I did some testing (Someone from Alwil should read this)

Hey guys, PotatoMan here!

I recently did a test on the heuristics of avast! Professional 4.8, with today’s detections.

I put the EICAR test string into notepad and saved it as free.com. Almost immediately the standard shield detected it. Good, everything is good right? I scanned it with Spybot and MalwareBytes - Same thing. Sweet! All security apps found it! Good so far.

I then uploaded it to VirusTotal. All 36 engines detected it! Awesome!

But wait…

What if I modified the EICAR test string?

What if I changed three letters?

This is the unmodified test string:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

This is the modified one (look at the word STANDARD):

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDING-ANTIVIRUS-TEST-FILE!$H+H*

I entered this in notepad and once again saved it as free.com.

Wait, something is not right here…

No warning? No popup? No loud and sudden “A virus has been detected”???

So I thought, something must be wrong with the standard shield. I scanned it with the on demand scanner. Nothing.

I then scanned with Spybot and MalwareBytes. Still nothing!

Wow, what is going on here?

These are the VirusTotal results from the modified free.com:

AhnLab-V3 2008.8.21.0 2008.08.22 -
AntiVir 7.8.1.23 2008.08.23 -
Authentium 5.1.0.4 2008.08.23 EICAR_Test_File
Avast 4.8.1195.0 2008.08.22 -
AVG 8.0.0.161 2008.08.22 -
BitDefender 7.2 2008.08.23 -
CAT-QuickHeal 9.50 2008.08.22 -
ClamAV 0.93.1 2008.08.23 -
DrWeb 4.44.0.09170 2008.08.23 -
eSafe 7.0.17.0 2008.08.21 -
eTrust-Vet 31.6.6039 2008.08.21 -
Ewido 4.0 2008.08.23 -
F-Prot 4.4.4.56 2008.08.23 EICAR_Test_File
F-Secure 7.60.13501.0 2008.08.23 -
Fortinet 3.14.0.0 2008.08.23 -
GData 2.0.7306.1023 2008.08.20 -
Ikarus T3.1.1.34.0 2008.08.23 -
K7AntiVirus 7.10.425 2008.08.22 -
Kaspersky 7.0.0.125 2008.08.23 -
McAfee 5368 2008.08.22 -
Microsoft 1.3807 2008.08.23 -
NOD32v2 3382 2008.08.23 -
Norman 5.80.02 2008.08.22 -
Panda 9.0.0.4 2008.08.23 -
PCTools 4.4.2.0 2008.08.23 -
Prevx1 V2 2008.08.23 -
Rising 20.58.52.00 2008.08.23 EICAR-Test-File
Sophos 4.32.0 2008.08.23 -
Sunbelt 3.1.1575.1 2008.08.23 -
Symantec 10 2008.08.23 -
TheHacker 6.3.0.6.060 2008.08.23 -
TrendMicro 8.700.0.1004 2008.08.23 -
VBA32 3.12.8.4 2008.08.22 -
ViRobot 2008.8.22.1346 2008.08.22 -
VirusBuster 4.5.11.0 2008.08.23 -
Webwasher-Gateway 6.6.2 2008.08.23 -

Link: http://www.virustotal.com/analisis/8e55f210347ef61db097635888ef3fe5

This just shows how terrible heuristics are. I hope this is improved on in V5.

What is your guys opinions???

Well, I think that when you changed the letters the EICAR test stopped being a virus…that’s why all the engines didn’t detect it…the 2 or 3 AVs that found it as a virus must have found false positives…heuristics doesn’t work like that…(by modifying a “virus” you can make it not be a virus anymore…)

I think you don’t understand. Do you know how Eicar is coded?

When you open EICAR, it displays the message, EICAR STANDARD ANTIVIRUS TEST FILE, I edited it so it would say EICAR STANDING ANTIVIRUS TEST FILE. All I did was change what it said, it still has the qualities of a virus.

The EICAR test is not a virus.

Most AVs don’t detect modifications of the EICAR test, except the ones allowed by EICAR, as the test was used by malware authors to fool users and analysts into believing that their malware was just a test.

There is a strict policy about EICAR. You can find it on their page. If the modification isn’t bound to those rules, an AV not detecting it is not really the one to blame.
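To make that policy concrete, here is a small checker, added as an illustration (it is not code from this thread, from avast, or from EICAR), that applies the rule EICAR publishes for its test file: the file must begin with the exact 68-byte string, may be followed only by whitespace (space, tab, LF, CR, CTRL-Z), and must not exceed 128 bytes in total. The two strings are the ones posted above; the function names and the constructed sample inputs are mine.

```python
# Validator for the EICAR test file, written as an added example.
# The 68-byte string is copied from the thread; the trailing-whitespace
# and 128-byte rules are the ones EICAR publishes for the test file.
# A raw string keeps the backslash before "P" literal.
EICAR_STRING = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# The three-letter change made in the thread (STANDARD -> STANDING).
MODIFIED_STRING = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDING-ANTIVIRUS-TEST-FILE!$H+H*"

assert len(EICAR_STRING) == 68, "the EICAR string must be exactly 68 bytes"

# Only these bytes may follow the 68-byte string, and the whole file
# must be at most 128 bytes.
ALLOWED_TRAILER = b" \t\n\r\x1a"
MAX_LENGTH = 128


def check_eicar(data: bytes) -> tuple:
    """Return (is_valid, reason) for a candidate EICAR file body.

    A scanner that honours EICAR's rules will flag exactly the inputs this
    function accepts; anything else is simply not the EICAR test file.
    """
    if len(data) > MAX_LENGTH:
        return False, "file is %d bytes, limit is %d" % (len(data), MAX_LENGTH)
    prefix = EICAR_STRING.encode("ascii")
    if not data.startswith(prefix):
        return False, "does not start with the 68-byte EICAR string"
    trailer = data[len(prefix):]
    if any(b not in ALLOWED_TRAILER for b in trailer):
        return False, "non-whitespace bytes after the EICAR string"
    return True, "valid EICAR test file"


def differing_offsets(a: str, b: str) -> list:
    """Byte offsets at which two equal-length strings differ."""
    if len(a) != len(b):
        raise ValueError("strings must be the same length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    # Constructed sample inputs: the original string, the original with a
    # Windows line ending (allowed), the three-letter edit, and an overlong file.
    samples = {
        "original": EICAR_STRING.encode("ascii"),
        "original + CRLF": EICAR_STRING.encode("ascii") + b"\r\n",
        "modified (STANDING)": MODIFIED_STRING.encode("ascii"),
        "original + 61 spaces (129 bytes)": EICAR_STRING.encode("ascii") + b" " * 61,
    }
    for name, body in samples.items():
        ok, reason = check_eicar(body)
        print("%-36s %s: %s" % (name, "PASS" if ok else "FAIL", reason))
    print("offsets changed by the edit:", differing_offsets(EICAR_STRING, MODIFIED_STRING))
```

Running it shows that the edited file fails at the very first rule (it does not start with the 68-byte string, because bytes 39 to 41 differ), which is why engines matching the real test file ignore it: the string is the signature, not a "message" that the file displays.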

Changing three letters is not even a real modification, all it does is make the message say something different when the EICAR file is launched. I swear, does everyone think I am stupid? Have you ever heard of EICAR_TEST.Modified? I got this idea from a link on wikipedia by the way.

EICAR doesn’t allow such modifications, so most AVs don’t detect them, for security reasons.

Well then there was no freaking point in doing this test, cause every member on this forum is going to do everything in their power to prove me wrong. Please lock this thread.

Mate, calm down…we don’t want to prove you wrong and there is no reason to do it…I just don’t think that by modifying 3 letters in the EICAR test you can test heuristics…it’s not reliable…it doesn’t make sense…the virus is the code written in the EICAR test…if you modify it, it stops being a virus…if you modify a letter of the code inside a game, will the game work??? No. Why? Because the code isn’t right…maybe by doing other modifications you can test heuristics, but I don’t think that changing 3 letters is the way…I wish you’d prove me wrong…I really do…check www.av-comparatives.org to see the heuristics of each AV…

I have a PhD in computer science and have been removing malware off of people’s computers for three years now. I know what AV-Comparatives is. According to AV-Comparatives, avast! has a 29% heuristic detection of new malware. OK

If I code a virus in VBScript to show a popup saying

Your computer has a virus! Go to fakeavhere.com to fix this!!

Which would be

lol = MsgBox("Your computer has a virus! Please go to fakeavhere.com to fix this!", 16, "Infection!")

Now If I modified it to say

Your computer has a trojan!

It would be

lol = MsgBox("Your computer has a trojan!", 16, "Infection!")

Which would not make the popup not a popup, but would just make it say something different. This is what I did with EICAR.

Sounds more like the pedantic ramblings of the resident curmudgeon ;)

Well, I don’t have any diploma in computer science since I’m only 18…you may be right since you’re a computer expert…can you link any site that has a guide to doing such things? I like learning stuff like this 8)

I learned from the master: "So how did I get infected in the first place?" © Tony Klein http://www.freedomlist.com/forum/viewtopic.php?t=22879

Oh, how mature, bring on the parade of poetic insults, that is very insightful, well I don’t find your masquerade funny in the slightest since.

Sounds more like the smart buttox ramblings of the resident know it all :wink:

How about a little common sense…hmmm?
PotatoMan, I do understand what you are saying, and the little message mod you made to the test string.

Having said that, let’s try a more sensible approach to the subject.
There are dozens of anti-virus programs. Why?
There are a whole handful of online comparisons, testers, blogs, info overload, all about the subject of viruses. Again I ask…why?
There are entire support groups employed by anti-vir companies to deal with viruses, questions, product support… same question…why?

The answer is very simple.
For every detection method, there is going to be some script kiddie who is going to figure a way around it.
Since this process is an ongoing affair with “who is smarter” running the show, anti-vir software is always going to be a process in development, hence the constant updates to the virus database.
There is NO SUCH THING as the perfect anti-virus software. Also there is NO software available that is going to work 100% of the time with 100% of all viruses, old and unknown.
So, the end user has to decide which program works the best for them.
I personally use avast because of its modular construction. I like having some control over the different types of shields.
Others may prefer something else altogether. The point is, you can rattle the alarm button all day long, it will not change these simple facts:
#1 All anti-virus products will always be “developing” better detection methods.
#2 For every detection method made, there WILL be a script kiddie to figure a way around it.
#3 Because of number 2, no anti-virus program is perfect.
#4 The only “PERFECT” method for not getting a virus is…do not surf the web. Download nothing into the system.

You can create all the alternative tests you want…(just like a script kiddie)…but in the end, I challenge you to find the “perfect” anti-vir software. It simply does not exist.
Just my two cents.

http://archive.cert.uni-stuttgart.de/bugtraq/2003/06/msg00251.html

Might be helpful in this discussion.

I agree 99.99991%

THAT IS THE LINK I GOT OFF OF WIKI!

That is the inspiration for this thread.

Now that someone else has done the same thing, I guess I am not so stupid, hmm?

PotatoMan,

You admit to being a plagiarist. Thus, any degrees you may hold are not worth the paper they are written upon. Which non-English speaking institution(s) awarded your claimed qualifications?

O.K. Troll, I will play your way.

No, I did NOT take anything I wrote from above link, merely the ideal, and therefore your accusation of plagiarism is indeed void.

In the future, please make sure that you have read my whole post before proceeding to post stupid stuff.

I graduated from ITT Tech (see link) in 2007. itt-tech.edu/ with a PhD in Computer Science. Ever since 2005, three of my college friends have been running a business out of Toledo, removing Malware from computers.

Anything else?