Author Topic: I did some testing (Someone from Alwil should read this)  (Read 15255 times)


PotatoMan

  • Jr. Member
  • Posts: 67
I did some testing (Someone from Alwil should read this)
« on: August 23, 2008, 03:57:24 PM »
Hey guys, PotatoMan here!

I recently did a test on the heuristics of avast! Professional 4.8, with today's detections.

I put the EICAR test string into notepad and saved it as free.com. Almost immediately the standard shield detected it. Good, everything is good right? I scanned it with Spybot and MalwareBytes - Same thing. Sweet! All security apps found it! Good so far.

I then uploaded it to virus total. All 36 engines detected it! Awesome!

But wait...

What if I modified the EICAR test string?

What if I changed three letters?

This is the unmodified test string
Code:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
This is the modified one. (Look in the word standard)

Code:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDING-ANTIVIRUS-TEST-FILE!$H+H*
I entered this in notepad and once again saved it as free.com.

Wait, something is not right here...

No warning? No popup? No loud and sudden "A virus has been detected"???

So I thought, something must be wrong with the standard shield. I scanned it with the on demand scanner. Nothing.

I then scanned with Spybot and MalwareBytes. Still nothing!

Wow, what is going on here?

These are the VirusTotal results from the modified free.com ("-" means the engine did not detect it):

Antivirus   Version   Last Update   Result
AhnLab-V3   2008.8.21.0   2008.08.22   -
AntiVir   7.8.1.23   2008.08.23   -
Authentium   5.1.0.4   2008.08.23   EICAR_Test_File
Avast   4.8.1195.0   2008.08.22   -
AVG   8.0.0.161   2008.08.22   -
BitDefender   7.2   2008.08.23   -
CAT-QuickHeal   9.50   2008.08.22   -
ClamAV   0.93.1   2008.08.23   -
DrWeb   4.44.0.09170   2008.08.23   -
eSafe   7.0.17.0   2008.08.21   -
eTrust-Vet   31.6.6039   2008.08.21   -
Ewido   4.0   2008.08.23   -
F-Prot   4.4.4.56   2008.08.23   EICAR_Test_File
F-Secure   7.60.13501.0   2008.08.23   -
Fortinet   3.14.0.0   2008.08.23   -
GData   2.0.7306.1023   2008.08.20   -
Ikarus   T3.1.1.34.0   2008.08.23   -
K7AntiVirus   7.10.425   2008.08.22   -
Kaspersky   7.0.0.125   2008.08.23   -
McAfee   5368   2008.08.22   -
Microsoft   1.3807   2008.08.23   -
NOD32v2   3382   2008.08.23   -
Norman   5.80.02   2008.08.22   -
Panda   9.0.0.4   2008.08.23   -
PCTools   4.4.2.0   2008.08.23   -
Prevx1   V2   2008.08.23   -
Rising   20.58.52.00   2008.08.23   EICAR-Test-File
Sophos   4.32.0   2008.08.23   -
Sunbelt   3.1.1575.1   2008.08.23   -
Symantec   10   2008.08.23   -
TheHacker   6.3.0.6.060   2008.08.23   -
TrendMicro   8.700.0.1004   2008.08.23   -
VBA32   3.12.8.4   2008.08.22   -
ViRobot   2008.8.22.1346   2008.08.22   -
VirusBuster   4.5.11.0   2008.08.23   -
Webwasher-Gateway   6.6.2   2008.08.23   -

Link: http://www.virustotal.com/analisis/8e55f210347ef61db097635888ef3fe5

This just shows how terrible heuristics are. I hope this is improved on in V5.

What are your guys' opinions???

BJ_GeOrgE

  • Avast Evangelist
  • Sr. Member
  • Posts: 350
  • prevention is better than cure
Re: I did some testing (Someone from Alwil should read this)
« Reply #1 on: August 23, 2008, 04:16:56 PM »
Well, I think that when u changed the letters the EICAR test stopped being a virus... that's why all the engines didn't detect it... the 2 or 3 AVs that found it as a virus must have found false positives... heuristics doesn't work like that.. (by modifying a "virus" u can make it not be a virus anymore..)
OS:Windows 7 Professional 64-bit SP1
Antivirus: Avast Free v8.0.1497/Firewall: Windows Firewall/On Demand: Malwarebytes Free Edition/Other tools: CCleaner

PotatoMan

  • Jr. Member
  • Posts: 67
Re: I did some testing (Someone from Alwil should read this)
« Reply #2 on: August 23, 2008, 04:23:26 PM »
Quote
Well, I think that when u changed the letters the EICAR test stopped being a virus... that's why all the engines didn't detect it... the 2 or 3 AVs that found it as a virus must have found false positives... heuristics doesn't work like that.. (by modifying a "virus" u can make it not be a virus anymore..)

I think you don't understand. Do you know how Eicar is coded?

When you open EICAR, it displays the message EICAR STANDARD ANTIVIRUS TEST FILE. I edited it so it would say EICAR STANDING ANTIVIRUS TEST FILE. All I did was change what it said; it still has the qualities of a virus.

ggf31416

  • Newbie
  • Posts: 19
Re: I did some testing (Someone from Alwil should read this)
« Reply #3 on: August 23, 2008, 04:34:20 PM »
The EICAR test is not a virus.

Most AVs don't detect modifications of the EICAR test, except the ones allowed by EICAR, as the test was used by malware authors to fool users and analysts into believing that their malware was just a test.

RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • Posts: 9271
  • We are supersheep, resistance is futile!
  • RejZoR's Flock of Sheep
Re: I did some testing (Someone from Alwil should read this)
« Reply #4 on: August 23, 2008, 04:38:59 PM »
There is a strict policy about EICAR. You can find it on their page. If a modification isn't bound by those rules, an AV not detecting it is not really the one to blame.
Visit my webpage RejZoR's Flock of Sheep
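The rule ggf31416 and RejZoR refer to, shown as an added example that is not from this thread and not any AV vendor's code: a scanner-side check of whether a file qualifies as an EICAR test file. It assumes EICAR's published rules (the exact 68-byte string comes first, only whitespace may follow, 128 bytes at most) and runs over constructed samples including the thread's STANDING variant.

```python
# Added example: is this file a genuine EICAR test file under EICAR's own rules?
# Assumed rules (from EICAR's published spec, not from the forum thread):
#   1. the file starts with the exact 68-byte string below,
#   2. only whitespace (space, tab, CR, LF, Ctrl-Z) may follow it,
#   3. the whole file is at most 128 bytes.
# Anything else is not an EICAR test file, so a scanner is right to ignore it.

EICAR_STRING = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)
ALLOWED_TRAILER = frozenset(b" \t\r\n\x1a")  # assumed permitted trailing bytes
MAX_LEN = 128


def classify_eicar(data: bytes) -> str:
    """Return 'eicar' for a valid test file, otherwise a short reason for a scan log."""
    if len(data) > MAX_LEN:
        return f"too long ({len(data)} bytes > {MAX_LEN})"
    if not data.startswith(EICAR_STRING):
        return "first 68 bytes differ from the EICAR string"
    if any(c not in ALLOWED_TRAILER for c in data[len(EICAR_STRING):]):
        return "non-whitespace bytes after the EICAR string"
    return "eicar"


def is_eicar_test_file(data: bytes) -> bool:
    return classify_eicar(data) == "eicar"


def differing_offsets(a: bytes, b: bytes) -> list[int]:
    """Byte offsets at which two byte strings differ (extra tail bytes count too)."""
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return diffs + list(range(min(len(a), len(b)), max(len(a), len(b))))


# Constructed samples: the thread's original and STANDING variant, plus trailers
# EICAR allows and ones it does not.
SAMPLES = {
    "standard": EICAR_STRING,
    "standard_crlf": EICAR_STRING + b"\r\n",
    "standing": EICAR_STRING.replace(b"STANDARD", b"STANDING"),
    "padded_too_long": EICAR_STRING + b" " * 61,  # 129 bytes
    "comment_appended": EICAR_STRING + b" ;test",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:17s} -> {classify_eicar(blob)}")
    print("STANDING differs at offsets", differing_offsets(EICAR_STRING, SAMPLES["standing"]))
```

The STANDING variant differs at three byte offsets, exactly the "three letters" the opening post changed, and that alone disqualifies it under rule 1.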

PotatoMan

  • Jr. Member
  • Posts: 67
Re: I did some testing (Someone from Alwil should read this)
« Reply #5 on: August 23, 2008, 04:45:03 PM »
Quote
There is a strict policy about EICAR. You can find it on their page. If a modification isn't bound by those rules, an AV not detecting it is not really the one to blame.

Changing three letters is not even a real modification, all it does is make the message say something different when the EICAR file is launched. I swear, does everyone think I am stupid? Have you ever heard of EICAR_TEST.Modified? I got this idea from a link on wikipedia by the way.

ggf31416

  • Newbie
  • Posts: 19
Re: I did some testing (Someone from Alwil should read this)
« Reply #6 on: August 23, 2008, 04:56:40 PM »
Quote
Changing three letters is not even a real modification, all it does is make the message say something different when the EICAR file is launched. I swear, does everyone think I am stupid? Have you ever heard of EICAR_TEST.Modified? I got this idea from a link on wikipedia by the way.

EICAR doesn't allow such modifications, so most AVs don't detect them, for security reasons.

PotatoMan

  • Jr. Member
  • Posts: 67
Re: I did some testing (Someone from Alwil should read this)
« Reply #7 on: August 23, 2008, 05:20:52 PM »
Quote
Changing three letters is not even a real modification, all it does is make the message say something different when the EICAR file is launched. I swear, does everyone think I am stupid? Have you ever heard of EICAR_TEST.Modified? I got this idea from a link on wikipedia by the way.

EICAR doesn't allow such modifications, so most AVs don't detect them, for security reasons.

Well then there was no freaking point in doing this test, 'cause every member on this forum is going to do everything in their power to prove me wrong. Please lock this forum.

BJ_GeOrgE

  • Avast Evangelist
  • Sr. Member
  • Posts: 350
  • prevention is better than cure
Re: I did some testing (Someone from Alwil should read this)
« Reply #8 on: August 23, 2008, 05:45:11 PM »
Quote
Changing three letters is not even a real modification, all it does is make the message say something different when the EICAR file is launched. I swear, does everyone think I am stupid? Have you ever heard of EICAR_TEST.Modified? I got this idea from a link on wikipedia by the way.

EICAR doesn't allow such modifications, so most AVs don't detect them, for security reasons.

Well then there was no freaking point in doing this test, 'cause every member on this forum is going to do everything in their power to prove me wrong. Please lock this forum.

Mate, calm down... we don't want to prove u wrong and there is no reason for doing it.. I just don't think that by modifying 3 letters in the EICAR test u can test heuristics.. it's not reliable... it doesn't make sense.. the virus is the code written in EICAR.. if u modify it, it stops being a virus... if u modify a letter of the code inside a game, will the game work??? no, why? coz the code isn't right.. maybe by doing other modifications u can test heuristics but I don't think that changing 3 letters is the way.. I wish u'd prove me wrong... I really do... check www.av-comparatives.org to see the heuristics of each AV...
OS:Windows 7 Professional 64-bit SP1
Antivirus: Avast Free v8.0.1497/Firewall: Windows Firewall/On Demand: Malwarebytes Free Edition/Other tools: CCleaner

PotatoMan

  • Jr. Member
  • Posts: 67
Re: I did some testing (Someone from Alwil should read this)
« Reply #9 on: August 23, 2008, 06:00:49 PM »
Quote
Changing three letters is not even a real modification, all it does is make the message say something different when the EICAR file is launched. I swear, does everyone think I am stupid? Have you ever heard of EICAR_TEST.Modified? I got this idea from a link on wikipedia by the way.

EICAR doesn't allow such modifications, so most AVs don't detect them, for security reasons.

Well then there was no freaking point in doing this test, 'cause every member on this forum is going to do everything in their power to prove me wrong. Please lock this forum.

Mate, calm down... we don't want to prove u wrong and there is no reason for doing it.. I just don't think that by modifying 3 letters in the EICAR test u can test heuristics.. it's not reliable... it doesn't make sense.. the virus is the code written in EICAR.. if u modify it, it stops being a virus... if u modify a letter of the code inside a game, will the game work??? no, why? coz the code isn't right.. maybe by doing other modifications u can test heuristics but I don't think that changing 3 letters is the way.. I wish u'd prove me wrong... I really do... check www.av-comparatives.org to see the heuristics of each AV...

I have a PhD in computer science and have been removing malware off of people's computers for three years now. I know what AV-Comparatives is. According to AV-Comparatives, avast! has a 29% heuristic detection rate for new malware. OK

If I code a virus in VBScript to show a popup saying

Your computer has a virus! Go to fakeavhere.com to fix this!!

Which would be

Code:
lol = msgbox ("Your computer has a virus! Please go to fakeavhere.com to fix this!" ,16, "Infection!")

Now If I modified it to say

Your computer has a trojan!

It would be

Code:
lol = msgbox ("Your computer has a trojan!" ,16, "Infection!")

This would not make the popup stop being a popup; it would just make it say something different. This is what I did with EICAR.

YoKenny

  • Serious Graphoman
  • Posts: 8788
Re: I did some testing (Someone from Alwil should read this)
« Reply #10 on: August 23, 2008, 06:08:00 PM »
Quote
I have a PhD in computer science and have been removing malware off of people's computers for three years now. I know what AV-Comparatives is. According to AV-Comparatives, avast! has a 29% heuristic detection rate for new malware. OK
Sounds more like the pedantic ramblings of the resident curmudgeon ;)
E5200 2.5GHZ, 4GB RAM, 320GB HD, Windows 7 Home Premium 64bit, avast! V9.0 Free, IE10
P4 2.8GHZ, 1.5GB RAM, 40GB HD, XP Pro SP3 32bit, avast! V9.0 Free, Google Chrome
with hpHosts, MVPS HOSTS files, SpeedFan, WinPatrol PLUS

BJ_GeOrgE

  • Avast Evangelist
  • Sr. Member
  • Posts: 350
  • prevention is better than cure
Re: I did some testing (Someone from Alwil should read this)
« Reply #11 on: August 23, 2008, 06:11:31 PM »
Quote
I have a PhD in computer science and have been removing malware off of people's computers for three years now. I know what AV-Comparatives is. According to AV-Comparatives, avast! has a 29% heuristic detection rate for new malware. OK

If I code a virus in VBScript to show a popup saying

Your computer has a virus! Go to fakeavhere.com to fix this!!

Which would be

Code:
lol = msgbox ("Your computer has a virus! Please go to fakeavhere.com to fix this!" ,16, "Infection!")

Now If I modified it to say

Your computer has a trojan!

It would be

Code:
lol = msgbox ("Your computer has a trojan!" ,16, "Infection!")

This would not make the popup stop being a popup; it would just make it say something different. This is what I did with EICAR.

Well, I don't have any diploma in computer science since I'm only 18.. u may be right since u're a computer expert.. can u link any site that has a guide to doing such things? I like learning stuff like this  8)
OS:Windows 7 Professional 64-bit SP1
Antivirus: Avast Free v8.0.1497/Firewall: Windows Firewall/On Demand: Malwarebytes Free Edition/Other tools: CCleaner

YoKenny

  • Serious Graphoman
  • Posts: 8788
Re: I did some testing (Someone from Alwil should read this)
« Reply #12 on: August 23, 2008, 06:16:38 PM »
Quote
Well, I don't have any diploma in computer science since I'm only 18.. u may be right since u're a computer expert.. can u link any site that has a guide to doing such things? I like learning stuff like this
I learned from the master:
"So how did I get infected in the first place?" © Tony Klein
http://www.freedomlist.com/forum/viewtopic.php?t=22879
E5200 2.5GHZ, 4GB RAM, 320GB HD, Windows 7 Home Premium 64bit, avast! V9.0 Free, IE10
P4 2.8GHZ, 1.5GB RAM, 40GB HD, XP Pro SP3 32bit, avast! V9.0 Free, Google Chrome
with hpHosts, MVPS HOSTS files, SpeedFan, WinPatrol PLUS

PotatoMan

  • Jr. Member
  • Posts: 67
Re: I did some testing (Someone from Alwil should read this)
« Reply #13 on: August 23, 2008, 06:26:03 PM »
Quote
I have a PhD in computer science and have been removing malware off of people's computers for three years now. I know what AV-Comparatives is. According to AV-Comparatives, avast! has a 29% heuristic detection rate for new malware. OK
Sounds more like the pedantic ramblings of the resident curmudgeon ;)

Oh, how mature, bring on the parade of poetic insults, that is very insightful, well I don't find your masquerade funny in the slightest since.

Sounds more like the smart buttox ramblings of the resident know it all ;)

PapaSmurf

  • Full Member
  • Posts: 159
Re: I did some testing (Someone from Alwil should read this)
« Reply #14 on: August 23, 2008, 06:34:06 PM »
How about a little common sense.. hmmm?
PotatoMan, I do understand what you are saying, and the little message mod you made to the test string.

Having said that, let's try a more sensible approach to the subject.
There are dozens of antivirus products. Why?
There are a whole handful of online comparisons, testers, blogs, info overload, all about the subject
of viruses. Again I ask... why?
There are entire support groups employed by anti-vir companies to deal with viruses, questions, product support...
same question.. why?

The answer is very simple.
For every detection method, there is going to be some script kiddie who is going to figure a way around it.
Since this process is an ongoing affair with "who is smarter" running the show, anti-vir software is always going to be
a process in development, hence the constant updates to the virus database.
There is NO SUCH THING as the perfect anti-virus software. Also there is NO software available that is going to work 100% of the time with 100% of all viruses, old and unknown.
So, the end user has to decide which program works the best for them.
I personally use avast because of its modular construction. I like having some control over the different types of shields.
Others may prefer something else altogether. The point is, you can rattle the alarm button all day long, it will not change these simple facts:
#1 All anti-virus products will always be "developing" better detection methods.
#2 For every detection method made, there WILL be a script kiddie to figure a way around it.
#3 Because of number 2, no anti-virus program is perfect.
#4 The only "PERFECT" method for not getting a virus is...do not surf the web. Download nothing into the system.

You can create all the alternative tests you want...(just like a script kiddie)..but in the end, I challenge you to find the "perfect" anti-vir software. It simply does not exist.
Just my two cents.
PapaSmurf is running Windows XP  Professional (SP3)
NVIDIA GeForce 7600 GT
Pentium 4/ 3.* Ghz  Memory 1024MB
avast! Antivirus  v5.05 Home Edition, Outpost Firewall Pro 7.0, Mozilla FireFox/NoScript/AdBlock Plus