virus, then packed, and then infected by another virus. So, in general it's correct to announce both (all) the infections.
Thanks igor... A file double infected... I have never thought on this before...
Maybe it's because I haven't had a virus on my computer for a very long time ::)
-
igor
I'm not sure if the detection of two variants within a single file will be "fixed". It is easily possible that a file is infected by a virus, then packed, and then infected by another virus. So, in general it's correct to announce both (all) the infections.
Sounds very reasonable. But, just to make sure, how about I send you the sample and, when you have time, you take a look at it and then say what's really the case? :)