
EICAR Virus test file is still executable!

Created: 24 Jan 2008 • Updated: 22 May 2010 | 3 comments
  • First I was testing the operation of the SEP (trial edition) by attempting to download the EICAR test file
  • I managed to copy the contents of the file and paste it into a file which I called ABC with .exe extension
  • I opened the abc.exe file in a command prompt and SEP did not even notice that! The result is as shown below:

C:\Documents and Settings\Administrator\Desktop>abc
(/~÷v‼÷÷"_■+♫÷5vu═D♂PnV.♂á♦ ♦¢▼_■i╥'╧±╨uC«↨≤D,¼╖H┬v♦.f╨UB-*ĵ%ív/╢⌡ W╪å./⌠·¼0÷½▲
║±║Xq#4◄¡«.♫╜1ß÷╨d┤♠+∟▓Om╖²→╚◄╒i&u¥à},▼⌡Ç║e0░↑y╢n]▐←╥ª╚]V←☼Vö←¼e← 6←→/6¼
Divide overflow

My concern is that it could be very easy for some malware to circumvent the protection mechanism of SEP.

Kindly advise



I was able to copy the text within the EICAR test file

Message Edited by Raed Al-Jarrah on 01-24-2008 03:51 AM


GrahamA's picture

AntiVirus solutions look for a very specific string when detecting eicar. Any unexpected additional spaces or carriage returns in the file could lead to it not being detected.
The way to properly download and test with eicar is to go to the following webpage, download the file direct:
Let me know how you get on.

GrahamA Product Management, Symantec Security Solutions
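
The point above about stray spaces or carriage returns can be checked on the test artifact itself before drawing conclusions about the scanner. The following is an added example, not part of the original thread or any Symantec tooling; it assumes the published EICAR definition (the 68-byte string at offset 0, optionally followed by space, tab, LF, CR or Ctrl-Z, at most 128 bytes in total), and the function name `check_eicar` and all sample inputs are constructed for illustration.

```python
"""Added example: check a candidate file against the published EICAR definition."""

# Signature assembled from two parts so this listing is not itself flagged.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
ALLOWED_TRAILING = b" \t\n\r\x1a"   # space, tab, LF, CR, Ctrl-Z
MAX_LEN = 128                        # total file length permitted by the definition


def check_eicar(data: bytes) -> str:
    """Return 'valid' or the reason the bytes are not a conforming test file."""
    if data.startswith(EICAR):
        tail = data[len(EICAR):]
        if tail.strip(ALLOWED_TRAILING):      # anything other than allowed whitespace
            return "trailing-data"
        if len(data) > MAX_LEN:
            return "too-long"
        return "valid"
    if data.find(EICAR) > 0:                  # intact string, but not at offset 0
        return "leading-bytes"
    return "signature-altered"                # string broken up or re-encoded


def demo() -> dict:
    """Constructed samples mimicking common copy/paste and editor side effects."""
    samples = {
        "exact": EICAR,
        "trailing CRLF": EICAR + b"\r\n",
        "UTF-8 BOM from editor": b"\xef\xbb\xbf" + EICAR,
        "leading space": b" " + EICAR,
        "saved as UTF-16": EICAR.decode("ascii").encode("utf-16"),
        "line wrap inside string": EICAR[:30] + b"\r\n" + EICAR[30:],
        "extra text appended": EICAR + b"abc",
        "padded past 128 bytes": EICAR + b" " * 61,
    }
    return {name: check_eicar(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28} {verdict}")
```

A file that fails this check says nothing about the scanner either way, because whether a product flags non-conforming variants is vendor-specific.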

Raed Al-Jarrah's picture
The test file is detected upon download and there is no issue with that, but as I mentioned, I was able to still save the file to my desktop, open it, copy its contents, paste it into an .EXE file and then run it
I accomplished that by clicking on the following link:
which will immediately open in Internet Explorer that will show only the following text:
which is the payload of the virus test file itself. Just copy it to a file, give it .exe extension after which you can execute the virus without SEP noticing that!
By the way, I tried to repeat the above steps on my home laptop but the PCtools AV just detected the file upon saving the contents and immediately deleted it
Obviously sophisticated viruses can do much more than that
Oivin's picture

I am trying to follow your steps, but my SEP will not allow me to save the .exe file with the eicar text string.

Also, I am using Eicar all the time, to test my SEP installations in different environments, and I have never seen it fail before. So, now I am curious about how you managed to do this. :smileywink: