Author Topic: Heuristic examples with Eicar?  (Read 6440 times)

0 Members and 1 Guest are viewing this topic.

Kobra

  • Guest
Heuristic examples with Eicar?
« on: June 14, 2004, 10:34:46 PM »
If nothing else, I was playing around today testing heuristical pickups on EICAR with Avast and various other AV products.  I am aware Avast has no heuristics, but I at least expected it to pick up some, and it didn't. =(   Any date on when we can see some advanced Heuristics in Avast?  Pretty please?

Anyway, interestingly, the full version of Command AV picked up everything.  First, heres my modifications of Eicar, very simply changing the text within Eicar, and on one occaison, completely removing the text to see if any AV's would pick up fragments. I found that DrWeb simply looks for "Eicar" in every file, nothing more, nothing less, and doesn't even use Heuristics for that.  Avast was fooled by any alteration, even changing "Standard" to "Standing"..  Ugh.

Smith1.Txt
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDING-ANTIVIRUS-TEST-FILE!$H+H*
(Changed STANDARD to STANDING)

Smith2.Txt
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICON-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
(Changed Eicar to Eicon)

Smith3.Txt
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICON-STANDING-ANTIVIRUS-TEST-FILE!$H+H*
(Changed EICAR to EICON, and STANDARD to STANDING)

Smith4.Txt
X5O!P%@AP[4\PZX54(P^)7CC)7}$BALLZ-STINDORK-ANTISACKS-TEST-FORK!$H+H*
(Random Words)

Smith5.Txt
X5O!P%@AP[4\PZX54(P^)7CC)7}$!$H+H*
(Completely removed text string)

Smith6.Txt
X5O!P%@AP[42233\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
(Additional Numbers added to binary)

Smith7.Txt
X5O!P%@AP[42233\PZX54(P^)7CC)7}$RAIC-TARNDARD-ILIKESMOKE-TUST-FULE!$H+H*
(Inserted Random letters with addition numbers added into binary)

Smith8.Txt
X5O22!P%@AP[4\PZX5422(P^)7CC)7}$!$H+H*
(Removed text string, inserted 22 twice into string to break up signature)


Command AV 4.90.4 Results:
Started scan: 6/14/2004 4:33:03 PM

C:\Downloads\SmithTest\Smith1.txt  Infection: EICAR_Test_File.unknown?
C:\Downloads\SmithTest\Smith2.txt  Infection: EICAR_Test_File (exact)
C:\Downloads\SmithTest\Smith3.txt  Infection: EICAR_Test_File.unknown?
C:\Downloads\SmithTest\Smith4.txt  Infection: EICAR_Test_File.unknown?
C:\Downloads\SmithTest\Smith5.txt Infection: New or modified variant of Trivial
C:\Downloads\SmithTest\Smith6.txt Infection: New or modified variant of Trivial
C:\Downloads\SmithTest\Smith7.txt Infection: New or modified variant of Trivial
C:\Downloads\SmithTest\Smith8.txt Infection: New or modified variant of Trivial

Discuss?

softwareguy

  • Guest
Re:Heuristic examples with Eicar?
« Reply #1 on: June 14, 2004, 10:39:45 PM »
I wonder how Avast will behave with real samples?  :-\

Kobra

  • Guest
Re:Heuristic examples with Eicar?
« Reply #2 on: June 14, 2004, 10:42:51 PM »
By definition Eicar *IS* a real sample according to the eicar standards - someone can correct me if i'm wrong.  Essentially what I was doing, was taking a real sample, modifying it to create my own "Intert Virus Sample", and seeing how the products react.

I do have real viruses on-hand for testing, and I think the results would be the same, since as I said, Eicar is supposed to be treated as a real virus.   ;)

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Heuristic examples with Eicar?
« Reply #3 on: June 14, 2004, 10:46:11 PM »
Kobra no offense but you're absolutely wrong about those eicar-mod tests. As I said, they just don't make any sense. They really don't.
If at first you don't succeed, then skydiving's not for you.

Kobra

  • Guest
Re:Heuristic examples with Eicar?
« Reply #4 on: June 14, 2004, 10:49:54 PM »
RAV and Kaspersky failed as well.  But I do have to say, F-Prot/Command are known for STRONG heuristical signatures and trace detection.  Command is picking up slight traces of the Eicar signature in its comparatives.

I'd do this with real samples, but I don't want the FBI knocking at my door for creating new virus strains!  LOL!

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Heuristic examples with Eicar?
« Reply #5 on: June 14, 2004, 10:57:01 PM »
Quote
known for STRONG heuristical signatures and trace detection.


Don't you see that the eicar-mod tests just don't make any sense?

1. How heuristics work: it looks for 'suspicious' actions the program might be using (typically by using code emulation techniques), rates them depending on finely-tuned weights and if the sum exceeds give threshold the file is deemed infected...

2. What is eicar: eicar is a tiny dos program that basically prints the string 'EICAR-TEST-NOT-VIRUS' on the screen and terminates.


You see the difference? 1. has absolutely positively NO chance to "detect" 2. has it? The eicar file is per se completely benign, legit MS-DOS program, with NO malicious symptoms at all. Zero. Even Notepad would rate 1000x more for a heuristics engine (it can save files etc). Its complete, unmodified string is detected because that's what the industry agreed on but  that's it!!

You see what I mean?
If at first you don't succeed, then skydiving's not for you.

softwareguy

  • Guest
Re:Heuristic examples with Eicar?
« Reply #6 on: June 14, 2004, 11:00:07 PM »
Vlk,
I suppose the only heuristics engine that Avast has now is the Blocker?
Would Code Emulation be included in the next major?
Thanks!

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Heuristic examples with Eicar?
« Reply #7 on: June 14, 2004, 11:03:17 PM »
Quote
Would Code Emulation be included in the next major?

No. The next major is scheduled for July. Creating a reliable code emulation engine would be matter of year(s). That's how it is. :)
If at first you don't succeed, then skydiving's not for you.

Kobra

  • Guest
Re:Heuristic examples with Eicar?
« Reply #8 on: June 14, 2004, 11:07:18 PM »
Do *ANY* AV's use Code Emulation at this point?  Norman?  F-Secure?  Just curious..

VLK, I guess its not heuristics then.  What is it, just a way detailed way of comparing signatures to code?  What Command seems to be doing here is finding "Traces" of Eicar, and picking them up as "Suspicious" or "Modifications".  I guess thats not really heuristics, just strong comparatives?

Would that be a better way to put it?

softwareguy

  • Guest
Re:Heuristic examples with Eicar?
« Reply #9 on: June 14, 2004, 11:10:49 PM »
I know Norman uses the code emulation technology that Vlk pointed out.
Norman calls it Norman sandbox technology. :P

P.S. Any sneakpeaks on the features for the next major? Anything to improve detection?
« Last Edit: June 14, 2004, 11:32:03 PM by softwareguy »

Kobra

  • Guest
Re:Heuristic examples with Eicar?
« Reply #10 on: June 14, 2004, 11:46:18 PM »