I just tested my avast! mail protection (4.1.418 Home + Outlook Express) with eicar test virus on http://www.testvirus.org/
Fortunately my ISP’s mail server is not running anti-virus software so I could run the tests.
The web site provides several (25) different ways to send the test virus through email. Unfortunately avast! failed 9 of these tests. I have to say that I don’t know anything about these encoding techniques, I’m just curious why avast! didn’t recognize eicar? Should we worry about this?
Results:
PASSED Test #1: Eicar virus sent using base64 encoding
PASSED Test #2: Eicar virus sent using binary encoding
PASSED Test #3: Eicar virus sent using quoted-printable encoding
FAILED Test #4: Eicar virus sent using uuencoding
PASSED Test #5: Eicar virus sent using BinHex encoding
PASSED Test #6: Eicar virus embedded within another MIME segment
PASSED Test #7: Eicar virus sent using uuencoding within a MIME segment
PASSED Test #8: Eicar virus sent using BinHex encoding within a MIME segment
PASSED Test #9: Eicar virus sent as an inline attachment
PASSED Test #10: Eicar virus embedded within an RFC822 message
PASSED Test #11: Eicar virus within a ZIP file
FAILED Test #12: Eicar virus within a password protected ZIP file
PASSED Test #13: Eicar virus sent from Pegasus, which formats email in strange ways
FAILED Test #14: Eicar virus sent in a Microsoft TNEF file (winmail.dat)
PASSED Test #15: Eicar virus without quotes around the filename
FAILED Test #16: Eicar string in HTML, to ensure that your mail server scans HTML segments
PASSED Test #17: Eicar virus hidden using the “CR Vulnerability”
PASSED Test #18: Eicar virus within zip file hidden using the “Space Gap Vulnerability”
FAILED Test #19: Eicar virus within zip file hidden using the “Blank Folding Vulnerability”
FAILED Test #20: Eicar virus within zip file hidden using the “MIME Boundary Space Gap Vulnerability”
FAILED Test #21: Eicar virus within zip file hidden using the “Long MIME Boundary Vulnerability”
PASSED Test #22: Eicar virus within zip file hidden using the “MIME Continuation Vulnerability”
FAILED Test #23: Eicar virus within zip file hidden using the “Empty MIME Boundary Vulnerability”
FAILED Test #24: Test for the “Partial (Fragmented) Vulnerability”. This does not include Eicar virus, but your mail server still must block this since it can break a virus into multiple emails and reassemble it in your inbox.
PASSED Test #25: Attachment with a CLSID extension which may hide the real file extension. This does not include Eicar virus, but your mail server still must block this since it can hide the true extension of a file.
Hi all,
Bill Boebel (the author of www.testvirus.org) confirmed to me that there had been several bugs in his test set. So after the update, avast!'s results are… (see picture below)
You can see 5 “failed” tests, but give me a chance to explain them:
#4 - in my opinion (and also for OE, Outlook) that is not an attachment. The body of the attachment is in the text part of the email (as normal text). It’s the same situation as when you have a virus in a picture file. There is no program to execute the text part of an email (or the picture in my example) as executable code…
#12 - see posts above
#16 - the eicar definition is not precise (if you modify it the right way, avast! will catch it!)
#24 - the only real problem in avast! - partial messages. We will fix it in a future version.
#25 - doesn’t contain a virus, but avast! catches these kinds of viruses (in this case, the avast! heuristic module warns you about the dangerous extension)
The following tests will fail if you try them with the current version, but:
#14 - TNEF packer will be in avast! 4.5
#23 - has been fixed today ;-))) The patch will be in the next program update
Well, on my tests, I got everything OK.
Most of them were picked up by the NAV mail server (my ISP), one was picked up by avast! Mail heuristics, and the last one was automatically thrown in the spam folder by Opera. Pretty cool hehe
Just made a try with eicar stuff at www.testvirus.org with the last 4.5 version (4.5.518 and VPS 0446-2).
Avast failed 4 times:
Test #4 uuencode: Pavels has already given his opinion about it. There is no harm until uudecode takes place (who still uses uudecode in Windows?)
Test #14: TNEF support. Pavels said (in this thread) that it will be supported in 4.5. Not in the mail scanner for the moment. But if the attached file is scanned through avast it correctly detects eicar. So it’s not really an issue, even if it would be safer if it could be detected by the mail scanner. Maybe it’s because I’m using Thunderbird and TNEF is a Microsoft format, but given the way avast handles mail it doesn’t sound like a good explanation.
Test #17: Caught before. Is it because of Thunderbird? Maybe I can’t see any attachment in the mail???
Test #27: A new one. WinRAR can uncompress the modified archive without a problem. Hopefully avast sees the eicar in the uncompressed file, but it would be better if it could handle such a modified archive.
Here is the description of the failed tests:
sent Test #4: Eicar virus sent using uuencoding
sent Test #14: Eicar virus sent in a Microsoft TNEF file (winmail.dat)
sent Test #17: Eicar virus hidden using the “CR Vulnerability” (attachment can be opened by all versions of Microsoft Outlook and Outlook Express)
sent Test #27: Eicar virus within a ZIP file that has been manipulated to evade detection by some anti-virus software by changing the uncompressed size to zero within the ZIP file headers.
IMO, tests 14 and 27 are little issues, but we shouldn’t forget that avast passed all the other tests.
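
Added example, not part of the thread and not avast!'s code: a sketch of the two mail-scanner checks discussed for Test #4 and Test #24, pulling uuencoded blocks out of a plain-text body so they can be handed to a scanner, and flagging message/partial fragments. The sample messages, addresses and payload are constructed for illustration.

```python
import binascii
import re
from email import message_from_string

# Constructed samples (not from the thread); the payload is harmless text.
PAYLOAD = b"constructed harmless test payload\n"
SAMPLE_UU = (
    "From: a@example.test\nTo: b@example.test\nSubject: uu sample\n"
    "Content-Type: text/plain\n\nHello, file follows.\n"
    "begin 644 sample.txt\n" + binascii.b2a_uu(PAYLOAD).decode("ascii") + "`\nend\n"
)
SAMPLE_PARTIAL = (
    "From: a@example.test\nTo: b@example.test\nSubject: part 1\n"
    'Content-Type: message/partial; id="constructed-id@example.test";'
    " number=1; total=2\n\nfragment of an enclosed message\n"
)

UU_BEGIN = re.compile(r"^begin [0-7]{3,4} (\S.*)$")


def extract_uu_blocks(text):
    """Return [(filename, decoded_bytes)] for each begin/end block in text."""
    blocks, name, data = [], None, b""
    for line in text.splitlines():
        if name is None:
            m = UU_BEGIN.match(line)
            if m:
                name, data = m.group(1).strip(), b""
        elif line.strip() == "end":
            blocks.append((name, data))
            name = None
        elif line.strip():
            try:
                data += binascii.a2b_uu(line.encode("ascii", "replace"))
            except binascii.Error:
                name = None  # not a valid uu line: abandon this block
    return blocks


def inspect_message(raw):
    """Return findings a mail scanner should act on for one raw message."""
    findings = []
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype == "message/partial":
            # A fragment cannot be scanned alone; report it for blocking.
            findings.append(("partial", part.get_param("id")))
        elif ctype == "text/plain" and not part.is_multipart():
            body = part.get_payload(decode=True).decode("latin-1")
            for fname, data in extract_uu_blocks(body):
                findings.append(("uuencoded", fname, data))
    return findings
```

The decoded bytes in each `uuencoded` finding are what would be passed to the file scanner, the same way an ordinary MIME attachment is.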