AntiMalware App Testing (EICAR string type)


  1. Posts : 1,777
    MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
       #1

    AntiMalware App Testing (EICAR string type)


    I have always used the EICAR ASCII string to quasi-test a/v sw, but with ample apprehension, as it is very "specific" in its signature, leaving more fluid/dynamic scans devoid of the luxury of being broken-in or tested whatsoever, oh my!

    Also, with a change from AVG to Avira (thank you Jacee), I feel as though I need more than a mere check for a/v sw response (esp. to this well known "nonVirus"). I hear many a/v suites have decided to no longer even recognize this old friend, I guess the signature takes up an extra 0.734 bytes, and they're nailing down on streamlining, or something!?!

    I also have 64-bit win7 on many machines, and I believe the file is designed more along the 16-ish bit domain, so first would it even work on these machines?

    Second, I always compress the file and retest, compress the compressed file and retest, until I determine the limit to the a/v app's level of detection (I archive test as well, you see).

    Is there anything better out there? Is there anybody out there?....I had seen long ago, in a more civil era, viri simulator proggies in development, although never really publicly available. Have I missed these type of compilations? I mean, if I believe nothing I read and 1/2 of what I see, I need to see more than reports from, what I believe to likely be accurate, but none-the-less unknown entities showcasing bar graphs and such to compare systems in a controlled laboratorious environment!

    Maybe the subtle nuisances of my own system setup contribute to the demise of safeguards that protected the controlled systems, .....ya' know?

    What are thou's opinion on the topic of suitable testing (scan and res shield included)?

    offer what you offer, and I will be fixed

    Humbled by your presence,
    Mike
    Last edited by rubyrubyroo; 15 Nov 2011 at 11:23.


  2. Posts : 27
    Win 7 Ultimate x64 - Signature Edition
       #2

    The quote below is from Wikipedia on EICAR

    The file is simply a text file of either 68 or 70 bytes that is a legitimate executable file called a COM file that can be run by Microsoft operating systems and some work-alikes (except for 64-bit due to 16-bit limitations), including OS/2.
    It is very difficult to find any other test viruses, so I don't know what else to say.

    Have a good day Mike.
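A worked example added here (it is not code posted by anyone in this thread) covering the two points raised so far: the size of the EICAR test file quoted above (68 bytes for the bare string, 70 with a trailing CRLF) and the nested-compression test from post #1, where the test file is wrapped in successively deeper archives to find the depth at which an archive scanner stops looking. The validity check follows EICAR's own published rule that a detectable test file starts with the 68-character string, is at most 128 bytes, and carries only whitespace after it. Everything is built in memory with the Python standard library; the file names (eicar.com, eicar_depthN.zip) and the output directory are assumptions for this example, not from the thread.

```python
import io
import os
import zipfile

# The EICAR standard anti-malware test string (published by EICAR for exactly
# this purpose); note the escaped backslash in the bytes literal.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_bytes(crlf=False):
    """Contents of the test file: 68 bytes bare, 70 with a trailing CRLF."""
    return EICAR + (b"\r\n" if crlf else b"")


def is_valid_eicar_file(data):
    """EICAR's rule: starts with the 68-char string, <=128 bytes, whitespace after."""
    if len(data) > 128 or not data.startswith(EICAR):
        return False
    return data[len(EICAR):].strip() == b""


def nest_in_zip(payload, depth, inner_name="eicar.com"):
    """Wrap payload in `depth` nested zip archives, all in memory.

    Level 1 holds eicar.com, level 2 holds level1.zip, and so on; this is the
    "compress the compressed file and retest" procedure from post #1.
    """
    data = payload
    name = inner_name  # assumed member name, not from the thread
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data = buf.getvalue()
        name = f"level{level + 1}.zip"
    return data


def unwrap_depth(data):
    """Count the zip layers around a payload; returns (depth, innermost bytes).

    Useful to confirm a generated sample really is N layers deep before
    blaming the scanner for not reaching it.
    """
    depth = 0
    while zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            data = zf.read(zf.namelist()[0])
        depth += 1
    return depth, data


def build_test_set(max_depth, out_dir=None):
    """Build samples nested 0..max_depth deep; write them to out_dir if given.

    Scan the directory with the on-access and on-demand scanner under test;
    the deepest file that is still flagged is the archive scan depth limit.
    """
    files = {}
    for d in range(max_depth + 1):
        fname = "eicar.com" if d == 0 else f"eicar_depth{d}.zip"  # assumed names
        files[fname] = nest_in_zip(eicar_bytes(), d)
    if out_dir is not None:
        os.makedirs(out_dir, exist_ok=True)
        for fname, blob in files.items():
            with open(os.path.join(out_dir, fname), "wb") as fh:
                fh.write(blob)
    return files


if __name__ == "__main__":
    for fname, blob in build_test_set(4).items():
        depth, inner = unwrap_depth(blob)
        print(f"{fname}: {len(blob)} bytes, {depth} zip layer(s), "
              f"valid EICAR inside: {is_valid_eicar_file(inner)}")
```

Run it with an output directory (for example `build_test_set(6, "eicar_samples")`) and point the scanner at that folder; a resident shield that quarantines eicar.com on write but ignores eicar_depth4.zip tells you the archive depth it inspects, which is exactly the limit post #1 is probing by hand. Keep the output directory excluded from any scanner you are not testing, or the samples vanish before the test starts.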


  3. Posts : 53,363
    Windows 10 Home x64
       #3

    If an AV program cannot detect the well known EICAR, then they are very stupid. If nothing else they just need to make it a detection no matter what. You can try some malware/trojan tests. These are the 2 I remember off hand.

    Trojan Simulator

    Mischel Internet Security

    Spycar

    My protection won't let them download. If I close the 1st program that detects them, then the 2nd stops them, and so on. Good enough test for me that none will let me download, lol. A Guy
    Last edited by A Guy; 15 Nov 2011 at 22:40.


  4. Posts : 173
    windows 7 ultimate 32 bit
       #4

    Avast did not detect Trojan Simulator.

    Edit: MBAM and Kingsoft PC Doctor also failed to detect it; only Hitman found it. Maybe Avast, MBAM and PC Doctor know it's a FP.
    Last edited by gautam7; 13 Nov 2011 at 14:11.


  5. Posts : 1,777
    MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
    Thread Starter
       #5

    Thanks all for the responses!


    DARCY:
    Yes, all win7 x86 PCs hit on it "easy-peasy", w/most a/v S/W and defined it comfortably as a test-string-EICAR, or similar name and threat level zero. But the 64-bit system seems to avoid detecting it like the plague (although I guess I'd rather DETECT the plague if it were coming, so I could leave town!) but nil/nix/nay/nada from everything else I tried (which insofar excludes Hitman) and while Vista x64 and XP x64 will likely follow the 64-bit version of windows, I'm going to go ahead and ask the unimaginable question...ready?..."Why?" I often overlook the obvious, and end up looking pretty dumb! But from a "black-box" reasoning, a 64-bit system can take virtually any 32-bit s/w and run it as if it were 32-bit addressing, and 64-bit apps can open "32-bit data files" (I understand my explanation is weak, flawed, and basically..well wrong) but the point is why everything BUT the detection of this file remains fully functional in the 64-bit versions of Windows OSes?

    Do the x64 registers' reference to the "code segment" change due to the extended addressing size and seemingly no longer write over the program code space, thus no longer posing a "self-modifying" type of threat? I suspect it has something to do with this since the file is written as a COM file, like an all but full-on DOS-type file! And maybe it even, for simplicity's sake, uses a relative address, ASSUMING the length of an address segment.

    blah blah blah...blah blah?

    Any thoughts on mine? (I'm sure to get a one-two word reply on this one!...."uhh, yeah." type thing!)

    GUY: hey man! I really hate downloading most anything these days, and now I'm going to go and download "quasi-Trojans" from sites that I don't (personally) know....GEEZ you asking a lot man! I'd almost feel better getting a real infection but be sure of what I'm shoving in my computer. "In the olden days":) I remember when just downloading a file couldn't cause any problems, just simply couldn't run it, right?! Now God only knows what sites have uploaded some drive-by ActiveX crap from an invisible pixel picture file or using some Shockwave exploit to "prep" my system for this (among many) D/L-ed's so it gets executed upon D/L and now there's so little safe ground to walk on, and since a company would OBVIOUSLY have no reason to infect me with some shopping-superware-spy-bug-bot thing, I feel much better that it's coming from the corporate realm (plus I'm sure they're REAL worried about security on the server that holds that file! Prime hacker's paradise!) But the thought is good, and I guess it is exactly what I asked for (just wish it was a text string:))

    And I guess if the EICAR malware is not "functionally sound" as performing viral-like behavior due to the 64-bit system architecture, for whatever reason, then, yeah I guess it should still hit on the viral signature, but not the action it is taking...there's surprisingly little info across the net, but I'm getting interested now...I need to know. Thanks Guy

    GAUTAM:
    Sure they know it's a "sim" but every upgrade, every update, every new software version for years and years have known that since day...hmmm...... 2 - 1/2 maybe, so I doubt that everyone just suddenly stopped. It's been the topic of debate for many years, yet all a/v scans hit on it almost across the board, until what I assume is the 64-bit version of windows, as Darcy so delightfully pointed out. Thanks for your efforts though G and all!

    Maybe to help narrow things down, someone has tried or is set up to fire up a VM of win7 (32-bit) and do a virus scan of the EICAR file - while physically running the VM software in a 64-bit version of windows 7?

    Other thoughts, or preferably answers?


  6. Posts : 53,363
    Windows 10 Home x64
       #6

    No problem, but Mischel Internet Security is the Company that makes Trojan Hunter, amongst other tools. Well known and respected security company. A Guy


  7. Posts : 1,777
    MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
    Thread Starter
       #7

    Yeah I have heard of Trojan Hunter, don't think I've even used it personally, also the company name Mischel I can't say that I remember?! But my thoughts are, I'm backed up full image and a plug-in replacement drive prepped and ready to swap out pretty routinely now (on a particularly important system). So technically, I should have nothing to fear even if it were some rogue, shady site, because my defense should be pretty powerful here, and if it is by chance malicious code, and my system fails, I find the flaw, fix it, reinstall backup, try again. Seems obvious enough, after all it's the newer strains and tactics I'd prefer to avoid, and by real viri, rather than a known "static" simulation, so I'll try your links first then see what I can turn up, (maybe click on a couple "unknown sender" email links too)

    But I'll try it as is.

    Thanks again
    Mike


    [EDIT]

    According to our good friends at Wikipedia, 64-bit systems no longer contain the 16-bit (NTVDM) software (I'm guessing New Tech. Virtual DOS Machine? It seems to make sense by name/meaning):

    In an x86-64 CPU, virtual 8086 mode is available as a sub-mode only in its legacy mode (for running 16- and 32-bit operating systems), not in the native, 64-bit long mode. Rather than update the NTVDM to correctly work on 64-bit versions of Windows, Microsoft chose to no longer include it; thus versions of Windows NT for 64-bit architectures (x86-64 and IA-64) are unable to run DOS or 16-bit Windows applications. The only possibility to run them is to use Windows XP Mode or other virtualization software.
    Last edited by rubyrubyroo; 16 Nov 2011 at 02:40. Reason: Addition


  8. Posts : 1,777
    MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
    Thread Starter
       #8

    I have to agree, the software did as it said. My system is at minimum set up to detect infiltrating horses of the wooden variety! And I like the mem sim and ID/reg key mod sim portions as well, thanks, I got what I needed, so I'll hold off on the other link for now, but I will keep both links!

    Mike


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.