Hey guys, PotatoMan here!
I recently did a test on the heuristics of avast! Professional 4.8, with today's detections.
I put the EICAR test string into Notepad and saved it as free.com. Almost immediately the Standard Shield detected it. Good, everything is good, right? I scanned it with Spybot and Malwarebytes: same thing. Sweet! All security apps found it! Good so far.
I then uploaded it to VirusTotal. All 36 engines detected it! Awesome!
But wait…
What if I modified the EICAR test string?
What if I changed three letters?
This is the unmodified test string
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
This is the modified one. (Look at the word "STANDARD".)
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDING-ANTIVIRUS-TEST-FILE!$H+H*
I entered this in Notepad and once again saved it as free.com.
Wait, something is not right here…
No warning? No popup? No loud and sudden “A virus has been detected”???
So I thought, something must be wrong with the standard shield. I scanned it with the on demand scanner. Nothing.
I then scanned with Spybot and MalwareBytes. Still nothing!
Wow, what is going on here?
These are the VirusTotal results for the modified free.com (engine, version, last update, result; "-" means not detected):
AhnLab-V3 2008.8.21.0 2008.08.22 -
AntiVir 7.8.1.23 2008.08.23 -
Authentium 5.1.0.4 2008.08.23 EICAR_Test_File
Avast 4.8.1195.0 2008.08.22 -
AVG 8.0.0.161 2008.08.22 -
BitDefender 7.2 2008.08.23 -
CAT-QuickHeal 9.50 2008.08.22 -
ClamAV 0.93.1 2008.08.23 -
DrWeb 4.44.0.09170 2008.08.23 -
eSafe 7.0.17.0 2008.08.21 -
eTrust-Vet 31.6.6039 2008.08.21 -
Ewido 4.0 2008.08.23 -
F-Prot 4.4.4.56 2008.08.23 EICAR_Test_File
F-Secure 7.60.13501.0 2008.08.23 -
Fortinet 3.14.0.0 2008.08.23 -
GData 2.0.7306.1023 2008.08.20 -
Ikarus T3.1.1.34.0 2008.08.23 -
K7AntiVirus 7.10.425 2008.08.22 -
Kaspersky 7.0.0.125 2008.08.23 -
McAfee 5368 2008.08.22 -
Microsoft 1.3807 2008.08.23 -
NOD32v2 3382 2008.08.23 -
Norman 5.80.02 2008.08.22 -
Panda 9.0.0.4 2008.08.23 -
PCTools 4.4.2.0 2008.08.23 -
Prevx1 V2 2008.08.23 -
Rising 20.58.52.00 2008.08.23 EICAR-Test-File
Sophos 4.32.0 2008.08.23 -
Sunbelt 3.1.1575.1 2008.08.23 -
Symantec 10 2008.08.23 -
TheHacker 6.3.0.6.060 2008.08.23 -
TrendMicro 8.700.0.1004 2008.08.23 -
VBA32 3.12.8.4 2008.08.22 -
ViRobot 2008.8.22.1346 2008.08.22 -
VirusBuster 4.5.11.0 2008.08.23 -
Webwasher-Gateway 6.6.2 2008.08.23 -
Link: http://www.virustotal.com/analisis/8e55f210347ef61db097635888ef3fe5
This just shows how terrible heuristics are. I hope this is improved on in V5.
What are your opinions, guys???
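An added example, my own code and not PotatoMan's: a scanner-side check that follows the published EICAR test-file rules, which accept only the exact 68-byte string at the start of the file, optionally followed by whitespace, within a 128-byte limit. Run against the two strings from the post, it reports which byte offsets the STANDING version changes and whether each constructed sample (the original, the original with a Notepad-style CRLF, the modified string, and an over-long file) still qualifies as the EICAR file. The file names and sample contents are constructed for the example.

```python
# Added example (not from the forum post): a minimal implementation of the
# EICAR test-file rules as published by EICAR. The test file is recognised by
# an exact match on the 68-byte string, not by any heuristic, so a string with
# three letters changed no longer qualifies.

EICAR_STANDARD = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Constructed from the post: "STANDARD" replaced by "STANDING"
EICAR_MODIFIED = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDING-ANTIVIRUS-TEST-FILE!$H+H*"

# Trailing bytes the EICAR rules permit after the 68-byte string
TRAILING_WHITESPACE = b" \t\r\n\x1a"
MAX_EICAR_SIZE = 128


def is_eicar(data: bytes) -> bool:
    """True if data is a valid EICAR test file: it starts with the exact
    68-byte string, is at most 128 bytes long, and anything after byte 68
    is whitespace."""
    if len(data) > MAX_EICAR_SIZE:
        return False
    if not data.startswith(EICAR_STANDARD):
        return False
    tail = data[len(EICAR_STANDARD):]
    return all(b in TRAILING_WHITESPACE for b in tail)


def differing_positions(a: bytes, b: bytes) -> list[int]:
    """Zero-based byte offsets at which two equal-length strings differ."""
    if len(a) != len(b):
        raise ValueError("strings differ in length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def scan_sample(name: str, data: bytes) -> dict:
    """Report what an EICAR signature check says about one sample."""
    return {"name": name, "size": len(data), "eicar": is_eicar(data)}


if __name__ == "__main__":
    # Constructed samples (hypothetical file names): the original string,
    # the original as Notepad might save it with a trailing CRLF, the
    # modified string from the post, and the original padded past 128 bytes.
    samples = {
        "free.com (original)": EICAR_STANDARD,
        "free.com (original + CRLF)": EICAR_STANDARD + b"\r\n",
        "free.com (STANDING)": EICAR_MODIFIED,
        "too_long.com": EICAR_STANDARD + b" " * 61,
    }
    for name, data in samples.items():
        print(scan_sample(name, data))
    print("byte offsets changed:", differing_positions(EICAR_STANDARD, EICAR_MODIFIED))
```

The CRLF sample is the practical caveat: a file saved from Notepad with a trailing line break still matches, because the rules allow whitespace after the string, while any change inside the 68 bytes or any non-whitespace byte after them means the file is simply not the EICAR test file.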