Vlk
6
known for STRONG heuristic signatures and trace detection.
Don’t you see that the eicar-mod tests just don’t make any sense?
- How heuristics work: it looks for ‘suspicious’ actions the program might be using (typically by using code emulation techniques), rates them depending on finely-tuned weights and if the sum exceeds a given threshold the file is deemed infected…
- What is eicar: eicar is a tiny DOS program that basically prints the string ‘EICAR-TEST-NOT-VIRUS’ on the screen and terminates.
You see the difference? 1. has absolutely positively NO chance to “detect” 2., has it? The eicar file is per se a completely benign, legit MS-DOS program, with NO malicious symptoms at all. Zero. Even Notepad would rate 1000x more for a heuristics engine (it can save files etc.). Its complete, unmodified string is detected because that’s what the industry agreed on, but that’s it!!
You see what I mean?
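The two mechanisms the comment contrasts, as an added toy model (this is not Vlk's code nor any real engine's): an exact-match signature check for the agreed-upon test string, and a weighted heuristic score over actions an emulator might observe. The weights, the threshold, the observed actions and the `TEST_SIGNATURE` stand-in are all constructed for illustration; the real test file's bytes are deliberately not reproduced. The example shows why an unmodified test file is flagged only by the signature path, scores zero on heuristics, and why a modified copy is (correctly) caught by neither.

```python
"""Toy model of signature-based vs. heuristic detection (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed weights for 'suspicious' actions an emulator might observe.
# A real engine uses far more features and tuned weights; these are made up.
HEURISTIC_WEIGHTS: dict[str, float] = {
    "write_file": 1.0,
    "modify_autostart": 4.0,
    "inject_into_process": 5.0,
    "disable_security_tool": 6.0,
    "self_modifying_code": 3.0,
    "print_to_console": 0.0,   # printing text is not suspicious
    "exit": 0.0,               # neither is terminating
}
HEURISTIC_THRESHOLD = 8.0  # constructed cut-off: sum >= threshold => flagged

# Placeholder for the industry-agreed test string; the actual test file
# content is intentionally not used here. Only the complete, unmodified
# string matches, mirroring how the real test file is treated.
TEST_SIGNATURE = b"EICAR-TEST-NOT-VIRUS"


@dataclass
class Sample:
    """A file plus the actions an emulator observed while running it (constructed)."""
    name: str
    content: bytes
    observed_actions: list[str] = field(default_factory=list)


def signature_match(content: bytes) -> bool:
    """Exact-match signature: the whole file must equal the agreed string."""
    return content.strip() == TEST_SIGNATURE


def heuristic_score(actions: list[str]) -> float:
    """Weighted sum of observed actions; unknown actions contribute nothing."""
    return sum(HEURISTIC_WEIGHTS.get(action, 0.0) for action in actions)


def classify(sample: Sample) -> tuple[str, float]:
    """Return (verdict, heuristic_score).

    verdict is 'signature' (exact test-string match), 'heuristic'
    (weighted score reached the threshold) or 'clean'.
    """
    score = heuristic_score(sample.observed_actions)
    if signature_match(sample.content):
        return ("signature", score)
    if score >= HEURISTIC_THRESHOLD:
        return ("heuristic", score)
    return ("clean", score)


# Constructed samples: the unmodified test file, a modified copy, a benign
# editor-like program, and a program showing several suspicious actions.
EICAR_LIKE = Sample("eicar", TEST_SIGNATURE, ["print_to_console", "exit"])
EICAR_MODIFIED = Sample("eicar-mod", TEST_SIGNATURE + b"-MODIFIED",
                        ["print_to_console", "exit"])
EDITOR_LIKE = Sample("editor", b"<constructed editor binary>",
                     ["write_file", "print_to_console", "exit"])
SUSPICIOUS = Sample("dropper-like", b"<constructed suspicious binary>",
                    ["write_file", "modify_autostart", "inject_into_process"])


def run_all() -> dict[str, tuple[str, float]]:
    """Classify every constructed sample; keyed by sample name."""
    return {s.name: classify(s) for s in (EICAR_LIKE, EICAR_MODIFIED,
                                           EDITOR_LIKE, SUSPICIOUS)}


if __name__ == "__main__":
    for name, (verdict, score) in run_all().items():
        print(f"{name:12s} verdict={verdict:9s} heuristic_score={score}")
```

Note what the output makes concrete: the test file scores 0.0 on the heuristic path and is flagged purely by the exact-match signature; alter a single byte and it matches nothing, which is the expected result rather than a detection gap. The editor-like sample scores higher than the test file yet stays clean, while only the sample with several weighted actions crosses the constructed threshold.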