Heuristic examples with Eicar?

[Kobra]

If nothing else, I was playing around today testing heuristical pickups on EICAR with Avast and various other AV products.  I am aware Avast has no heuristics, but I at least expected it to pick up some, and it didn't. =(   Any date on when we can see some advanced Heuristics in Avast?  Pretty please?

Anyway, interestingly, the full version of Command AV picked up everything.  First, heres my modifications of Eicar, very simply changing the text within Eicar, and on one occaison, completely removing the text to see if any AV's would pick up fragments. I found that DrWeb simply looks for "Eicar" in every file, nothing more, nothing less, and doesn't even use Heuristics for that.  Avast was fooled by any alteration, even changing "Standard" to "Standing"..  Ugh.

Smith1.Txt
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDING-ANTIVIRUS-TEST-FILE!$H+H*
(Changed STANDARD to STANDING)

Smith2.Txt
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICON-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
(Changed Eicar to Eicon)

Smith3.Txt
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICON-STANDING-ANTIVIRUS-TEST-FILE!$H+H*
(Changed EICAR to EICON, and STANDARD to STANDING)

Smith4.Txt
X5O!P%@AP[4\PZX54(P^)7CC)7}$BALLZ-STINDORK-ANTISACKS-TEST-FORK!$H+H*
(Random Words)

Smith5.Txt
X5O!P%@AP[4\PZX54(P^)7CC)7}$!$H+H*
(Completely removed text string)

Smith6.Txt
X5O!P%@AP[42233\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
(Additional Numbers added to binary)

Smith7.Txt
X5O!P%@AP[42233\PZX54(P^)7CC)7}$RAIC-TARNDARD-ILIKESMOKE-TUST-FULE!$H+H*
(Inserted Random letters with addition numbers added into binary)

Smith8.Txt
X5O22!P%@AP[4\PZX5422(P^)7CC)7}$!$H+H*
(Removed text string, inserted 22 twice into string to break up signature)


Command AV 4.90.4 Results:
Started scan: 6/14/2004 4:33:03 PM

C:\Downloads\SmithTest\Smith1.txt  Infection: EICAR_Test_File.unknown?
C:\Downloads\SmithTest\Smith2.txt  Infection: EICAR_Test_File (exact)
C:\Downloads\SmithTest\Smith3.txt  Infection: EICAR_Test_File.unknown?
C:\Downloads\SmithTest\Smith4.txt  Infection: EICAR_Test_File.unknown?
C:\Downloads\SmithTest\Smith5.txt Infection: New or modified variant of Trivial
C:\Downloads\SmithTest\Smith6.txt Infection: New or modified variant of Trivial
C:\Downloads\SmithTest\Smith7.txt Infection: New or modified variant of Trivial
C:\Downloads\SmithTest\Smith8.txt Infection: New or modified variant of Trivial

Discuss?

[softwareguy]

I wonder how Avast will behave with real samples?  

[Kobra]

By definition Eicar *IS* a real sample according to the eicar standards - someone can correct me if i'm wrong.  Essentially what I was doing, was taking a real sample, modifying it to create my own "Intert Virus Sample", and seeing how the products react.

I do have real viruses on-hand for testing, and I think the results would be the same, since as I said, Eicar is supposed to be treated as a real virus.  

[Vlk]

Kobra no offense but you're absolutely wrong about those eicar-mod tests. As I said, they just don't make any sense. They really don't.

[Kobra]

RAV and Kaspersky failed as well.  But I do have to say, F-Prot/Command are known for STRONG heuristical signatures and trace detection.  Command is picking up slight traces of the Eicar signature in its comparatives.

I'd do this with real samples, but I don't want the FBI knocking at my door for creating new virus strains!  LOL!

[Vlk]

known for STRONG heuristical signatures and trace detection.

Don't you see that the eicar-mod tests just don't make any sense?

1. How heuristics work: it looks for 'suspicious' actions the program might be using (typically by using code emulation techniques), rates them depending on finely-tuned weights and if the sum exceeds give threshold the file is deemed infected...

2. What is eicar: eicar is a tiny dos program that basically prints the string 'EICAR-TEST-NOT-VIRUS' on the screen and terminates.


You see the difference? 1. has absolutely positively NO chance to "detect" 2. has it? The eicar file is per se completely benign, legit MS-DOS program, with NO malicious symptoms at all. Zero. Even Notepad would rate 1000x more for a heuristics engine (it can save files etc). Its complete, unmodified string is detected because that's what the industry agreed on but  that's it!!

You see what I mean?

[softwareguy]

Vlk,
I suppose the only heuristics engine that Avast has now is the Blocker?
Would Code Emulation be included in the next major?
Thanks!

[Vlk]

Would Code Emulation be included in the next major?

No. The next major is scheduled for July. Creating a reliable code emulation engine would be matter of year(s). That's how it is.

[Kobra]

Do *ANY* AV's use Code Emulation at this point?  Norman?  F-Secure?  Just curious..

VLK, I guess its not heuristics then.  What is it, just a way detailed way of comparing signatures to code?  What Command seems to be doing here is finding "Traces" of Eicar, and picking them up as "Suspicious" or "Modifications".  I guess thats not really heuristics, just strong comparatives?

Would that be a better way to put it?

[softwareguy]

I know Norman uses the code emulation technology that Vlk pointed out.
Norman calls it Norman sandbox technology.

P.S. Any sneakpeaks on the features for the next major? Anything to improve detection?

[Kobra]

This is a good article I think:

http://www.extremetech.com/article2/0,1558,1166168,00.asp