
Windows 7: AntiMalware App Testing (EICAR string type)

04 Nov 2011   #1
rubyrubyroo

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
AntiMalware App Testing (EICAR string type)

I have always used the EICAR ASCII string to quasi-test a/v s/w, but with ample apprehension, as it is very "specific" in its signature, leaving more fluid/dynamic scans devoid of the luxury of being broken-in or tested whatsoever, oh my!

Also, with a change from AVG to Avira (thank you Jacee), I feel as though I need more than a mere check for a/v s/w response (esp. to this well known "nonVirus"). I hear many a/v suites have decided to no longer even recognize this old friend, I guess the signature takes up an extra 0.734 bytes, and they're nailing down on streamlining, or something!?!

I also have 64-bit win7 on many machines, and I believe the file is designed more along the 16-ish bit domain, so first would it even work on these machines?

Second, I always compress the file and retest, compress the compressed file and retest, until I determine the limit of the a/v app's level of detection (I archive test as well, you see).

Is there anything better out there? Is there anybody out there?....I had seen long ago, in a more civil era, viri simulator proggies in development, although never really publicly available. Have I missed these type of compilations? I mean, if I believe nothing I read and 1/2 of what I see, I need to see more than reports from, what I believe to likely be accurate, but nonetheless unknown entities showcasing bar graphs and such to compare systems in a controlled laboratorious environment!

Maybe the subtle nuances of my own system setup contribute to the demise of safeguards that protected the controlled systems, .....ya' know?

What is thy opinion on the topic of suitable testing (scan and res shield included)?

offer what you offer, and I will be fixed

Humbled by your presence,
Mike
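The nested-compression procedure from the first post (compress, retest, compress the compressed, until detection stops), written up as a small test-set generator. This is an added example, not code from the thread, from EICAR or from any of the a/v vendors named; it assumes the tester already has the EICAR file on disk at the placeholder path below, and the fallback payload is a constructed string, not the EICAR string, so without the real file the archives only exercise unpacking depth.

```python
# Added example: build nested ZIP layers around a test file so an a/v scanner's
# archive-recursion limit can be measured. Assumptions: TEST_FILE is a placeholder
# path; FALLBACK_PAYLOAD is constructed and is NOT the EICAR string.
import io
import zipfile
from pathlib import Path

TEST_FILE = Path("PLACEHOLDER/path/to/eicar.com")          # assumption: supplied by tester
FALLBACK_PAYLOAD = b"CONSTRUCTED-SAMPLE-PAYLOAD-NOT-EICAR"  # constructed stand-in


def nest_in_zip(payload: bytes, depth: int, inner_name: str = "testfile.com") -> bytes:
    """Wrap payload in `depth` nested ZIP layers; depth 0 returns payload unchanged."""
    blob, name = payload, inner_name
    for level in range(1, depth + 1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, blob)          # previous layer becomes the sole member
        blob, name = buf.getvalue(), f"level{level}.zip"
    return blob


def unwrap_zip(blob: bytes) -> tuple[int, bytes]:
    """Peel single-member ZIP layers; return (layers_found, innermost_bytes).
    Lets you confirm each generated file really holds the expected nesting."""
    layers = 0
    while zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = zf.namelist()
            if len(names) != 1:              # not one of ours; stop peeling
                break
            blob = zf.read(names[0])
        layers += 1
    return layers, blob


def write_test_set(payload: bytes, out_dir: Path, max_depth: int) -> list[Path]:
    """Write level 0 (plain) through level max_depth (nested) into out_dir.
    Scan out_dir afterwards: the deepest file flagged is the scanner's archive limit."""
    out_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for depth in range(max_depth + 1):
        p = out_dir / ("testfile.com" if depth == 0 else f"nested_{depth}.zip")
        p.write_bytes(nest_in_zip(payload, depth))
        paths.append(p)
    return paths


if __name__ == "__main__":
    data = TEST_FILE.read_bytes() if TEST_FILE.is_file() else FALLBACK_PAYLOAD
    for p in write_test_set(data, Path("av_depth_test"), max_depth=8):
        print(p, unwrap_zip(p.read_bytes())[0], "layer(s)")
```

On 64-bit Windows the inner .com file cannot execute anyway (no NTVDM), so the set only measures on-access and on-demand scanning, which is what the test is for.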


13 Nov 2011   #2
Darcy Peal

Win 7 Ultimate x64 - Signature Edition

The quote below is from Wikipedia on EICAR

Quote:
The file is simply a text file of either 68 or 70 bytes that is a legitimate executable file called a COM file that can be run by Microsoft operating systems and some work-alikes (except for 64-bit due to 16-bit limitations), including OS/2.
It is very difficult to find any other test viruses, so I don't know what else to say.

Have a good day Mike.
13 Nov 2011   #3
A Guy

Microsoft Community Contributor Award Recipient

Windows 7 Home Premium x64 SP1

If an AV program cannot detect the well known EICAR, then they are very stupid. If nothing else they just need to make it a detection no matter what. You can try some malware/trojan tests. These are the 2 I remember off hand.

Trojan Simulator

Mischel Internet Security

Spycar

My protection won't let them download. If I close the 1st program that detects them, then the 2nd stops them, and so on. Good enough test for me that none will let me download, lol. A Guy

13 Nov 2011   #4
gautam7

windows 7 ultimate 32 bit

Avast did not detect Trojan Simulator.

Edit: MBAM and Kingsoft PC Doctor also failed to detect it; only Hitman found it. Maybe Avast, MBAM and PC Doctor know it's an FP.
15 Nov 2011   #5
rubyrubyroo

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade

Thanks all for the responses!


DARCY:
Yes, all Win7 x86 PCs hit on it "easy-peasy", w/most a/v s/w and defined it comfortably as a test-string-EICAR, or similar name and threat level zero. But the 64-bit system seems to avoid detecting it like the plague (although I guess I'd rather DETECT the plague if it were coming, so I could leave town!) but nil/nix/nay/nada from everything else I tried (which insofar excludes Hitman), and while Vista x64 and XP x64 will likely follow the 64-bit version of Windows, I'm going to go ahead and ask the unimaginable question...ready?..."Why?" I often overlook the obvious, and end up looking pretty dumb! But from a "black-box" reasoning, a 64-bit system can take virtually any 32-bit s/w and run it as if it were 32-bit addressing, and 64-bit apps can open "32-bit data files" (I understand my explanation is weak, flawed, and basically..well wrong) but the point is why everything BUT the detection of this file remains fully functional in the 64-bit versions of Windows OS's?

Do the x64 registers' references to the "code segment" change due to the extended addressing size and seemingly no longer write over the program code space, thus no longer posing a "self-modifying" type of threat? I suspect it has something to do with this since the file is written as a COM file, like an all but full-on DOS-type file! And maybe it even, for simplicity's sake, uses a relative address, ASSUMING the length of an address segment.

blah blah blah...blah blah?

Any thoughts on mine? (I'm sure to get a one-two word reply on this one!...."uhh, yeah." type thing!)

GUY: hey man! I really hate downloading most anything these days, and now I'm going to go and download "quasi-Trojans" from sites that I don't (personally) know....GEEZ you asking a lot man! I'd almost feel better getting a real infection but be sure of what I'm shoving in my computer. "In the olden days" I remember when just downloading a file couldn't cause any problems, just simply couldn't run it, right?! Now God only knows what sites have uploaded some drive-by ActiveX crap from an invisible pixel picture file or using some Shockwave exploit to "prep" my system for this (among many) D/L-ed's so it gets executed upon D/L, and now there's so little safe ground to walk on, and since a company would OBVIOUSLY have no reason to infect me with some shopping-superware-spy-bug-bot thing, I feel much better that it's coming from the corporate realm (plus I'm sure they're REALLY worried about security on the server that holds that file! Prime hacker's paradise!) But the thought is good, and I guess it is exactly what I asked for (just wish it was a text string).

And I guess if the EICAR malware is not "functionally sound" as performing viral-like behavior due to the 64-bit system architecture, for whatever reason, then, yeah, I guess it should still hit on the viral signature, but not the action it is taking...there's surprisingly little info across the net, but I'm getting interested now...I need to know. Thanks Guy.

GAUTAM:
Sure they know it's a "sim", but every upgrade, every update, every new software version for years and years has known that since day...hmmm...... 2 - 1/2 maybe, so I doubt that everyone just suddenly stopped. It's been the topic of debate for many years, yet all a/v scans hit on it almost across the board, until what I assume is the 64-bit version of Windows, as Darcy so delightfully pointed out. Thanks for your efforts though G and all!

Maybe to help narrow things down, has someone tried or is set up to fire up a VM of Win7 (32-bit) and do a virus scan of the EICAR file, while physically running the VM software in a 64-bit version of Windows 7?

Other thoughts, or preferably answers?
15 Nov 2011   #6
A Guy

Microsoft Community Contributor Award Recipient

Windows 7 Home Premium x64 SP1

No problem, but Mischel Internet Security is the Company that makes Trojan Hunter, amongst other tools. Well known and respected security company. A Guy
16 Nov 2011   #7
rubyrubyroo

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade

Yeah, I have heard of Trojan Hunter, don't think I've even used it personally; also the company name Mischel, I can't say that I remember?! But my thoughts are, I'm backed up full image and a plug-in replacement drive prepped and ready to swap out pretty routinely now (on a particularly important system). So technically, I should have nothing to fear even if it were some rogue, shady site, because my defense should be pretty powerful here, and if it is by chance malicious code, and my system fails, I find the flaw, fix it, reinstall backup, try again. Seems obvious enough; after all it's the newer strains and tactics I'd prefer to avoid, and by real viri, rather than a known "static" simulation, so I'll try your links first then see what I can turn up (maybe click on a couple "unknown sender" email links too).

But I'll try it as is.

Thanks again,
Mike


[EDIT]

According to our good friends at Wikipedia, 64-bit systems no longer contain the 16-bit (NTVDM) software (I'm guessing NT Virtual DOS Machine? It seems to make sense by name/meaning):

Quote:
In an x86-64 CPU, virtual 8086 mode is available as a sub-mode only in its legacy mode (for running 16- and 32-bit operating systems), not in the native, 64-bit long mode. Rather than update the NTVDM to correctly work on 64-bit versions of Windows, Microsoft chose to no longer include it; thus versions of Windows NT for 64-bit architectures (x86-64 and IA-64) are unable to run DOS or 16-bit Windows applications. The only possibility to run them is to use Windows XP Mode or other virtualization software.
16 Nov 2011   #8
rubyrubyroo

MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade

I have to agree, the software did as it said. My system is at minimum set up to detect infiltrating horses of the wooden variety! And I like the mem sim ID/reg key mod sim portions as well. Thanks, I got what I needed, so I'll hold off on the other link for now, but I will keep both links!

Mike