Avast is detecting the eicar test files perfectly, but I noticed that if I attached the string to an existing jpg file and scanned that file, Avast did not detect it. Is this the way it is supposed to be?
Of course. From http://www.eicar.org/anti_virus_test_file.htm :
[i]Any anti-virus product that supports the eicar test file should detect it in any file providing that the file starts with the following 68 characters, and is exactly 68 bytes long:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
The first 68 characters is the known string. It may be optionally appended by any combination of whitespace characters with the total file length not exceeding 128 characters. The only whitespace characters allowed are the space character, tab, LF, CR, CTRL-Z. [/i]
Thanks Vlk, I always was under the impression AV software should react to it no matter where in a file it was or how long the file was. Learned something new.
You are right, the length certainly shouldn’t make any difference for most viruses.
Eicar, however, is a special case. This special restriction has been incorporated because some true viruses attached (or prepended, or somehow used) the Eicar test string to make them look like “Eicar - not a virus”, even though they were really dangerous. To avoid these misdetections, Eicar detection has been restricted as Vlk posted.
Life is becoming dangerous
I suppose the “impersonators” could use the size-and-location restrictions themselves – but in that case (unless I’ve missed something) they’d be back to just Eicar itself, which of course is no hazard.
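The rule quoted from eicar.org earlier in this thread, written out as a check (an added example, not part of the original posts and not Avast's detection code). The function name `classify`, the result labels and the sample inputs are assumptions made for illustration; the samples are constructed.

```python
# Added example: apply the EICAR rule quoted in this thread to a byte string.
# The test string is assembled from two parts so this source file itself
# does not start with, or contain, the contiguous 68-byte string.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
ALLOWED_TRAILING = b" \t\n\r\x1a"  # space, tab, LF, CR, CTRL-Z
MAX_TOTAL = 128                    # upper bound on total file length


def classify(data: bytes) -> str:
    """Return 'eicar' or the reason the data is not a valid EICAR test file."""
    if not data.startswith(EICAR):
        # The jpg case from the first post: string present, but not at offset 0.
        if EICAR in data:
            return "string-present-but-not-at-start"
        return "no-eicar-string"
    if len(data) > MAX_TOTAL:
        return "too-long"
    tail = data[len(EICAR):]
    # Anything other than the listed whitespace after the string disqualifies
    # the file, so real code cannot hide behind a "test file" verdict.
    if any(byte not in ALLOWED_TRAILING for byte in tail):
        return "non-whitespace-after-string"
    return "eicar"


# Constructed samples (hypothetical inputs, built inline).
JPEG_PREFIX = bytes.fromhex("ffd8ffe000104a46494600")  # JFIF-style header bytes
SAMPLES = {
    "plain test file": EICAR,
    "test file + CRLF": EICAR + b"\r\n",
    "padded to 128 bytes": EICAR + b" " * 60,
    "padded to 129 bytes": EICAR + b" " * 61,
    "string appended to jpg": JPEG_PREFIX + b"\x00" * 200 + EICAR,
    "string followed by other bytes": EICAR + b"\x90\x90payload",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:32s} -> {classify(blob)}")
```

A scanner that follows the rule reports only the first three samples as the test file; the other three must be judged by its normal detection logic, which is why the jpg in the first post produced no Eicar alert.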