Eicar test virus by email

[Jeccu]

Hey all!

I just tested my avast! mail protection (4.1.418 Home + Outlook Express) with eicar test virus on http://www.testvirus.org/
Fortunately my ISP's mail server is not running anti-virus software so I could run the tests.

The web site provides several (25) different ways to send the test virus through email. Unfortunately avast! failed  9 of these tests. I have to say that I don't know anything about these encoding techniques, I'm just curious why avast! didn't recognize eicar? Should we worry about this?


Results:

PASSED Test #1: Eicar virus sent using base64 encoding
PASSED Test #2: Eicar virus sent using binary encoding
PASSED Test #3: Eicar virus sent using quoted-printable encoding
FAILED Test #4: Eicar virus sent using uuencoding
PASSED Test #5: Eicar virus sent using BinHex encoding
PASSED Test #6: Eicar virus embedded within another MIME segment
PASSED Test #7: Eicar virus sent using uuencoding within a MIME segment
PASSED Test #8: Eicar virus sent using BinHex encoding within a MIME segment
PASSED Test #9: Eicar virus sent as an inline attachment
PASSED Test #10: Eicar virus embedded within an RFC822 message
PASSED Test #11: Eicar virus within a ZIP file
FAILED Test #12: Eicar virus within a password protected ZIP file
PASSED Test #13: Eicar virus sent from Pegasus, which formats email in strange ways
FAILED Test #14: Eicar virus sent in a Microsoft TNEF file (winmail.dat)
PASSED Test #15: Eicar virus without quotes around the filename
FAILED Test #16: Eicar string in HTML, to ensure that your mail server scans HTML segments
PASSED Test #17: Eicar virus hidden using the "CR Vulnerability"
PASSED Test #18: Eicar virus within zip file hidden using the "Space Gap Vulnerability"
FAILED Test #19: Eicar virus within zip file hidden using the "Blank Folding Vulnerability"
FAILED Test #20: Eicar virus within zip file hidden using the "MIME Boundary Space Gap Vulnerability"
FAILED Test #21: Eicar virus within zip file hidden using the "Long MIME Boundary Vulnerability"
PASSED Test #22: Eicar virus within zip file hidden using the "MIME Continuation Vulnerability"
FAILED Test #23: Eicar virus within zip file hidden using the "Empty MIME Boundary Vulnerability"
FAILED Test #24: Test for the "Partial (Fragmented) Vulnerability". This does not include Eicar virus, but your mail server still must block this since it can break a virus into multiple emails and reassemble it in your inbox.
PASSED Test #25: Attachment with a CLSID extension which may hide the real file extension. This does not include Eicar virus, but your mail server still must block this since it can hide the true extension of a file.


-- Jeccu --

[niko]

Hi Jeccu and welcome,
I'm just a avast! user, not a specialist...
Try to see your avast! mail scanner setup ?
Hope this help you
@+

[pk]

FAILED Test #4: Eicar virus sent using uuencoding

uu* is an encoding method (similar like base64, ...)

FAILED Test #12: Eicar virus within a password protected ZIP file

we dont use any brute-force method for password detection

FAILED Test #14: Eicar virus sent in a Microsoft TNEF file (winmail.dat)

TNEF packer will be supported in avast 4.5

pavels will answer the rest

[Kobra]

I believe only F-Prot and CommandAV check password protected archives. Not sure how they do it, but its instant, and even on-access for Command.  

Heres another place to check your Email scanning:

http://www.gfi.com/emailsecuritytest/

Good luck.

[igor]

avast! also uses some kind of "heuristic" (I know you like the word ) to detects password-protected archives created by the Beagle worm.

[sedina]

Hi all,
Bill Boebel (the author of www.testvirus.org) confirmed me that there had been several bugs in his test set. So after update, avast!'s result are...  (see picture below)

You can see 5 "failed" tests, but give me a chance to explain it ;-)
===
#4 - from my opinion (and also for OE, Outlook) that is not attachment. Body of attachment is in text part of email (as normal text). It's the same situation as when you have virus in picture file. There is no program to execute text part of email (or picture in my example) as executive code....
#12 - see posts above
#16 - eicar definition is not precise (if you modify it right way, avast! will catch it!)
#24 - the only one real problem in avast! - partial messages. We will fix it in future version.
#25 - doesn't contain virus, but avast! catches these kinds of viruses (in this case, avast! heuristic module warn you about dangerous extension)
---
following tests will fail if you try it with current version, but:
#14 - TNEF packer will be in avast! 4.5
#23 - has been fixed today ;-))) patch will be in the next program update


So... you are in safe with avast! believe me!!! :-)

pavels

[Dwarden]

i suggest to check with OE from XP SP2 RC2 , much better than OE from SP1

[Jeccu]

Hi,

Thanks for your answer pavels.
You guys are great! You offer the best support I've ever seen.

So... you are in safe with avast! believe me!!! :-)

I have no doubt. Avast! is the best AV software I've ever used and I've been very satisfied with it.

-- Jeccu --

[RejZoR]

Well on my tests,i got everything ok
Most of them were picked by NAV mail server (my ISP),one was picked by avast! Mail heuristics,and last one was automatically thrown in spam folder by Opera Pretty cool hehe

[farfouille]

Hellewo

Just made a try with eicar stuff at www.testvirus.org with the last 4.5 version (4.5.518 and VPS  0446-2).

Avast failed for 4 times :

Test #4  uuencode : Pavels has already exposed its opinion about it.  There is no harm until uudecode takes place (who still use uudecode in Windows ?)

Test #14 : TNEF support. Pavels said (in this thread) that it will be supported in the 4.5. Not in the mail scanner for the moment. But if the attached file is scanned through avast it correctly detects eicar. So it's not really an issue even it would be safer if it can be detected by the mail scanner. Maybe it's because I'm using thunderbird and TNEF is a Microsoft format but  given the way avast handles mail it doesn't sound a good explanation.

Test #17 : Caught before. Is it because of Thunderbird ? Maybe I can't see any attachment in the mail  

Test #27 : A new one. Winrar can uncompress the modified archive without problem. Hopefully avast see the eicar in the uncompressed file but it should be better if it can handle such modified archive.

Here is the description of the failed tests :
sent     Test #4: Eicar virus sent using uuencoding

sent     Test #14: Eicar virus sent in a Microsoft TNEF file (winmail.dat)

sent     Test #17: Eicar virus hidden using the "CR Vulnerability" (attachment can be opened
by all versions of Microsoft Outlook and Outlook Express)

sent     Test #27: Eicar virus within a ZIP file that has been manipulated to evade detection by some anti-virus software by changing the uncompressed size to zero within the ZIP file headers.  **New



IMO, test 14 and 27 are little issues but we shouldn't forget that avast passed all the other tests

Farfouille

[farfouille]

See my previous reply to know how avast 4.5 behaves now.  

[cousindave]

I got the same results.
Not too shabby.