EICAR Antivirus Test file (not detecting sometimes!!)

Problem with deleting EICAR Antivirus test file

CAVS sometimes fails to detect the EICAR antivirus test file, and it fails to delete the file (if found).

And the firewall is really good.

Regards
Muthusrinivasan

The problem with detection of the EICAR test file has been reported by several users. I have yet to hear a definitive answer to the problem, but I hope it is fixed with the next release.

Perhaps the CAVS team are busy concentrating on improving detection of real nasties, but it would be nice if they could fix the EICAR problem, as the test does reassure many people that their antivirus is working correctly.


I read on a NOD32 reseller page that a good antivirus would not recognize those simulated threats by EICAR because they are just that, simulated threats. Here is the exact wording:

"Simulated Virus" Snake Oil!!!

As far as ethical members of the antivirus industry are concerned, there is no such thing as a "simulated" virus.
It's either a virus or it's not ... and no decent antivirus program will detect simulated viruses.
Beware of any antivirus vendor who offers "proof" of his product's detection figures based on such rubbish.
Don't believe the results of computer magazine tests which use simulated viruses either.
They're fairy tales!

And the link: Snake Oil

Not sure how true any of it actually is, or what theory the guys in Comodo development subscribe to, but it is a thought.

psych1610

My opinion is that without an EICAR test or simulated virus you never know if your antivirus is working…

If a malware neutralizes your antivirus, with an EICAR test you know!

The resolution/workaround for FF downloads is an extension called SafeDownload. Then plug CAVS in (you’ll need to use the command line scanner) and you’ll have scans of all downloads…

There’s a thread here in CAVS forum with the command-line parameters. The module is cavscon.exe, I believe.

LM

Thanks LM, I can use the download status bar add on in a similar way.

I usually scan downloaded files manually before opening them anyway.

My real concern is that on-demand detects EICAR but on-access does not. I am wondering if the same would be true of a real virus?


Strange behaviour… One of the reasons why I won’t use CAVS at the moment.
I have reported something similar a long time ago: the email scanner detected (detects?) viruses that were (are?) missed by the on-demand scanner.

I haven’t had any problem with on-access not detecting it. Now, it won’t detect on download (apparently just with non-IE browsers), but it will if you actually try to access the file. Obviously, an on-demand scan will detect it as well.

Have you tried actually running the EICAR file after downloading? I downloaded all three versions (regular, zipped, and double-zipped) of it a while back, and CAVS triggered on all of them, whether on-demand or on-access.

The only odd detections I’ve had from the email scanner are due to an issue with TBird, as I recall; it actually had nothing to do with an email, but was a problem with the CAVS email server. I’ve never tried to email an EICAR file to myself, so I don’t know how it would react.

LM

I am not talking about test files. The on-demand scanner completely missed viruses that were sent as attachments to spam emails, although the email scanner initially detected them. It would not even detect them after saving the unaltered exe files to disk and scanning those.

I don’t know whether this has been fixed by now, but it seems to be a similar problem to the one Anderow mentioned.

Didn’t mean to imply you were talking about test files, user4; just that I don’t know how it would react to a virus, as I’ve not had one come through; I typically don’t. Since the thread was only discussing the EICAR test, I figured it was applicable to use that on the email scanner… As for why the on-demand wouldn’t detect the viruses you received, I don’t know… the engines are all different, but the database should be the same. What version of CAVS did you experience that with?

LM

I have tried this suggestion, but on my machine, also with the "SafeDownload" plug-in for Firefox (https://addons.mozilla.org/it/firefox/addon/3581) and with the cavscon.exe module with parameter "/D", the result does not change… the EICAR test file is not found.

While an on-demand scan finds it perfectly…

Correction:
the EICAR test file is found, but it is not cleaned up…

I tried all three versions and on-access did not react to any of them. Downloading, extracting the zip files, running the file - nothing from CAVS at all at any stage. I have on-access set to scan all files, highest level of heuristics, no excluded files.

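The posts above describe the same manual procedure several times: fetch the three EICAR variants (plain, zipped, double-zipped), write them to disk, extract, run, and watch whether the on-access scanner reacts at each step. The script below is an added example for reproducing that procedure without depending on a browser download; it is not code from the thread or from Comodo. It builds the 68-byte EICAR string locally, wraps it into the single- and double-zip forms under the same file names the standard distribution uses (eicar.com, eicar_com.zip, eicarcom2.zip), writes them to a directory, and reports which files are still present after a short settle period. The directory name and the two-second wait are arbitrary choices made here.

```python
"""Build the three standard EICAR test-file variants and observe on-access behaviour.

The EICAR string is a 68-byte printable-ASCII sequence that antivirus engines
detect by convention; it is harmless (a valid DOS .COM program that prints a
message). Writing the variants locally removes the browser from the test, so a
missed detection points at the scanner rather than at a download hook.
"""
from __future__ import annotations

import io
import os
import tempfile
import time
import zipfile

# The published EICAR standard string, split in two so that this source file
# itself is less likely to be flagged when a scanner reads it.
_EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
)


def eicar_bytes() -> bytes:
    """Return the exact 68-byte EICAR test string."""
    data = "".join(_EICAR_PARTS).encode("ascii")
    if len(data) != 68:
        raise ValueError("EICAR string must be exactly 68 bytes")
    return data


def zip_bytes(member_name: str, payload: bytes) -> bytes:
    """Return an in-memory zip archive holding a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def build_variants() -> dict[str, bytes]:
    """Plain, single-zipped and double-zipped EICAR, keyed by the usual file names."""
    plain = eicar_bytes()
    single = zip_bytes("eicar.com", plain)
    double = zip_bytes("eicar_com.zip", single)
    return {"eicar.com": plain, "eicar_com.zip": single, "eicarcom2.zip": double}


def unwrap(data: bytes, depth: int) -> bytes:
    """Peel `depth` zip layers off `data`; mirrors the manual extract step."""
    for _ in range(depth):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            data = zf.read(zf.namelist()[0])
    return data


def write_and_observe(dest_dir: str, settle_seconds: float = 2.0) -> dict[str, bool]:
    """Write each variant to dest_dir, wait, and report which files still exist.

    A file that is still present means the on-access scanner did not remove it on
    write; the thread's next step is then to extract or run it and look again.
    """
    os.makedirs(dest_dir, exist_ok=True)
    paths = {}
    for name, data in build_variants().items():
        path = os.path.join(dest_dir, name)
        with open(path, "wb") as fh:
            fh.write(data)
        paths[name] = path
    time.sleep(settle_seconds)  # give a real-time scanner a moment to react
    return {name: os.path.exists(path) for name, path in paths.items()}


if __name__ == "__main__":
    # Arbitrary scratch directory chosen for this example.
    target = os.path.join(tempfile.gettempdir(), "eicar-test")
    for name, present in write_and_observe(target).items():
        verdict = "still on disk (no on-access reaction)" if present else "removed (on-access reacted)"
        print(f"{name}: {verdict}")
```

Run it on a machine with the on-access scanner enabled; then, for anything still on disk, open and execute the file as the posts describe and run an on-demand scan over the directory, so the three detection paths (write, access, on-demand) can be compared directly.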

Comodo Antivirus claims to have only 23,000 signatures included in its database. Look at Avira, for example, which has 1,000,230 signatures. It’s a big difference! I will continue to support Comodo Antivirus by sending files, but I will not install it on my PC as primary antivirus (only on-demand scan, no on-access). The virus collection from the Virus Heavens website is only 12.3% detected. A long way to go and a lot of work… I hope it will get to a result.

Edward

For the record: current signatures in CAVS are 258,621, a few more than 23,000 methinks. The number is increasing rapidly with daily updates, and the new version is already being developed with an improved detection engine, which will incorporate the signatures included in BOClean.

Also, remember that CAVS has the great addition of HIPS, which is a useful first line of defence: prevention rather than cure.

Keep watching for the new CAVS version though - it will be worth it.
