EICAR detected only by dragging into BoClean...

I was just testing my newly modified icons, so I used EICAR as my tool to display the required icon (the warning icon in this case). However, what I noticed is more surprising than icons, and I’m not sure if this is normal. Executing EICAR from the desktop doesn’t trigger BoClean at all, but dragging it into the BoClean interface does trigger it. Am I missing something, or is there a problem with BoClean?
I don’t want real malware to just walk past BoClean even though it has definitions to detect it…

I’m using Windows Vista Home Premium 32-bit (fully updated) and AOL Active Virus Shield (disabled during this test). BoClean is version 4.24.

To test c-BOClean, you need to use either GRC’s “leaktest” or the “trojansimulator”, or both…

Here are the links for those:


I don’t know what to tell you about the “eicar” bit, except that I wouldn’t worry about it…

From what I know, leaktests/firewall bypassing is for firewalls, not for anti-trojans.

(someone “famous” did this and called him ----)

Hiya! That was done QUITE deliberately as we’d intended to add “file detection” to BOClean and because people had complained that we didn’t detect EICAR on the “drag and drop” thing, we added that FILE-ONLY sig as a “courtesy.” EICAR is designed as a file sig for testing, and even though you can execute it to display the text message within, it doesn’t DO anything or call ANY API functions that can do much of anything. Simply put, it’s a “hello world” print to screen application and nothing else. As a result, there is no memory signature for that AV test file … but since people insisted on dragging and dropping it, we did create a “file sig” for it and thus, BOClean does what I designed it to do WRT that particular file. Some so-called “AT tests” included the EICAR thingy so we had to at least include a detect as a file for it. But it runs for too short a time, does nothing, and is not a threat at all so I personally never felt the need to add a file hook there to BOClean which might interfere with an AV doing its job. In fact a LOT of BOClean’s “holdoffs” were done DELIBERATELY so as to let an AV do its thing and ONLY if the AV failed to catch it, would WE step in a few milliseconds later. And for our “get along” design, we’ve been dissed MANY times. :(

Well, I usually take it on the developer’s comment, since they usually don’t hide stuff, so drag & drop wouldn’t even be necessary. I just like to have some benign test file to check my programs.
I wanted to test my hacked icons version to see if the hack itself could cause detection problems.
But then I restored the original executable, which resulted in the same issue, so I found that it’s not related to my hack but apparently the program design itself (or shall I say the nature of the EICAR file).

Trojan Simulator did the trick (detected by BoClean).