If nothing else, I was playing around today testing heuristic pickups on EICAR with Avast and various other AV products. I am aware Avast has no heuristics, but I at least expected it to pick up some, and it didn't. =( Any date on when we can see some advanced heuristics in Avast? Pretty please?
Anyway, interestingly, the full version of Command AV picked up everything. First, here are my modifications of EICAR, very simply changing the text within EICAR, and on one occasion completely removing the text to see if any AVs would pick up fragments. I found that DrWeb simply looks for "Eicar" in every file, nothing more, nothing less, and doesn't even use heuristics for that. Avast was fooled by any alteration, even changing "Standard" to "Standing"... Ugh.
Smith1.Txt
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDING-ANTIVIRUS-TEST-FILE!$H+H*
(Changed STANDARD to STANDING)
Smith2.Txt
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICON-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
(Changed Eicar to Eicon)
Smith3.Txt
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICON-STANDING-ANTIVIRUS-TEST-FILE!$H+H*
(Changed EICAR to EICON, and STANDARD to STANDING)
Smith4.Txt
X5O!P%@AP[4\PZX54(P^)7CC)7}$BALLZ-STINDORK-ANTISACKS-TEST-FORK!$H+H*
(Random Words)
Smith5.Txt
X5O!P%@AP[4\PZX54(P^)7CC)7}$!$H+H*
(Completely removed text string)
Smith6.Txt
X5O!P%@AP[42233\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
(Additional Numbers added to binary)
Smith7.Txt
X5O!P%@AP[42233\PZX54(P^)7CC)7}$RAIC-TARNDARD-ILIKESMOKE-TUST-FULE!$H+H*
(Inserted random letters, with additional numbers added into the binary)
Smith8.Txt
X5O22!P%@AP[4\PZX5422(P^)7CC)7}$!$H+H*
(Removed text string, inserted 22 twice into string to break up signature)
Command AV 4.90.4 Results:
Started scan: 6/14/2004 4:33:03 PM
C:\Downloads\SmithTest\Smith1.txt Infection: EICAR_Test_File.unknown?
C:\Downloads\SmithTest\Smith2.txt Infection: EICAR_Test_File (exact)
C:\Downloads\SmithTest\Smith3.txt Infection: EICAR_Test_File.unknown?
C:\Downloads\SmithTest\Smith4.txt Infection: EICAR_Test_File.unknown?
C:\Downloads\SmithTest\Smith5.txt Infection: New or modified variant of Trivial
C:\Downloads\SmithTest\Smith6.txt Infection: New or modified variant of Trivial
C:\Downloads\SmithTest\Smith7.txt Infection: New or modified variant of Trivial
C:\Downloads\SmithTest\Smith8.txt Infection: New or modified variant of Trivial
Discuss?
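To make the three behaviours seen above concrete (an exact-string signature, a loose "EICAR" substring check, and a fragment-based heuristic), here is an added example that is not part of the original post and is not any vendor's detection logic: three toy detectors run over the eight Smith variants exactly as posted, plus one constructed benign control line. The canonical EICAR string is assembled from three pieces so the script itself does not carry the contiguous signature.

```python
import difflib

# Canonical 68-byte EICAR test string, assembled from three pieces so that this
# source file does not itself contain the contiguous string scanners key on.
EICAR_HEAD = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
EICAR_BODY = "EICAR-STANDARD-ANTIVIRUS-TEST-FILE"
EICAR_TAIL = "!$H+H*"
EICAR = EICAR_HEAD + EICAR_BODY + EICAR_TAIL

# The eight variants from the post, copied verbatim, plus a benign control line
# (constructed here, not from the post) to check the heuristics for false positives.
SAMPLES = {
    "Smith1.txt": "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDING-ANTIVIRUS-TEST-FILE!$H+H*",
    "Smith2.txt": "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICON-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    "Smith3.txt": "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICON-STANDING-ANTIVIRUS-TEST-FILE!$H+H*",
    "Smith4.txt": "X5O!P%@AP[4\\PZX54(P^)7CC)7}$BALLZ-STINDORK-ANTISACKS-TEST-FORK!$H+H*",
    "Smith5.txt": "X5O!P%@AP[4\\PZX54(P^)7CC)7}$!$H+H*",
    "Smith6.txt": "X5O!P%@AP[42233\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    "Smith7.txt": "X5O!P%@AP[42233\\PZX54(P^)7CC)7}$RAIC-TARNDARD-ILIKESMOKE-TUST-FULE!$H+H*",
    "Smith8.txt": "X5O22!P%@AP[4\\PZX5422(P^)7CC)7}$!$H+H*",
    "control.txt": "Just a normal text file with nothing interesting in it.",
}


def exact_signature(data: str) -> bool:
    """Whole-string match: the strictest possible signature, defeated by any edit."""
    return data == EICAR


def loose_substring(data: str) -> bool:
    """Case-insensitive 'EICAR' anywhere in the file (the DrWeb-style check the post describes).

    Survives STANDARD->STANDING (Smith1) but is fooled by EICAR->EICON (Smith2)."""
    return "EICAR" in data.upper()


def longest_shared_run(data: str, reference: str = EICAR) -> int:
    """Length of the longest run of bytes the file shares with the reference, at any offset.

    A toy stand-in for fragment/heuristic matching: inserting '2233' into the header
    (Smith6/7) or stripping the text (Smith5/8) still leaves long shared runs."""
    matcher = difflib.SequenceMatcher(None, data, reference, autojunk=False)
    return matcher.find_longest_match(0, len(data), 0, len(reference)).size


def fragment_heuristic(data: str, min_run: int = 10) -> bool:
    """Flag the file if it shares at least min_run consecutive bytes with the reference."""
    return longest_shared_run(data) >= min_run


def classify(data: str) -> str:
    """Tiered verdict loosely modelled on the three kinds of result in the post
    (hypothetical labels, not any product's own)."""
    if exact_signature(data):
        return "exact"
    if loose_substring(data):
        return "named variant"      # keyword intact, structure altered
    if fragment_heuristic(data):
        return "modified variant"   # keyword gone, structural fragments remain
    return "clean"


def scan(samples: dict = SAMPLES) -> dict:
    """Run classify() over every sample and return {filename: verdict}."""
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:12s} run={longest_shared_run(SAMPLES[name]):2d}  {verdict}")
```

Running it shows the pattern the scan results above hint at: none of the eight files is an exact hit, only Smith1 and Smith6 keep the "EICAR" keyword, and every Smith file still shares at least a 14-byte run with the canonical string (Smith8, the most broken-up one, shares "!P%@AP[4\PZX54"), while the control line shares nothing. Raise `min_run` and the fragment detector starts losing the heavily edited files; lower it and ordinary text would start to match.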