Eicar .docx string not detected

Created: 12 Jan 2012 | Updated: 13 Jan 2012 | 2 comments

Chad_GCU

This issue has been solved. See solution.

I've saved the EICAR string into a standard Word 2010 .docx file but my 11.0.6200.754 SEP client isn't detecting it. It detected my .txt and .jpg EICAR files.

Any suggestions?

Thanks,

Chad

Discussion Filed Under:

Security, Endpoint Protection (AntiVirus) - 11.x, Endpoint Protection (AntiVirus), Malicious Code, Security Risks

Comments RSS Feed

Comments 2 Comments • Jump to latest comment

Brandon Noble Symantec Employee

Eicar .docx string not detected - Comment:13 Jan 2012 : Link

The EICAR test is designed to detected the EICAR string by itself.

The additional formatting within MS Word, both prior to the string and after the string, prevents the detection.

You can test this by creating the same Eicar.txt that was already being detected in a notepad document and than adding non-whitespace characters either before or after the string. This will prevent detection, as designed.

Brandon Noble
ESS Incident Response Officer
Security Response Liaisons
Symantec Corporation
www.symantec.com

SOLUTION

Chad_GCU

Eicar .docx string not detected - Comment:13 Jan 2012 : Link

I used the "Inspect Document" option in Word 2010 to remove all extra hidden content but the EICAR string still remained undetected. I'll just conclude that .docx files cannot be used to test EICAR.

Thanks!

Eicar .docx string not detected

Comments 2 Comments • Jump to latest comment

Would you like to reply?

Links