Author Topic: Eicar test virus by email  (Read 11512 times)

0 Members and 1 Guest are viewing this topic.

Offline Jeccu

  • Jr. Member
  • **
  • Posts: 48
Eicar test virus by email
« on: June 15, 2004, 09:26:26 PM »
Hey all!

I just tested my avast! mail protection (4.1.418 Home + Outlook Express) with eicar test virus on http://www.testvirus.org/
Fortunately my ISP's mail server is not running anti-virus software so I could run the tests.

The web site provides several (25) different ways to send the test virus through email. Unfortunately avast! failed  9 of these tests. I have to say that I don't know anything about these encoding techniques, I'm just curious why avast! didn't recognize eicar? Should we worry about this?


Results:

PASSED Test #1: Eicar virus sent using base64 encoding
PASSED Test #2: Eicar virus sent using binary encoding
PASSED Test #3: Eicar virus sent using quoted-printable encoding
FAILED Test #4: Eicar virus sent using uuencoding
PASSED Test #5: Eicar virus sent using BinHex encoding
PASSED Test #6: Eicar virus embedded within another MIME segment
PASSED Test #7: Eicar virus sent using uuencoding within a MIME segment
PASSED Test #8: Eicar virus sent using BinHex encoding within a MIME segment
PASSED Test #9: Eicar virus sent as an inline attachment
PASSED Test #10: Eicar virus embedded within an RFC822 message
PASSED Test #11: Eicar virus within a ZIP file
FAILED Test #12: Eicar virus within a password protected ZIP file
PASSED Test #13: Eicar virus sent from Pegasus, which formats email in strange ways
FAILED Test #14: Eicar virus sent in a Microsoft TNEF file (winmail.dat)
PASSED Test #15: Eicar virus without quotes around the filename
FAILED Test #16: Eicar string in HTML, to ensure that your mail server scans HTML segments
PASSED Test #17: Eicar virus hidden using the "CR Vulnerability"
PASSED Test #18: Eicar virus within zip file hidden using the "Space Gap Vulnerability"
FAILED Test #19: Eicar virus within zip file hidden using the "Blank Folding Vulnerability"
FAILED Test #20: Eicar virus within zip file hidden using the "MIME Boundary Space Gap Vulnerability"
FAILED Test #21: Eicar virus within zip file hidden using the "Long MIME Boundary Vulnerability"
PASSED Test #22: Eicar virus within zip file hidden using the "MIME Continuation Vulnerability"
FAILED Test #23: Eicar virus within zip file hidden using the "Empty MIME Boundary Vulnerability"
FAILED Test #24: Test for the "Partial (Fragmented) Vulnerability". This does not include Eicar virus, but your mail server still must block this since it can break a virus into multiple emails and reassemble it in your inbox.
PASSED Test #25: Attachment with a CLSID extension which may hide the real file extension. This does not include Eicar virus, but your mail server still must block this since it can hide the true extension of a file.


-- Jeccu --

« Last Edit: June 16, 2004, 10:14:33 AM by Jeccu »
Intel Celeron 2.4GHz, 768MB DDR RAM, 40GB + 30GB HD
Windows XP Home SP2 + Mozilla Firefox + OE6, NOD32, Ewido Security Suite Plus
Telewell TW-EA500 (ADSL + NAT Router + Firewall)

Offline niko

  • Poster
  • *
  • Posts: 448
  • Petit l├ęzard
Re:Eicar test virus by email
« Reply #1 on: June 15, 2004, 09:44:09 PM »
Hi Jeccu and welcome,
I'm just a avast! user, not a specialist...
Try to see your avast! mail scanner setup ?
Hope this help you :-\
@+
When you check AV you choose Avast!

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2085
Re:Eicar test virus by email
« Reply #2 on: June 15, 2004, 09:45:16 PM »
Quote
FAILED Test #4: Eicar virus sent using uuencoding
uu* is an encoding method (similar like base64, ...)

Quote
FAILED Test #12: Eicar virus within a password protected ZIP file
we dont use any brute-force method for password detection

Quote
FAILED Test #14: Eicar virus sent in a Microsoft TNEF file (winmail.dat)
TNEF packer will be supported in avast 4.5

pavels will answer the rest

Offline Kobra

  • Full Member
  • ***
  • Posts: 185
  • No Text
Re:Eicar test virus by email
« Reply #3 on: June 15, 2004, 11:48:37 PM »
I believe only F-Prot and CommandAV check password protected archives. Not sure how they do it, but its instant, and even on-access for Command.  :o

Heres another place to check your Email scanning:

http://www.gfi.com/emailsecuritytest/

Good luck.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11797
    • AVAST Software
Re:Eicar test virus by email
« Reply #4 on: June 16, 2004, 09:38:37 AM »
avast! also uses some kind of "heuristic" (I know you like the word ;D) to detects password-protected archives created by the Beagle worm.

Offline sedina

  • Avast team
  • Sr. Member
  • *
  • Posts: 237
Re:Eicar test virus by email
« Reply #5 on: June 17, 2004, 11:24:44 AM »
Hi all,
Bill Boebel (the author of www.testvirus.org) confirmed me that there had been several bugs in his test set. So after update, avast!'s result are...  (see picture below)

You can see 5 "failed" tests, but give me a chance to explain it ;-)
===
#4 - from my opinion (and also for OE, Outlook) that is not attachment. Body of attachment is in text part of email (as normal text). It's the same situation as when you have virus in picture file. There is no program to execute text part of email (or picture in my example) as executive code....
#12 - see posts above
#16 - eicar definition is not precise (if you modify it right way, avast! will catch it!)
#24 - the only one real problem in avast! - partial messages. We will fix it in future version.
#25 - doesn't contain virus, but avast! catches these kinds of viruses (in this case, avast! heuristic module warn you about dangerous extension)
---
following tests will fail if you try it with current version, but:
#14 - TNEF packer will be in avast! 4.5
#23 - has been fixed today ;-))) patch will be in the next program update


So... you are in safe with avast! believe me!!! :-)

pavels

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1789
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re:Eicar test virus by email
« Reply #6 on: June 17, 2004, 11:47:25 AM »
i suggest to check with OE from XP SP2 RC2 , much better than OE from SP1
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive

Offline Jeccu

  • Jr. Member
  • **
  • Posts: 48
Re:Eicar test virus by email
« Reply #7 on: June 17, 2004, 02:06:50 PM »
Hi,

Thanks for your answer pavels.
You guys are great! You offer the best support I've ever seen.

Quote
So... you are in safe with avast! believe me!!! :-)

I have no doubt. Avast! is the best AV software I've ever used and I've been very satisfied with it.

-- Jeccu --
Intel Celeron 2.4GHz, 768MB DDR RAM, 40GB + 30GB HD
Windows XP Home SP2 + Mozilla Firefox + OE6, NOD32, Ewido Security Suite Plus
Telewell TW-EA500 (ADSL + NAT Router + Firewall)

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9365
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re:Eicar test virus by email
« Reply #8 on: June 17, 2004, 02:34:25 PM »
Well on my tests,i got everything ok :P
Most of them were picked by NAV mail server (my ISP),one was picked by avast! Mail heuristics,and last one was automatically thrown in spam folder by Opera :) Pretty cool hehe
Visit my webpage Angry Sheep Blog

Offline Farfouille

  • Jr. Member
  • **
  • Posts: 32
  • Welcome to the jungle
    • Flo paintings
Re:Eicar test virus by email
« Reply #9 on: November 11, 2004, 07:49:01 PM »
Hellewo

Just made a try with eicar stuff at www.testvirus.org with the last 4.5 version (4.5.518 and VPS  0446-2).

Avast failed for 4 times :

Test #4  uuencode : Pavels has already exposed its opinion about it.  There is no harm until uudecode takes place (who still use uudecode in Windows ?)

Test #14 : TNEF support. Pavels said (in this thread) that it will be supported in the 4.5. Not in the mail scanner for the moment. But if the attached file is scanned through avast it correctly detects eicar. So it's not really an issue even it would be safer if it can be detected by the mail scanner. Maybe it's because I'm using thunderbird and TNEF is a Microsoft format but  given the way avast handles mail it doesn't sound a good explanation.

Test #17 : Caught before. Is it because of Thunderbird ? Maybe I can't see any attachment in the mail  ???

Test #27 : A new one. Winrar can uncompress the modified archive without problem. Hopefully avast see the eicar in the uncompressed file but it should be better if it can handle such modified archive.

Here is the description of the failed tests :
sent     Test #4: Eicar virus sent using uuencoding

sent     Test #14: Eicar virus sent in a Microsoft TNEF file (winmail.dat)

sent     Test #17: Eicar virus hidden using the "CR Vulnerability" (attachment can be opened
by all versions of Microsoft Outlook and Outlook Express)

sent     Test #27: Eicar virus within a ZIP file that has been manipulated to evade detection by some anti-virus software by changing the uncompressed size to zero within the ZIP file headers.  **New



IMO, test 14 and 27 are little issues but we shouldn't forget that avast passed all the other tests ;)

Farfouille
« Last Edit: November 14, 2004, 02:54:16 PM by Farfouille »

Offline Farfouille

  • Jr. Member
  • **
  • Posts: 32
  • Welcome to the jungle
    • Flo paintings
Re:Eicar test virus by email
« Reply #10 on: November 14, 2004, 02:59:21 PM »
See my previous reply to know how avast 4.5 behaves now.  

Offline Cousin Dave

  • Jr. Member
  • **
  • Posts: 83
  • Your momma's a llama!
Re:Eicar test virus by email
« Reply #11 on: November 14, 2004, 03:49:48 PM »
I got the same results.
Not too shabby. :)