Wednesday, December 23, 2009

Microsoft, Avast and McAfee Missing Simple Tests

Using the simple "Quick'n Dirty" EICAR-GTUBE-Generator 0.1 (latest version here), I hid the EICAR signature inside a simple PDF file. Now let's hand this PDF to the AV products and see what happens.

Here are the "fun" results (click to enlarge):

Isn't it strange that some AV leaders such as Microsoft, Avast and McAfee miss this easy check?
Now the obvious question: how can we be sure they recognize more complicated viruses if they miss this easy signature check?

More reading: Here, Here and Here

10 comments:

cdman83 said...

Please note that such tests are mostly invalid, because the EICAR test file was never meant to be used for testing complex situations like "file inside an archive" / "file which drops an other file" / etc, including the embedded PDF scenario you describe. Quoting from the official EICAR site (http://www.eicar.org/anti_virus_test_file.htm):

"Any anti-virus product that supports the EICAR test file should detect it in any file providing that the file starts with the following 68 characters, and is exactly 68 bytes long."

Ergo, while some vendors may implement the detection of the EICAR file in such a way that it is still detected when it is embedded in a PDF, inside an archive, etc., this proves nothing, since all that a conformant program has to do is to detect the literal copy of the EICAR file (i.e. the exact sequence of 68 bytes).

Regards.

Marco Ramilli said...

You are right, man; in fact some AVs detect EICAR, as you can see from the picture, but some others don't.

The most interesting thing to me is that some of the most important AVs don't detect the EICAR file while others do.

So, contrary to what you said, this test proves a lot. It proves that even though the EICAR file is only a standard testing file, some AV companies have elaborated on it and detect EICAR in various scenarios, while other AVs (leaders) don't.

cdman83 said...

I would respectfully disagree with some of the (implied) conclusions. You say:

"It proves that even though the EICAR file is only a standard testing file, some AV companies have elaborated on it and detect EICAR in various scenarios, while other AVs (leaders) don't."

I would say that it only shows this and doesn't prove, as you seem to imply, that products which don't detect it are of lower quality than those which do. In fact I could argue the exact opposite:

Modern AV/AM engines are like pipelines. For example if it has to scan a file F, first it can try using the most simple signatures, then try checking if the file is an archive and if it is, extract all the parts and again try to use the simple signatures on the extracted parts and so on (of course there are many more possible operations, I'm simplifying here).

What you are actually testing here is the construction of this pipeline: let's say that we have a method E which recognizes the EICAR file. Using the pipeline architecture mentioned before, we could insert the method E at every stage (i.e. after we extracted additional artifacts from the file) or only at the beginning. Notice that given the description at the EICAR site, we are free to do it either way (and it is correct either way), but supposedly the second way (only checking it at the beginning) is faster (because the product is doing less work, even if the work we are talking about is very small).

In conclusion: what the results show can be explained by the different architectural decisions made by different AV vendors. A very good argument can be made that the vendors which do not detect the EICAR file inside the PDF are better in some way (since they seem to focus more on optimizing the scanning speed!). This certainly does not indicate anything about the detection capabilities of the individual products.

If you take a look at my blog, you will find that I'm all for calling out security vendors when they claim less-than-true things, but I'm also keen on using rock-solid arguments.

Happy Holidays!
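The test from the post (EICAR hidden inside a PDF) and the two pipeline layouts cdman83 sketches above ("method E" only at the front, or again after extraction) can both be reproduced with a small model. The following is an added example; it is not code from the post, from the EICAR-GTUBE generator, or from any vendor's engine. It builds a minimal one-page PDF whose content stream carries the 68-byte EICAR string, plain or Flate-compressed, and scans it with a toy two-stage pipeline. The function names (build_pdf, extract_streams, signature_stage, scan, run_matrix), the minimal PDF layout and the "exact vs. substring" reading of the EICAR rule are the example's own assumptions; the stream parser only understands direct /Length values, not indirect references.

```python
"""Toy model of an AV scan pipeline (an assumed illustration, not any vendor's
engine) plus a generator for a PDF that carries the EICAR test string."""
import re
import zlib

# The 68-byte EICAR test string, assembled from two halves so that this source
# file does not itself contain the literal sequence that on-access scanners
# may match anywhere in a file. Nothing here is ever written to disk.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
assert len(EICAR) == 68


def build_pdf(payload, compress=False):
    """Minimal one-page PDF whose page content stream is `payload`
    (constructed stand-in for the post's generator; xref offsets are
    computed, so the file is well-formed for a strict parser)."""
    if compress:
        data, filt = zlib.compress(payload), b" /Filter /FlateDecode"
    else:
        data, filt = payload, b""
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] "
        b"/Contents 4 0 R >>",
        b"<< /Length %d%s >>\nstream\n" % (len(data), filt)
        + data + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objects) + 1, xref_pos))
    return bytes(out)


# A stream object: a dictionary (containing no nested "<<") followed by the
# "stream" keyword. Assumption: /Length is a direct integer, not "n 0 R".
STREAM_HDR = re.compile(rb"<<((?:(?!<<).)*?)>>\s*stream\r?\n", re.DOTALL)


def extract_streams(blob):
    """Extraction stage: return the data of every stream object in a PDF,
    inflating FlateDecode streams so a later signature stage sees plaintext."""
    parts = []
    for m in STREAM_HDR.finditer(blob):
        hdr = m.group(1)
        length = re.search(rb"/Length\s+(\d+)", hdr)
        if not length:
            continue
        data = blob[m.end():m.end() + int(length.group(1))]
        if b"/FlateDecode" in hdr:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue  # undecodable stream: a real engine would flag this
        parts.append(data)
    return parts


def signature_stage(blob, exact):
    """Method E. exact=True is the strict EICAR reading (the object *is* the
    68 bytes); exact=False is the looser anywhere-in-the-object match."""
    return blob == EICAR if exact else EICAR in blob


def scan(blob, exact, rescan_parts):
    """Two-stage pipeline. Stage 1 runs E on the raw file. Stage 2 extracts
    PDF streams; with rescan_parts=True E is run again on every extracted
    part (E at every stage), with rescan_parts=False it is not (E only at
    the beginning)."""
    if signature_stage(blob, exact):
        return "detected:raw"
    if blob.startswith(b"%PDF"):
        parts = extract_streams(blob)  # extraction runs in both layouts
        if rescan_parts:
            for part in parts:
                if signature_stage(part, exact):
                    return "detected:stream"
    return "clean"


def run_matrix():
    """Scan three constructed samples under every combination of signature
    strictness and pipeline layout; returns {(sample, exact, rescan): verdict}."""
    samples = {
        "bare eicar.com": EICAR,
        "pdf, plain stream": build_pdf(EICAR, compress=False),
        "pdf, flate stream": build_pdf(EICAR, compress=True),
    }
    return {(name, exact, rescan): scan(blob, exact, rescan)
            for name, blob in samples.items()
            for exact in (True, False)
            for rescan in (False, True)}


if __name__ == "__main__":
    for (name, exact, rescan), verdict in run_matrix().items():
        print("%-18s exact=%-5s rescan=%-5s -> %s"
              % (name, exact, rescan, verdict))
```

Running run_matrix() gives three distinct behaviours for the same "EICAR in a PDF" sample: the strict reading of the EICAR rule catches only the bare 68-byte file; a substring match on the raw file also catches the uncompressed embedding but not the Flate-compressed one; only the layout that runs E again after extraction (with the stream inflated first) catches both. So whether a product "misses" the post's test says where E sits in its pipeline and how the stream was encoded, which is exactly the distinction cdman83 draws, and says nothing by itself about the rest of the engine.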

Marco Ramilli said...

Well, actually I really care more about security and not about performance. I totally agree when you say that modern AVs are close to a pipeline (well, it's not totally true if you take a closer look... but it's a good approximation), and for that reason analyzing the evaluation process means evaluating the accuracy of the AV.

So I don't want to say that some AVs are better than others, but I can definitely say that these AVs are less accurate, in this scenario.

Again, this is worrying because AV leaders shouldn't miss this easy step.

Do you have a blog? What's the address?

Thank you for following me.

cdman83 said...

I blog at http://hype-free.blogspot.com/

I would be happy to have you as one of my readers.

Regards.

Marco Ramilli said...

Definitely, I'd love to read your blog.
Just added it to my favorites.
