eicar testing

New user
Win98 SE
OE-5.5; IE-5.5
Avast-4.6.691 VPS 0536-2

I hope there’s an easy answer to this. Since I’m new to avast! I’ve been testing the installation with eicar (& the jpg exploit). Most of the tests check out fine.

However, when I copy the eicar text file into an email…

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

and mail it to myself, I get the pop-up warning ‘Caution, a virus has been detected’. Whether I click ‘delete’ or ‘move to vault’, the email message is still being sent. Why isn’t the message being deleted? I checked my options under ‘Internet Mail’ and there’s no check mark for ‘send infected mail’. It should be deleted or moved.

Thanks for your response.

I use OE-5.5 and Avast is filtering my mail.

So, you say that you simply copied the EICAR string into the e-mail body and sent it?
Can you post a screenshot of the warning window, please?

Yes, I copied the eicar text string into a new mail message and mailed it to myself.

Sorry, I can’t post a pic of the screenshot. Don’t have the means to do that. But it’s the standard pop up, “caution, a virus has been detected” statement or voice in a black and yellow box.

I just tried it again and the message gets sent with a statement at the bottom, ‘INFECTED’. Here’s a copy:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

avast! Antivirus: Outbound message INFECTED:
\PartNo_0#2378949696 (EICAR Test-NOT virus!!) was deleted from the message.

Virus Database (VPS): 0536-2, 09/07/2005
Tested on: 9/7/05 2:29:50 PM
avast! - copyright (c) 1988-2005 ALWIL Software.

Make sure you have “Allow sending of infected mail” in the Internet mail provider unchecked.

Yep. I already posted that it was not checked.


A different test with an attachment of eicar2.zip went well. It was detected, the attachment was stripped off or deleted from the message, and then the email was sent. Here’s a copy:

test

avast! Antivirus: Outbound message INFECTED:
\eicar.zip#2228673907\eicar.com (EICAR Test-NOT virus!!) was deleted from the message.

Virus Database (VPS): 0536-2, 09/07/2005
Tested on: 9/7/05 2:57:49 PM
avast! - copyright (c) 1988-2005 ALWIL Software.
http://www.avast.com

I’m not sure that you have the correct string; otherwise I would have thought that when you pasted it into the forum, Web Shield should have alarmed whenever anyone went to the thread?

Can anyone at Alwil confirm this action by web shield detecting the eicar string in a web page?

Well I got the text string from the official web site:

http://www.eicar.org/anti_virus_test_file.htm

scroll down to the bottom and click on “eicar.com.txt”. It must be right because Avast alarms and says it’s infected. It’s just that it shouldn’t be sent out through OE. (I do not have “Allow sending of infected mail” checked.)

Thanx.

Strange, I would have expected web shield to alarm when it found the string in a web page, perhaps not.

First, the important thing: if you read the eicar.org page carefully, you’ll find out that the Eicar test string should be detected if and only if it is at the very beginning of the file, the file is not longer than 128 bytes, and the fixed test string is padded only with white space. So, it is not detected in this web page.

For the same reason, it should not be detected in the e-mail body either.
According to the detected object (\PartNo_0#something), I would say that the e-mail client is actually sending the message in two forms - first, as an e-mail (the “body”), and second, as an attachment (probably a text file containing the eicar string only). The attachment is what was detected and deleted; the e-mail itself was (correctly) left as it was.
To be absolutely sure, it would be necessary to check the e-mail source (before it was sent), but I think this is quite a likely explanation.

I think he wants to say that he didn’t attach the EICAR string as a text file attachment. He pasted the EICAR string right into the e-mail message body.
Anyway, it shouldn’t be sent if it’s detected when incoming.

Thanks for your reply.

That makes sense as to why it’s not detected in a web page… “Eicar test string should be detected if and only if it is in the very beginning of the file, the file is not longer than 128 bytes”

In the email body, the text string is the first thing in the message. It IS being detected. That’s good. But my concern is that it is being sent out of my email client even when I say to delete it… or vault it, etc.

Thanx.

I know - but Outlook likes to send the message “twice”. At least, I often receive e-mail where the message is duplicated somehow - the e-mail body contains the message, but it’s also included as an attachment. It’s probably because one of them is TXT, and the other HTML, don’t know - but I’m sure the sender didn’t type two identical messages :wink:

It wasn’t - check the appended notes. In the outgoing message, the string was detected and deleted; you only don’t see it was deleted, because it was the attachment that was removed, the string in the e-mail body was left intact - and that’s what the e-mail client displays when you receive it (so, you may think avast! didn’t do anything).

In the email body, the text string is the first thing in the message.

No. You can see it in the beginning, but there are lots of (normally invisible) e-mail headers before that.

Okay, I’m confused here. The eicar text string was the first thing in the body of the message. IT WAS DETECTED. No problem with that… that’s good. But the setting I have in avast is NOT TO SEND infected email. Since the eicar message was detected, I click on ‘delete’. It is still mailed… and I receive the email with the eicar text string. At the bottom of the message it says “Outbound message INFECTED:”. Now I understand why the received message was not detected as infected: because of all the spaces around the text string (as you pointed out, RejZoR).

I just want to make sure I have things set right and avast is working correctly. This is the only test I’m having trouble with. Something doesn’t seem just right. The attachment of eicar (a different test) works just fine. The attachment is stripped off.

BTW, I’ve never had any trouble with double emails being sent with Outlook Express.

Thanks.

I was trying to explain that:

  • The fact that the eicar string was the first thing in the body of the message doesn’t mean that it was the first in the real e-mail “file”; the e-mail consists of many parts you normally don’t see (the headers in particular: “From”, “To”, “Subject”, …). So, the string sent in the body is not the first part of any e-mail.

  • I believe that when you pasted the Eicar test string into the e-mail and sent it, Outlook actually sent the following:

  1. E-mail headers
  2. The e-mail body, containing the Eicar test string
  3. An attachment, containing the Eicar test string again

The 3rd part is what avast! detected and removed when you clicked Delete (so, it was not mailed). The 2nd part, however, was (correctly) not detected and kept in the e-mail (and sent). That is what you see when you receive the message.
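As an added example that is not part of the thread and not avast!’s own code, the following Python models the two points Igor makes above (and in his earlier reply about the eicar.org rule): a check implementing the eicar.org detection rule (string at the very start, file at most 128 bytes, only white space after the string), and a mail scanner that parses a message into its MIME parts, tests each attachment on its own, removes a matching attachment and leaves the rest of the message in place. The message is constructed here to mirror the layout Igor describes (headers, a body holding the string, and a text attachment holding it again); the addresses, the attachment name eicar.com.txt and the two-copy layout itself are assumptions, since the thread never shows the original message source.

```python
import email
from email import policy
from email.message import EmailMessage

# The 68-byte EICAR test string, assembled from two halves so that this
# source file itself does not begin with it and match the rule below.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

# Padding characters eicar.org allows after the string: space, tab, LF, CR, CTRL-Z.
EICAR_PADDING = b" \t\n\r\x1a"


def is_eicar_file(data: bytes) -> bool:
    """The eicar.org rule: the string must be the very first thing in the
    file, the file may be at most 128 bytes long, and only white space may
    follow the string. Anything in front of it (an HTML page, e-mail
    headers) means no match."""
    if len(data) > 128 or not data.startswith(EICAR):
        return False
    return data[len(EICAR):].strip(EICAR_PADDING) == b""


def build_two_copy_message() -> bytes:
    """Constructed sample: the EICAR string pasted as the body and carried a
    second time as an attachment, the layout Igor suspects Outlook Express
    produced. Addresses and the attachment filename are assumptions."""
    msg = EmailMessage()
    msg["From"] = "me@example.invalid"
    msg["To"] = "me@example.invalid"
    msg["Subject"] = "eicar testing"
    msg.set_content(EICAR.decode("ascii") + "\n")
    msg.add_attachment(EICAR, maintype="application",
                       subtype="octet-stream", filename="eicar.com.txt")
    return msg.as_bytes()


def scan_message(raw: bytes):
    """Mail-stream scan: parse the raw message, decode each top-level MIME
    part and test the attachments against the rule. Matching attachments are
    dropped and the remainder is re-serialised, so the recipient still gets
    the body. Returns (cleaned message bytes, names of deleted parts)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    deleted = []
    if msg.is_multipart():
        kept = []
        for part in msg.iter_parts():
            content = part.get_payload(decode=True) or b""
            if part.is_attachment() and is_eicar_file(content):
                deleted.append(part.get_filename() or "unnamed part")
            else:
                kept.append(part)
        msg.set_payload(kept)
    return msg.as_bytes(), deleted


def count_attachments(raw: bytes) -> int:
    """Number of attachment parts in a raw message (used to verify a scan)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return sum(1 for _ in msg.iter_attachments())


if __name__ == "__main__":
    # Constructed inputs: the bare string, padded copies, a web page that
    # merely contains the string, and the two-copy e-mail.
    print("bare string      :", is_eicar_file(EICAR))
    print("padded to 128    :", is_eicar_file(EICAR + b" " * 60))
    print("129 bytes        :", is_eicar_file(EICAR + b" " * 61))
    print("inside a web page:", is_eicar_file(b"<html><body>" + EICAR))
    raw = build_two_copy_message()
    print("raw e-mail file  :", is_eicar_file(raw))  # headers come first
    cleaned, deleted = scan_message(raw)
    print("deleted parts    :", deleted)
    print("attachments left :", count_attachments(cleaned))
```

Run as a script it prints the outcome for each constructed input; the raw e-mail never matches as one file because the headers precede the string, which is the point made about the web page as well. One caveat worth keeping in mind: the text body part, decoded on its own, is just the string plus a newline and would satisfy the same rule, so whether a body is flagged depends entirely on whether the scanner tests that part in isolation; this model, like the appended avast! notes in the thread, only removes attachments.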

Thanks Igor,

I think I understand your description. Thanks for taking the time to explain. :slight_smile:

As I may have mentioned before, I had been using McAfee AV (Vers 7 - the last good ver IMHO) for quite some time and am just not familiar with Avast’s operation. I had just hoped that since the email was detected as ‘infected’, the whole message would not be sent. BUT I understand that normally an infected email would have the attachment that was infected. In this case, the attachment would be stripped off… like it was in my other test. This way the recipient would receive at least the body of the message.

Thanks again.