Author Topic: eicarcom2.zip test  (Read 5559 times)


Markus

  • Guest
eicarcom2.zip test
« on: March 08, 2004, 07:45:45 AM »
I just tested the eicarcom2.zip (which is a ZIP file containing a ZIP file).
The results:
On demand scanner caught it and was able to move it to the chest! :D
Neither of the resident scanners (Standard Shield or Outlook plugin (all settings on High) and with patched DefTasks.xml file) were able to detect it.  :(

I've enclosed an article from the LangaList about detecting password protected archive files (haven't tried it yet but I hope it works)

regards

Markus

  • Guest
Re:eicarcom2.zip test
« Reply #1 on: March 08, 2004, 07:57:27 AM »
Oops, used the wrong file type :)

     With the release of Beagle.H and Beagle.I, virus writers
     started enclosing the infected files within password protected
     ZIP files... I've found that the A/V software does see the
     file within the ZIP archive, but cannot process it because it
     does not recognize the extension.  When the archive is
     password protected, the file enclosed receives a "+" character
     at the end of the extension (i.e. test.exe becomes test.exe+).
     Since the A/V software doesn't recognize that kind of
     extension, it lets it pass through.
     
     I found that by adding the "+" character to file extensions
     that are blocked (.exe+, .cmd+, .vbs+ etc etc), the A/V
     software can now recognize that file extension and perform the
     necessary actions on it.
     
     I've only tested this out on Norton Anti-Virus for Exchange
     V2.1, but it should work on the other A/V software programs.
     --Mike Maloney, Sr. System Engineer, Middlesex County College


« Last Edit: March 08, 2004, 08:08:00 AM by Markus »

Markus

  • Guest
Re:eicarcom2.zip test
« Reply #2 on: March 08, 2004, 10:24:47 AM »
IT WORKS!!! ;D ;D

I edited the FileDeftasks.xml file by adding EXE+ filetype.
Then I checked Spybot S&D recovery files and it appeared to successfully scan them.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re:eicarcom2.zip test
« Reply #3 on: March 08, 2004, 11:07:07 AM »
I am afraid I am going to disappoint you, but it is nonsense. There is nothing like an EXE+ extension. avast! knows the true name of the file inside the archive; it doesn't append any + after the extension. But since the file is password protected, it cannot be unpacked and scanned.
In the latest update, a special detection of the Beagle password-protected ZIP files has been added - but it has nothing to do with scanning of S&D recovery files. If avast! doesn't give you any warning, that may mean you have changed something such that they are not scanned at all (or not reported) - but you certainly didn't make avast! scan its password protected files.
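As an added example (not code from any poster in this thread or from avast!), a scanner-side check that does what igor describes: it reads each entry's name exactly as stored in the archive (there is no "+" suffix to look for), flags entries whose ZIP encryption bit is set because they cannot be unpacked, and opens nested unencrypted archives like eicarcom2.zip recursively up to a depth limit. The entry names, placeholder file bodies and the depth limit are constructed assumptions.

```python
import io
import zipfile

ENCRYPTED_FLAG = 0x1   # bit 0 of the general-purpose flag marks an encrypted entry
MAX_NESTING = 3        # assumed policy: refuse archives nested deeper than this


def inspect_zip(data: bytes, depth: int = 0) -> list:
    """Report each entry's stored name, nesting depth and encryption bit.
    Unencrypted nested ZIPs are opened recursively so that an archive inside
    an archive (the eicarcom2.zip layout) is not missed; encrypted entries
    are recorded but skipped, since they cannot be read without the password."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & ENCRYPTED_FLAG)
            findings.append({"name": info.filename, "depth": depth,
                             "encrypted": encrypted})
            if encrypted:
                continue
            body = zf.read(info.filename)
            if body.startswith(b"PK\x03\x04"):          # local file header magic
                if depth + 1 >= MAX_NESTING:
                    findings[-1]["too_deep"] = True
                    continue
                findings.extend(inspect_zip(body, depth + 1))
    return findings


def should_quarantine(findings) -> bool:
    """Policy: anything the scanner could not fully inspect gets held."""
    return any(f["encrypted"] or f.get("too_deep") for f in findings)


def build_nested_zip() -> bytes:
    """Constructed sample: a ZIP holding a ZIP holding a placeholder 'test.exe'."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("test.exe", b"placeholder body, not an executable")
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


def build_encrypted_zip() -> bytes:
    """zipfile cannot write encrypted entries, so build a plain one-entry
    archive and set the encryption bit in the local header (offset 6) and
    the central directory record (offset 8); that bit is what a scanner sees."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("test.exe", b"placeholder body")
    data = bytearray(buf.getvalue())
    data[data.index(b"PK\x03\x04") + 6] |= ENCRYPTED_FLAG
    data[data.index(b"PK\x01\x02") + 8] |= ENCRYPTED_FLAG
    return bytes(data)
```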