Author Topic: Lockergnome  (Read 3177 times)


charlesroper

  • Guest
Lockergnome
« on: December 03, 2003, 08:36:27 PM »
On 1 December, Lockergnome (mistakenly) sent out an email newsletter that contained the EICAR test virus embedded in the text of the email.

See the explanation here: http://snurl.com/3912
See the newsletter, complete with EICAR string here: http://snurl.com/3918

What worries me is that Avast didn't pick up the 'infected' message. Even saving the message to my desktop as a .msg file then manually scanning the file didn't yield an alert. The Lockergnome explanation even goes so far as to say I should get a new virus scanner if the email got through. This, unfortunately, leaves me a little worried as to Avast's ability to scan for email viruses.

I did some more testing and copied the EICAR string out to a text file. When scanned with Avast, it finally got picked up so it obviously recognises it.

Why didn't it get picked up upon delivery? I have my email scanner set up properly (the little icon appears in the tasktray when mails are being delivered, and I've double checked by turning on detailed information).

I'm using Outlook 2003 on WinXP, with all the latest patches and updates.

Thanks

-Charles

Pavel Baudis

  • Guest
Re:Lockergnome
« Reply #1 on: December 03, 2003, 10:42:42 PM »
What worries me is that Avast didn't pick up the 'infected' message. Even saving the message to my desktop as a .msg file then manually scanning the file didn't yield an alert.

But it is perfectly OK  :D !

If you check the EICAR file definition, you'll see that it should be detected only IF:

1) this string is at the beginning of the file
2) if the file is 68 bytes long (or a little bit longer with white spaces at the end).

If some antivirus detects it in the Lockergnome message, it actually fails to meet the definition! You can cut the string however and paste it into some file - and it will be detected there by avast!

regards,
Pavel
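The two conditions from the reply above, written out as a check (an added example, not part of the original thread and not avast! code). The function name `classify`, the sample inputs, and the 128-byte limit and permitted trailing characters (taken from EICAR's published definition rather than from this thread) are assumptions.

```python
# The 68-byte EICAR test string, split in two literals so that this source
# file does not itself begin to look like the test file to a scanner.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Assumption (EICAR's published definition, not this thread): only these
# trailing bytes are allowed, and the whole file may not exceed 128 bytes.
TRAILING_OK = b" \t\r\n\x1a"  # space, tab, CR, LF, Ctrl-Z
MAX_LEN = 128


def classify(data: bytes) -> str:
    """Classify a file's content against the EICAR test-file definition.

    'test-file' : string at offset 0, followed only by permitted whitespace
    'embedded'  : string present, but the file does not meet the definition
    'absent'    : string not present at all
    """
    if data.startswith(EICAR):
        tail = data[len(EICAR):]
        if len(data) <= MAX_LEN and all(b in TRAILING_OK for b in tail):
            return "test-file"
    return "embedded" if EICAR in data else "absent"


# Constructed sample inputs (not the real newsletter).
SAMPLES = {
    "standalone file": EICAR,
    "file saved with CRLF": EICAR + b"\r\n",
    "newsletter body": b"Subject: Lockergnome\r\n\r\nHello readers,\r\n"
                       + EICAR + b"\r\nMore text follows.\r\n",
    "string first, text after": EICAR + b"\r\nextra text",
    "ordinary mail": b"Subject: hello\r\n\r\nNothing to see here.\r\n",
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(f"{name:26} -> {classify(content)}")
```

Only a 'test-file' result calls for an alert under the definition; 'embedded' corresponds to the newsletter case, where the string sits inside a larger message.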