Special Viruses

Hello,

I found those samples on the Kaspersky web site; even though the virus is EICAR, avast does not seem to recognize the file as infected.

http://tav.kaspersky.fr/test/Eicarhqx.bin
http://tav.kaspersky.fr/test/suspicious.exe
http://tav.kaspersky.fr/test/warning.exe
http://tav.kaspersky.fr/test/Eicarmsc.bin
http://tav.kaspersky.fr/test/Eicar.msc

Thank You

MounierNetwork

P.S: Keep up the good work Alwil :wink:

Hi mouniernetwork,

But the DrWeb hyperlink scanner add-on finds them all.
Glad I have it on board as a little add-on inside my browser.

polonus

It just looks like avast doesn’t support/unpack ‘MS Compress’ or ‘archive MAIL’, so if this was unpacked from MS Compress, then it would be detected?

Dr Web didn’t find them all:
“suspicious.exe - OK”
“warning.exe - OK”

Archives by their nature are inert until unpacked and then run, so the risk is low in downloading an archive file. Once unpacked then it could be detected.

So all there is to do is for Alwil to add those two unpackers :slight_smile: Right?
That should be easy ;D
Do you think it will be added in the next release?

Mounier Network

I can’t speak for Alwil, as I don’t know what packers are supported or what might be supported in the near future, but avast has one of the best packages of supported packers.

I don’t know how easy or difficult it is adding additional packer support.

One of the other problems is the fact that the EICAR test virus has to be in a certain format, and some have made additions to that format that don’t conform to the standard format. In those cases, AVs that are looking for the correct format won’t find it regardless of the packer used, supported or otherwise. So it is a little more complex than simply adding packer support.

You could send the undetected EICAR test files to avast!, if you can zip and password protect (‘virus’ will do) the suspect file and send it to virus @ avast.com (no spaces). They can check and see why it wasn’t detected and possibly consider the addition of those packers if not already supported.

Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be either a new, undetected virus or a false positive, and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.
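
The format point raised above, as an added example that is not part of the thread: a Python check of whether a candidate file matches the standard EICAR layout (the 68-byte string first, optional trailing whitespace, at most 128 bytes in total). Base64 stands in here for any encoding container a scanner has to decode first, and the function names `classify` and `demo` are assumptions.

```python
import base64

# The 68-byte EICAR test string, split in two so this source file is not
# itself flagged by a scanner.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
ALLOWED_TRAILING = b" \t\r\n\x1a"  # space, tab, CR, LF, Ctrl-Z
MAX_LEN = 128                      # maximum total file length in bytes


def classify(data: bytes) -> str:
    """Return 'conforming', 'modified' or 'absent' for a candidate test file."""
    if data.startswith(EICAR) and len(data) <= MAX_LEN:
        tail = data[len(EICAR):]
        if all(byte in ALLOWED_TRAILING for byte in tail):
            return "conforming"
    # The string is present but moved, followed by other data, or too long:
    # a scanner that checks the standard layout is entitled to ignore it.
    if EICAR in data:
        return "modified"
    # Not visible at all, e.g. still inside an encoded or packed container.
    return "absent"


def demo() -> dict:
    """Classify constructed samples (all built here, none downloaded)."""
    wrapped = base64.b64encode(EICAR)  # stand-in for a container format
    return {
        "plain": classify(EICAR),
        "with_crlf": classify(EICAR + b"\r\n"),
        "prefixed": classify(b"junk" + EICAR),
        "extra_text": classify(EICAR + b" extra text"),
        "too_long": classify(EICAR + b" " * 61),
        "wrapped": classify(wrapped),
        "unwrapped": classify(base64.b64decode(wrapped)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} {verdict}")
```

A file that comes back as 'absent' needs unpacking support in the scanner, while one that comes back as 'modified' will stay undetected by a strict scanner no matter which unpackers are added.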

Actual supported packers… (at least, most of them)

I assume that this list is only selectable when using the Pro version?

Yes. The Home version uses these packers but they can’t be unselected. It’s 80 or 8, every one or no one…