January 9th, 2004, 12:35 PM
If an AV detects EICAR.. don't mean shite.. I like the idea of a Neutered Virii.. perhaps a couple of different types.. and their sting would be a message box "Ya F****n AV ain't work'n Mate"
Why different types.. different doors of infection..
"Consumer technology now exceeds the average person's ability to comprehend how to use it.. give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
January 9th, 2004, 01:05 PM
Sorry val, but you have to use the real thing.
EICAR just shows if the AV has loaded properly IMHO. All AVs will find it
If you rename a live virus to .txt it is interesting, but some AVs won't report it because it is not executable (not good methinks, so the test is useful)
I usually put them on a floppy and scan that (remember to write protect the floppy or they will be killed)
Another problem is that if you draw the "teeth" it might not be detected, because the "teeth" could be what the AV uses to detect that particular specimen?
I would be worried if my AV actually let me download a live virus though
I used to get a lot of them from work, the Users (most of them) would forward their dodgy e-mails so I could check them, even bring me ones from their home PCs. Also the lads down the pub were a good source.
I used to get one of my trusty "labrat" boxes and load up a few AV apps then show them a virus ridden floppy.......interesting to see which were detected and at what stage.
I can't remember the name at the moment, but I did test one AV that gave you the option of telling it that it was looking at a "zoo" so it wouldn't bleep at every detection......just gave you a list at the end...........rather neat I thought!
If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?
January 9th, 2004, 04:40 PM
I just downloaded the *.zip of your test file. AV picked it, AV deleted the *.com from within the *.zip file. Nice results, but not that tough of a test however.
If you really want a test download some *.asm files from here. Put them on a cd, and scan it. They aren't live, and they contain the same makeup as if they were. Granted some of them once live do lots of different things to hide. So unless you wanna let loose some live viruses on your set, this is a good alternative. Search the net for virus downloads. Get some live viruses off the net that are zipped, and scan them that way. So long as you practice safe virus handling you should be fine.
I've got a cd I've put together over the years. I've had lots of help from many other peeps, sort of a group effort. It contains 9256 files to date. Norton scored the highest in scanning accuracy. Norton found 9251 of them. The files range from .exe, .zip, .com, .tar, .bat, .txt, .asm, and some double extensions, like .jpg.exe and the such. They are mostly older virii, trojans and the such, with new ones added as they are found.
Like nihil pointed out, if you rename the extension of a live virus, some scanners simply don't see them. Norton only missed 5 of them. I've seen AV scanners miss as many as 30. If I remember correctly it was Dr. Solomon's. As far as that goes, I've seen AV call things viral that aren't. Final thought, IMHO the best you can ever hope for when using an AV is that some protection is most definitely better than none. Just be sure you have good backups, so in the event of a disaster, you can bounce back quickly.
be safe and stay free
Your heart was talking, not your mind.