Topic: EICAR tests and Avast

Sanya7 (Newbie, 4 posts)
EICAR tests and Avast
« on: November 08, 2018, 06:29:12 PM »
Dear all,

Our company is running a trial of Avast Business Pro and I have so far enjoyed its user-friendly interface, remote monitoring and scanning and the option to customise the active components. I have to admit this is our second trial - we've previously tested Avast Business Pro Plus (taking advantage of the webcam-shield and VPN), but management insisted that we try both products and evaluate the value-for-money at the end of the test-period [I am already sold on the PLUS solution] : )

Now, to the point. As much of an advocate for Avast as I am, and as patient with small bugs and delays, there is something that I've just discovered and it has been bugging me for the whole afternoon now. I decided to run the EICAR Anti-Virus Test developed by the European Institute for Computer Antivirus Research and test it against the modified (hardened) settings I've applied earlier in the day to our devices. We passed 17 out of 18 tests and failed the Password ZIP test file:

EICAR Infected ZIP file
This is a simple ZIP password-protected test file that contains the EICAR test file as well as a screenshot from fortinet.com, taken in the last few minutes to show sample freshness.


I know that malicious files cannot cause harm if still compressed, and will need to be extracted and executed before they can infect the system. HOWEVER, I'd much rather see 18/18  ;D . Is there anything I can do with the Business Console template settings to address this? I know that Norton fails the same test and that Bitdefender apparently passes it, which made me a notch more irritated.  ???

Any advice will be appreciated.

Regards,

Sanya

Pondus (Avast Überevangelist, Probably Bot, 34963 posts)
Re: EICAR tests and Avast
« Reply #1 on: November 08, 2018, 07:03:19 PM »
Quote
This is a simple ZIP password protected test
To my knowledge, no AV can scan a password-protected archive, because it does not know the password, so it can't unpack and scan it.


Quote
Bitdefender apparently passes it, which made me a notch more irritated
How does Bitdefender handle it? Does it detect anything (malware name), or have they just added a block for password-protected zips?


As soon as a password-protected zip is extracted by the one who has the password, the content is scanned by real-time protection.

Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Sanya7 (Newbie, 4 posts)
Re: EICAR tests and Avast
« Reply #2 on: November 09, 2018, 10:32:00 AM »
Dear Pondus,

Thank you for your reply.

I am aware that compressed or encrypted files cannot be read by antivirus systems while being transmitted. To mitigate this risk, antivirus agents are installed on systems so that when the files are uncompressed they are then scanned by the safety net of real-time protection. However, if the test is there, it must have been put there for a reason, and I keep getting a "Fail" mark on it.  :o :-\
 
I did a bit of digging and discovered a forum post from 2004:

Kaspersky Labs presents a brand new technology protecting against Internet worms spreading in password-protected ZIP compressed files.

Malicious programs that spread in protected ZIP files are particularly difficult to detect. Firstly, a password scanning module is necessary to scan these archives. Secondly, scanning ZIP files requires additional system resources and can significantly impair system performance.

Kaspersky Labs has responded with a completely new technology to deflect malicious programs spreading in password protected ZIP files: a technique which guarantees reliability and speed. Kaspersky® Anti-Virus can now detect protected ZIP archives, scan the email body for the password and then unpack and check the attachment for viruses.
"This new technology protects users from new generation worms, specifically worms that hide in password protected ZIP files. 5 worms using this technique appeared within only 4 days - a new trend has been set in the computer underground", commented Eugene Kaspersky, head of anti-virus research at Kaspersky Labs.

Currently, Kaspersky® Anti-Virus is the only antivirus offering effective protection against malicious programs spreading via password protected ZIP files.


So did they discover fire?  ???

I understand no actual harm can be caused as long as the malicious file is within the zip and upon extraction, it will be captured by Avast and put in quarantine or whatever automated action has been pre-set. It is the beauty of seeing 18/18 passes that I'm after.  ;D

Pondus (Avast Überevangelist, Probably Bot, 34963 posts)
Re: EICAR tests and Avast
« Reply #3 on: November 09, 2018, 11:53:11 AM »
If AV can unpack password-protected archives, then where is the security?

Also note that the zip algorithm has changed since 2004.

I know Gmail will not let you send .exe files even if you zip, or zip and password-protect, them. It cannot unpack and scan, but it is still able to see that the zip contains a .exe file. But if you use 7zip, which also encrypts the content, then you can send with Gmail ... at least that is how it was.

Bitdefender info  >>  https://www.bitdefender.com/support/scanning-password-protected-items-with-bitdefender-2017-1904.html

Quote
NOTE: Regardless of this, should the contents of the password protected files be extracted, Bitdefender's real-time protection would automatically scan them to keep your computer protected.


igor (Avast team, Serious Graphoman, 11590 posts, AVAST Software)
Re: EICAR tests and Avast
« Reply #4 on: November 09, 2018, 04:01:58 PM »
I remember the malware campaigns the Kaspersky post refers to, a long time ago... Yes, back then there were big email campaigns where malware authors started to use password-protected archives and wrote the password in the email body. Kaspersky added code to extract the email body and try its words as the archive password. So... the malware authors started to send the passwords as images. Kaspersky added a simple OCR, trying to get the password even out of the image. Distorted images appeared after that, I believe...
In between, Avast (and most likely not just Avast) detected those attachments without looking for the passwords, without trying to unpack them, because the files were quite specific and could be detected as such.

In very specific cases, Avast internally unpacks some password-protected archives, but no, it doesn't try to extract the passwords from emails. While it could be done, in my opinion it's too easy to bypass (obfuscating on the HTML level or including images, making the user see something other than what the extraction code does), plus for bigger archives it could cause unwanted performance issues. Asking the user for a password (if that's what Bitdefender is doing)... could be quite a hassle as well (windows asking for a password popping up during a scan, or even out of the blue because an application in the background is currently downloading its update in the form of a known password-protected archive).

Unless something special happens, I personally don't think it's worth the effort and associated troubles - considering the actual content of the archive has to be unpacked anyway before it could do any harm (and then the antivirus should detect it).
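As an added illustration of two points in this thread, Pondus's remark that Gmail cannot scan a password-protected zip but can still see that it contains a .exe, and the email-body password trick igor attributes to Kaspersky, here is example code that is not Avast's, Gmail's, Bitdefender's or Kaspersky's. It builds a small zip protected with the traditional PKWARE cipher (ZipCrypto, stored entries), reads the central directory without any password, and then tries the words of a mail body as the password using only the standard library. The function names, the blocked-extension list, the payload (a stand-in, not the real EICAR string) and the mail body are all constructed for the example.

```python
import io
import os
import re
import struct
import zipfile
import zlib

# CRC-32 table used by the traditional PKWARE ("ZipCrypto") key schedule.
_CRC_TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    _CRC_TABLE.append(c)


class _ZipCrypto:
    """Encrypt side of ZipCrypto, the weak cipher behind a plain password-protected .zip
    (chosen here because the stock zipfile module can decrypt it)."""

    def __init__(self, password: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        k = self.k
        k[0] = _CRC_TABLE[(k[0] ^ b) & 0xFF] ^ (k[0] >> 8)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _CRC_TABLE[(k[2] ^ (k[1] >> 24)) & 0xFF] ^ (k[2] >> 8)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            t = (self.k[2] | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # the key schedule advances on the plaintext byte
        return bytes(out)


def build_encrypted_zip(entries: dict, password: bytes) -> bytes:
    """Write a zip of stored, ZipCrypto-encrypted entries. Names, sizes and flags
    in the central directory are written in the clear, as the format requires."""
    buf, central = io.BytesIO(), []
    for name, data in entries.items():
        crc = zlib.crc32(data) & 0xFFFFFFFF
        # 12-byte encryption header: 11 random bytes plus the high CRC byte,
        # the one-byte password check a reader performs before decrypting data.
        body = _ZipCrypto(password).encrypt(os.urandom(11) + bytes([crc >> 24]) + data)
        name_b, offset = name.encode(), buf.tell()
        flags, method, dos_time, dos_date = 0x0001, 0, 0, 0x21  # bit 0 = encrypted
        buf.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dos_time,
                              dos_date, crc, len(body), len(data), len(name_b), 0))
        buf.write(name_b + body)
        central.append(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                                   dos_time, dos_date, crc, len(body), len(data),
                                   len(name_b), 0, 0, 0, 0, 0, offset) + name_b)
    cd_offset, cd = buf.tell(), b"".join(central)
    buf.write(cd)
    buf.write(struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(central), len(central),
                          len(cd), cd_offset, 0))
    return buf.getvalue()


def inspect_without_password(zip_bytes: bytes) -> list:
    """What a gateway sees with no password: (name, encrypted?, size) per entry,
    read straight from the central directory."""
    eocd = zip_bytes.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _, cd_offset = struct.unpack("<IHHHHIIH", zip_bytes[eocd:eocd + 22])[4:7]
    pos, entries = cd_offset, []
    for _ in range(count):
        f = struct.unpack("<IHHHHHHIIIHHHHHII", zip_bytes[pos:pos + 46])
        if f[0] != 0x02014B50:
            raise ValueError("bad central directory header")
        name = zip_bytes[pos + 46:pos + 46 + f[10]].decode("cp437")
        entries.append((name, bool(f[3] & 0x0001), f[9]))
        pos += 46 + f[10] + f[11] + f[12]  # name, extra and comment lengths
    return entries


BLOCKED_EXT = (".exe", ".scr", ".js", ".vbs")  # constructed policy, not Gmail's actual list


def gateway_verdict(zip_bytes: bytes) -> list:
    """Entry names a name-based policy blocks even though the content cannot be scanned."""
    return [n for n, _, _ in inspect_without_password(zip_bytes) if n.lower().endswith(BLOCKED_EXT)]


def try_passwords_from_body(zip_bytes: bytes, body: str):
    """Try each word of the mail body as the archive password (the approach igor
    describes). Returns (password, {name: plaintext}) or None."""
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    for word in dict.fromkeys(re.findall(r"\S+", body)):
        cand = word.strip(".,;:!?()\"'").encode()
        if not cand:
            continue
        try:
            return cand.decode(), {i.filename: zf.read(i, pwd=cand) for i in zf.infolist()}
        except (RuntimeError, zipfile.BadZipFile):
            # RuntimeError: the 1-byte check failed; BadZipFile: it passed by
            # chance (1 in 256) but the CRC of the decrypted data did not.
            continue
    return None


# Constructed sample: stand-in payload (not the real EICAR string) in a zip whose
# password is written in the mail body, as in the campaigns igor recalls.
BODY = "Hi, the invoice is attached. Archive password: Infected2018 - open it today."
PAYLOAD = b"constructed stand-in for the EICAR test file"
SAMPLE = build_encrypted_zip({"invoice.exe": PAYLOAD, "readme.txt": b"see invoice"},
                             b"Infected2018")

if __name__ == "__main__":
    for name, encrypted, size in inspect_without_password(SAMPLE):
        print(f"{name:12s} encrypted={encrypted} size={size}")
    print("blocked by name policy:", gateway_verdict(SAMPLE))
    found = try_passwords_from_body(SAMPLE, BODY)
    print("password recovered from body:", found[0] if found else None)
```

Two design notes. The name-based verdict works only because a plain .zip keeps its central directory unencrypted; an archive written with 7-Zip's header encryption option also hides the file names, which is the behaviour Pondus describes for 7zip. And the body-word guess is cheap because ZipCrypto exposes a one-byte check before any data is decrypted, which is also why a real scanner must fall through to the CRC check rather than trust that byte alone.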

Sanya7 (Newbie, 4 posts)
Re: EICAR tests and Avast
« Reply #5 on: November 09, 2018, 04:36:23 PM »

Unless something special happens, I personally don't think it's worth the effort and associated troubles - considering the actual content of the archive has to be unpacked anyway before it could do any harm (and then the antivirus should detect it).

Absolutely agree! Thank you Igor!  :)
I just wonder if anyone would be able to pass the EICAR test with the password protected ZIP folder - if there is a way we could go around it and make the machine rate us with the "Pass"-mark? I simply don't understand what would prompt a "Fail" result if no actual harm was caused? :-[