Monday, January 4, 2010

More on EICAR


Hi folks, today I want to show two easy experiments made with the new version of the "Quick'n Dirty" EICAR-GTUBE-Generator 0.1. I know that the EICAR file is only a test file and is not supposed to be recognized inside other files, BUT for some reason some AVs do detect it there. By analyzing this file we can analyze the AV's detection chain (as already explained in some past posts) and maybe find some gaps.

Exp 1. Hiding the EICAR file in the JPG header

Most AVs (but not all ...) detect the EICAR file even when it is embedded in the JPG header. Some major AV companies like AVAST, McAfee and Microsoft don't (why can't they detect it?).

Exp 2. Hiding the EICAR file in the JPG tail

Surprisingly only two AV engines detect it. My best compliments to Authentium and F-Prot. So why can Authentium and F-Prot detect EICAR even when it is hidden in the JPG's tail while the other AV companies cannot? What's the difference between their detection chains?
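To make the "detection chain" question concrete, here is an added Python example covering both experiments (it is not from the original post and not the generator tool's code). It builds a constructed, minimal JPEG container, puts the EICAR test string either in a COM (comment) segment in the header, which is my assumption of how a "header" embedding looks, or as trailing bytes after the EOI marker, and then runs two toy scanners: one that walks only the declared JPEG segments, and one that also inspects whatever follows EOI. The EICAR string is assembled from two fragments so that this page does not itself trip a scanner; the function names and the placeholder start-of-scan data are assumptions of the example.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"


def eicar_string() -> bytes:
    """The 68-byte EICAR test string, assembled from two fragments so that
    the text of this example does not itself trip a scanner."""
    return b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG marker segment: FF xx, 2-byte big-endian length
    (which counts the length field itself), then the payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_jpeg(comment: bytes = b"", trailing: bytes = b"") -> bytes:
    """Constructed minimal JPEG container (not a decodable picture).
    `comment` lands in a COM segment in the header (Exp 1);
    `trailing` is appended after the EOI marker (Exp 2)."""
    app0 = segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    com = segment(0xFE, comment) if comment else b""
    sos = segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")  # placeholder start-of-scan header
    scan = b"\x00"  # placeholder entropy-coded data
    return SOI + app0 + com + sos + scan + EOI + trailing


def parse_jpeg(data: bytes) -> dict:
    """Walk the marker segments up to SOS, locate EOI, and return the
    segment payloads plus whatever bytes follow EOI."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    pos, segments = 2, []
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
        if marker == 0xDA:  # SOS: entropy-coded data runs until EOI
            eoi = data.find(EOI, pos)
            if eoi < 0:
                raise ValueError("no EOI marker")
            return {"segments": segments, "trailing": data[eoi + 2:]}
    raise ValueError("no SOS marker")


def scan_segments_only(data: bytes, signature: bytes) -> bool:
    """Structural scanner: inspects only the declared segment payloads."""
    return any(signature in payload for _, payload in parse_jpeg(data)["segments"])


def scan_whole_file(data: bytes, signature: bytes) -> bool:
    """Scanner that also looks at bytes after EOI, where a JPEG should end."""
    parsed = parse_jpeg(data)
    return (any(signature in payload for _, payload in parsed["segments"])
            or signature in parsed["trailing"])


def trailing_byte_count(data: bytes) -> int:
    """Bytes after EOI; a well-formed JPEG has zero, so a non-zero value is
    a cheap flag worth raising even before any signature match."""
    return len(parse_jpeg(data)["trailing"])


if __name__ == "__main__":
    sig = eicar_string()
    for name, sample in (("header", build_jpeg(comment=sig)), ("tail", build_jpeg(trailing=sig))):
        print(name, "segments-only:", scan_segments_only(sample, sig),
              "whole-file:", scan_whole_file(sample, sig),
              "trailing bytes:", trailing_byte_count(sample))
```

The segments-only scanner finds the header embedding but walks straight past the tail, which is the behaviour the post observes in most engines; the whole-file scanner catches both, and `trailing_byte_count` shows why the tail case is easy to flag structurally: a clean JPEG has nothing after EOI.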

I'll ask these people directly during this week; I'll be back with some answers ... hopefully.
